Discuss the use of STIG field Rule ID as InSpec Control id #218

Closed
rx294 opened this issue Feb 18, 2021 · 7 comments · Fixed by #229
@rx294
Collaborator

rx294 commented Feb 18, 2021

The intent of the issue is to discuss the use of STIG field Rule ID as InSpec Control id rather than Vul Id that it is currently using.

  1. Discuss the implication/benefits of the change.
  2. Understand the scope of updates that have to be made to the toolset and profiles.
  3. Plan and create sub-tickets to update the elements.
  4. Strategize communication to users of the profiles and toolset about the update.

Notes from meeting with RMO re the STIG Data fields.

Vul ID: This field will be deprecated in the near future. It is a remnant of the now retired VMS.

STIG ID: This is not of a stable format and can be modified at any release.

Rule ID: This is the stable identifier to go with, since it relates to a database index of how the STIG is stored.
Legacy Rule IDs are of the format SV-86473r2_rule and the new format is SV-204392r505924_rule.
The part of the Rule ID before the r will be stable across revisions/versions,
i.e. SV-86473 will be identical across generations of the same STIG.
However, the Rule ID will be different from the RHEL7 to the RHEL8 STIG.
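
An added example (not part of the comment above and not inspec_tools code) of keying controls on the stable part of the Rule ID and comparing two releases of the same STIG. The pattern is an assumption derived from the two sample IDs in the comment; the function names and the release lists are hypothetical and constructed.

```ruby
# Assumed shape, taken from the two IDs quoted in the issue:
#   SV-86473r2_rule (legacy) and SV-204392r505924_rule (new)
RULE_ID = /\A(?<stable>SV-\d+)r(?<revision>\d+)_rule\z/

# Split a Rule ID into the stable prefix (before the "r") and the revision.
def parse_rule_id(rule_id)
  m = RULE_ID.match(rule_id.to_s.strip)
  raise ArgumentError, "not a Rule ID: #{rule_id.inspect}" unless m

  { stable: m[:stable], revision: m[:revision] }
end

# Index one release by stable prefix. Two rules sharing a prefix would make
# the prefix unusable as a control id, so that case is rejected outright.
def index_by_stable(rule_ids)
  rule_ids.each_with_object({}) do |rid, idx|
    stable = parse_rule_id(rid)[:stable]
    raise ArgumentError, "duplicate stable id #{stable}" if idx.key?(stable)

    idx[stable] = rid
  end
end

# Compare two releases of the same STIG, keyed on the stable prefix.
def diff_releases(old_ids, new_ids)
  old_idx = index_by_stable(old_ids)
  new_idx = index_by_stable(new_ids)
  common  = old_idx.keys & new_idx.keys
  {
    unchanged: common.select { |k| old_idx[k] == new_idx[k] },
    revised:   common.reject { |k| old_idx[k] == new_idx[k] },
    added:     new_idx.keys - old_idx.keys,
    removed:   old_idx.keys - new_idx.keys
  }
end

# Constructed sample releases, not taken from a published STIG.
OLD_RELEASE = %w[SV-86473r2_rule SV-86475r1_rule SV-86477r3_rule].freeze
NEW_RELEASE = %w[SV-86473r3_rule SV-86475r1_rule SV-86479r1_rule].freeze

if __FILE__ == $PROGRAM_NAME
  diff_releases(OLD_RELEASE, NEW_RELEASE).each { |k, v| puts "#{k}: #{v.join(', ')}" }
end
```

A control whose id is the stable prefix keeps its identity when only the revision changes, so the `revised` bucket is the set of controls to re-review rather than re-create.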

@rbclark
Collaborator

rbclark commented Feb 18, 2021

See also #135

@ksharper

We discussed this from a Cerner perspective during our sync with MITRE. We agree the first half of the rule id, prior to the 'r', appears to be the best option for a consistent unique identifier. For our profiles, we've identified two changes we need to make:

@ejaronne
Contributor

We should ensure that the cerner/inspec_delta can update the control ids cited in overlays.

@ejaronne
Contributor

And, to one-up Rony, include 2 new tags in InSpec profiles:
"legacy_gid", and "legacy_rid"
I plan to propose a Heimdall slider "Display Legacy ID" to display the old V- next to the new rid, so folks know that the finding they got before is essentially the same as the one they see now.

@ksharper

Some thoughts on a conversion process to the proposed naming standard above. Three things come to mind that would need to be changed when converting:

  • Control file names would need to be renamed.
  • Control names would need to be renamed.
  • References to old control name conventions (such as in wrappers) would need to be updated.

Anything I'm missing?

@rlakey

rlakey commented Apr 12, 2021

This only accounts for officially published STIGs. What about content that vendors or users create based on SRGs that may never get published by DISA? We've been using our own STIG IDs as the control ID.

@rbclark
Collaborator

rbclark commented May 3, 2021

Based on some offline discussion, it seems that the best course of action here (for inspec_tools at least) is to create a flag for each of the inspec_tools converters which chooses the mode of conversion (either Vul Id or Rule Id mode) and, based on the mode specified, will use that field as the primary identifier when generating an InSpec profile. @rlakey I believe that would address your concerns?
