ConfigOS Classic Checklist Workflow

This article walks through the best-practice SteelCloud CKL workflow: what ‘prepopulated’ (prepop) checklists (CKLs) are and how to construct them, how to associate them with SteelCloud STIG signature policy files, how the Control Coverage documents are relevant, and how to export the machine-generated (via ConfigOS) data, including the manual data (from the prepop CKLs), into various formats: fully populated CKLs, JSON files (for SIEM/Splunk/Xacta), and ARF/ASR files (for eMASS).

 

Some controls cannot be automated, make no sense to automate, or cannot yet be automated by our tool. We list the controls we do not cover in our Coverage Documents (the spreadsheets we release with our signatures). To account for those controls in reporting, we currently use STIGViewer .ckl files. Reporting can go through .ckl, eMASS, Xacta, or a log aggregator and/or dashboarding tool such as Splunk via our JSONs (which can also include the information from the prepopulated .ckls, meaning fully complete STIGs for every endpoint).

 

 

Our 2.8.6 Reference Guide covers the STIGViewer side of ckls on page 63.

Page 24: Assign the location bulk ckls are generated.

Page 44: Assign a checklist within a container for bulk ckl generation.

Page 50: Description of how to generate bulk ckls.

Page 62: How to generate an ad-hoc ckl.

We’re working on creating additional training videos to show examples of this process.

 

Manual checks, that is, checks that cannot be automated at all, require working with STIGViewer to create a prepopulated checklist. This .ckl is populated with the results of the manual checks, which you perform as the STIG directs; the results can often apply to multiple machines, such as servers in a rack. You then associate the ‘prepop’ .ckl with the signature in Command Center.

You can generate a ‘prepop’ .ckl following a relatively straightforward procedure:

  1. Create a blank STIGViewer Checklist .ckl file for the relevant STIG

  2. Scan a machine with the relevant STIG signature

  3. Merge the results of the scan with the blank .ckl to create a ‘merged’ .ckl (while preserving the blank .ckl)

  4. Open both the blank and ‘merged’ .ckls as separate tabs in STIGViewer and fill in each control on the blank .ckl that is listed as ‘Not Reviewed’ on the ‘merged’ .ckl that has the scan output (you want the prepop/once-blank ckl to be the inverse of the merged ckl with regard to controls with the ‘Not Reviewed’ status)

  5. Save your previously-blank .ckl as a ‘prepop’ .ckl

  6. In order to get your ckls, navigate to your tree

  7. Highlight the machines for which you would like to generate a merged ckl (shift click, or control click to select multiple endpoints at once)

  8. Click the ‘export’ drop down, and select the ‘export checklists’ option (mine is greyed out because I don’t have prepops assigned to the 3 endpoints selected)

  9. And then navigate to the following directory (as an example, this is a fairly default location):
    C:\Users\Public\Documents\SteelCloud\ConfigOS Command Center\Preferences\Reports\Endpoint Reports\<IP_UUID>\Checklists\

Please ensure that you do not have any mismatched STIG and signature versions. I suggest you try one at a time before trying the bulk.

For controls that have ‘manual review required’, you’ll typically need someone who can determine whether certain accounts should have the privileges they have, or should be members of particular groups, etc. Copy the output (‘Current Value’ field) in the report (I recommend an html report for best copy/paste compatibility) into the ‘Value’ field in Foundry for that specific control in that specific signature, and have the person who can determine the validity of group memberships sign off in the comments with something along the lines of ‘these <results> are valid, John Smith, Administrator, extension x1010’.

 

 

This is where you will need to assign the ckls:

In order to get your bulk-generated merged ckls, JSONs, and/or eMASS formatted files, please navigate to your tree:

Highlight the machines for which you would like to generate a merged ckl, JSONs, or asr/arf files (shift click, or control click to select multiple endpoints at once):

and hit this dropdown (it will be greyed out if they don’t have ‘pre-populated checklists’ assigned as above):

And for JSONs (these can also be automatically generated on-scan/on-remediation):

 

And for CKLs, click the ‘export’ drop down, and select the ‘export checklists’ option:

(these are greyed out because there are no ckls associated with each of the selected endpoints):

And then navigate to the following directory (as an example, this is the default location - this location can be managed in the Preferences tab within Command Center):
C:\Users\Public\Documents\SteelCloud\ConfigOS Command Center\Preferences\Reports\Endpoint Reports\<IP_UUID>\Checklists\

And you should find your bulk-generated ckls!

 

Below is a table I’m using as a guide for how to populate the prepop, and associated pictures for STIGViewer 3:

| Previously Completed Scan/Checklist | New Pre-Populated Checklist |
| --- | --- |
| Grey Box with White Circle Filled in Grey / Not Reviewed | Fill with data relevant to your environment/manual checks (should be any status other than ‘Not Reviewed’) |
| Green Box with Checkmark / Not a Finding | Leave empty; Command Center will populate these and if they’re present in the prepop Command Center will not make any changes to the status or information |
| Red Box with Exclamation Point / Open | Leave empty; Command Center will populate these and if they’re present in the prepop Command Center will not make any changes to the status or information |
| Black box with struck circle / Not Applicable aka N/A | Not relevant as Command Center won’t populate this status |

If in the Command Center export there is something present, don’t fill it out in the prepop. If in the Command Center export there is nothing present, aka ‘Not Reviewed’, fill in the relevant data in the prepop.
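The rule above can be checked mechanically before a prepop is assigned. The following is an added example, not SteelCloud's code: it compares a merged .ckl with a prepop .ckl and reports every control where the prepop is not the inverse of the merged file. It assumes the STIG Viewer .ckl XML layout (`VULN`, `STIG_DATA`, `STATUS` elements) and treats ‘empty’ as status `Not_Reviewed`; the function names and the V-000x IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NOT_REVIEWED = "Not_Reviewed"
SCAN_STATUSES = {"Open", "NotAFinding"}  # statuses the scan export fills in

def load_statuses(ckl_xml):
    """Map Vuln_Num -> STATUS for every VULN element in a .ckl document."""
    statuses = {}
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        vuln_num = None
        for data in vuln.findall("STIG_DATA"):
            if data.findtext("VULN_ATTRIBUTE") == "Vuln_Num":
                vuln_num = data.findtext("ATTRIBUTE_DATA")
        if vuln_num:
            statuses[vuln_num] = vuln.findtext("STATUS", default=NOT_REVIEWED)
    return statuses

def check_prepop(merged_xml, prepop_xml):
    """Return (vuln_num, problem) pairs where the prepop is not the inverse of the merged .ckl."""
    merged, prepop = load_statuses(merged_xml), load_statuses(prepop_xml)
    problems = []
    for vuln_num in sorted(set(merged) | set(prepop)):
        if vuln_num not in merged or vuln_num not in prepop:
            problems.append((vuln_num, "control missing from one checklist (version mismatch?)"))
        elif merged[vuln_num] == NOT_REVIEWED and prepop[vuln_num] == NOT_REVIEWED:
            problems.append((vuln_num, "manual check not filled in"))
        elif merged[vuln_num] in SCAN_STATUSES and prepop[vuln_num] != NOT_REVIEWED:
            problems.append((vuln_num, "covered by scan, leave empty in prepop"))
    return problems

def build_ckl(status_by_vuln):
    """Build a minimal constructed .ckl document (demo data only)."""
    vulns = "".join(
        f"<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>"
        f"<ATTRIBUTE_DATA>{v}</ATTRIBUTE_DATA></STIG_DATA><STATUS>{s}</STATUS></VULN>"
        for v, s in status_by_vuln.items())
    return f"<CHECKLIST><STIGS><iSTIG>{vulns}</iSTIG></STIGS></CHECKLIST>"

# Constructed sample data: V-0001..V-0005 are made-up control IDs.
MERGED = build_ckl({"V-0001": "NotAFinding", "V-0002": "Open",
                    "V-0003": "Not_Reviewed", "V-0004": "Not_Reviewed"})
PREPOP = build_ckl({"V-0001": "Not_Reviewed", "V-0002": "NotAFinding",
                    "V-0003": "Not_Reviewed", "V-0004": "Not_Applicable", "V-0005": "Open"})

if __name__ == "__main__":
    for vuln_num, problem in check_prepop(MERGED, PREPOP):
        print(f"{vuln_num}: {problem}")
```

To run it against real files, read each .ckl from disk and pass its contents to `check_prepop`.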
