Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ This repository collects security metrics that can be used for continuous certif

The repository is structured as follows.
- api: this folder is still preliminary. The idea is to define the metric data format in a programmatic way, e.g., using a protobuf file
- catalogs: the catalogs folder holds files for different certification catalogs, benchmarks, etc. These files encode the requirements of the catalogs and map them to metrics. This way, continuous certification tools that apply the metrics can map assess the degree of compliance of a given catalog later.
- catalogs: the catalogs folder holds files for different certification catalogs, benchmarks, etc. These files encode the requirements of the catalogs and map them to metrics. This way, continuous certification tools that apply the metrics can map assess the degree of compliance of a given catalog later. Example files include `demo_catalog.json`, `cryptography_roles_catalog.json`, and `threat_vulnerability_management_catalog.json`.
- metrics: this folder holds the actual metrics. It is structured into domains first and each domain contains a number of metric folders. One of these metric folders in turn holds the following information.
- metric.yml: This file describes the metric data, e.g., a description and its target value (see the structure explanation below)
- metric.rego: This file encodes the metric data as a [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) file that can automatically be evaluated using the [OPA](https://www.openpolicyagent.org) engine.
Expand Down
36 changes: 36 additions & 0 deletions catalogs/threat_vulnerability_management_catalog.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
[
{
"id": "ThreatVulnerabilityManagementCatalog",
"name": "Threat & Vulnerability Management",
"description": "Catalog entries focused on malware protection policies and operational coverage.",
"metadata": {
"color": "#8E24AA"
},
"short_name": "TVM",
"assurance_levels": [
"baseline"
],
"all_in_scope": true,
"categories": [
{
"name": "Threat & Vulnerability Management",
"description": "Maintain effective malware protection controls for managed assets.",
"controls": [
{
"id": "TVM-02",
"name": "Malware Protection Policy and Procedures",
"description": "Establish, apply, and maintain malware protection policies and procedures for managed assets, reviewing them at least annually.",
"metrics": [
{
"id": "MalwareProtectionEnabled"
},
{
"id": "NumberOfThreatsFound"
}
]
}
]
}
]
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ id: MalwareProtectionEnabled
description: This rule assesses whether a [VirtualMachine] that offers the property [MalwareProtection], has [p1:enabled] configured correctly.
category: EndpointSecurity
version: "1.0"
comments: Resources like virtual machines may be protected by a malware protection solution, which should then be enabled.
comments: Resources like virtual machines may be protected by a malware protection solution, which should then be enabled; evidence collectors can source `malwareProtection.enabled` from agents such as Wazuh, Microsoft Defender for Endpoint, or other supported telemetry providers.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: True
targetValue: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# ====== Metadata ======
id: NumberOfThreatsFound
description: This rule evaluates whether a [VirtualMachine] reporting [MalwareProtection] exposes the property [p1:numberOfThreatsFound] indicating no malware detections.
category: EndpointSecurity
version: "1.0"
comments: Antimalware tooling should surface zero active detections on managed endpoints; evidence collectors can draw from `malwareProtection.numberOfThreatsFound` emitted by Wazuh, Microsoft Defender for Endpoint, or other supported telemetry sources.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: 0
4 changes: 4 additions & 0 deletions metrics/EndpointSecurity/NumberOfThreatsFound/data.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"operator": "==",
"target_value": 0
}
17 changes: 17 additions & 0 deletions metrics/EndpointSecurity/NumberOfThreatsFound/metric.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
package cch.metrics.number_of_threats_found

import data.cch.compare
import input.malwareProtection as mp

default applicable = false

default compliant = false

applicable if {
mp
}

compliant if {
detections := mp.numberOfThreatsFound
compare(data.operator, data.target_value, detections)
}
2 changes: 1 addition & 1 deletion ontology/1.0/ontology.proto
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ import "google/protobuf/descriptor.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option go_package = "confirmate.io/confirmate/v1/api/ontology";
option go_package = "confirmate.io/core/api/ontology";

extend google.protobuf.MessageOptions {
repeated string resource_type_names = 60000;
Expand Down
Loading