Skip to content

Home

Jump to bottom
cd-rite edited this page May 16, 2022 · 15 revisions

STIG Manager Watcher

A STIG Manager CLI client that watches a path for test result files formatted as CKL or XCCDF and posts the results to a Collection.

The client is suitable for use as a service or daemon, as a scheduled task, in automated testing pipelines, or from the command line. Test result files discovered on the path and sub-paths are parsed and the parsed content is pushed to a timed cargo queue. If configured to do so, the queue worker creates new Assets as needed and updates STIG assignments. Reviews from the result files are then posted to the corresponding Asset.

Requirements

  • Node.js 14+ and npm
  • Keycloak 11+ configured to issue tokens for the STIG Manager API.
  • A Keycloak OpenID Connect client configured with a service account and appropriate scopes.
  • STIG Manager API with a Collection grant of "Manage" for the client
  • (Recommended) Appropriate Collection Import Settings configured in each Collection Watcher imports to.

See REQUIREMENTS for additional guidance on how to configure Keycloak and STIG Manager.

Installation and Deployment Options

Watcher is available as Windows or Linux binaries, as an npm module, or can be run from source as a NodeJS app. For best results, you may find it useful to configure a Service Manager to run STIGMan Watcher, so that it can continually monitor the directory you specify, collect its logs, etc.

To install the npm module:

$ npm install --global stigman-watcher

Usage

If running from the command line, simply run the npm module or executable with the appropriate options.

stigman-watcher [options]

Options

Options can be set from the command line, from environment variables prefixed by WATCHER_, or from the contents of an .env file in the current directory.

The --mode option configures the strategy used by STIG Manager Watcher to discover files. See MODES for a discussion of the supported modes.

Key Configuration Options

STIGMan Watcher has many configuration options, but most deployments will find it useful to specify at least the following:

  • mode
  • client-id
  • collection-id
  • path
  • authority
  • api
  • history-file - a text file containing a record of the
  • log-file

See OPTIONS for a list of all options and what they accomplish.

Example

$ stigman-watcher \
  --mode events
  --client-id stigman-watcher \
  --collection-id 1 \
  --path /my/path/to/results \
  --authority https://keycloak-host/auth/realms/stigman \
  --api https://stigman-api/api

Unless --one-shot is provided, the utility remains active and watches for test result files under the given path. To stop execution, send the process the SIGINT signal. If running interactivey, you can type Ctrl-C to exit.

Logging

The utility streams structured JSON logs to the console and/or to a specified logfile. The log related options are:

--log-level
--log-file
--log-file-level
--log-color
--silent

See LOGGING for documentation.

Clone this wiki locally