-
Notifications
You must be signed in to change notification settings - Fork 37
Delta
For instruction on how to developed an InSpec Profile visit the How to generate an InSpec profile from a STIG
To minimize the changes to only the meaningful changes based on the guidance update, it is beneficial to first format the profile to reflect the same format in which delta will write the profile. To accomplish this, perform the following action on the repository you're implementing the delta process:
1. Run cookstyle
-
Install the cookstyle gem on your development environment
a. To install the gem use:
gem install cookstyle
b. To verify that the gem is install use:
gem list cookstyle
-
Create a
.rubocop.yml
file with the contents listed below. Alternatively you could modify this setting via the command line.
Style/WordArray:
Description: 'Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)'
Enabled : false
Style/RedundantPercentQ:
Enabled: true
Style/NestedParenthesizedCalls:
Enabled: false
Style/TrailingCommaInHashLiteral:
Description: 'https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral'
Enabled: true
EnforcedStyleForMultiline: no_comma
Style/TrailingCommaInArrayLiteral:
Enabled: true
EnforcedStyleForMultiline: no_comma
Style/BlockDelimiters:
Enabled: false
- Run
cookstyle -a ./controls
to lint (modify) the controls into cookstyle format - Run any tests that you may have for your profile
2. Run the SAF CLI command `saf generate update_controls4delta`
Prior of running the delta process run the saf cli update_controls4delta
to check and update the controls Id and metadata with the provided XCCDF guidance's. The process checks if the new guidance's change the control numbers, if they have changed, it updates the controls to the new value. This minimizes the delta output content and makes for better and easier visualization of the modification provided by the Delta process.
Multiple options are available when invoking the update_controls4delta
us the help command (saf generate update_controls4delta -h
) for additional detailed information
-
Download new guidance from DISA for the appropriate profile. This will typically download a zip file on your machine. Unzip the downloaded folder and identify the
<name>xccdf.xml
file. -
Create the InSpec Profile JSON file.
-
Clone or download the InSpec profile locally.
-
Run the
inspec json
command to create the InSpec Profile JSON file to be used in thesaf generate delta
command. The full command is:inspec json <path to your InSpec profile> > <path to the file to generate profile.json>
For example, from the InSpec profile directory, the command could be
inspec json . > profile.json
.
-
- The newest saf-cli (current version is listed on the repo)
- The InSpec Profile JSON file
- The updated guidance file Then, run
saf generate delta [arguments]
Update Controls Diagram
Previous Delta Notes
- for the control ID, title, default text, check text, and fix text - delta replaces the single quotes with double quotes
- for each tag at the bottom, the name loses its single quotes, and the values for each tag are now in double quotes
- ref gets added in (between impact and tags)
(ex: 'name' --> name ~ stuff like that^)
- this was the original delta branch: https://github.com/mitre/saf/pull/485 (has been pushed into this repo)
- delta takes lines that are not labeled with 'desc' and sticks them in at the bottom (between tags and Inspec code)
- formatting should be adjusted, maybe having 2 runs - 1 for formatting the files in a way that delta likes, and then the 2nd run being delta?
- if the controls are formatted to be 80 lines, or not formatted, delta spits out the same behavior with the extra text
- parameterizing stuff
Streamline security automation for systems and DevOps pipelines with the SAF CLI
- Home
- How to create a release
- Splunk Configuration
- Supplement HDF Configuration
- Validation with Thresholds
- SAF CLI Delta Process
- Mapper Creation Guide for HDF Converters
- How to create a SAF CLI
- How to recommend development of a mapper
- Use unreleased version of a package from the Heimdall monorepo in the SAF CLI
- Troubleshooting