diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..da96a162 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +ontology/1.0/catalog-v001.xml merge=ours \ No newline at end of file diff --git a/.github/workflows/ontology.yaml b/.github/workflows/ontology.yaml index c65339fb..f69ff747 100644 --- a/.github/workflows/ontology.yaml +++ b/.github/workflows/ontology.yaml @@ -50,6 +50,11 @@ jobs: --output-path=ontology/v1/ontology.proto \ --full-semantic-mode=false \ --deterministic-field-numbers=true + - name: Upload generated proto as artifact + uses: actions/upload-artifact@v4 + with: + name: ontology-proto + path: ontology/v1/ontology.proto - name: Validate proto file run: | mkdir -p buf/validate diff --git a/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml b/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml index 6399c50d..65c57e70 100644 --- a/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml +++ b/metrics/EndpointSecurity/AutomaticUpdatesInterval/AutomaticUpdatesInterval.yaml @@ -8,4 +8,4 @@ comments: Resources like virtual machines often offer a simple configuration tha configuration: p1: operator: "<=" - targetValue: 720 # defined in hours \ No newline at end of file + targetValue: 720 # defined in hours, which are 30 days diff --git a/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml b/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml new file mode 100644 index 00000000..9e601aec --- /dev/null +++ b/metrics/IdentityManagement/PasswordLength/PasswordLength.yaml @@ -0,0 +1,16 @@ +# ====== Metadata ====== +id: PasswordLength +category: IdentityManagement +description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Authenticity.PasswordBasedAuthentication], has [p1:length] set correctly. +implementationGuidelines: + AMOE: + question: "How long should passwords be?" + keywords: + - "password" +version: "1.0" +comments: This metric evaluates the length of passwords. It ensures that the length is set to a sensible minimum value of characters. +# ====== Configuration ====== +configuration: + p1: + operator: ">=" + targetValue: 8 # defined in characters diff --git a/metrics/IdentityManagement/PasswordLength/data.json b/metrics/IdentityManagement/PasswordLength/data.json new file mode 100644 index 00000000..d5b52683 --- /dev/null +++ b/metrics/IdentityManagement/PasswordLength/data.json @@ -0,0 +1,4 @@ +{ + "operator": ">=", + "target_value": 8 +} \ No newline at end of file diff --git a/metrics/IdentityManagement/PasswordLength/metric.rego b/metrics/IdentityManagement/PasswordLength/metric.rego new file mode 100644 index 00000000..b2d164f3 --- /dev/null +++ b/metrics/IdentityManagement/PasswordLength/metric.rego @@ -0,0 +1,19 @@ +package cch.metrics.password_length + +import data.cch.compare +import rego.v1 + +default applicable := false + +default compliant := false + +pwd := input.passwordBasedAuthentication + +applicable if { + pwd +} + +compliant if { + # length is in characters + compare(data.operator, data.target_value, pwd.length) +} \ No newline at end of file diff --git a/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml b/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml new file mode 100644 index 00000000..fab962bc --- /dev/null +++ b/metrics/IdentityManagement/PasswordRotationInterval/PasswordRotationInterval.yaml @@ -0,0 +1,16 @@ +# ====== Metadata ====== +id: PasswordRotationInterval +category: IdentityManagement +description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Authenticity.PasswordBasedAuthentication], has [p1:rotationInterval] set correctly. +implementationGuidelines: + AMOE: + question: "What is the passwords rotation frequency?" + keywords: + - "password" +version: "1.0" +comments: This metric evaluates the rotation interval of passwords. It ensures that the interval is set to a sensible maximum value. +# ====== Configuration ====== +configuration: + p1: + operator: "<=" + targetValue: 120 # defined in days diff --git a/metrics/IdentityManagement/PasswordRotationInterval/data.json b/metrics/IdentityManagement/PasswordRotationInterval/data.json new