diff --git a/apps/frontend/src/components/global/ExportCKLModal.vue b/apps/frontend/src/components/global/ExportCKLModal.vue
index 0c6d42eab3..aeb7daa5e6 100644
--- a/apps/frontend/src/components/global/ExportCKLModal.vue
+++ b/apps/frontend/src/components/global/ExportCKLModal.vue
@@ -61,20 +61,37 @@
-
+
mdi-information-variant-circle
Export
@@ -280,7 +297,8 @@ import {
StigMetadata,
Assettype,
Role,
- Techarea
+ Techarea,
+ validateChecklistMetadata
} from '@mitre/hdf-converters';
import {ExecJSON} from 'inspecjs';
import {Dependency} from 'inspecjs/src/generated_parsers/v_1_0/exec-json';
@@ -290,6 +308,10 @@ import Component from 'vue-class-component';
import {Prop, Watch} from 'vue-property-decorator';
import {DateTime} from 'luxon';
import {coerce} from 'semver';
+import {validationMixin} from 'vuelidate';
+import {or, CustomRule} from 'vuelidate/lib/validators';
+import ValidationProperties from 'vue/types/vue';
+import {Result} from '@mitre/hdf-converters/src/utils/result';
type ExtendedEvaluationFile = (EvaluationFile | ProfileFile) &
ChecklistMetadata & {
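Review bot: The default import `import ValidationProperties from 'vue/types/vue'` on line 26 looks wrong: `vue/types/vue` is a declaration module with, as far as I can tell, no default export, so this only compiles via synthetic default imports and binds the whole module namespace; `typeof ValidationProperties` at line 83 then types the `field` parameter as that module object rather than a vuelidate validation node, which is presumably why `_.get(field, '$invalid')` is needed instead of `field.$invalid`. A type-only import of the validation-state type the project's vuelidate typings expose (e.g. `import type {Validation} from 'vuelidate'`, if that is the exported name) with `field: Validation` would let the compiler check the `$invalid` access. Separately, line 27 reaches into `@mitre/hdf-converters/src/utils/result`, coupling the frontend to the library's internal layout; since line 127 already re-exports the new metadata utils through the package index, `Result` should be re-exported the same way and imported from `@mitre/hdf-converters`.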
@@ -303,9 +325,31 @@ type FileData = {
data: string;
};
+const isNotSelected: CustomRule = (_, file) => !file.selected;
+function validateField(prop: string): CustomRule {
+ return (_, file: ExtendedEvaluationFile) => {
+ let results = validateChecklistMetadata(file);
+ return results.ok || !results.error.invalid.includes(prop);
+ };
+}
+
@Component({
- components: {
- LinkItem
+ mixins: [validationMixin],
+ components: {LinkItem},
+ validations: {
+ files: {
+ $each: {
+ hostip: {
+ ipAddress: or(validateField('hostip'), isNotSelected)
+ },
+ hostmac: {
+ macAddress: or(validateField('hostmac'), isNotSelected)
+ },
+ hostfqdn: {
+ fqdn: or(validateField('hostfqdn'), isNotSelected)
+ }
+ }
+ }
}
})
export default class ExportCKLModal extends Vue {
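Review bot: `validateField` and `isNotSelected` are module-level helpers with no documentation, and `let results` on line 36 is never reassigned, so it should be `const results`. A short TSDoc on `validateField` would help, e.g. `/** Builds a vuelidate rule that passes unless validateChecklistMetadata reports `prop` as invalid for the file being validated. */`, and `isNotSelected` deserves a one-liner saying it short-circuits validation for files not selected for export. Note that each rule runs the full `validateChecklistMetadata(file)` independently, so the three rules under `$each` validate every file three times per change; if that function is non-trivial, a single cached result per file may be worth considering, though I cannot see its cost from here.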
@@ -540,20 +584,17 @@ export default class ExportCKLModal extends Vue {
return results;
}
- validateIpAddress(value: string): boolean | string {
- if (!value) {
- return true;
- }
- const ipPattern = /^(\d{1,3}\.){3}\d{1,3}$/;
- return ipPattern.test(value) || 'Invalid IP Address Format';
- }
-
- validateMacAddress(value: string): boolean | string {
- if (!value) {
- return true;
+ /**
+ * Checks the input field and generates a formatted error message if necessary
+ *
+ * @param field the validation state of the input field
+ * @param name name of the field that will show up in error message
+ */
+ validateFormat(field: typeof ValidationProperties, hint: string): string[] {
+ if (_.get(field, '$invalid')) {
+ return [hint];
}
- const macPattern = /^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$/;
- return macPattern.test(value) || 'Invalid MAC Address Format';
+ return [];
}
setProperName(name: string, fileIndex: number, profileIndex: number): string {
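Review bot: The TSDoc added at lines 80-81 documents `@param field` and `@param name`, but the signature on line 83 names the second parameter `hint`, so the doc no longer matches the code; change it to `@param hint message to show when the field is invalid` and add `@returns a single-element array holding the hint when the field is invalid, otherwise an empty array`, which is what the body does. The `typeof ValidationProperties` annotation on the same line is discussed in the import hunk above. `validateFormat` itself is complete within the hunk, but the surrounding class continues outside it.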
@@ -679,6 +720,15 @@ export default class ExportCKLModal extends Vue {
for (const selected of this.selected) {
this.addMetadataToPassthrough(selected);
if ('evaluation' in selected) {
+ // validate checklist metadata input from user
+ const result = this.validateInputMetadata(selected);
+
+ // display error message upon any invalid user inputs
+ if (!result.ok) {
+ SnackbarModule.failure(result.error);
+ return;
+ }
+
const data = new ChecklistResults(selected.evaluation.data).toCkl();
const filename = `${cleanUpFilename(selected.filename)}.ckl`;
fileData.push({
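Review bot: When several files are selected, the failure message at line 101 shows only `result.error` and does not say which file's metadata is invalid, so the user has to guess which entry to fix; since `selected.filename` is already used on line 106, `SnackbarModule.failure(\`${selected.filename}: ${result.error}\`);` would make the message actionable. The check also runs after `this.addMetadataToPassthrough(selected)` on line 94 and after earlier files have already been processed, so on failure the early return abandons the export midway; if `addMetadataToPassthrough` mutates the file objects, validating every selected file before the loop would keep the export all-or-nothing without partial side effects, though I cannot see that helper from here. The enclosing method starts and ends outside this hunk.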
@@ -690,5 +740,11 @@ export default class ExportCKLModal extends Vue {
saveSingleOrMultipleFiles(fileData, 'ckl');
this.closeModal();
}
+
+ validateInputMetadata(metadata: ChecklistMetadata): Result {
+ const result = validateChecklistMetadata(metadata);
+ if (result.ok) return {ok: true, value: true};
+ return {ok: false, error: result.error.message};
+ }
}
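Review bot: `validateInputMetadata` is a new public method with no TSDoc, and the success branch returns `{ok: true, value: true}`, a payload that carries no information while the failure branch flattens the structured `result.error` (which line 37 shows has an `invalid` list) down to its `message` string. A comment such as `/** Validates user-entered checklist metadata; on failure the error is the human-readable message from validateChecklistMetadata, suitable for display. */` would state the contract, and it is worth considering whether callers would be better served by returning `validateChecklistMetadata`'s result directly so the invalid field names are not lost.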
diff --git a/libs/hdf-converters/index.ts b/libs/hdf-converters/index.ts
index b33c5370c4..d426140dae 100644
--- a/libs/hdf-converters/index.ts
+++ b/libs/hdf-converters/index.ts
@@ -4,6 +4,7 @@ export * from './src/burpsuite-mapper';
export * from './src/ckl-mapper/checklist-mapper';
export * from './src/ckl-mapper/checklistJsonix';
export * from './src/ckl-mapper/checklist-jsonix-converter';
+export * from './src/ckl-mapper/checklist-metadata-utils';
export * from './src/converters-from-hdf/asff/reverse-asff-mapper';
export * from './src/converters-from-hdf/caat/reverse-caat-mapper';
export * from './src/converters-from-hdf/html/reverse-html-mapper';
diff --git a/libs/hdf-converters/package.json b/libs/hdf-converters/package.json
index 97c03907ae..58727f9aa2 100644
--- a/libs/hdf-converters/package.json
+++ b/libs/hdf-converters/package.json
@@ -34,7 +34,9 @@
"@types/ms": "^0.7.31",
"@types/mustache": "^4.1.2",
"@types/papaparse": "^5.3.2",
+ "@types/revalidator": "^0.3.12",
"@types/triple-beam": "^1.3.2",
+ "@types/validator": "^13.12.0",
"@types/xml2js": "^0.4.9",
"axios": "^1.3.5",
"compare-versions": "^6.0.0",
@@ -48,10 +50,12 @@
"ms": "^2.1.3",
"mustache": "^4.2.0",
"papaparse": "^5.3.1",
+ "revalidator": "^0.3.1",
"run-script-os": "^1.1.6",
"semver": "^7.6.0",
"tailwindcss": "^3.3.3",
"tw-elements": "^1.0.0-beta2",
+ "validator": "^13.12.0",
"winston": "^3.6.0",
"xml-formatter": "^3.6.2",
"xml-parser-xo": "^4.1.1",
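Review bot: This hunk adds two new runtime dependencies, `revalidator` and `validator`, to a published library, and `revalidator` in particular appears to have had no releases for many years; adding a long-unmaintained package to the supply chain of a converter library deserves a note in the PR description explaining why `validator` alone (which already provides IP, MAC and FQDN checks) is not sufficient, and confirmation that the lockfile change accompanies this diff. The corresponding `@types/*` additions at lines 139 and 141 follow the same question. If `revalidator` is needed only for schema validation of the metadata object, a pinned version rather than a caret range would at least limit what a future publish of an abandoned package could pull in.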
diff --git a/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.ckl b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.ckl
new file mode 100644
index 0000000000..01b25edbcd
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.ckl
@@ -0,0 +1,505 @@
+
+
+
+
+ Member Server
+ Computing
+ CUI
+ valid
+ invalid
+ invalid
+ invalid
+
+ Exchange Server
+ 5339
+ false
+
+
+
+
+
+
+
+ version
+ 1
+
+
+ classification
+ UNCLASSIFIED
+
+
+ customname
+
+
+ stigid
+ Cisco_ASA_FW_STIG
+
+
+ description
+ This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
+
+
+ filename
+ U_Cisco_ASA_Firewall_STIG_V1R4_Manual-xccdf.xml
+
+
+ releaseinfo
+ Release: 4 Benchmark Date: 27 Apr 2023
+
+
+ title
+ Cisco ASA Firewall Security Technical Implementation Guide
+
+
+ uuid
+ b6a7cb18-6ffe-4a6e-9f44-60d514c98db9
+
+
+ notice
+ terms-of-use
+
+
+ source
+ STIG.DOD.MIL
+
+
+
+
+ Vuln_Num
+ V-239852
+
+
+ Severity
+ high
+
+
+ Group_Title
+ SRG-NET-000019-FW-000003
+
+
+ Rule_ID
+ SV-239852r665842_rule
+
+
+ Rule_Ver
+ CASA-FW-000010
+
+
+ Rule_Title
+ The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.
+
+
+ Vuln_Discuss
+ Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.
+
+The firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.
+
+
+ IA_Controls
+
+
+
+ Check_Content
+ Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services.
+
+Step 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below.
+
+ interface GigabitEthernet0/0
+ nameif INSIDE
+ security-level 100
+ ip address 10.1.11.1 255.255.255.0
+…
+…
+…
+access-group INSIDE _IN in interface INSIDE
+
+Step 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below.
+
+access-list INSIDE _IN extended permit tcp any any eq www
+access-list INSIDE _IN extended permit tcp any any eq https
+access-list INSIDE _IN extended permit tcp any any eq …
+access-list INSIDE _IN extended deny ip any any log
+
+If the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.
+
+
+ Fix_Text
+ Step 1: Configure the ingress ACL similar to the example below.
+
+ASA(config)# access-list INSIDE_INextended permit tcp any any eq https
+ASA(config)# access-list INSIDE_INextended permit tcp any any eq http
+ASA(config)# access-list INSIDE_INextended permit tcp any any eq …
+ASA(config)# access-list INSIDE_INextended deny ip any any log
+
+Step 2: Apply the ACL inbound on all internal interfaces as shown in the example below.
+
+ASA(config)# access-group INSIDE_IN in interface INSIDE
+ASA(config)# end
+
+
+ False_Positives
+
+
+
+ False_Negatives
+
+
+
+ Documentable
+ false
+
+
+ Mitigations
+
+
+
+ Potential_Impact
+
+
+
+ Third_Party_Tools
+
+
+
+ Mitigation_Control
+
+
+
+ Responsibility
+
+
+
+ Security_Override_Guidance
+
+
+
+ Check_Content_Ref
+ M
+
+
+ Weight
+ 10.0
+
+
+ Class
+ Unclass
+
+
+ STIGRef
+ Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023
+
+
+ TargetKey
+ 5339
+
+
+ STIG_UUID
+ 54b4701f-19a1-4d5b-9497-5be85f995362
+
+
+ LEGACY_ID
+
+
+
+ LEGACY_ID
+
+
+
+ CCI_REF
+ CCI-001414
+
+ Not_Reviewed
+
+
+
+
+
+
+
+ Vuln_Num
+ V-239853
+
+
+ Severity
+ medium
+
+
+ Group_Title
+ SRG-NET-000019-FW-000004
+
+
+ Rule_ID
+ SV-239853r665845_rule
+
+
+ Rule_Ver
+ CASA-FW-000020
+
+
+ Rule_Title
+ The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
+
+
+ Vuln_Discuss
+ Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.
+
+
+ IA_Controls
+
+
+
+ Check_Content
+ By default, when you change a rule-based policy such as access rules, the changes become effective immediately. With transactional model configured, the rules are not active until after compilation.
+
+Review the ASA configuration and verify that the following command is not configured.
+
+asp rule-engine transactional-commit access-group
+
+If transactional-commit access-group has been configured, this is a finding.
+
+
+ Fix_Text
+ Remove the command asp rule-engine transactional-commit access-group
+
+ASA(config)# no asp rule-engine transactional-commit access-group
+
+
+ False_Positives
+
+
+
+ False_Negatives
+
+
+
+ Documentable
+ false
+
+
+ Mitigations
+
+
+
+ Potential_Impact
+
+
+
+ Third_Party_Tools
+
+
+
+ Mitigation_Control
+
+
+
+ Responsibility
+
+
+
+ Security_Override_Guidance
+
+
+
+ Check_Content_Ref
+ M
+
+
+ Weight
+ 10.0
+
+
+ Class
+ Unclass
+
+
+ STIGRef
+ Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023
+
+
+ TargetKey
+ 5339
+
+
+ STIG_UUID
+ 54b4701f-19a1-4d5b-9497-5be85f995362
+
+
+ LEGACY_ID
+
+
+
+ LEGACY_ID
+
+
+
+ CCI_REF
+ CCI-001414
+
+ Not_Reviewed
+
+
+
+
+
+
+
+ Vuln_Num
+ V-239854
+
+
+ Severity
+ medium
+
+
+ Group_Title
+ SRG-NET-000061-FW-000001
+
+
+ Rule_ID
+ SV-239854r665848_rule
+
+
+ Rule_Ver
+ CASA-FW-000030
+
+
+ Rule_Title
+ The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.
+
+
+ Vuln_Discuss
+ Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.
+
+Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
+
+Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
+
+
+ IA_Controls
+
+
+
+ Check_Content
+ Step 1: Verify that an ACL has been applied to the applicable VPN group policy via the vpn-filter attribute as shown in the example below.
+
+group-policy VPN_POLICY internal
+group-policy VPN_POLICY attributes
+ …
+ …
+ …
+ vpn-filter value RESTRICT_VPN
+
+Step 2: Verify that the filter restricts traffic according to organization-defined filtering rules as shown in the example below.
+
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.12 eq http
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.13 eq smtp
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp-data
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.15 eq domain
+access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.16 eq sqlnet
+access-list RESTRICT_VPN extended deny ip any any log
+
+Note: In the example above, assume that the client-assigned IP address pool is 10.10.10.0/24 and the local private network is 192.168.1.0/24.
+
+If the ASA is not configured to restrict VPN traffic according to organization-defined filtering rules, this is a finding.
+
+
+ Fix_Text
+ Step 1: Configure the ACL to restrict VPN traffic.
+
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.12 eq http
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.13 eq smtp
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp-data
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.y host 192.168.1.15 eq domain
+ASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.16 eq sqlnet
+ASA(config)# access-list RESTRICT_VPN extended deny ip any any log
+ASA(config)# exit
+
+Step 2: Apply the VPN filter to the applicable group policy as shown in the example below.
+
+ASA(config)# group-policy VPN_POLICY attributes
+ASA(config-group-policy)# vpn-filter value RESTRICT_VPN
+ASA(config-group-policy)# end
+
+
+ False_Positives
+
+
+
+ False_Negatives
+
+
+
+ Documentable
+ false
+
+
+ Mitigations
+
+
+
+ Potential_Impact
+
+
+
+ Third_Party_Tools
+
+
+
+ Mitigation_Control
+
+
+
+ Responsibility
+
+
+
+ Security_Override_Guidance
+
+
+
+ Check_Content_Ref
+ M
+
+
+ Weight
+ 10.0
+
+
+ Class
+ Unclass
+
+
+ STIGRef
+ Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023
+
+
+ TargetKey
+ 5339
+
+
+ STIG_UUID
+ 54b4701f-19a1-4d5b-9497-5be85f995362
+
+
+ LEGACY_ID
+
+
+
+ LEGACY_ID
+
+
+
+ CCI_REF
+ CCI-000067
+
+ Not_Reviewed
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.json b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.json
new file mode 100644
index 0000000000..690db6090e
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.json
@@ -0,0 +1 @@
+{"platform":{"name":"Heimdall Tools","release":"2.10.8"},"version":"2.10.8","statistics":{},"profiles":[{"name":"Cisco_ASA_FW_STIG","version":"1","title":"Cisco ASA Firewall Security Technical Implementation Guide","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"terms-of-use","supports":[],"attributes":[],"groups":[],"status":"loaded","controls":[{"tags":{"gtitle":"SRG-NET-000019-FW-000003","rid":"SV-239852r665842_rule","gid":"V-239852","stig_id":"CASA-FW-000010","cci":["CCI-001414"],"nist":["AC-4"],"weight":"10.0","STIGRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023"},"refs":[],"source_location":{},"title":"The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.","id":"V-239852","desc":"Information flow control regulates where information is allowed to travel within a network and between interconnected networks. 
Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.\n\nThe firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.","descriptions":[{"data":"Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services.\n\nStep 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below.\n\n interface GigabitEthernet0/0\n nameif INSIDE\n security-level 100\n ip address 10.1.11.1 255.255.255.0\n…\n…\n…\naccess-group INSIDE _IN in interface INSIDE \n\nStep 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below.\n\naccess-list INSIDE _IN extended permit tcp any any eq www \naccess-list INSIDE _IN extended permit tcp any any eq https \naccess-list INSIDE _IN extended permit tcp any any eq …\naccess-list INSIDE _IN extended deny ip any any log\n\nIf the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.","label":"check"},{"data":"Step 1: Configure the ingress ACL similar to the example below.\n\nASA(config)# access-list INSIDE_INextended permit tcp any any eq https\nASA(config)# access-list INSIDE_INextended permit tcp any any eq http\nASA(config)# access-list INSIDE_INextended permit tcp any any eq …\nASA(config)# access-list INSIDE_INextended deny ip any any log \n\nStep 2: Apply the ACL inbound on all internal interfaces as shown in the example below.\n\nASA(config)# access-group INSIDE_IN in interface INSIDE\nASA(config)# end","label":"fix"}],"impact":0.7,"code":"{\n \"status\": \"Not Reviewed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"\",\n \"severityjustification\": 
\"\",\n \"vulnNum\": \"V-239852\",\n \"severity\": \"high\",\n \"groupTitle\": \"SRG-NET-000019-FW-000003\",\n \"ruleId\": \"SV-239852r665842_rule\",\n \"ruleVer\": \"CASA-FW-000010\",\n \"ruleTitle\": \"The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.\",\n \"vulnDiscuss\": \"Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.\\n\\nThe firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.\",\n \"iaControls\": \"\",\n \"checkContent\": \"Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services.\\n\\nStep 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below.\\n\\n interface GigabitEthernet0/0\\n nameif INSIDE\\n security-level 100\\n ip address 10.1.11.1 255.255.255.0\\n…\\n…\\n…\\naccess-group INSIDE _IN in interface INSIDE \\n\\nStep 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below.\\n\\naccess-list INSIDE _IN extended permit tcp any any eq www \\naccess-list INSIDE _IN extended permit tcp any any eq https \\naccess-list INSIDE _IN extended permit tcp any any eq …\\naccess-list INSIDE _IN extended deny ip any any log\\n\\nIf the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.\",\n \"fixText\": \"Step 1: Configure the ingress ACL similar to the example below.\\n\\nASA(config)# access-list INSIDE_INextended permit tcp any any eq https\\nASA(config)# access-list INSIDE_INextended 
permit tcp any any eq http\\nASA(config)# access-list INSIDE_INextended permit tcp any any eq …\\nASA(config)# access-list INSIDE_INextended deny ip any any log \\n\\nStep 2: Apply the ACL inbound on all internal interfaces as shown in the example below.\\n\\nASA(config)# access-group INSIDE_IN in interface INSIDE\\nASA(config)# end\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023\",\n \"targetKey\": \"5339\",\n \"stigUuid\": \"54b4701f-19a1-4d5b-9497-5be85f995362\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-001414\"\n}","results":[{"status":"skipped","code_desc":"","start_time":""}]},{"tags":{"gtitle":"SRG-NET-000019-FW-000004","rid":"SV-239853r665845_rule","gid":"V-239853","stig_id":"CASA-FW-000020","cci":["CCI-001414"],"nist":["AC-4"],"weight":"10.0","STIGRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023"},"refs":[],"source_location":{},"title":"The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.","id":"V-239853","desc":"Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list, vulnerability assessments, or mission conditions. 
Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.","descriptions":[{"data":"By default, when you change a rule-based policy such as access rules, the changes become effective immediately. With transactional model configured, the rules are not active until after compilation.\n\nReview the ASA configuration and verify that the following command is not configured.\n\nasp rule-engine transactional-commit access-group\n\nIf transactional-commit access-group has been configured, this is a finding.","label":"check"},{"data":"Remove the command asp rule-engine transactional-commit access-group\n\nASA(config)# no asp rule-engine transactional-commit access-group","label":"fix"}],"impact":0.5,"code":"{\n \"status\": \"Not Reviewed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"\",\n \"severityjustification\": \"\",\n \"vulnNum\": \"V-239853\",\n \"severity\": \"medium\",\n \"groupTitle\": \"SRG-NET-000019-FW-000004\",\n \"ruleId\": \"SV-239853r665845_rule\",\n \"ruleVer\": \"CASA-FW-000020\",\n \"ruleTitle\": \"The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.\",\n \"vulnDiscuss\": \"Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\",\n \"iaControls\": \"\",\n \"checkContent\": \"By default, when you change a rule-based policy such as access rules, the changes become effective immediately. 
With transactional model configured, the rules are not active until after compilation.\\n\\nReview the ASA configuration and verify that the following command is not configured.\\n\\nasp rule-engine transactional-commit access-group\\n\\nIf transactional-commit access-group has been configured, this is a finding.\",\n \"fixText\": \"Remove the command asp rule-engine transactional-commit access-group\\n\\nASA(config)# no asp rule-engine transactional-commit access-group\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023\",\n \"targetKey\": \"5339\",\n \"stigUuid\": \"54b4701f-19a1-4d5b-9497-5be85f995362\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-001414\"\n}","results":[{"status":"skipped","code_desc":"","start_time":""}]},{"tags":{"gtitle":"SRG-NET-000061-FW-000001","rid":"SV-239854r665848_rule","gid":"V-239854","stig_id":"CASA-FW-000030","cci":["CCI-000067"],"nist":["AC-17 (1)"],"weight":"10.0","STIGRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023"},"refs":[],"source_location":{},"title":"The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.","id":"V-239854","desc":"Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, 
non-organization-controlled network.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","descriptions":[{"data":"Step 1: Verify that an ACL has been applied to the applicable VPN group policy via the vpn-filter attribute as shown in the example below.\n\ngroup-policy VPN_POLICY internal\ngroup-policy VPN_POLICY attributes\n …\n …\n …\n vpn-filter value RESTRICT_VPN\n\nStep 2: Verify that the filter restricts traffic according to organization-defined filtering rules as shown in the example below.\n\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.12 eq http \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.13 eq smtp \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp-data \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.15 eq domain\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.16 eq sqlnet\naccess-list RESTRICT_VPN extended deny ip any any log\n\nNote: In the example above, assume that the client-assigned IP address pool is 10.10.10.0/24 and the local private network is 192.168.1.0/24.\n\nIf the ASA is not configured to restrict VPN traffic according to organization-defined filtering rules, this is a finding.","label":"check"},{"data":"Step 1: Configure the ACL to restrict VPN traffic.\n\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.12 eq http\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. 
host 192.168.1.13 eq smtp\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp-data\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.y host 192.168.1.15 eq domain\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.16 eq sqlnet\nASA(config)# access-list RESTRICT_VPN extended deny ip any any log\nASA(config)# exit \n\nStep 2: Apply the VPN filter to the applicable group policy as shown in the example below.\n\nASA(config)# group-policy VPN_POLICY attributes \nASA(config-group-policy)# vpn-filter value RESTRICT_VPN \nASA(config-group-policy)# end","label":"fix"}],"impact":0.5,"code":"{\n \"status\": \"Not Reviewed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"\",\n \"severityjustification\": \"\",\n \"vulnNum\": \"V-239854\",\n \"severity\": \"medium\",\n \"groupTitle\": \"SRG-NET-000061-FW-000001\",\n \"ruleId\": \"SV-239854r665848_rule\",\n \"ruleVer\": \"CASA-FW-000030\",\n \"ruleTitle\": \"The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.\",\n \"vulnDiscuss\": \"Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.\\n\\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.\\n\\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, 
workstations, notebook computers, smart phones, and tablets).\",\n \"iaControls\": \"\",\n \"checkContent\": \"Step 1: Verify that an ACL has been applied to the applicable VPN group policy via the vpn-filter attribute as shown in the example below.\\n\\ngroup-policy VPN_POLICY internal\\ngroup-policy VPN_POLICY attributes\\n …\\n …\\n …\\n vpn-filter value RESTRICT_VPN\\n\\nStep 2: Verify that the filter restricts traffic according to organization-defined filtering rules as shown in the example below.\\n\\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.12 eq http \\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.13 eq smtp \\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp \\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp-data \\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.15 eq domain\\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.16 eq sqlnet\\naccess-list RESTRICT_VPN extended deny ip any any log\\n\\nNote: In the example above, assume that the client-assigned IP address pool is 10.10.10.0/24 and the local private network is 192.168.1.0/24.\\n\\nIf the ASA is not configured to restrict VPN traffic according to organization-defined filtering rules, this is a finding.\",\n \"fixText\": \"Step 1: Configure the ACL to restrict VPN traffic.\\n\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.12 eq http\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.13 eq smtp\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. 
host 192.168.1.14 eq ftp-data\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.y host 192.168.1.15 eq domain\\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.16 eq sqlnet\\nASA(config)# access-list RESTRICT_VPN extended deny ip any any log\\nASA(config)# exit \\n\\nStep 2: Apply the VPN filter to the applicable group policy as shown in the example below.\\n\\nASA(config)# group-policy VPN_POLICY attributes \\nASA(config-group-policy)# vpn-filter value RESTRICT_VPN \\nASA(config-group-policy)# end\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023\",\n \"targetKey\": \"5339\",\n \"stigUuid\": \"54b4701f-19a1-4d5b-9497-5be85f995362\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000067\"\n}","results":[{"status":"skipped","code_desc":"","start_time":""}]}],"sha256":"e95afc1669cf34c003d03b654a44be5dec349f78e4054207a38b9692708df7cf"}],"passthrough":{"checklist":{"asset":{"role":"Member Server","assettype":"Computing","hostname":"valid","hostip":"invalid","hostmac":"invalid","hostfqdn":"invalid","marking":"CUI","targetcomment":"","techarea":"Exchange Server","targetkey":"5339","webordatabase":false,"webdbsite":"","webdbinstance":""},"stigs":[{"header":{"version":"1","classification":"UNCLASSIFIED","customname":"","stigid":"Cisco_ASA_FW_STIG","description":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. 
The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","filename":"U_Cisco_ASA_Firewall_STIG_V1R4_Manual-xccdf.xml","releaseinfo":"Release: 4 Benchmark Date: 27 Apr 2023","title":"Cisco ASA Firewall Security Technical Implementation Guide","uuid":"b6a7cb18-6ffe-4a6e-9f44-60d514c98db9","notice":"terms-of-use","source":"STIG.DOD.MIL"},"vulns":[{"status":"Not Reviewed","findingdetails":"","comments":"","severityoverride":"","severityjustification":"","vulnNum":"V-239852","severity":"high","groupTitle":"SRG-NET-000019-FW-000003","ruleId":"SV-239852r665842_rule","ruleVer":"CASA-FW-000010","ruleTitle":"The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.","vulnDiscuss":"Information flow control regulates where information is allowed to travel within a network and between interconnected networks. 
Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.\n\nThe firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.","iaControls":"","checkContent":"Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services.\n\nStep 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below.\n\n interface GigabitEthernet0/0\n nameif INSIDE\n security-level 100\n ip address 10.1.11.1 255.255.255.0\n…\n…\n…\naccess-group INSIDE _IN in interface INSIDE \n\nStep 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below.\n\naccess-list INSIDE _IN extended permit tcp any any eq www \naccess-list INSIDE _IN extended permit tcp any any eq https \naccess-list INSIDE _IN extended permit tcp any any eq …\naccess-list INSIDE _IN extended deny ip any any log\n\nIf the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.","fixText":"Step 1: Configure the ingress ACL similar to the example below.\n\nASA(config)# access-list INSIDE_INextended permit tcp any any eq https\nASA(config)# access-list INSIDE_INextended permit tcp any any eq http\nASA(config)# access-list INSIDE_INextended permit tcp any any eq …\nASA(config)# access-list INSIDE_INextended deny ip any any log \n\nStep 2: Apply the ACL inbound on all internal interfaces as shown in the example below.\n\nASA(config)# access-group INSIDE_IN in interface INSIDE\nASA(config)# 
end","falsePositives":"","falseNegatives":"","documentable":"false","mitigations":"","potentialImpact":"","thirdPartyTools":"","mitigationControl":"","responsibility":"","securityOverrideGuidance":"","checkContentRef":"M","weight":"10.0","class":"Unclass","stigRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023","targetKey":"5339","stigUuid":"54b4701f-19a1-4d5b-9497-5be85f995362","legacyId":"; ","cciRef":"CCI-001414"},{"status":"Not Reviewed","findingdetails":"","comments":"","severityoverride":"","severityjustification":"","vulnNum":"V-239853","severity":"medium","groupTitle":"SRG-NET-000019-FW-000004","ruleId":"SV-239853r665845_rule","ruleVer":"CASA-FW-000020","ruleTitle":"The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.","vulnDiscuss":"Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.","iaControls":"","checkContent":"By default, when you change a rule-based policy such as access rules, the changes become effective immediately. 
With transactional model configured, the rules are not active until after compilation.\n\nReview the ASA configuration and verify that the following command is not configured.\n\nasp rule-engine transactional-commit access-group\n\nIf transactional-commit access-group has been configured, this is a finding.","fixText":"Remove the command asp rule-engine transactional-commit access-group\n\nASA(config)# no asp rule-engine transactional-commit access-group","falsePositives":"","falseNegatives":"","documentable":"false","mitigations":"","potentialImpact":"","thirdPartyTools":"","mitigationControl":"","responsibility":"","securityOverrideGuidance":"","checkContentRef":"M","weight":"10.0","class":"Unclass","stigRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023","targetKey":"5339","stigUuid":"54b4701f-19a1-4d5b-9497-5be85f995362","legacyId":"; ","cciRef":"CCI-001414"},{"status":"Not Reviewed","findingdetails":"","comments":"","severityoverride":"","severityjustification":"","vulnNum":"V-239854","severity":"medium","groupTitle":"SRG-NET-000061-FW-000001","ruleId":"SV-239854r665848_rule","ruleVer":"CASA-FW-000030","ruleTitle":"The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.","vulnDiscuss":"Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components 
(e.g., servers, workstations, notebook computers, smart phones, and tablets).","iaControls":"","checkContent":"Step 1: Verify that an ACL has been applied to the applicable VPN group policy via the vpn-filter attribute as shown in the example below.\n\ngroup-policy VPN_POLICY internal\ngroup-policy VPN_POLICY attributes\n …\n …\n …\n vpn-filter value RESTRICT_VPN\n\nStep 2: Verify that the filter restricts traffic according to organization-defined filtering rules as shown in the example below.\n\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.12 eq http \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.13 eq smtp \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.14 eq ftp-data \naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.15 eq domain\naccess-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.16 eq sqlnet\naccess-list RESTRICT_VPN extended deny ip any any log\n\nNote: In the example above, assume that the client-assigned IP address pool is 10.10.10.0/24 and the local private network is 192.168.1.0/24.\n\nIf the ASA is not configured to restrict VPN traffic according to organization-defined filtering rules, this is a finding.","fixText":"Step 1: Configure the ACL to restrict VPN traffic.\n\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.12 eq http\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.13 eq smtp\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.14 eq ftp\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. 
host 192.168.1.14 eq ftp-data\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255.y host 192.168.1.15 eq domain\nASA(config)# access-list RESTRICT_VPN extended permit tcp 10.0.0.0 255.255.255. host 192.168.1.16 eq sqlnet\nASA(config)# access-list RESTRICT_VPN extended deny ip any any log\nASA(config)# exit \n\nStep 2: Apply the VPN filter to the applicable group policy as shown in the example below.\n\nASA(config)# group-policy VPN_POLICY attributes \nASA(config-group-policy)# vpn-filter value RESTRICT_VPN \nASA(config-group-policy)# end","falsePositives":"","falseNegatives":"","documentable":"false","mitigations":"","potentialImpact":"","thirdPartyTools":"","mitigationControl":"","responsibility":"","securityOverrideGuidance":"","checkContentRef":"M","weight":"10.0","class":"Unclass","stigRef":"Cisco ASA Firewall Security Technical Implementation Guide :: Version 1, Release: 4 Benchmark Date: 27 Apr 2023","targetKey":"5339","stigUuid":"54b4701f-19a1-4d5b-9497-5be85f995362","legacyId":"; ","cciRef":"CCI-000067"}]}]},"metadata":{"vulidmapping":"id","marking":"CUI","hostname":"valid","hostfqdn":"invalid","hostmac":"invalid","hostip":"invalid","targetcomment":"","role":"Member Server","techarea":"Exchange Server","assettype":"Computing","webordatabase":"false","webdbsite":"","webdbinstance":"","profiles":[{"name":"Cisco ASA Firewall Security Technical Implementation Guide","title":"Cisco ASA Firewall Security Technical Implementation Guide","version":1,"releasenumber":4,"releasedate":"27 Apr 2023","showCalendar":false}]}}}
\ No newline at end of file
diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts b/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
index 51f86f05a2..e4839e8a22 100644
--- a/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
@@ -22,6 +22,7 @@ import {
Vulnattribute
} from './checklistJsonix';
import {coerce} from 'semver';
+import {throwIfInvalidProfileMetadata} from './checklist-metadata-utils';
export type ChecklistObject = {
asset: ChecklistAsset;
@@ -31,7 +32,7 @@ export type ChecklistObject = {
type ChecklistAsset = Asset;
-type ChecklistStig = {
+export type ChecklistStig = {
header: StigHeader;
vulns: ChecklistVuln[];
};
@@ -777,6 +778,8 @@ export class ChecklistJsonixConverter extends JsonixIntermediateConverter<
const profileMetadata = metadata?.profiles.find(
(p) => p.name === profile.name
);
+ throwIfInvalidProfileMetadata(profileMetadata);
+
const version = coerce(profile.version);
const header: StigHeader = {
version: _.get(
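Review bot: The new `throwIfInvalidProfileMetadata(profileMetadata)` call receives the result of `metadata?.profiles.find(...)`, which is `undefined` both when no metadata was supplied at all and when no profile entry matches `profile.name` exactly; whether the helper accepts `undefined` or throws on it is not visible in this hunk. If it throws, conversions that previously ran without profile metadata (or with a profile whose name differs from the STIG name) would now fail at this point, and a name mismatch would be reported as invalid metadata rather than as a missing entry. The intended contract should be stated at the call site, e.g. `// undefined (no metadata / no matching profile) is allowed here; only a present-but-malformed entry throws` — or the opposite, if a missing entry is meant to be an error. The enclosing method starts and ends outside the hunk.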
diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
index f768fa48ff..5c6918f968 100644
--- a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
@@ -19,6 +19,7 @@ import {
} from './checklist-jsonix-converter';
import {Checklist} from './checklistJsonix';
import {jsonixMapping} from './jsonixMapping';
+import {throwIfInvalidAssetMetadata} from './checklist-metadata-utils';
enum ImpactMapping {
high = 0.7,
@@ -278,15 +279,19 @@ export class ChecklistResults extends ChecklistJsonixConverter {
constructor(data: string | ExecJSON.Execution, withRaw = false) {
super(jsonixMapping);
this.data = data;
+
if (typeof data === 'string') {
this.jsonixData = super.toJsonix(data);
this.checklistObject = super.toIntermediateObject(this.jsonixData);
+ throwIfInvalidAssetMetadata(this.checklistObject.asset);
} else if (containsChecklist(data)) {
this.checklistObject = getChecklistObjectFromHdf(data);
+ throwIfInvalidAssetMetadata(this.checklistObject.asset);
this.jsonixData = super.fromIntermediateObject(this.checklistObject);
} else {
// CREATE Intermediate Object from HDF
this.checklistObject = super.hdfToIntermediateObject(data);
+ throwIfInvalidAssetMetadata(this.checklistObject.asset);
this.jsonixData = super.fromIntermediateObject(this.checklistObject);
}
this.withRaw = withRaw;
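Review bot: `throwIfInvalidAssetMetadata(this.checklistObject.asset)` is repeated in all three branches of the constructor; every branch assigns `this.checklistObject` before the call, so a single call after the if/else chain would cover them, though in the two HDF branches that would move validation after `fromIntermediateObject`, so the duplication may be deliberate to fail before that conversion runs — if so, a one-line comment such as `// validate before building jsonixData so a malformed asset never reaches the converter` would stop the next reader from folding the three calls together. Separately, the constructor now throws (presumably `InvalidChecklistMetadataException`, defined in checklist-metadata-utils.ts) for malformed asset metadata, so every site constructing `ChecklistResults` must handle that exception instead of receiving a partially built object; that belongs in the constructor's TSDoc, e.g. `@throws InvalidChecklistMetadataException when the checklist asset metadata fails schema validation`. The constructor's closing brace and the enclosing class lie outside the hunk.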
diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-metadata-utils.ts b/libs/hdf-converters/src/ckl-mapper/checklist-metadata-utils.ts
new file mode 100644
index 0000000000..73a17a0f6f
--- /dev/null
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-metadata-utils.ts
@@ -0,0 +1,142 @@
+import {isFQDN, isIP, isMACAddress} from 'validator';
+import {Result} from '../utils/result';
+import {ChecklistMetadata, StigMetadata} from './checklist-jsonix-converter';
+import {Asset, Assettype, Role, Techarea} from './checklistJsonix';
+import * as Revalidator from 'revalidator';
+import _ from 'lodash';
+
+export class InvalidChecklistMetadataException extends Error {}
+
+const assetMetadataSchema: Revalidator.JSONSchema = {
+ properties: {
+ hostfqdn: {
+ type: 'string',
+ // STIG Viewer can autofill the FQDN as the local IP address
+ conform: (fqdn: string) => !fqdn || isFQDN(fqdn) || isIP(fqdn),
+ message: 'Host FQDN'
+ },
+ hostip: {
+ type: 'string',
+ conform: (ip: string) => !ip || isIP(ip),
+ message: 'Host IP'
+ },
+ hostmac: {
+ type: 'string',
+ conform: (mac: string) => !mac || isMACAddress(mac),
+ message: 'Host MAC'
+ },
+ role: {
+ type: 'string',
+ enum: Object.values(Role),
+ message: 'Role'
+ },
+ assettype: {
+ type: 'string',
+ enum: Object.values(Assettype),
+ message: 'Asset Type'
+ },
+ techarea: {
+ type: 'string',
+ enum: Object.values(Techarea),
+ message: 'Tech Area'
+ },
+ webordatabase: {
+ type: 'boolean',
+ message: 'Web or Database STIG'
+ }
+ }
+};
+
+const profileMetadataSchema: Revalidator.JSONSchema = {
+ properties: {
+ version: {
+ type: 'integer',
+ minimum: 0,
+ message: 'Version must be a non-negative integer'
+ },
+ releasenumber: {
+ type: 'integer',
+ minimum: 0,
+ message: 'Release number must be a non-negative integer'
+ },
+ releasedate: {
+ type: 'string',
+ conform: (date: string) => !date || !Number.isNaN(Date.parse(date)),
+ message: 'Release date must be a valid date'
+ }
+ }
+};
+
+export function validateChecklistAssetMetadata(
+ asset: Asset
+): Result {
+ const errors = Revalidator.validate(asset, assetMetadataSchema).errors;
+
+ if (errors.length === 0) return {ok: true, value: true};
+ // formats errors as: invalidField (invalidValue), otherInvalidField (otherValue), ...
+ const invalidFields = errors.map(
+ (e) => `${e.message} (${_.get(asset, e.property)})`
+ );
+ const message = `Invalid checklist metadata fields: ${invalidFields.join(', ')}`;
+ return {ok: false, error: {invalid: errors.map((e) => e.property), message}};
+}
+
+export function validateChecklistProfileMetadata(
+ metadata: StigMetadata
+): Result {
+ const errors = Revalidator.validate(metadata, {
+ ...profileMetadataSchema
+ }).errors;
+
+ if (errors.length === 0) return {ok: true, value: true};
+ // formats errors as: invalidField (invalidValue), otherInvalidField (otherValue), ...
+ const invalidFields = errors.map(
+ (e) => `${e.message} (${_.get(metadata, e.property)})`
+ );
+ const message = `Invalid checklist profile metadata fields: ${invalidFields.join(', ')}`;
+ return {ok: false, error: {invalid: errors.map((e) => e.property), message}};
+}
+
+export function validateChecklistMetadata(
+ metadata: ChecklistMetadata
+): Result {
+ let invalid: string[] = [];
+ const messages: string[] = [];
+ const assetResult = validateChecklistAssetMetadata({
+ ...metadata,
+ webordatabase: metadata.webdbinstance === 'true',
+ targetkey: null
+ });
+ if (!assetResult.ok) {
+ invalid = invalid.concat(assetResult.error.invalid);
+ messages.push(assetResult.error.message);
+ }
+
+ for (const profile of metadata.profiles) {
+ const profileResult = validateChecklistProfileMetadata(profile);
+ if (!profileResult.ok) {
+ invalid = invalid.concat(profileResult.error.invalid);
+ messages.push(`Profile ${profile.name}: ${profileResult.error.message}`);
+ }
+ }
+
+ if (invalid.length === 0) return {ok: true, value: true};
+
+ const message = messages.join(', ');
+ return {ok: false, error: {invalid, message}};
+}
+
+export function throwIfInvalidProfileMetadata(profileMetadata?: StigMetadata) {
+ if (profileMetadata) {
+ const results = validateChecklistProfileMetadata(profileMetadata);
+ if (!results.ok) {
+ throw new InvalidChecklistMetadataException(results.error.message);
+ }
+ }
+}
+
+export function throwIfInvalidAssetMetadata(metadata: Asset) {
+ const result = validateChecklistAssetMetadata(metadata);
+ if (!result.ok)
+ throw new InvalidChecklistMetadataException(result.error.message);
+}
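Review bot: `validateChecklistAssetMetadata` and `validateChecklistProfileMetadata` interpolate the rejected input value verbatim into the error message (`${e.message} (${_.get(asset, e.property)})`), and that string is thrown from the `ChecklistResults` constructor and handed to whoever logs or displays it; since the value comes straight from the parsed checklist, quoting and bounding it, e.g. `${e.message} (${JSON.stringify(String(_.get(asset, e.property)).slice(0, 64))})`, keeps an oversized or oddly formatted field from dominating log lines or UI text. None of the exported functions carry TSDoc; `throwIfInvalidAssetMetadata` and `throwIfInvalidProfileMetadata` in particular want a `@throws InvalidChecklistMetadataException` line, and the latter should state that an `undefined` argument is skipped rather than rejected. The `{...profileMetadataSchema}` spread passed to `Revalidator.validate` is a shallow copy with no effect and can simply be `profileMetadataSchema`. In `validateChecklistMetadata`, profile property names (`version`, `releasenumber`, `releasedate`) are merged into the same `invalid` list as asset fields without any profile identifier, so a caller reading `invalid` alone cannot tell which profile failed; the message carries `profile.name`, but the structured field does not.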
diff --git a/libs/hdf-converters/src/utils/result.ts b/libs/hdf-converters/src/utils/result.ts
new file mode 100644
index 0000000000..daccb6b4c7
--- /dev/null
+++ b/libs/hdf-converters/src/utils/result.ts
@@ -0,0 +1 @@
+export type Result = {ok: true; value: T} | {ok: false; error: E};
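Review bot: `Result` references type parameters `T` and `E` that are not declared on the visible line; if the `<T, E>` parameter list was lost in rendering, disregard this, otherwise the alias does not compile. The callers in checklist-metadata-utils.ts use bare `Result`, which implies defaults (`value: true` on success and `error: {invalid: string[]; message: string}` on failure); a TSDoc line on the export such as `/** Validation outcome: `value` on success, a structured `error` describing the failed fields otherwise. */` would make that contract visible at the definition.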
diff --git a/libs/hdf-converters/test/mappers/forward/checklist_mapper.spec.ts b/libs/hdf-converters/test/mappers/forward/checklist_mapper.spec.ts
index 13367359b6..5ca4917d36 100644
--- a/libs/hdf-converters/test/mappers/forward/checklist_mapper.spec.ts
+++ b/libs/hdf-converters/test/mappers/forward/checklist_mapper.spec.ts
@@ -1,6 +1,7 @@
import fs from 'fs';
import {ChecklistResults} from '../../../src/ckl-mapper/checklist-mapper';
import {omitVersions} from '../../utils';
+import {InvalidChecklistMetadataException} from '../../../src/ckl-mapper/checklist-metadata-utils';
describe('checklist_mapper_single_stig', () => {
it('Successfully converts Checklists', () => {
@@ -141,3 +142,16 @@ describe('checklist_intermediate_object', () => {
);
});
});
+
+describe('checklist_with_invalid_metadata', () => {
+ // ensures that checklist metadata is being validated
+ it('Throws InvalidChecklistFormatException when trying to convert checklist with invalid metadata', () => {
+ const fileContents = fs.readFileSync(
+ 'sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.ckl',
+ {encoding: 'utf-8'}
+ );
+ expect(() => new ChecklistResults(fileContents)).toThrowError(
+ InvalidChecklistMetadataException
+ );
+ });
+});
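Review bot: The test title says `Throws InvalidChecklistFormatException` while the assertion expects `InvalidChecklistMetadataException`, so a failure report would name an exception that does not exist in this change; rename it to `'Throws InvalidChecklistMetadataException when converting a checklist with invalid metadata'`. The same mismatch is in the reverse-mapper spec added below in this commit (`hdf_profile_with_invalid_metadata`). The comment `// ensures that checklist metadata is being validated` would be more useful if it named which field in `invalid_metadata.ckl` is malformed, since that is what makes the test meaningful if the fixture is ever regenerated.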
diff --git a/libs/hdf-converters/test/mappers/reverse/checklist_reverse_mapper.spec.ts b/libs/hdf-converters/test/mappers/reverse/checklist_reverse_mapper.spec.ts
index c0930c2a8c..d5632d54f7 100644
--- a/libs/hdf-converters/test/mappers/reverse/checklist_reverse_mapper.spec.ts
+++ b/libs/hdf-converters/test/mappers/reverse/checklist_reverse_mapper.spec.ts
@@ -1,6 +1,7 @@
import fs from 'fs';
import {ChecklistResults} from '../../../src/ckl-mapper/checklist-mapper';
import {version as hdfConvertersVersion} from '../../../package.json';
+import {InvalidChecklistMetadataException} from '../../../src/ckl-mapper/checklist-metadata-utils';
describe('previously_checklist_converted_hdf_to_checklist', () => {
it('Successfully converts HDF to Checklist', () => {
@@ -117,3 +118,18 @@ describe('Small RHEL8 HDF file', () => {
);
});
});
+
+describe('hdf_profile_with_invalid_metadata', () => {
+ it('Throws InvalidChecklistFormatException when trying to convert to checklist with invalid metadata', () => {
+ // ensures that checklist metadata is being validated
+ const fileContents = JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/checklist_mapper/sample_input_report/invalid_metadata.json',
+ {encoding: 'utf-8'}
+ )
+ );
+ expect(() => new ChecklistResults(fileContents)).toThrowError(
+ InvalidChecklistMetadataException
+ );
+ });
+});
diff --git a/yarn.lock b/yarn.lock
index 644e9e5f81..8985ae44b3 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5109,6 +5109,11 @@
resolved "https://registry.npmjs.org/@types/retry/-/retry-0.12.0.tgz#2b35eccfcee7d38cd72ad99232fbd58bffb3c84d"
integrity sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==
+"@types/revalidator@^0.3.12":
+ version "0.3.12"
+ resolved "https://registry.yarnpkg.com/@types/revalidator/-/revalidator-0.3.12.tgz#fe6f6f9479fa2619a3352a02aa6ad102216c37a8"
+ integrity sha512-DsA2jHfz73JaIROVoMDd/x7nVWXBmEdDSoXB4yQlDzv/NCBkFY2fMHkyE6DGrvooLDAFe5QI6l9Wq0TgdopMtg==
+
"@types/sanitize-html@^2.3.1":
version "2.11.0"
resolved "https://registry.npmjs.org/@types/sanitize-html/-/sanitize-html-2.11.0.tgz#582d8c72215c0228e3af2be136e40e0b531addf2"
@@ -5233,7 +5238,7 @@
resolved "https://registry.yarnpkg.com/@types/uuid/-/uuid-10.0.0.tgz#e9c07fe50da0f53dc24970cca94d619ff03f6f6d"
integrity sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==
-"@types/validator@*", "@types/validator@^13.0.0", "@types/validator@^13.11.8", "@types/validator@^13.7.17":
+"@types/validator@*", "@types/validator@^13.0.0", "@types/validator@^13.11.8", "@types/validator@^13.12.0", "@types/validator@^13.7.17":
version "13.12.0"
resolved "https://registry.yarnpkg.com/@types/validator/-/validator-13.12.0.tgz#1fe4c3ae9de5cf5193ce64717c99ef2fa7d8756f"
integrity sha512-nH45Lk7oPIJ1RVOF6JgFI6Dy0QpHEzq4QecZhvguxYPDwT8c93prCMqAtiIttm39voZ+DDR+qkNnMpJmMBRqag==
@@ -17974,6 +17979,11 @@ reusify@^1.0.4:
resolved "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz#90da382b1e126efc02146e90845a88db12925d76"
integrity sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==
+revalidator@^0.3.1:
+ version "0.3.1"
+ resolved "https://registry.yarnpkg.com/revalidator/-/revalidator-0.3.1.tgz#ff2cc4cf7cc7c6385ac710178276e6dbcd03762f"
+ integrity sha512-orq+Nw+V5pDpQwGEuN2n1AgJ+0A8WqhFHKt5KgkxfAowUKgO1CWV32IR3TNB4g9/FX3gJt9qBJO8DYlwonnB0Q==
+
rfdc@^1.3.0:
version "1.3.1"
resolved "https://registry.npmjs.org/rfdc/-/rfdc-1.3.1.tgz#2b6d4df52dffe8bb346992a10ea9451f24373a8f"
@@ -20415,10 +20425,10 @@ validate-npm-package-name@^3.0.0:
dependencies:
builtins "^1.0.3"
-validator@^13.9.0:
- version "13.11.0"
- resolved "https://registry.npmjs.org/validator/-/validator-13.11.0.tgz#23ab3fd59290c61248364eabf4067f04955fbb1b"
- integrity sha512-Ii+sehpSfZy+At5nPdnyMhx78fEoPDkR2XW/zimHEL3MyGJQOCQ7WeP20jPYRz7ZCpcKLB21NxuXHF3bxjStBQ==
+validator@^13.12.0, validator@^13.9.0:
+ version "13.12.0"
+ resolved "https://registry.npmjs.org/validator/-/validator-13.12.0.tgz#7d78e76ba85504da3fee4fd1922b385914d4b35f"
+ integrity sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==
value-or-promise@1.0.11:
version "1.0.11"