Improve scoring docs #358

Merged: 3 commits, Sep 10, 2024
32 changes: 22 additions & 10 deletions docs/cnspec/cnspec-policies/write/policy-scoring.mdx
@@ -74,14 +74,20 @@ The average scoring system considers impact before averaging check scores. Faile

- If a check fails (returns `false`), the asset receives (100-impact) for that check. For example, if an asset fails a check with an impact of 90, it receives a 10 for that check.

Here are possible results of our simple example query, which has a port check and a cipher check:
Our simple example query above contains:

| Port (impact 90) | Cipher (impact 80) | Overall score |
| :------------------- | :------------------- | :---------------------------------- |
| Pass (100) | Pass (100) | (100 + 100) / 2 = **100** or **A+** |
| Pass (100) | Fail (100 - 80 = 20) | (100 + 20) / 2 = **60** or **B** |
| Fail (100 - 90 = 10) | Pass (100) | (10 + 100) / 2 = **55** or **C** |
| Fail (100 - 90 = 10) | Fail (100 - 80 = 20) | (10 + 20) / 2 = **15** or **D** |
- A port check (sshd-01) with an impact of 90

- A cipher check (sshd-02) with an impact of 80

These are the possible asset scores on this policy:

| Port check (impact 90) | Cipher check (impact 80) | Overall score |
| :--------------------- | :----------------------- | :---------------------------------- |
| Pass (100) | Pass (100) | (100 + 100) / 2 = **100** or **A+** |
| Pass (100) | Fail (100 - 80 = 20) | (100 + 20) / 2 = **60** or **B** |
| Fail (100 - 90 = 10) | Pass (100) | (10 + 100) / 2 = **55** or **C** |
| Fail (100 - 90 = 10) | Fail (100 - 80 = 20) | (10 + 20) / 2 = **15** or **D** |

:::note
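
Review bot: The new lead-in "Our simple example query above contains:" calls the example a query, yet it goes on to list two checks and the sentence before the table says "asset scores on this policy"; use "policy" in both places so the reader does not go looking for a single query. The table also maps 60 to B, 55 to C and 15 to D without the score-to-grade thresholds appearing anywhere in this hunk, so a link to the grade table would help here. Consider adding one sentence on what the third row shows: failing only the impact-90 port check still leaves the asset at 55 (C), which matters to anyone who relies on the letter grade to surface a high-impact failure.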

@@ -329,11 +335,17 @@ For example, suppose Mondoo assesses an asset based on two policies:

If an asset scores 72 on policy X and scores 50 on policy Y:

**72 x 100 = 7000**
1. Multiply policy x score by 100 because the policy contains 100 checks.

**72 x 100 = 7200**

2. Multiply policy y score by 20 because the policy contains 20 checks.

**50 x 20 = 1000**

**50 x 20 = 1000**
3. Divide the sum of the two policies by the total number of checks in both policies.

**(7200 + 1000) / 120 = 68 (B)**
**(7200 + 1000) / 120 = 68 (B)**

## Next steps
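
Review bot: The new steps 1 and 2 write "policy x" and "policy y" in lower case while the context line above them uses "policy X" and "policy Y"; match the capitalisation so the steps clearly refer to the same two policies. Step 3 says "Divide the sum of the two policies", but what is summed is the two weighted scores (7200 + 1000), so "the sum of the two weighted scores" would be more accurate. (7200 + 1000) / 120 is 68.33, so the text should say that the result is rounded to 68.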
