diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..da96a162
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+ontology/1.0/catalog-v001.xml merge=ours
\ No newline at end of file
diff --git a/.github/workflows/ontology.yaml b/.github/workflows/ontology.yaml
index c65339fb..f69ff747 100644
--- a/.github/workflows/ontology.yaml
+++ b/.github/workflows/ontology.yaml
@@ -50,6 +50,11 @@ jobs:
--output-path=ontology/v1/ontology.proto \
--full-semantic-mode=false \
--deterministic-field-numbers=true
+ - name: Upload generated proto as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: ontology-proto
+ path: ontology/v1/ontology.proto
- name: Validate proto file
run: |
mkdir -p buf/validate
diff --git a/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml b/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml
index 6399c50d..65c57e70 100644
--- a/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml
+++ b/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml
@@ -8,4 +8,4 @@ comments: Resources like virtual machines often offer a simple configuration tha
configuration:
p1:
operator: "<="
- targetValue: 720 # defined in hours
\ No newline at end of file
+ targetValue: 720 # defined in hours, which are 30 days
diff --git a/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml b/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml
new file mode 100644
index 00000000..9e601aec
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml
@@ -0,0 +1,16 @@
+# ====== Metadata ======
+id: PasswordLength
+category: IdentityManagement
+description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Authenticity.PasswordBasedAuthentication], has [p1:length] set correctly.
+implementationGuidelines:
+ AMOE:
+ question: "How long should passwords be?"
+ keywords:
+ - "password"
+version: "1.0"
+comments: This metric evaluates the length of passwords. It ensures that the length is set to a sensible minimum value of characters.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: ">="
+ targetValue: 8 # defined in characters
diff --git a/metrics/IdentityManagement/PasswordLength/data.json b/metrics/IdentityManagement/PasswordLength/data.json
new file mode 100644
index 00000000..d5b52683
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordLength/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": ">=",
+ "target_value": 8
+}
\ No newline at end of file
diff --git a/metrics/IdentityManagement/PasswordLength/metric.rego b/metrics/IdentityManagement/PasswordLength/metric.rego
new file mode 100644
index 00000000..b2d164f3
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordLength/metric.rego
@@ -0,0 +1,19 @@
+package cch.metrics.password_length
+
+import data.cch.compare
+import rego.v1
+
+default applicable := false
+
+default compliant := false
+
+pwd := input.passwordBasedAuthentication
+
+applicable if {
+ pwd
+}
+
+compliant if {
+ # length is in characters
+ compare(data.operator, data.target_value, pwd.length)
+}
\ No newline at end of file
diff --git a/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml b/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml
new file mode 100644
index 00000000..fab962bc
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml
@@ -0,0 +1,16 @@
+# ====== Metadata ======
+id: PasswordRotationInterval
+category: IdentityManagement
+description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Authenticity.PasswordBasedAuthentication], has [p1:rotationInterval] set correctly.
+implementationGuidelines:
+ AMOE:
+ question: "What is the passwords rotation frequency?"
+ keywords:
+ - "password"
+version: "1.0"
+comments: This metric evaluates the rotation interval of passwords. It ensures that the interval is set to a sensible maximum value.
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "<="
+ targetValue: 120 # defined in days
diff --git a/metrics/IdentityManagement/PasswordRotationInterval/data.json b/metrics/IdentityManagement/PasswordRotationInterval/data.json
new file mode 100644
index 00000000..d6939e2d
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordRotationInterval/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "<=",
+ "target_value": 120
+}
\ No newline at end of file
diff --git a/metrics/IdentityManagement/PasswordRotationInterval/metric.rego b/metrics/IdentityManagement/PasswordRotationInterval/metric.rego
new file mode 100644
index 00000000..2b686446
--- /dev/null
+++ b/metrics/IdentityManagement/PasswordRotationInterval/metric.rego
@@ -0,0 +1,19 @@
+package cch.metrics.password_rotation_interval
+
+import data.cch.compare
+import rego.v1
+
+default applicable := false
+
+default compliant := false
+
+pwd := input.passwordBasedAuthentication
+
+applicable if {
+ pwd
+}
+
+compliant if {
+ # rotationInterval is in days
+ compare(data.operator, data.target_value, pwd.rotationInterval)
+}
\ No newline at end of file
diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml b/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml
new file mode 100644
index 00000000..944bf568
--- /dev/null
+++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml
@@ -0,0 +1,18 @@
+# ====== Metadata ======
+id: AntimalwareScanFrequency
+category: LoggingMonitoring
+description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Auditing.MalwareProtection], has [p1:scan_interval] set correctly.