file mode 100644 index 00000000..d6939e2d --- /dev/null +++ b/metrics/IdentityManagement/PasswordRotationInterval/data.json @@ -0,0 +1,4 @@ +{ + "operator": "<=", + "target_value": 120 +} \ No newline at end of file diff --git a/metrics/IdentityManagement/PasswordRotationInterval/metric.rego b/metrics/IdentityManagement/PasswordRotationInterval/metric.rego new file mode 100644 index 00000000..2b686446 --- /dev/null +++ b/metrics/IdentityManagement/PasswordRotationInterval/metric.rego @@ -0,0 +1,19 @@ +package cch.metrics.password_rotation_interval + +import data.cch.compare +import rego.v1 + +default applicable := false + +default compliant := false + +pwd := input.passwordBasedAuthentication + +applicable if { + pwd +} + +compliant if { + # rotationInterval is in days + compare(data.operator, data.target_value, pwd.rotationInterval) +} \ No newline at end of file diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml b/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml new file mode 100644 index 00000000..944bf568 --- /dev/null +++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/AntimalwareScanFrequency.yaml @@ -0,0 +1,18 @@ +# ====== Metadata ====== +id: AntimalwareScanFrequency +category: LoggingMonitoring +description: This rule assesses whether a [Resource] that offers the property [SecurityFeature.Auditing.MalwareProtection], has [p1:scan_interval] set correctly. +implementationGuidelines: + AMOE: + question: "How frequent are antimalware scans done?" + keywords: + - "antimalware" + - "malware" + - "scan" +version: "1.0" +comments: "This metric evaluates the frequency of Antimalware scans. It ensures that the interval is set to a sensible maximum value." +# ====== Configuration ====== +configuration: + p1: + operator: "<=" + targetValue: 10 # in days? (TODO) diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json b/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json new file mode 100644 index 00000000..c7b8d071 --- /dev/null +++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/data.json @@ -0,0 +1,4 @@ +{ + "operator": "<=", + "target_value": 10 +} \ No newline at end of file diff --git a/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego b/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego new file mode 100644 index 00000000..9f992885 --- /dev/null +++ b/metrics/LoggingMonitoring/AntimalwareScanFrequency/metric.rego @@ -0,0 +1,19 @@ +package cch.metrics.antimalware_scan_frequency + +import data.cch.compare +import rego.v1 + +default applicable = false + +default compliant = false + +mp := input.malwareProtection + +applicable if { + mp +} + +compliant if { + # scan_interval is in days + compare(data.operator, data.target_value, mp.scanInterval) +} diff --git a/ontology/v1/catalog-v001.xml b/ontology/v1/catalog-v001.xml index f42dbb4e..1ae1499b 100644 --- a/ontology/v1/catalog-v001.xml +++ b/ontology/v1/catalog-v001.xml @@ -1,22 +1,22 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + diff --git a/ontology/v1/core/framework.owx b/ontology/v1/core/framework.owx index 2e0e7245..7da3fc08 100644 --- a/ontology/v1/core/framework.owx +++ b/ontology/v1/core/framework.owx @@ -348,11 +348,6 @@ core:lastActivity lastActivity - - - core:length - length - core:local diff --git a/ontology/v1/core/functionality.owx b/ontology/v1/core/functionality.owx index 98e67725..1e999de9 100644 --- a/ontology/v1/core/functionality.owx +++ b/ontology/v1/core/functionality.owx @@ -2620,11 +2620,6 @@ core:lastActivity lastActivity - - - core:length - length - core:local diff --git a/ontology/v1/core/properties.owx b/ontology/v1/core/properties.owx index d4814e78..99a360fa 100644 --- a/ontology/v1/core/properties.owx +++ b/ontology/v1/core/properties.owx @@ -639,6 +639,11 @@ res:lastActivity lastActivity + + + res:length + The length refers to the length of the given class, e.g. password length + res:length diff --git a/ontology/v1/core/security.owx b/ontology/v1/core/security.owx index 472977e9..fcdb63ea 100644 --- a/ontology/v1/core/security.owx +++ b/ontology/v1/core/security.owx @@ -235,6 +235,9 @@ + + + @@ -274,6 +277,18 @@ + + + + + + + + + + + + @@ -406,6 +421,13 @@ + + + + + + + @@ -740,6 +762,13 @@ + + + + + + + @@ -1479,11 +1508,6 @@ core:lastActivity lastActivity - - - core:length - length - core:local @@ -1642,7 +1666,17 @@ core:rotationInterval - Maximum password rotation interval in months + rotationInterval is given in days + + + + core:rotationInterval + rotationInterval + + + + core:rotationInterval + rotationInterval diff --git a/ontology/v1/ontology-merged.owx b/ontology/v1/ontology-merged.owx index c22d9f09..7af30dcb 100644 --- a/ontology/v1/ontology-merged.owx +++ b/ontology/v1/ontology-merged.owx @@ -1064,6 +1064,9 @@ + + + @@ -1394,6 +1397,9 @@ + + + @@ -1629,6 +1635,13 @@ + + + + + + + @@ -3465,6 +3478,13 @@ + + + + + + + @@ -6922,6 +6942,11 @@ name = metadata.name /classes/leftPrincipal leftPrincipal + + + /classes/length + The length refers to the length of the given class, e.g. password length + /classes/length @@ -7140,7 +7165,7 @@ name = metadata.name /classes/rotationInterval - Maximum password rotation interval in months + rotationInterval is given in days diff --git a/ontology/v1/ontology.owx b/ontology/v1/ontology.owx index 4d9406cb..edb9431b 100644 --- a/ontology/v1/ontology.owx +++ b/ontology/v1/ontology.owx @@ -14,4 +14,9 @@ https://ontology.cybersecuritycertcluster.eu/core https://ontology.cybersecuritycertcluster.eu/resource - \ No newline at end of file + + + + + + diff --git a/ontology/v1/ontology.proto b/ontology/v1/ontology.proto index 41dd5156..a10d0a22 100644 --- a/ontology/v1/ontology.proto +++ b/ontology/v1/ontology.proto @@ -475,7 +475,8 @@ message CertificateBasedAuthentication { bool context_is_checked = 14958; bool enabled = 11983; - // Maximum password rotation interval in months + int32 length = 974; + // rotationInterval is given in days int32 rotation_interval = 9404; } @@ -2042,7 +2043,8 @@ message JwtAuthentication { bool context_is_checked = 3538; bool enabled = 3085; bool enforced = 13206; - // Maximum password rotation interval in months + int32 length = 9933; + // rotationInterval is given in days int32 rotation_interval = 3257; optional string token_id = 17648; } @@ -2547,6 +2549,7 @@ message MalwareProtection { google.protobuf.Duration duration_since_active = 18754; bool enabled = 18004; int32 number_of_threats_found = 11973; + int32 scan_interval = 3356; ApplicationLogging application_logging = 12380; } @@ -2643,7 +2646,8 @@ message MultiFactorAuthentiation { option (resource_type_names) = "SecurityFeature"; bool context_is_checked = 17335; - // Maximum password rotation interval in months + int32 length = 2084; + // rotationInterval is given in days int32 rotation_interval = 11722; repeated Authenticity authenticities = 14430; } @@ -2782,7 +2786,8 @@ message NoAuthentication { option (resource_type_names) = "SecurityFeature"; bool context_is_checked = 12023; - // Maximum password rotation interval in months + int32 length = 968; + // rotationInterval is given in days int32 rotation_interval = 11214; } @@ -2809,7 +2814,8 @@ message OTPBasedAuthentication { bool activated = 7456; bool context_is_checked = 18913; - // Maximum password rotation interval in months + int32 length = 6810; + // rotationInterval is given in days int32 rotation_interval = 12621; } @@ -3013,7 +3019,8 @@ message PasswordBasedAuthentication { bool activated = 11798; bool context_is_checked = 1362; - // Maximum password rotation interval in months + int32 length = 17797; + // rotationInterval is given in days int32 rotation_interval = 9048; } @@ -3779,7 +3786,8 @@ message SingleSignOn { bool context_is_checked = 14488; bool enabled = 10569; - // Maximum password rotation interval in months + int32 length = 7846; + // rotationInterval is given in days int32 rotation_interval = 9185; } diff --git a/ontology/v1/resource/infrastructure.owx b/ontology/v1/resource/infrastructure.owx index 43d41aa2..ab4942a7 100644 --- a/ontology/v1/resource/infrastructure.owx +++ b/ontology/v1/resource/infrastructure.owx @@ -1970,11 +1970,6 @@ name = metadata.name cl:lastActivity lastActivity - - - cl:length - length - cl:local