moved fast-xml-parser to ver 4.5.1, added one additional test
Signed-off-by: George M Dias <[email protected]>
georgedias committed Jan 23, 2025
1 parent 120e1e8 commit fc71165
Showing 7 changed files with 115 additions and 18 deletions.
2 changes: 1 addition & 1 deletion package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -31,7 +31,7 @@
"@types/lodash": "^4.14.178",
"@types/mustache": "^4.2.0",
"@types/pretty": "^2.0.1",
"fast-xml-parser": "^4.2.7",
"fast-xml-parser": "^4.5.1",
"flat": "5.0.2",
"he": "^1.2.0",
"htmlparser2": "^10.0.0",
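Review bot: The commit message gives no reason for raising the fast-xml-parser floor from `^4.2.7` to `^4.5.1`, and the matching package-lock.json change is not rendered on this page, so the resolved version cannot be confirmed from the diff. State the motivation for the bump in the commit message, and confirm that the lockfile resolves to 4.5.1, since the caret range accepts any later 4.x release.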
25 changes: 14 additions & 11 deletions src/objects/control.ts
Expand Up @@ -267,17 +267,20 @@ export default class Control {
if (verbose) {logger.error(`${this.id} does not have an impact`);}
}

// This may not be necessary, but it is included for completeness.
// Once we agreed that it is not needed we can remove it.
if (this.refs) {
this.refs.forEach((ref) => {
if (typeof ref === 'string') {
result += ` ref ${escapeQuotes(ref)}\n`;
} else {
result += ` ref ${escapeQuotes(ref.ref?.toString() || '')}, url: ${escapeQuotes(ref.url || '')}`
}
});
}
//-------------------------------------------------------------------------
// This may not be necessary, leaving commented code for posterity. Once we
// have implemented the process and determined that there isn't any side
// effects we can remove the commented code
//-------------------------------------------------------------------------
// if (this.refs) {
// this.refs.forEach((ref) => {
// if (typeof ref === 'string') {
// result += ` ref ${escapeQuotes(ref)}\n`;
// } else {
// result += ` ref ${escapeQuotes(ref.ref?.toString() || '')}, url: ${escapeQuotes(ref.url || '')}`
// }
// });
// }

Object.entries(this.tags).forEach(([tag, value]) => {
if (value) {
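Review bot: The ref-emitting block in this part of Control is commented out rather than removed, which leaves dead code in the file and silently drops every ref from the generated control text without saying why. Either delete the block and let the history keep it, or keep the behaviour behind an explicit option; the new banner comment should state the reason refs are no longer written. If the block is ever restored, note that its else branch (the `ref ..., url: ...` line) does not end with `\n` as the string branch does, so whatever is appended next would run onto the same line.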
@@ -0,0 +1 @@
{"controls":[{"id":"SV-218735","code":"control 'SV-218735' do\n title 'The IIS 10.0 website session state must be enabled.'\n desc \"When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is either stored in a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials.\n\nWhen the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised.\n\nASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. 
ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.\"\n desc 'check', 'Follow the procedures below for each site hosted on the IIS 10.0 web server:\n\nOpen the IIS 10.0 Manager.\n\nClick the site name.\n\nUnder the \"ASP.NET\" section, select \"Session State\".\n\nUnder \"Session State Mode Settings\", verify the \"In Process\" mode is selected.\n\nIf the \"Session State Mode Settings\" is set to \"In Process\", this is not a finding.\n\nAlternative method:\n\nClick the site name.\n\nSelect \"Configuration Editor\" under the \"Management\" section.\n\nFrom the \"Section:\" drop-down list at the top of the configuration editor, locate \"system.web/sessionState\".\n\nVerify the \"mode\" reflects \"InProc\".\n\nIf the \"mode\" is not set to \"InProc\", this is a finding.\n\nIf the system being reviewed is part of a Web Farm, interview the System Administrator to ensure Session State Tracking is enabled via a SQL server, or other means. 
If Session State Tracking is enabled on the Web Farm, this is not a finding.'\n desc 'fix', 'Follow the procedures below for each site hosted on the IIS 10.0 web server:\n\nOpen the IIS 10.0 Manager.\n\nClick the site name.\n\nUnder the \"ASP.NET\" section, select \"Session State\".\n\nUnder \"Session State Mode Settings\", verify the \"In Process\" mode is selected.\n\nSelect \"Apply\" from the \"Actions\" pane.'\n impact 0.5\n ref 'DPMS Target Microsoft IIS 10.0 Site'\n tag check_id: 'C-20208r311103_chk'\n tag severity: 'medium'\n tag gid: 'V-218735'\n tag rid: 'SV-218735r879511_rule'\n tag stig_id: 'IIST-SI-000201'\n tag gtitle: 'SRG-APP-000001-WSR-000002'\n tag fix_id: 'F-20206r311104_fix'\n tag 'documentable'\n tag legacy: ['SV-109295', 'V-100191']\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\nend","source_location":{"line":1,"ref":"new-control/SV-218735.rb"},"title":"The IIS 10.0 website session state must be enabled.","desc":"When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is either stored in a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials.\n\nWhen the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised.\n\nASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. 
ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.","descriptions":{"default":"When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is either stored in a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials.\n\nWhen the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised.\n\nASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. 
ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.","check":"Follow the procedures below for each site hosted on the IIS 10.0 web server:\n\nOpen the IIS 10.0 Manager.\n\nClick the site name.\n\nUnder the \"ASP.NET\" section, select \"Session State\".\n\nUnder \"Session State Mode Settings\", verify the \"In Process\" mode is selected.\n\nIf the \"Session State Mode Settings\" is set to \"In Process\", this is not a finding.\n\nAlternative method:\n\nClick the site name.\n\nSelect \"Configuration Editor\" under the \"Management\" section.\n\nFrom the \"Section:\" drop-down list at the top of the configuration editor, locate \"system.web/sessionState\".\n\nVerify the \"mode\" reflects \"InProc\".\n\nIf the \"mode\" is not set to \"InProc\", this is a finding.\n\nIf the system being reviewed is part of a Web Farm, interview the System Administrator to ensure Session State Tracking is enabled via a SQL server, or other means. 
If Session State Tracking is enabled on the Web Farm, this is not a finding.","fix":"Follow the procedures below for each site hosted on the IIS 10.0 web server:\n\nOpen the IIS 10.0 Manager.\n\nClick the site name.\n\nUnder the \"ASP.NET\" section, select \"Session State\".\n\nUnder \"Session State Mode Settings\", verify the \"In Process\" mode is selected.\n\nSelect \"Apply\" from the \"Actions\" pane."},"impact":0.5,"refs":[{"ref":"DPMS Target Microsoft IIS 10.0 Site"}],"tags":{"check_id":"C-20208r311103_chk","severity":"medium","gid":"V-218735","rid":"SV-218735r879511_rule","stig_id":"IIST-SI-000201","gtitle":"SRG-APP-000001-WSR-000002","fix_id":"F-20206r311104_fix","documentable":null,"legacy":["SV-109295","V-100191"],"cci":["CCI-000054"],"nist":["AC-10"]}}],"groups":[{"id":"SV-218735.rb","title":null,"controls":["SV-218735"]}],"supports":[],"title":"tests from new-control","name":"tests from new-control","inputs":[],"sha256":"fcdeda81edf01693f1ce7fdeed39e9cb8aaa758e019da3e502d7c99403d88c9e","status_message":"","status":"loaded","generator":{"name":"inspec","version":"6.8.11"}}
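Review bot: This fixture's control carries `ref 'DPMS Target Microsoft IIS 10.0 Site'` in its code and a matching `refs` array, which is exactly the data the control.ts change in this commit stops writing out. The test that uses this fixture should assert explicitly whether that ref is expected in the generated control, so the behaviour change is pinned down rather than incidental. The file is also added as a single minified line (`@@ -0,0 +1 @@`), which makes later changes to it hard to review; pretty-printing the JSON would help.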
@@ -0,0 +1 @@
{"controls":[{"id":"V-76775","code":"control 'V-76775' do\n title 'The IIS 8.5 website session state must be enabled.'\n desc \"When the session information is stored on the client, the session ID,\n along with the user authorization and identity information, is sent along with\n each client request and is stored in either a cookie, embedded in the uniform\n resource locator (URL), or placed in a hidden field on the displayed form. Each\n of these offers advantages and disadvantages. The biggest disadvantage to all\n three is the hijacking of a session along with all of the user's credentials.\n\n When the user authorization and identity information is stored on the\n server in a protected and encrypted database, the communication between the\n client and web server will only send the session identifier, and the server can\n then retrieve user credentials for the session when needed. If, during\n transmission, the session were to be hijacked, the user's credentials would not\n be compromised.\n\n ASP.NET provides a session state, which is available as the\n HttpSessionState class, as a method of storing session-specific information\n that is visible only within the session. 
ASP.NET session state identifies\n requests from the same browser during a limited time window as a session, and\n provides the ability to persist variable values for the duration of that\n session.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000001-WSR-000002'\n tag \"gid\": 'V-76775'\n tag \"rid\": 'SV-91471r1_rule'\n tag \"stig_id\": 'IISW-SI-000201'\n tag \"fix_id\": 'F-83471r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": ['AC-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Follow the procedures below for each site hosted on the IIS 8.5\n web server:\n\n Open the IIS 8.5 Manager.\n\n Click the site name.\n\n Under the \\\"ASP.NET\\\" section, select \\\"Session State\\\".\n\n Under \\\"Session State Mode Settings\\\", verify the \\\"In Process\\\" mode is\n selected.\n\n If the \\\"Session State Mode Settings\\\" is set to \\\"In Process\\\", this is not a\n finding.\n\n Alternative method:\n\n Click the site name.\n\n Select \\\"Configuration Editor\\\" under the \\\"Management\\\" section.\n\n From the \\\"Section:\\\" drop-down list at the top of the configuration editor,\n locate \\\"system.web/sessionState\\\".\n\n Verify the \\\"mode\\\" reflects \\\"InProc\\\".\n\n If the \\\"mode\\\" is not set to \\\"InProc\\\", this is a finding.\"\n tag \"fix\": \"Follow the procedures below for each site hosted on the IIS 8.5\n web server:\n\n Open the IIS 8.5 Manager.\n\n Click the site name.\n\n Under the \\\"ASP.NET\\\" section, select \\\"Session State\\\".\n\n Under \\\"Session State Mode Settings\\\", verify the \\\"In Process\\\" mode is\n selected.\n\n Select \\\"Apply\\\" from the \\\"Actions\\\" pane.\"\n\n site_names = json(command: 'ConvertTo-Json 
@(Get-Website | select -expand name)').params\n\n site_names.each do |site_name|\n iis_configuration = json(command: \"Get-WebConfigurationProperty -Filter system.web/sessionState 'IIS:\\\\Sites\\\\#{site_name}' -Name * | ConvertTo-Json\")\n\n describe \"IIS sessionState setting for Site :'#{site_name}'\" do\n subject { iis_configuration }\n its('mode') { should cmp 'InProc' }\n end\n end\n\n if site_names.empty?\n impact 0.0\n desc 'There are no IIS sites configured hence the control is Not-Applicable'\n\n describe 'No sites where found to be reviewed' do\n skip 'No sites where found to be reviewed'\n end\n end\nend","source_location":{"line":1,"ref":"old-control/V-76775.rb"},"title":"The IIS 8.5 website session state must be enabled.","desc":"There are no IIS sites configured hence the control is Not-Applicable","descriptions":{"default":"There are no IIS sites configured hence the control is Not-Applicable"},"impact":0.0,"refs":[],"tags":{"gtitle":"SRG-APP-000001-WSR-000002","gid":"V-76775","rid":"SV-91471r1_rule","stig_id":"IISW-SI-000201","fix_id":"F-83471r1_fix","cci":["CCI-000054"],"nist":["AC-10","Rev_4"],"false_negatives":null,"false_positives":null,"documentable":false,"mitigations":null,"severity_override_guidance":false,"potential_impacts":null,"third_party_tools":null,"mitigation_controls":null,"responsibility":null,"ia_controls":null,"check":"Follow the procedures below for each site hosted on the IIS 8.5\n web server:\n\n Open the IIS 8.5 Manager.\n\n Click the site name.\n\n Under the \"ASP.NET\" section, select \"Session State\".\n\n Under \"Session State Mode Settings\", verify the \"In Process\" mode is\n selected.\n\n If the \"Session State Mode Settings\" is set to \"In Process\", this is not a\n finding.\n\n Alternative method:\n\n Click the site name.\n\n Select \"Configuration Editor\" under the \"Management\" section.\n\n From the \"Section:\" drop-down list at the top of the configuration editor,\n locate \"system.web/sessionState\".\n\n 
Verify the \"mode\" reflects \"InProc\".\n\n If the \"mode\" is not set to \"InProc\", this is a finding.","fix":"Follow the procedures below for each site hosted on the IIS 8.5\n web server:\n\n Open the IIS 8.5 Manager.\n\n Click the site name.\n\n Under the \"ASP.NET\" section, select \"Session State\".\n\n Under \"Session State Mode Settings\", verify the \"In Process\" mode is\n selected.\n\n Select \"Apply\" from the \"Actions\" pane."}}],"groups":[{"id":"V-76775.rb","title":null,"controls":["V-76775"]}],"supports":[],"title":"tests from old-control","name":"tests from old-control","inputs":[],"sha256":"27a57b061ece617dc3c432828d7bc83ac1c7a66f871029ad0f1ee978b5ddb5cd","status_message":"","status":"loaded","generator":{"name":"inspec","version":"6.8.11"}}
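Review bot: The top-level `desc` and `impact` in this fixture are "There are no IIS sites configured hence the control is Not-Applicable" and `0.0`, not the session-state description and `impact 0.5` declared at the top of the control's `code`. Those values match the `if site_names.empty?` branch at the end of the code, and `descriptions.default` carries the same Not-Applicable text. If the test compares this old control with the new one, it will be working from the override rather than the real description; regenerate the fixture so the parsed fields reflect the declared ones, or document that the Not-Applicable values are the intended input.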