Import and Update SCAP (XML)

Updated Aug 30, 2023

With the Slang Authoring Toolkit, you can import an existing SCAP (XML) Benchmark into Slang. For example, you can:

These sample procedures use Windows 10 STIG as the sample SCAP. You can import your own SCAP as well.

Before you begin

Steps

  1. Download and import SCAP.
  2. Update the project-wide settings.
  3. Adjust rules.
  4. Export Slang to SCAP (XML).

Step 1: Download and import SCAP

  1. Download or navigate to the SCAP.

    For example, download the Microsoft Windows 10 STIG Benchmark from the list of SCAP-formatted STIGs on the Department of Defense (DoD) Cyber Exchange.

  2. Open Visual Studio Code (VS Code) and a CLI.

  3. Run this command to import the STIG and create a new Slang project:

    slang import <filepath> <project_name>

Step 2: Update the project-wide settings

  1. In VS Code, select File > Open Folder and navigate to ~/Slang/<project_name>.

  2. Open the project.slang file.

  3. Change the title and description to indicate this is your version of the STIG.

  4. Change the id_namespace.

    This should be a valid reverse-DNS style string associated with you or your organization. Use only letters, numbers, periods, and hyphens.

  5. Click Save.

Step 3: Adjust rules

You can add, remove, and customize rules for your project.

Add a rule to a project

  1. In VS Code, create a folder, naming it after the rule.

  2. Create a file titled <rule_id>.slang and add rule content.

    For example:

    Rule:
       title: The system must be configured to audit DPAPI Activity failures.
       checks:
          - windows.audit_policy.subcategory:
             dpapi_activity: failure only

  3. Click Save.

Remove a rule from a project

There are two ways to remove a rule from a project: delete the rule file, or leave the file in place and exclude the rule through a Slang profile. To remove a rule without deleting the file:

  1. Create a file in the main project folder, next to project.slang, called profile.<profile_name>.slang.

  2. Add the following content:

    Profile:
       title: <profile_name>

  3. Add the select_all_rules_except parameter and any applicable values.

    For example:

    select_all_rules_except:
        - SV-220924r569187_rule.slang

  4. Click Save.

Customize a rule

  1. In VS Code, open the <rule_id>.slang file.
  2. Change Title as applicable.
  3. Delete any irrelevant tags.
  4. Edit the description.
  5. Edit the check:
    1. Delete the imported OVAL check from common.oval.
    2. Type windows. to see a list of suggested checks.
    3. Select an option.
  6. Edit the audit policy:
    1. Select windows.audit_policy.subcategory.
    2. Press Ctrl+Space to see suggestions.
    3. Select an option.
  7. Edit the validation:
    1. Select credential_validation.

    2. Press Ctrl+Space to see suggestions.

    3. Select an option.

      For example, selecting success and failure updates the checks section to:

      checks:
         - windows.audit_policy.subcategory:
            credential_validation: success and failure

  8. Save the rule file.

Step 4: Export Slang to SCAP (XML)

  1. In VS Code, press Ctrl+` to open the Terminal, and then run this command to export your Slang project to SCAP (XML):

    slang export <project_name> <project_name>.xml

    A new folder titled exported_scap appears in your project. It contains the XML file.

    Tip: If you have access to a Windows 10 scan target and have completed Test a Slang project, run slang export <project_name> <project_name>.xml --scan_config <config_name> --profile profile.<profile_name>.slang to export and test your project using the profile that you created. When you review the results, look for your DPAPI rule. Filter to NOT SELECTED, and the rule that was removed in Remove a rule from a project appears.
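
If you do not have a scan target, you can still review the exported XML offline to confirm that the profile deselects the rule you removed and that every rule ID carries your id_namespace. The following script is an added example, not part of the Slang Authoring Toolkit. It assumes the export contains an XCCDF 1.2 benchmark whose rule IDs embed the id_namespace and whose profile records exclusions as select elements; the namespace com.example.security, the profile ID, and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 XML namespace
# XCCDF 1.2 rule ids have the form xccdf_<namespace>_rule_<name>; treating
# <namespace> as the project's id_namespace is an assumption about the export.
RULE_ID = re.compile(r"^xccdf_([^_]+)_rule_.+$")

# Constructed sample for illustration, not real Slang output.
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_com.example.security_benchmark_win10">
  <Profile id="xccdf_com.example.security_profile_custom">
    <select idref="xccdf_com.example.security_rule_SV-220924r569187_rule"
            selected="false"/>
  </Profile>
  <Group id="xccdf_com.example.security_group_audit">
    <Rule id="xccdf_com.example.security_rule_SV-220924r569187_rule" selected="true"/>
    <Rule id="xccdf_com.example.security_rule_dpapi_activity" selected="true"/>
  </Group>
</Benchmark>
"""

def review_export(xml_text, profile_id, id_namespace):
    """Return (selected, not_selected, wrong_namespace) rule ids for a profile."""
    root = ET.fromstring(xml_text)
    # Benchmark defaults: a Rule with no 'selected' attribute counts as selected.
    state = {r.get("id"): r.get("selected", "true") in ("true", "1")
             for r in root.iter(NS + "Rule")}
    profile = next((p for p in root.iter(NS + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found in export")
    # Profile <select> elements override the defaults. Selects that point at
    # groups rather than rules are ignored in this example.
    for sel in profile.findall(NS + "select"):
        if sel.get("idref") in state:
            state[sel.get("idref")] = sel.get("selected") in ("true", "1")
    selected = sorted(r for r, on in state.items() if on)
    not_selected = sorted(r for r, on in state.items() if not on)
    wrong_ns = sorted(r for r in state
                      if not (m := RULE_ID.match(r)) or m.group(1) != id_namespace)
    return selected, not_selected, wrong_ns

if __name__ == "__main__":
    sel, off, bad = review_export(
        SAMPLE, "xccdf_com.example.security_profile_custom", "com.example.security")
    print("selected:", sel)
    print("not selected:", off)
    print("ids outside namespace:", bad)
```

To check a real export, pass the contents of the XML file in exported_scap instead of SAMPLE. Any ID reported as outside the namespace indicates a rule that still carries the imported benchmark's namespace.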
