More touch-ups to rules model and examples (#1444)
* Updates to model and examples for #1364.

* [WIP] Example SSP w/ rules for #1364.

* Add missing assembly refs for rule-impl in c-i statement.

* Add example from the 20220902 model meeting.
aj-stein-nist authored Sep 20, 2022
1 parent 6a134f0 commit a158725
Showing 3 changed files with 144 additions and 6 deletions.
15 changes: 9 additions & 6 deletions src/metaschema/examples/rules-component.xml
@@ -1,11 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a mapping example used for development. This file should be moved to the oscal-content repo when this feature is ready. -->
<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="3559d200-4849-41ac-a420-28b2ffa22c52">
<metadata>
<title>Example Component Definition for Openshift Container Platform v4, Rules, and Tests</title>
<last-modified>2022-08-23T00:00:00.000000000-04:00</last-modified>
<last-modified>2022-08-23T00:00:00.000000001-04:00</last-modified>
<version>0.0.1-alpha</version>
<oscal-version>1.2.0</oscal-version>
</metadata>
Expand Down Expand Up @@ -117,11 +116,15 @@
<description>
<p>Configuration managers can use the product's functionality to establish and document configuration settings for OCP4 cluster(s) employed within the system. When not using system defaults, configuration managers can use <insert type="param" id-ref="cm-06_prm_1"/> that reflect the most restrictive mode consistent with operational requirements.</p>
</description>
<rule-implementation uuid="9b49bb8b-7eb6-48a6-8dfa-08302f1af80c">
<description>
<p>This rule and test are evidence of how the use of properly configured OpenShift satisfies part of this requirement.</p>
</description>
<condition operator="and">
<testing-scenario-reference testing-scenario-uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe"/>
</condition>
</rule-implementation>
</statement>
<condition operator="and">
<!-- Bind testing scenario for static analysis test only. -->
<testing-scenario-reference testing-scenario-uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe" />
</condition>
</implemented-requirement>
</control-implementation>
</component>
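Review bot: The condition that moved into the new rule-implementation lost the explanatory comment the removed statement-level condition carried (`<!-- Bind testing scenario for static analysis test only. -->`); re-add it above the testing-scenario-reference inside the new condition so a reader still knows why only that one scenario is bound. The testing-scenario 0666cbf2-2b76-4e9d-ba99-a783419ff1fe is defined outside this hunk, as is the enclosing statement element, so I could not confirm from the visible lines that the reference still resolves after the move. In the metadata hunk, bumping `last-modified` from `.000000000` to `.000000001` is a sentinel rather than a timestamp; set it to the actual modification time of the file.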
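--- a/src/metaschema/examples/rules-ssp.xml
+++ b/src/metaschema/examples/rules-ssp.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292">
+<metadata>
+<title>Example System Security Plan with Rules and Tests</title>
+<last-modified>2022-08-23T00:00:00.000000001-04:00</last-modified>
+<version>0.0.1-alpha</version>
+<oscal-version>1.2.0</oscal-version>
+</metadata>
+<import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/>
+<system-characteristics>
+<system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id>
+<system-name>Example System</system-name>
+<description>
+<p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p>
+</description>
+<date-authorized>2022-08-23</date-authorized>
+<security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
+<system-information>
+<information-type>
+<title>Summary of System Development Information in Example System</title>
+<description>
+<p>This application contains system development data.</p>
+</description>
+<confidentiality-impact>
+<base>fips-199-low</base>
+<selected>fips-199-low</selected>
+</confidentiality-impact>
+<integrity-impact>
+<base>fips-199-low</base>
+<selected>fips-199-low</selected>
+</integrity-impact>
+<availability-impact>
+<base>fips-199-low</base>
+<selected>fips-199-low</selected>
+</availability-impact>
+</information-type>
+</system-information>
+<security-impact-level>
+<security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
+<security-objective-integrity>fips-199-moderate</security-objective-integrity>
+<security-objective-availability>fips-199-moderate</security-objective-availability>
+</security-impact-level>
+<status state="under-development"/>
+<authorization-boundary>
+<description>
+<p>There is no authorization boundary for the application.</p>
+</description>
+<remarks>
+<p>This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.</p>
+</remarks>
+</authorization-boundary>
+</system-characteristics>
+<system-implementation>
+<user uuid="a2276e8d-f8f1-43c3-9e5a-4165ba37476e">
+<authorized-privilege>
+<title>System Developer Privilege</title>
+<function-performed>add functionality</function-performed>
+<function-performed>modify functionality</function-performed>
+<function-performed>maintain deploy system in environment</function-performed>
+</authorized-privilege>
+</user>
+<rule uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b">
+<title>Monitoring System Logging for Indicators of Compromise Commands in Privileged Contacts</title>
+<description>
+<p>When threat actors want to confirm they have successfully performed privilege escalation, they will want to confirm they have elevated system privileges.</p>
+<p>Responsible staff for a given role must monitor systems logs in a centralized logging system to confirm organizationally-recommended commands have not been run in a privileged context.</p>
+<ul>
+<li>whoami</li>
+<li>id</li>
+<li>groups</li>
+<li>env</li>
+</ul>
+</description>
+<prop name="ioc-command" class="query-parameter" value="whoami"/>
+<prop name="ioc-command" class="query-parameter" value="id"/>
+<prop name="ioc-command" class="query-parameter" value="groups"/>
+<prop name="ioc-command" class="query-parameter" value="env"/>
+</rule>
+<test uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539">
+<description>
+<p>This test documents which Splunk commands you will run to look for commands associated with indicators of compromise.</p>
+</description>
+<remarks>
+<p>The internal structure of structuring and passing parameters of the query is yet to be determined.</p>
+</remarks>
+</test>
+<testing-scenario uuid="886adeea-8cb9-4a78-9ab6-b3562cbc9e9f" rule-uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b">
+<test-reference test-uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539" />
+</testing-scenario>
+<component uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" type="this-system">
+<title>Example System Core Component</title>
+<description>
+<p>This component documents Example System, an information system under development that makes use of automated system evaluation with rules.</p>
+</description>
+<status state="under-development"/>
+<responsible-role role-id="system-engineer"/>
+<remarks>
+<p>This is an example system to demonstrate the use of rules for auditing requirements.</p>
+</remarks>
+</component>
+</system-implementation>
+<control-implementation>
+<description>
+<p>Example System follows the Risk Management Framework as defined in SP 800-37 and 800-53 for risk management, privacy, and security guidance.</p>
+</description>
+<implemented-requirement uuid="2060f510-e178-40ce-8e61-8cd1ec16c348" control-id="au-6.8">
+<by-component component-uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" uuid="1bbea228-c161-410f-a70e-3e287b38460c">
+<description>
+<p>This describes how Example System requires system operators to perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.</p>
+</description>
+<implementation-status state="implemented"/>
+
+</by-component>
+</implemented-requirement>
+</control-implementation>
+<back-matter>
+<resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f">
+<rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml"/>
+</resource>
+</back-matter>
+</system-security-plan>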
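Review bot: The SSP defines a rule (0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b), a test (a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539) and a testing-scenario (886adeea-8cb9-4a78-9ab6-b3562cbc9e9f) under system-implementation, but the by-component for au-6.8 never binds them — the empty line after `<implementation-status state="implemented"/>` looks like the intended slot — so the testing-scenario is unreferenced and the example does not exercise the rule-implementation assembly this same commit adds to the SSP metaschema. Mirroring the component-definition example, a rule-implementation carrying a condition and testing-scenario-reference would close that gap; the exact child model should be confirmed against the rule-implementation definition, which is not visible here. Two smaller points in the same file: `<date-authorized>2022-08-23</date-authorized>` sits beside `<status state="under-development"/>` and remarks stating no authorization boundary will be defined, so either drop date-authorized or explain it in remarks, and `permenantely` in those remarks should read `permanently`. In the rule description, "organizationally-recommended commands have not been run" contradicts the listed commands being indicators of compromise; `organizationally-identified commands` says what is meant.
```xml
<implementation-status state="implemented"/>
<rule-implementation uuid="[PLACEHOLDER-UUID]">
  <description>
    <p>Binds the privileged-command indicator-of-compromise monitoring rule and its Splunk test as evidence for au-6.8.</p>
  </description>
  <condition operator="and">
    <testing-scenario-reference testing-scenario-uuid="886adeea-8cb9-4a78-9ab6-b3562cbc9e9f"/>
  </condition>
</rule-implementation>
```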
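--- a/src/metaschema/oscal_ssp_metaschema.xml
+++ b/src/metaschema/oscal_ssp_metaschema.xml
@@ -801,6 +801,12 @@
 <assembly ref="by-component" max-occurs="unbounded">
 <group-as name="by-components" in-json="ARRAY"/>
 </assembly>
+<assembly ref="rule-implementation" max-occurs="unbounded">
+<group-as name="rule-implementations" in-json="ARRAY"/>
+<remarks>
+<p>Multiple rule implementations can be provided to describe alternative rule-based implementations used to evaluate the implementation and effectiveness of the containing control statement.</p>
+</remarks>
+</assembly>
 <field ref="remarks" in-xml="WITH_WRAPPER"/>
 </model>
 <constraint>
@@ -1031,6 +1037,12 @@
 <group-as name="responsible-roles" in-json="ARRAY"/>
 </assembly>
 <!-- CHANGED: removed "set-parameter" -->
+<assembly ref="rule-implementation" max-occurs="unbounded">
+<group-as name="rule-implementations" in-json="ARRAY"/>
+<remarks>
+<p>Multiple rule implementations can be provided to describe alternative approaches for using rules to evaluate the implementation and effectiveness of the containing control.</p>
+</remarks>
+</assembly>
 <field ref="remarks" in-xml="WITH_WRAPPER"/>
 </model>
 <constraint>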
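Review bot: The two new rule-implementation assemblies (the hunks at line 801 and line 1037) carry remarks that say nearly the same thing in different words — "alternative rule-based implementations used to evaluate" versus "alternative approaches for using rules to evaluate" — so one phrasing should be used in both, with the only difference being "containing control statement" versus "containing control". Neither remark states what a rule-implementation must resolve to; if its testing-scenario-reference is meant to point at a testing-scenario in the same SSP, say so, and the `<constraint>` block that opens at the end of each hunk (and continues outside it) is where an index-has-key check on that uuid would belong if the metaschema already uses such constraints for other uuid references, since an unresolved reference would otherwise surface only when an assessment tool tries to follow the evidence. Suggested common text: `<p>Multiple rule implementations can be provided to describe alternative ways of using rules to evaluate the implementation and effectiveness of the containing control statement.</p>`, with "control statement" replaced by "control" in the second hunk.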
