97a7844
Add Resource Inventory
anatheka Feb 7, 2025
732139c
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jun 24, 2025
c41647d
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jul 4, 2025
c737141
Merge branch 'main' into 27-add-inventory-metrics
immqu Jan 2, 2026
6bb2f9d
add inventory to ontology, add automatic discovery metric
immqu Jan 2, 2026
932005f
Add merged ontology file [skip ci]
github-actions[bot] Jan 2, 2026
826812c
Add generated proto file [skip ci]
github-actions[bot] Jan 2, 2026
8823d42
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jan 8, 2026
7d0cd86
Merge main
anatheka Jan 27, 2026
42f6904
Add merged ontology file [skip ci]
github-actions[bot] Jan 27, 2026
853ec9b
Add generated proto file [skip ci]
github-actions[bot] Jan 27, 2026
82a9711
Clean up metrics
anatheka Jan 27, 2026
5e7ba5d
Merge branch '27-add-inventory-metrics' of github.com:Cybersecurity-C…
anatheka Jan 27, 2026
28c7f37
Clean up metric.rego files
anatheka Jan 27, 2026
90ace5b
Revert infrastructure.owx
anatheka Jan 27, 2026
fab73fa
Add merged ontology file [skip ci]
github-actions[bot] Jan 27, 2026
8755ec6
Add generated proto file [skip ci]
github-actions[bot] Jan 27, 2026
5d187e7
Add ontology object ResourceInventoryService
anatheka Jan 27, 2026
7f92021
Merge branch '27-add-inventory-metrics' of github.com:Cybersecurity-C…
anatheka Jan 27, 2026
a3182b7
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jan 27, 2026
369ff79
Add merged ontology file [skip ci]
github-actions[bot] Jan 27, 2026
b8581a3
Add generated proto file [skip ci]
github-actions[bot] Jan 27, 2026
62de026
Fix labels
anatheka Jan 27, 2026
10515eb
Fix file extension
anatheka Jan 27, 2026
261df0c
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jan 28, 2026
8b7b9f5
Merge branch 'main' into 27-add-inventory-metrics
anatheka Jan 30, 2026
b830a26
Auto-update merged ontology and proto files [skip ci]
github-actions[bot] Jan 30, 2026
028f786
Add yaml files
anatheka Jan 30, 2026
48e7103
Merge branch '27-add-inventory-metrics' of github.com:Cybersecurity-C…
anatheka Jan 30, 2026
c214ca8
Fix yaml files
anatheka Jan 30, 2026
@@ -0,0 +1,12 @@
# ====== Metadata ======
id: 26F206B2-EF01-4183-A431-F17ED951A75E
name: ResourceInventoryAutomaticDiscoveryEnabled
description: This rule evaluates whether an [ResourceInventoryService] is [p1:automaticDiscoveryEnabled].
category: Inventory
version: "v1"
comments: An asset inventory is a tool to manage resources and their lifecycles, an is essential for maintaining security and compliance. This rule checks if automatic discovery is enabled for the asset inventory.
# ====== Configuration ======
configuration:
p1:
operator: ==
targetValue: true
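Review bot: The `description` and `comments` strings carry two typos that will surface wherever the metric catalogue is rendered: `an [ResourceInventoryService]` should read `a [ResourceInventoryService]`, and `lifecycles, an is essential` should read `lifecycles, and is essential`. The ResourceInventoryEnabled metric definition later on this page already has both spelled correctly, so aligning the two keeps the rule texts consistent. The file path for this section is not shown on the page; the note refers to the metric with id `26F206B2-EF01-4183-A431-F17ED951A75E`.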
@@ -0,0 +1,4 @@
{
"operator" : "==",
"target_value" : true
}
@@ -0,0 +1,18 @@
package cch.metrics.resource_inventory_automatic_discovery_enabled

import data.cch.compare
import rego.v1

default applicable = false

default compliant = false

enabled := input.resourceInventoryService.automaticDiscoveryEnabled

applicable if {
input.type[_] == "ResourceInventoryService"
}

compliant if {
compare(data.operator, data.target_value, enabled)
}
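Review bot: `compliant` here depends only on `automaticDiscoveryEnabled`, so an inventory service reported with `enabled` false but the discovery flag still set would be rated compliant by this metric. If that combination can occur in collected evidence, consider also requiring `input.resourceInventoryService.enabled == true` in the `compliant` body, or state in the metric's comments that it must be read together with ResourceInventoryEnabled. The helper rule is also named `enabled` although it holds the discovery flag; `automatic_discovery_enabled := input.resourceInventoryService.automaticDiscoveryEnabled` would avoid confusion with the sibling metric.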
@@ -0,0 +1,12 @@
# ====== Metadata ======
id: F4A20D3F-AA5B-4FC2-B96D-9498AB8FB754
name: ResourceInventoryEnabled
description: This rule evaluates whether a [ResourceInventoryService] is [p1:enabled].
category: Inventory
version: "v1"
comments: An asset inventory is a tool to manage resources and their lifecycles, and is essential for maintaining security and compliance. This rule checks whether a resource inventory is enabled, but does not require that it be maintained through automatic discovery.
# ====== Configuration ======
configuration:
p1:
operator: ==
targetValue: true
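--- a/metrics/Inventory/ResourceInventoryEnabled/data.json
+++ b/metrics/Inventory/ResourceInventoryEnabled/data.json
@@ -0,0 +1,4 @@
+{
+"operator" : "==",
+"target_value" : true
+}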
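--- a/metrics/Inventory/ResourceInventoryEnabled/metric.rego
+++ b/metrics/Inventory/ResourceInventoryEnabled/metric.rego
@@ -0,0 +1,18 @@
+package cch.metrics.resource_inventory_enabled
+
+import data.cch.compare
+import rego.v1
+
+default applicable = false
+
+default compliant = false
+
+enabled := input.resourceInventoryService.enabled
+
+applicable if {
+input.type[_] == "ResourceInventoryService"
+}
+
+compliant if {
+compare(data.operator, data.target_value, enabled)
+}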
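Review bot: Nothing in the file says what happens when `input.resourceInventoryService.enabled` is absent from the evidence: `enabled` is then undefined, the `compliant` body is undefined as well, and the rule falls back to its default `false`. That fail-closed result is reasonable for a target of `true`, but it is implicit; a comment above the rule such as `# undefined when the field is missing, so compliant stays false` would make it deliberate. Whether the collector omits false booleans cannot be seen on this page. The automatic-discovery metric earlier on this page has the same shape.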
24 changes: 24 additions & 0 deletions ontology/v1/ontology-merged.owx
@@ -650,6 +650,9 @@
<Declaration>
<Class IRI="/classes/ResourceGroup"/>
</Declaration>
<Declaration>
<Class IRI="/classes/ResourceInventoryService"/>
</Declaration>
<Declaration>
<Class IRI="/classes/ResourceLogging"/>
</Declaration>
@@ -1415,6 +1418,9 @@
<Declaration>
<DataProperty IRI="/classes/errorCorrectionEnabled"/>
</Declaration>
<Declaration>
<DataProperty IRI="/properties/automaticDiscoveryEnabled"/>
</Declaration>
<Declaration>
<DataProperty IRI="/classes/evasionEfficacyLevel"/>
</Declaration>
@@ -4128,6 +4134,24 @@
<Class IRI="/classes/ResourceGroup"/>
<Class IRI="/classes/CloudResource"/>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/ResourceInventoryService"/>
<Class IRI="/classes/NetworkService"/>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/ResourceInventoryService"/>
<DataSomeValuesFrom>
<DataProperty IRI="/properties/automaticDiscoveryEnabled"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/ResourceInventoryService"/>
<DataSomeValuesFrom>
<DataProperty IRI="/properties/enabled"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class IRI="/classes/ResourceLogging"/>
<Class IRI="/classes/Logging"/>
35 changes: 35 additions & 0 deletions ontology/v1/ontology.proto
@@ -557,6 +557,7 @@ message Infrastructure {
LoadBalancer load_balancer = 4201;
LoggingService logging_service = 14131;
MachineLearningService machine_learning_service = 16966;
ResourceInventoryService resource_inventory_service = 3821;
SecurityAdvisoryService security_advisory_service = 173;
DocumentDatabaseService document_database_service = 17950;
KeyValueDatabaseService key_value_database_service = 1004;
@@ -2742,6 +2743,7 @@ message NetworkService {
LoadBalancer load_balancer = 4201;
LoggingService logging_service = 14131;
MachineLearningService machine_learning_service = 16966;
ResourceInventoryService resource_inventory_service = 3821;
SecurityAdvisoryService security_advisory_service = 173;
DocumentDatabaseService document_database_service = 17950;
KeyValueDatabaseService key_value_database_service = 1004;
@@ -2763,6 +2765,7 @@ message Networking {
LoadBalancer load_balancer = 4201;
LoggingService logging_service = 14131;
MachineLearningService machine_learning_service = 16966;
ResourceInventoryService resource_inventory_service = 3821;
SecurityAdvisoryService security_advisory_service = 173;
DocumentDatabaseService document_database_service = 17950;
KeyValueDatabaseService key_value_database_service = 1004;
@@ -3434,6 +3437,7 @@ message Resource {
LoadBalancer load_balancer = 4201;
LoggingService logging_service = 14131;
MachineLearningService machine_learning_service = 16966;
ResourceInventoryService resource_inventory_service = 3821;
SecurityAdvisoryService security_advisory_service = 173;
DocumentDatabaseService document_database_service = 17950;
KeyValueDatabaseService key_value_database_service = 1004;
@@ -3505,6 +3509,37 @@ message ResourceGroup {
UsageStatistics usage_statistics = 16846;
}

// ResourceInventoryService is an entity class in our ontology. It can be instantiated and contains all of its properties as well of its implemented interfaces.
message ResourceInventoryService {
option (resource_type_names) = "ResourceInventoryService";
option (resource_type_names) = "NetworkService";
option (resource_type_names) = "Networking";
option (resource_type_names) = "Infrastructure";
option (resource_type_names) = "Resource";

bool automatic_discovery_enabled = 12229;
google.protobuf.Timestamp creation_time = 920;
string description = 12086;
bool enabled = 9833;
string id = 9382 [ (buf.validate.field).required = true ];
bool internet_accessible_endpoint = 14221;
repeated string ips = 3324;
map<string, string> labels = 10962;
string name = 4569 [ (buf.validate.field).required = true ];
repeated uint32 ports = 5032;
// The raw field contains the raw information that is used to fill in the fields of the ontology.
string raw = 13845;
Authenticity authenticity = 8309;
repeated string compute_ids = 5467;
GeoLocation geo_location = 16565;
repeated Logging loggings = 6688;
repeated Redundancy redundancies = 14267;
optional string parent_id = 860;
optional string service_metadata_document_id = 14719;
TransportEncryption transport_encryption = 11296;
UsageStatistics usage_statistics = 10584;
}

// ResourceLogging is an entity class in our ontology. It can be instantiated and contains all of its properties as well of its implemented interfaces.
message ResourceLogging {
option (resource_type_names) = "ResourceLogging";
21 changes: 21 additions & 0 deletions ontology/v1/resource/infrastructure.owx
@@ -152,6 +152,9 @@
<Declaration>
<Class abbreviatedIRI="cl:ResourceGroup"/>
</Declaration>
<Declaration>
<Class abbreviatedIRI="cl:ResourceInventoryService"/>
</Declaration>
<Declaration>
<Class abbreviatedIRI="cl:RoleAssignment"/>
</Declaration>
@@ -613,6 +616,24 @@
<Class abbreviatedIRI="cl:GenericNetworkService"/>
<Class abbreviatedIRI="cl:NetworkService"/>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="cl:ResourceInventoryService"/>
<Class abbreviatedIRI="cl:NetworkService"/>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="cl:ResourceInventoryService"/>
<DataSomeValuesFrom>
<DataProperty abbreviatedIRI="prop:enabled"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="cl:ResourceInventoryService"/>
<DataSomeValuesFrom>
<DataProperty abbreviatedIRI="prop:automaticDiscoveryEnabled"/>
<Datatype abbreviatedIRI="xsd:boolean"/>
</DataSomeValuesFrom>
</SubClassOf>
<SubClassOf>
<Class abbreviatedIRI="cl:Identifiable"/>
<Class abbreviatedIRI="cl:CloudResource"/>
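Review bot: The new class arrives without any descriptive annotation in the visible hunks, and the generated ontology.proto accordingly carries only the generic "entity class" comment for `ResourceInventoryService`. An `rdfs:comment` annotation on `cl:ResourceInventoryService` and on `prop:automaticDiscoveryEnabled` would document what distinguishes `enabled` from `automaticDiscoveryEnabled` for people mapping cloud inventory services onto the ontology. This assumes annotations are carried into the generated files, which this page does not show.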