+implementationGuidelines:
+ AMOE:
+ question: "How frequent are antimalware scans done?"
+ keywords:
+ - "antimalware"
+ - "malware"
+ - "scan"
+version: "1.0"
+comments: "This metric evaluates the frequency of Antimalware scans. It ensures that the interval is set to a sensible maximum value."
+# ====== Configuration ======
+configuration:
+ p1:
+ operator: "<="
+ targetValue: 10 # in days? (TODO)
diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json b/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json
new file mode 100644
index 00000000..c7b8d071
--- /dev/null
+++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json
@@ -0,0 +1,4 @@
+{
+ "operator": "<=",
+ "target_value": 10
+}
\ No newline at end of file
diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego b/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego
new file mode 100644
index 00000000..9f992885
--- /dev/null
+++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego
@@ -0,0 +1,19 @@
+package cch.metrics.antimalware_scan_frequency
+
+import data.cch.compare
+import rego.v1
+
+default applicable = false
+
+default compliant = false
+
+mp := input.malwareProtection
+
+applicable if {
+ mp
+}
+
+compliant if {
+ # scan_interval is in days
+ compare(data.operator, data.target_value, mp.scanInterval)
+}
diff --git a/ontology/v1/catalog-v001.xml b/ontology/v1/catalog-v001.xml
index f42dbb4e..1ae1499b 100644
--- a/ontology/v1/catalog-v001.xml
+++ b/ontology/v1/catalog-v001.xml
@@ -1,22 +1,22 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/ontology/v1/core/framework.owx b/ontology/v1/core/framework.owx
index 2e0e7245..7da3fc08 100644
--- a/ontology/v1/core/framework.owx
+++ b/ontology/v1/core/framework.owx
@@ -348,11 +348,6 @@
core:lastActivity
lastActivity
-
-
- core:length
- length
-
core:local
diff --git a/ontology/v1/core/functionality.owx b/ontology/v1/core/functionality.owx
index 98e67725..1e999de9 100644
--- a/ontology/v1/core/functionality.owx
+++ b/ontology/v1/core/functionality.owx
@@ -2620,11 +2620,6 @@
core:lastActivity
lastActivity
-
-
- core:length
- length
-
core:local
diff --git a/ontology/v1/core/properties.owx b/ontology/v1/core/properties.owx
index d4814e78..99a360fa 100644
--- a/ontology/v1/core/properties.owx
+++ b/ontology/v1/core/properties.owx
@@ -639,6 +639,11 @@
res:lastActivity
lastActivity
+
+
+ res:length
+ The length refers to the length of the given class, e.g. password length
+
res:length
diff --git a/ontology/v1/core/security.owx b/ontology/v1/core/security.owx
index 472977e9..fcdb63ea 100644
--- a/ontology/v1/core/security.owx
+++ b/ontology/v1/core/security.owx
@@ -235,6 +235,9 @@
+
+
+
@@ -274,6 +277,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
@@ -406,6 +421,13 @@
+
+
+
+
+
+
+
@@ -740,6 +762,13 @@
+
+
+
+
+
+
+
@@ -1479,11 +1508,6 @@
core:lastActivity
lastActivity
-
-
- core:length
- length
-
core:local
@@ -1642,7 +1666,17 @@
core:rotationInterval
- Maximum password rotation interval in months
+ rotationInterval is given in days
+
+
+
+ core:rotationInterval
+ rotationInterval
+
+
+
+ core:rotationInterval
+ rotationInterval
diff --git a/ontology/v1/ontology-merged.owx b/ontology/v1/ontology-merged.owx
index c22d9f09..7af30dcb 100644
--- a/ontology/v1/ontology-merged.owx
+++ b/ontology/v1/ontology-merged.owx
@@ -1064,6 +1064,9 @@
+
+
+
@@ -1394,6 +1397,9 @@
+
+
+
@@ -1629,6 +1635,13 @@
+
+
+
+
+
+
