Skip to content
cd-rite edited this page Feb 12, 2023 · 15 revisions

STIG Manager Watcher

A STIG Manager CLI client that watches a path for test result files formatted as CKL or XCCDF and posts the results to a Collection.

The client is suitable for use as a service or daemon, as a scheduled task, in automated testing pipelines, or from the command line. Test result files discovered on the path and sub-paths are parsed and the parsed content is pushed to a timed cargo queue. If configured to do so, the queue worker creates new Assets as needed and updates STIG assignments. Reviews from the result files are then posted to the corresponding Asset.

Behavior Defined by STIG Manager API Collection Settings

STIGMan Watcher fetches the Collection settings and it's own User information from the STIG Manager instance it is posting to, and adjusts its behavior accordingly.

  • Where possible, STIGMan Watcher will use the Collection settings that specify requirements for Reviews to ensure it posts Reviews that will not be rejected.
  • Watcher can automatically mark Reviews as Accepted if those statuses are being used in the Collection and it's user has the proper Grant.
  • STIGMan Watcher complies with the Import Options specified in the Collection. If Import Options are not specified, it will use the same default behaviors that the UI uses. For more information on this behavior, check the STIG Manager Documentation.

Requirements

  • Node.js 14+ and npm, if Watcher is run from source or as a global npm module
  • An OIDC Provider supporting the Client Credentials Flow which issues tokens scoped for the STIG Manager API.
  • STIG Manager API with a Collection grant of "Manage" for the client

See Requirements and Configuration for additional guidance on how to configure STIG Manager and Keycloak (as your OIDC Provider).

Installation and Usage

You can install Watcher using one of these methods:

Copy a Release binary to a destination of your choice and execute

$ ./stigman-watcher-linuxstatic [options]

or

C:/> stigman-watcher-win.exe [options]

Install globally via NPM and run the module

$ npm install --global stigman-watcher
$ stigman-watcher [options]

Clone this repo and run the source code

$ git clone https://github.com/NUWCDIVNPT/stigman-watcher.git
$ node index.js [options]

Options

Options can be set from the command line, from environment variables prefixed by WATCHER_, or from the contents of an .env file in the current directory.

The --mode option configures the strategy used by STIG Manager Watcher to discover files. See MODES for a discussion of the supported modes.

Key Configuration Options

STIGMan Watcher has many configuration options, but most deployments will find it useful to specify at least the following:

  • mode - Should Watcher periodically scan the directory, or monitor it for events? See MODES for more info
  • client-id - How Watcher will identify itself to Keycloak and the STIGMan API
  • collection-id - The ID of the Collection to post Reviews to.
  • path - The path to the directory Watcher will monitor for new results files.
  • authority - Keycloak
  • api - The location of the STIGManager API that Watcher will post results to.
  • history-file - A text file containing a record of the files Watcher has already imported. If not specified, Watcher may re-import files.
  • log-file - Where to store Watcher's comprehensive log file.

See OPTIONS for a list of all options and what they accomplish.

Example

$ stigman-watcher \
  --mode events
  --client-id stigman-watcher \
  --collection-id 1 \
  --path /my/path/to/results \
  --authority https://keycloak-host/auth/realms/stigman \
  --api https://stigman-api/api

Unless --one-shot is provided, the utility remains active and watches for test result files under the given path. To stop execution, send the process the SIGINT signal. If running interactivey, you can type Ctrl-C to exit.

Logging

The utility streams structured JSON logs to the console and/or to a specified logfile. The log related options are:

--log-level
--log-file
--log-file-level
--log-color
--silent

See LOGGING for documentation.

Clone this wiki locally