STIG & CCI Browsing
The stig and cci command groups let you browse STIG benchmarks, rules, and CCIs with full traceability from NIST 800-53 controls down to individual STIG check rules.
STIG Commands
List STIG Benchmarks
pretorin stig list
pretorin stig list --technology-area "Network"
pretorin stig list --product "Windows" --limit 10
Show STIG Details
pretorin stig show <stig_id>
Shows benchmark metadata including title, version, release info, and severity breakdown of rules.
List Rules for a STIG
pretorin stig rules <stig_id>
pretorin stig rules <stig_id> --severity cat_i
pretorin stig rules <stig_id> --cci CCI-000015 --limit 20
Show Applicable STIGs
# Uses active system context
pretorin stig applicable
# Explicit system
pretorin stig applicable --system "My System"
AI-Infer Applicable STIGs
pretorin stig infer
pretorin stig infer --system "My System"
Uses the system’s profile to recommend which STIG benchmarks should apply.
STIG Checklists (import / export)
Beyond read-only browsing, the stig group manages DISA checklist files — .ckl (legacy STIG Viewer XML) and .cklb (STIG Viewer 3 JSON) — against the platform’s STIG Checklist Workspace. Unlike OSCAL artifacts (which the platform generates and you only download), checklist data flows into the platform: a scanner an agent runs produces results, you push them up, and the platform regenerates air-gap/FIPS-safe checklist files on demand for the eMASS handoff.
A checklist is asset-scoped — it binds one STIG benchmark to one asset (inventory item). Import and export are always addressed by a checklist_id.
List checklists
# All checklists for the active system
pretorin stig checklists
# One asset's checklists, explicit system
pretorin stig checklists --system "My System" --asset <inventory_item_id>
Create a checklist
pretorin stig create-checklist --benchmark RHEL_9_STIG --asset <inventory_item_id> --title "web01 RHEL 9"
Binds a benchmark + asset and returns the new checklist ID. Fails if a checklist already exists for that (benchmark, asset) pair, or if the benchmark or asset is unknown.
Export a checklist
# Legacy .ckl (XML), default
pretorin stig export <checklist_id> --output web01.ckl
# STIG Viewer 3 .cklb (JSON)
pretorin stig export <checklist_id> --format cklb --output web01.cklb
The file is regenerated from stored reviews on demand — no eMASS connector required — and is byte-identical for an unchanged checklist. The command prints the SHA-256 of the downloaded bytes; this public surface has no server-side checksum, so the hash is yours to record for integrity assertion. When the filename comes from the server (no --output, or --output names a directory), an existing file is not overwritten without --force; an explicit --output <file> overwrites intentionally.
Import into a checklist
# Review axis: a full .ckl/.cklb (asset metadata + the four DISA statuses +
# finding details/comments + severity override), format auto-detected
pretorin stig import <checklist_id> web01.cklb
# Force a review-axis format
pretorin stig import <checklist_id> web01.ckl --format ckl
# Test axis: an XCCDF scan document (SCAP/OpenSCAP results)
pretorin stig import <checklist_id> results.xml --format xccdf
--format auto|ckl|cklb imports the review axis (per-rule reviews reconciled against the benchmark) and prints match counts plus a reconciles flag — the audit-integrity assertion that every parsed rule landed in exactly one action bucket. The command exits non-zero on a hard parse/scope failure or if the import fails to reconcile.
--format xccdf routes to the test axis, which is system-scoped: one host’s scan updates the derived status of every checklist on the system bound to the same benchmark. The command reports how many checklists the scan affects.
A checklist must already exist before you import into it. Use
pretorin stig checkliststo find its ID, orpretorin stig create-checklistto make one.
CCI Commands
CCIs (Control Correlation Identifiers) bridge NIST 800-53 controls to specific STIG rules via SRGs (Security Requirements Guides).
List CCIs
pretorin cci list
pretorin cci list --control ac-2
pretorin cci list --status draft --limit 50
Show CCI Details
pretorin cci show CCI-000015
Shows the CCI definition, linked SRGs, and linked STIG rules.
Full Traceability Chain
pretorin cci chain ac-2
pretorin cci chain ac-2 --system "My System"
Shows the complete chain: NIST 800-53 Control -> CCIs -> SRGs -> STIG rules (and test results when --system is provided).
This is useful for understanding exactly which technical checks validate a given control requirement.
Per-System CCI Implementation
pretorin cci impl <cci_uuid> --system "My System"
Reads the per-system CCI implementation row by (system, cci_uuid). Returns the live impl detail — status, status source, narrative (operator-authored or AI-generated draft), evidence count, conflict flag, and eMASS fields. A 404 means the impl row hasn’t been initialized yet for this system.
Use this when you already have the CCI catalog UUID (from cci show or upstream tooling) and want the system-specific compliance state without walking the full rollup.
STIG-to-CCI assignment is catalog-level. DISA defines the STIG-rule → CCI relationship in the catalog. There is no “assign STIG X to CCI Y on this system” operation — per-system applicability and per-system test results combine with the catalog mapping to produce the rollup. Use
cci chain --systemfor the full picture.