This STIG control is somewhat confusing.

The STIG states that the finding will always be open, but the severity level changes depending on the result of the check.

The STIG itself is marked as a XCDDF severity="low", but the Check Text states that it's a CAT-II unless the mcafeetp package is installed and running.

The Inspec baseline incorrectly marks this as an open CAT-III if the package is not installed or not running. It also incorrectly marks this as closed if the package is installed and running.

The SV-238336.rb file should be changed to mark this as an open impact 0.5 if mcafeetp is not installed or not running.
It should mark this control as an open impact 0.3 if the package is installed and running.

The 'Tag and Release Process' would:

Start a new release by updating the version of the profile in:

• update the version in inspec.yml
• Generate a CHANGELOG file
• Generate a VERSION file
• Tag that release in GitHub

The control tries to check for lock either via the /etc/shadow file or using the passwd -S root command.

The InSpec code suggests describe.one but ends after then shadow file check, then parses the passwd -S command as though they were separate checks.

A correction might read:

  describe.one do
    describe shadow.where(user: 'root') do
      its('passwords.uniq.first') { should eq '!*' }
    end
    describe command('passwd -S root').stdout.strip do
      it { should match(/^root\s+L\s+.*$/) }
    end
  end

The STIG states that /etc/audisp/plugins.d/au-remote.conf should contain the line active = yes.

It also states that /etc/audisp/audisp-remote.conf should contain the remote_server = address.

The control is checking audispremote_config_file for both, but should be checking separate files.

The STIG states that the file in the audit rule should be /usr/sbin/fdisk.

The control is incorrectly looking for /sbin/fdisk

This control only checks the value of net.ipv4.tcp_syncookies via the sysctl command.

If the systctl command returns 1 but the /etc/sysctl.conf or /etc/sysctl.d/* files do not have it explicitly configured, the control should fail per the STIG Check Text.

The STIG says at least every 24 hours.

A value of maxpoll 16 is 2^16 seconds, or just over 18 hours

The control checks for maxpoll = 17 which is an invalid format and is beyond 24 hours at 2^17 seconds, or 1.5 days.

The chrony.conf file format shows that the line should contain maxpoll x and not maxpoll = x.

The STIG Check Text shows this correctly, while the Fix Text displays it incorrectly.

Where is the work for this profile being done?

All control tags have a trailing space.

When converted from JSON to CKL via Heimdall, the space remains in the CKL file's ATTRIBUTE node.

This makes it impossible to import the data into a checklist newly created from STIG Viewer due to the data mismatch.

https://github.com/haltcase/tablemark-cli

1. Create a profile json filtering the output to controls that either only apply to the host or the container
2. inspec json . --tags host| jq . > host-only.json or something like this
3. jq -r '.controls[] | {title: .title, id: .id, description: .desc}' host-only.json ( small bug that the elements are not separated by commas, perhaps this is why tablemark talked about the ndjson thing
4. yarn global add tablemark-cli
5. tablemark x.json > test.md

The STIG states the package named mcafeetp should be installed.

The Inspec file here is searching for a packaged named mfetp which does not exist.

The STIG is looking for the pam_faillock.so module, but the control is searching for the pam_tally module

A correction would be something like this:

    describe command('grep faillock /etc/pam.d/common-auth') do
      its('exit_status') { should eq 0 }
      its('stdout.strip') { should match(/^\s*auth\s+\[default=die\]\s+pam_faillock.so\s+authfail$/) }
      its('stdout.strip') { should match(/^\s*auth\s+sufficient\s+pam_faillock.so\s+authsucc$/) }
    end

The InSpec control is searching for:
^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$

The STIG check and fix text both state the line should contain:
password requisite pam_pwquality.so retry=3

While I agree that enforce_for_root is good practice, it is nowhere to be found in the STIG itself.

The control should be updated to grep for the line containing password requisite pam_pwquality.so, then only check for the presence of retry=3

There are currently 7 profile errors.

Please resolve them and then update the thresholds to again enforce zero errors.

There is missing conditional logic where if running on a container or host we need to verify if the service package is installed, or installed and enabled, that tests are run, other wise it would be Not Applicable.(

I see there are the ssh client ones and I ran across a couple sshd_server ones as well. This would come out in something like:

if `disable_thing_input
 ... NA
eleif !package('service_package').installed?
  ... NA
eleif ( in a container )*
  ... NA or tests differnt
eleif ( other NA conditions defined by the control )*
  NA
else
    run standard tests
 end

* optional - may not really apply

• ssh client
• sshd server
• pki related
• (list others here)

The control parses /etc/pam_pkcs11/pam_pkcs11.conf to find the line containing use_mappers

If that entry looks like the following, the control fails:
use_mappers = digest, cn, pwent, uid, mail, subject, null;

The Check Text states:

If "use_mappers" is not found or the list does not contain "pwent" this is a finding.

The Fix Text states:

Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a
comma-separated list of mappers, add it to the list, separated by comma, and before the null
mapper.

Changing line 50 in V-238201.rb from cmp to match corrects the issue.

The /etc/pam_pkcs11/pam_pkcs11.conf file can have different configurations for each pkcs11 module.

The STIG expects the user to check the module in use by checking the value of use_pkcs11_module.

Then, the user is expected to look at that module's configuration for the determination of the cert_policy settings.

If your pam_pkcs11.conf file contains the following, the control will fail:

use_pkcs11_module = opensc;
pkcs11_module opensc {
  cert_policy = ca,signature,ocsp_on,crl_auto;
}
pkcs11_module default {
  cert_policy = none;
}

An example for the correction of SV-238229.rb file might say:

  tag 'host'

  pkmod = command('grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |cut -d \'=\' -f2|cut -d \';\' -f1|xargs').stdout.strip
  awkcmd = "awk '/pkcs11_module #{pkmod} {/,/}/\' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy"

  if virtualization.system.eql?('docker')
    impact 0.0
    describe 'Control not applicable to a container' do
      skip 'Control not applicable to a container'
    end
  elsif input('pki_disabled')
    impact 0.0
    describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do
      skip 'This system is not using PKI for authentication so the controls is Not Applicable.'
    end
  else
    config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?
    if config_file_exists
      describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do
        its('use_pkcs11_module') { should_not be_nil }
        describe command(awkcmd) do
          its('stdout') { should include 'ca' }
        end
      end
    else
      describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do
        subject { config_file_exists }
        it { should be true }
      end
    end
  end

Note the variables pkmod and awkmod and the describe command below the parse_config_file.

add a

tag 'host'
or
tag 'container'
or 
tag 'host','container'

to each control as appropriate for that controls' context

The STIG states that the audit rule should be in place for /var/run/utmp.

The control is incorrectly checking for /var/run/wtmp instead.

The wtmp file is being checked as /var/log/wtmp in SV-238315.

Both controls attempt to determine if a GUI is installed.

If a GUI is not installed, the controls state that a GUI is not installed, but mark the control as Not Reviewed.

The STIG states that if a GUI is not installed, the control is Not Applicable.

The SV-238198 control correctly marks this as NA by setting impact 0.0.