+
@@ -3465,6 +3478,13 @@
+
+
+
+
+
+
+
@@ -6922,6 +6942,11 @@ name = metadata.name
/classes/leftPrincipal
leftPrincipal
+
+
+ /classes/length
+ The length refers to the length of the given class, e.g. password length
+
/classes/length
@@ -7140,7 +7165,7 @@ name = metadata.name
/classes/rotationInterval
- Maximum password rotation interval in months
+ rotationInterval is given in days
diff --git a/ontology/v1/ontology.owx b/ontology/v1/ontology.owx
index 4d9406cb..edb9431b 100644
--- a/ontology/v1/ontology.owx
+++ b/ontology/v1/ontology.owx
@@ -14,4 +14,9 @@
https://ontology.cybersecuritycertcluster.eu/core
https://ontology.cybersecuritycertcluster.eu/resource
-
\ No newline at end of file
+
+
+
+
+
+
diff --git a/ontology/v1/ontology.proto b/ontology/v1/ontology.proto
index 41dd5156..a10d0a22 100644
--- a/ontology/v1/ontology.proto
+++ b/ontology/v1/ontology.proto
@@ -475,7 +475,8 @@ message CertificateBasedAuthentication {
bool context_is_checked = 14958;
bool enabled = 11983;
- // Maximum password rotation interval in months
+ int32 length = 974;
+ // rotationInterval is given in days
int32 rotation_interval = 9404;
}
@@ -2042,7 +2043,8 @@ message JwtAuthentication {
bool context_is_checked = 3538;
bool enabled = 3085;
bool enforced = 13206;
- // Maximum password rotation interval in months
+ int32 length = 9933;
+ // rotationInterval is given in days
int32 rotation_interval = 3257;
optional string token_id = 17648;
}
@@ -2547,6 +2549,7 @@ message MalwareProtection {
google.protobuf.Duration duration_since_active = 18754;
bool enabled = 18004;
int32 number_of_threats_found = 11973;
+ int32 scan_interval = 3356;
ApplicationLogging application_logging = 12380;
}
@@ -2643,7 +2646,8 @@ message MultiFactorAuthentiation {
option (resource_type_names) = "SecurityFeature";
bool context_is_checked = 17335;
- // Maximum password rotation interval in months
+ int32 length = 2084;
+ // rotationInterval is given in days
int32 rotation_interval = 11722;
repeated Authenticity authenticities = 14430;
}
@@ -2782,7 +2786,8 @@ message NoAuthentication {
option (resource_type_names) = "SecurityFeature";
bool context_is_checked = 12023;
- // Maximum password rotation interval in months
+ int32 length = 968;
+ // rotationInterval is given in days
int32 rotation_interval = 11214;
}
@@ -2809,7 +2814,8 @@ message OTPBasedAuthentication {
bool activated = 7456;
bool context_is_checked = 18913;
- // Maximum password rotation interval in months
+ int32 length = 6810;
+ // rotationInterval is given in days
int32 rotation_interval = 12621;
}
@@ -3013,7 +3019,8 @@ message PasswordBasedAuthentication {
bool activated = 11798;
bool context_is_checked = 1362;
- // Maximum password rotation interval in months
+ int32 length = 17797;
+ // rotationInterval is given in days
int32 rotation_interval = 9048;
}
@@ -3779,7 +3786,8 @@ message SingleSignOn {
bool context_is_checked = 14488;
bool enabled = 10569;
- // Maximum password rotation interval in months
+ int32 length = 7846;
+ // rotationInterval is given in days
int32 rotation_interval = 9185;
}
diff --git a/ontology/v1/resource/infrastructure.owx b/ontology/v1/resource/infrastructure.owx
index 43d41aa2..ab4942a7 100644
--- a/ontology/v1/resource/infrastructure.owx
+++ b/ontology/v1/resource/infrastructure.owx
@@ -1970,11 +1970,6 @@ name = metadata.name
cl:lastActivity
lastActivity
-
-
- cl:length
- length
-
cl:local