Documentation Question / Integration with Evaluate STIG

[jeremyatourville]

A new version of Evaluate STIG is available and it now integrates with STIG Manager by allowing the data to be automatically uploaded.

See references here:
https://spork.navsea.navy.mil/nswc-crane-division/evaluate-stig/-/releases

Where are the options for ?:

• STIGManagerKey
• STIGManagerPassphrase

Where are these set within the STIG Manager application?

It sounds like these are references to certificates..... but I could be wrong. Any suggestions here? Thanks!

[Zachary-Lemoine]

That's a question that should be geared towards them. STIG Manager being an API means that it's meant to be interfaced to by outside applications, and how those applications choose to do it is up to them. With that said I had my own personal interest in this and tackled it myself. Make sure you review the JWT creation process to create a token (there's a link to a youtube video detailing this in the STIGMAN Watcher repository's wiki. The options in KeyCloak shifted around a bit since then, but ultimately all you have to do is enable authentication, disable authorization and only select service accounts). Note that your account name for grants will be service-account-<client-id> With that out of the way,

They're defined within the preferences.xml file which is now bundled with Evaluate-STIG. The STIGManagerKey references a key defined within the Preferences File. That key has attributes that define what API to access, where to authenticate against, who to authenticate as, and with what certificate you'll present for authentication. Finally, it allows you to define what collection you'll import into. Below is what one of my entries looks like:

<STIGManagerKey Name="DEFAULT">
	<SMImport_API_BASE>https://my.stig.manager.mil/api</SMImport_API_BASE>
	<SMImport_AUTHORITY>https://my.stig.manager.mil/kc/realms/stigman</SMImport_AUTHORITY>
	<SMImport_CLIENT_ID>evaluate-stig</SMImport_CLIENT_ID>
	<SMImport_CLIENT_PEM>evaluate-stig-client.pem</SMImport_CLIENT_PEM>
	<SMImport_CLIENT_KEY></SMImport_CLIENT_KEY>
	<SMImport_COLLECTION>11</SMImport_COLLECTION>
</STIGManagerKey>

Going back to the above for a second, within STIG Manager itself, I've given service-account-evaluate-stig the manage privilege on collection 11. This service account won't appear as a user within KeyCloak, but rather, must be explicitly referenced inside the application itself.

Note that "SMImport_CLIENT_KEY" expects a private key file to be present. I haven't been able to get that function to work properly. If you instead export the .p12 JWT token and then run "openssl pksc12 -in myCertificate.p12 -out myUnsafeUnencryptedCertificate.pem -nodes", you'll be able to get your configuration working by leaving CLIENT_KEY as null and then referencing "myUnsafeUnencryptedCertificate.pem" for your CLIENT_PEM attribute.

When running Evaluate-STIG, for the configuration above, you would use ".\Evaluate-STIG.ps1 -ComputerList $myServers -STIGManager". Since the key above is named default, it is assumed that the key is what you use. In my example, 11 is my "test" collection I used for setting this up. Yours will obviously vary. If you want to import to different collections, you could create different keys. Example:

<STIGManagerKey Name="Web">
	<SMImport_API_BASE>https://my.stig.manager.mil/api</SMImport_API_BASE>
	<SMImport_AUTHORITY>https://my.stig.manager.mil/kc/realms/stigman</SMImport_AUTHORITY>
	<SMImport_CLIENT_ID>evaluate-stig</SMImport_CLIENT_ID>
	<SMImport_CLIENT_PEM>evaluate-stig-client.pem</SMImport_CLIENT_PEM>
	<SMImport_CLIENT_KEY></SMImport_CLIENT_KEY>
	<SMImport_COLLECTION>12</SMImport_COLLECTION>
</STIGManagerKey>
<STIGManagerKey Name="DB">
	<SMImport_API_BASE>https://my.stig.manager.mil/api</SMImport_API_BASE>
	<SMImport_AUTHORITY>https://my.stig.manager.mil/kc/realms/stigman</SMImport_AUTHORITY>
	<SMImport_CLIENT_ID>evaluate-stig</SMImport_CLIENT_ID>
	<SMImport_CLIENT_PEM>evaluate-stig-client.pem</SMImport_CLIENT_PEM>
	<SMImport_CLIENT_KEY></SMImport_CLIENT_KEY>
	<SMImport_COLLECTION>13</SMImport_COLLECTION>
</STIGManagerKey>

With those two keys defined, I could do something like this:

.\Evaluate-STIG.ps1 -ComputerList $myDatabaseServers -STIGManager -SelectSTIG SQL2014DB,SQL2014Instance -STIGManagerKey DB
.\Evaluate-STIG.ps1 -ComputerList $myWebServers -STIGManager -SelectSTIG IIS85Site,IIS85Server -STIGManagerKey Web

For STIGManagerPassphrase, it's used to decrypt a private key presented to it in the Client_Key section. Unfortunately, I have not been able to get it to work. The STIGMaster module it is called from generates the certificate like so:

  if ($SMImport_CLIENT_KEY){
    $SMImport_PASSPHRASE = ConvertFrom-SecureString $SMImport_CLIENT_KEY_PASSPHRASE -AsPlainText
    $cert = [system.security.Cryptography.X509Certificates.X509Certificate2]::CreateFromEncryptedPemFile($SMImport_CLIENT_PEM, $SMImport_PASSPHRASE, $SMImport_CLIENT_KEY)
  }
  else{
    $cert = [system.security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($SMImport_CLIENT_PEM)
  }

The method it calls from appears to be exclusive to PowerShell 7 (which explains the requirement for it in EvaluateSTIG). If I run the following:

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile("E:\Evaluate-STIG\Certificates\insecureCert.pem")
$cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromEncryptedPemFile("E:\Evaluate-STIG\Certificates\cert.pem","1234","E:\Evaluate-STIG\certificates\key.pem")

Both certificates return as being identical to each other, but if I attempt to use cert.pem with key.pem and my highly confidential passphrase of 1234, it fails, whereas if I just use insecureCert.pem, it works. I'm not sure if I'm missing something obvious or if this is a bug, but I'm currently forced to use a raw, unencrypted private key. I've tried with both PowerShell 7.3.3 and 7.3.6 but no luck.

[jeremyatourville]

@ZacharyLemoine I greatly appreciate the response!

That's a question that should be geared towards them.

I had considered that and wasn't exactly sure which way to go on this. It seemed like a 50/50 proposition to me at first glance and I guessed wrong. All that said, I especially appreciate you clarifying the subject for me and giving some solid examples of what you did to make it work.

Also, you did confirm for me, that both items are related to various certificate configurations. Thanks!

[Zachary-Lemoine]

No worries. I didn't realize how butchered my comment originally was, so I updated it with some code tags. It should be much more readable now. And either way, Evaluate-STIG's documentation on the matter is lacking. There's minor references as to what to include in the preferences file itself, but it isn't super clear what it expects. It says it expects a public key for the client PEM, but I presented an entire certificate to it instead to get it working, for example.

[cd-rite]

Hi @ZacharyLemoine Thanks for helping @jeremyatourville out!
As you said, our API doesn't care whether it's our own clients are 3rd-party ones that talk to it, as long as their access token is proper. How they get that token is up to them and their OIDC provider!

We do have contact with the Eval STIG team, but I don't use the tool myself so I'm not familiar with its intricacies.

I created issue 1185 on their Navy Spork Repo asking them to add a bit more guidance on the new feature, and referencing this discussion.

@ZacharyLemoine If you have access to Spork, you might want to create an issue yourself about the encrypted cert and private key issues you mentioned!

Thanks again!