
Requirements and Configuration

Mathew edited this page Nov 7, 2023 · 4 revisions

STIGMan Watcher requires these components and configurations to function most effectively:

A Directory to "Watch"

  • STIGMan Watcher is designed to monitor a directory containing .ckl or XCCDF STIG Evaluation files. This folder can be a local directory or on a file share, but ensure Watcher will have consistent access to it, and only populate it with results that you want imported: everything Watcher detects there is posted to the configured Collection.

STIG Manager API

  • STIGMan Watcher requires an instance of the STIG Manager API to import the result files it detects.
  • The STIGMan Watcher Client must be registered as a User in that STIGMan instance with the proper Collection Grants.
  • You must specify the Collection ID that Watcher will post to. You can find the Collection ID in the individual "Manage Collection" Workspaces, or in the "Collections" Workspace accessible from the Application Management Navigation Tree Menu.

  • The Collection should have your desired Import Settings configured. If not configured, Watcher will use the defaults discussed in the STIG Manager Documentation.

NOTE: An instance of STIGMan Watcher is configured to import into ONE Collection. If you are managing more than one Collection in STIGMan, you will likely need at least one instance of STIGMan Watcher for each Collection.

  • While a given instance of STIGMan Watcher only writes to one Collection, multiple instances can share the same User in the STIGMan API. The Client ID used for Watcher and configured in Keycloak will be displayed as the "User" in the STIGMan Reference UI. Each Collection that Watcher writes to must be configured with a Grant of Manage or above for the Watcher User.

In the example below, the Client ID "stigman-watcher-test" has Manage access to the "Collection X" and "Collection Y" collections:

NOTE: You can pre-register the Watcher User Profile in the API before you set up Watcher, or let Watcher connect first, which will create a User Profile with no Grants. Once the User Profile has been established in the STIGMan API, Application Managers or individual Collection Owners can grant the Watcher User access to their Collections, so that it can import results.

Keycloak

  • Keycloak 11+ configured to issue tokens for the STIG Manager API.
  • A Keycloak OpenID Connect client configured with a service account and appropriate scopes.
  • Required Scopes for full functionality:
    roles
    stig-manager:collection
    stig-manager:stig:read
    stig-manager:user:read
    
  • There are multiple ways to configure an OIDC client to use a service account in Keycloak. Watcher supports:
    • Signed JWT Authentication (Recommended)
    • Client ID and Secret Authentication

For help configuring Keycloak to use Signed JWTs, please see this popular video on YouTube.

Signed JWT Authentication Setup Guide

This guide covers the necessary steps to set up Signed JWT client authentication with an RSA key pair (RS256, i.e. RSA signing with SHA-256). The private key never leaves the Watcher host; Keycloak only needs the certificate (public key) to verify the signed assertion.

Generating Keys and Certificates

1. Generate a Private Key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

2. Generate Public Key

openssl rsa -pubout -in private_key.pem -out public_key.pem

3. Create a certificate

openssl req -new -x509 -key private_key.pem -out cert.pem -days 365

4. Create pkcs12 archive

openssl pkcs12 -export -out keystore.p12 -inkey private_key.pem -in cert.pem -name mykey

5. Create a new client (keycloak).

  • Enter your realm
  • Go to Clients -> Create client
  • Create a client ID, turn on Client authentication, and enable the Service accounts roles authentication flow.

6. Set the credential type to Signed JWT with RS256 (keycloak).

  • Go to 'Client Scopes' and add the desired scopes (at minimum those listed under Required Scopes above).
  • Go to 'Credentials' and select Signed Jwt with RS256 as the Client Authenticator.

7. Import keys (keycloak).

  • Go to Client -> Keys -> Import.
  • Archive Format: PKCS#12
  • Key Alias: mykey (the value given to -name in step 4)
  • Store Password: the export password you entered when creating keystore.p12 in step 4
  • Import File: keystore.p12
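The following is an added example, not part of the STIGMan Watcher wiki or the project's code. It runs steps 1 through 4 above unattended (adding -subj and -passout so openssl does not prompt), checks that private_key.pem, cert.pem and keystore.p12 all describe the same key, and then builds and verifies the kind of RS256 client assertion that Signed JWT authentication sends to Keycloak's token endpoint, so you can see what the imported certificate is used to verify. The client ID "stigman-watcher-test" is borrowed from the Collections example above; the token endpoint URL, the "changeit" store password and the WORKDIR location are placeholders you would replace.

```shell
#!/bin/sh
# Added example (not project code). Assumed placeholders: CLIENT_ID, TOKEN_URL,
# P12_PASS and WORKDIR; override them in the environment as needed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_ID="${CLIENT_ID:-stigman-watcher-test}"
TOKEN_URL="${TOKEN_URL:-https://keycloak.example.com/realms/stigman/protocol/openid-connect/token}"
P12_PASS="${P12_PASS:-changeit}"   # becomes the "Store Password" in Keycloak's Keys -> Import

# Steps 1-4 of the guide, made non-interactive.
gen_keys() {
  openssl genpkey -algorithm RSA -out "$WORKDIR/private_key.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl rsa -pubout -in "$WORKDIR/private_key.pem" -out "$WORKDIR/public_key.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/private_key.pem" -out "$WORKDIR/cert.pem" -days 365 \
    -subj "/CN=$CLIENT_ID"
  openssl pkcs12 -export -out "$WORKDIR/keystore.p12" -inkey "$WORKDIR/private_key.pem" \
    -in "$WORKDIR/cert.pem" -name mykey -passout "pass:$P12_PASS"
}

# Sanity check before importing into Keycloak: the public key in the certificate
# must equal public_key.pem, and the key inside keystore.p12 must be the same one.
check_artifacts() {
  cert_pub=$(openssl x509 -in "$WORKDIR/cert.pem" -pubkey -noout)
  p12_pub=$(openssl pkcs12 -in "$WORKDIR/keystore.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
            | openssl rsa -pubout 2>/dev/null)
  [ "$cert_pub" = "$(cat "$WORKDIR/public_key.pem")" ] && [ "$p12_pub" = "$cert_pub" ]
}

# base64url helpers (RFC 7515 section 2): '+'->'-', '/'->'_', no padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Build a private_key_jwt client assertion (RFC 7523): iss and sub are the client
# ID, aud is the token endpoint, jti is unique, and exp keeps it short-lived.
make_assertion() {
  now=$(date +%s)
  header='{"alg":"RS256","typ":"JWT"}'
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
    "$CLIENT_ID" "$CLIENT_ID" "$TOKEN_URL" "$(openssl rand -hex 16)" "$now" $((now + 60)))
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$WORKDIR/private_key.pem" | b64url)
  printf '%s.%s' "$signing_input" "$sig"
}

# What Keycloak does with the imported certificate: verify the RS256 signature
# over header.payload using only the public key. Returns non-zero on any tampering.
verify_assertion() {
  jwt="$1"
  printf '%s' "${jwt##*.}" | b64url_decode > "$WORKDIR/sig.bin"
  printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$WORKDIR/public_key.pem" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Form body of the client_credentials request that carries the assertion,
# requesting the scopes listed under "Required Scopes" above.
token_request_body() {
  printf 'grant_type=client_credentials&client_assertion_type=%s&client_assertion=%s&scope=%s' \
    'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' "$1" \
    'roles%20stig-manager:collection%20stig-manager:stig:read%20stig-manager:user:read'
}

gen_keys
check_artifacts && echo "private_key.pem, cert.pem and keystore.p12 agree; import keystore.p12 with alias mykey"
JWT=$(make_assertion)
verify_assertion "$JWT" && echo "client assertion verifies against public_key.pem"
token_request_body "$JWT" > "$WORKDIR/token_request.txt"
echo "token request body written to $WORKDIR/token_request.txt (POST it to $TOKEN_URL)"
```

The check in check_artifacts is worth running before every import: a keystore built from the wrong key is the most common cause of Keycloak rejecting the assertion with an invalid-signature error after the UI steps look correct. Note that the assertion's aud must be the exact token endpoint URL of the realm Watcher authenticates against.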