Dedupe NIST tags for 2inspec tools

[rlakey]

STIG controls with multiple SRG IDs and therefore multiple CCIs often reference the same NIST control family. When running for example xccdf2inspec and this scenario occurs there will be multiple NIST tags that are the same.

For example:

  tag severity: 'medium'
  tag gtitle: 'SRG-OS-000004-GPOS-00004'
  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089',
'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091',
'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
  tag gid: 'V-205625'
  tag rid: 'SV-205625r569188_rule'
  tag stig_id: 'WN19-AU-000100'
  tag fix_id: 'F-5890r354794_fix'
  tag cci: ['CCI-000018', 'CCI-001403', 'CCI-001405', 'CCI-001404',
'CCI-002130', 'CCI-000172']
  tag legacy: ['SV-103067', 'V-92979']
  tag nist: ['AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AU-12
c"]

[rbclark]

@ejaronne Do you have any input on this? I believe I mentioned this to you at one point and you suggested leaving the duplicates for conversion back to xccdf but I could be misremembering the conversation.

[ejaronne]

This is intended to emulate exactly the related controls from the DISA STIG itself. It is not a duplication. In this case, multiple CCI's support different aspects of AC-2(4), as shown in the DISA STIG Viewer:

[aaronlippold]

However, the other thing I would not hear is that since we don’t actually keep the relationship intact There really isn’t any need to have multiple data elements in the array. We ever needed to find the association we could look at the XML and the CCI to find out which 853 control it belongs to

On Tue, Nov 23, 2021 at 6:41 PM Eugene Aronne ***@***.***> wrote: This is intended to emulate exactly the related controls from the DISA STIG itself. It is not a duplication. In this case, multiple CCI's support different aspects of AC-2(4), as shown in the DISA STIG Viewer: [image: image] <https://user-images.githubusercontent.com/34140975/143145961-8bfdbe59-6305-493d-8a4f-1488db0b9246.png> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <mitre/saf#93>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42FSQDYJXWM4HAP5IX3UNQRCZANCNFSM5FTYIMZA> .

-- -------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

[rlakey]

Just wanted to bring this back up. I believe it still is a duplication of data. STIG Viewer displays this data differently as it shows each CCI and it's corresponding NIST control family where as in InSpec these are separate lists with no relation of CCI to NIST and should be deduped.

The NIST data isn't even in the XCCDF so converting back and forth should not be a concern. STIG Viewer is adding that data based on CCI and so are all of the MITRE tools.

[aaronlippold]

Yes, I think we can and a uniq to the cci and nist tag generator