-
Notifications
You must be signed in to change notification settings - Fork 31
Expected Input
Severity must match the following criteria to be translated into an Impact:
- Must be a
Float
or aString
-
Float
must be between 0.0 and 1.0 -
String
much pass this RegEx
A generic mapping file (mapping.yml
) is generated with the generate_map
sub-command. This mapping will probably not work for any XLSX or CSV out of the box. The point of generate_map
is to just get some boilerplate out of the way. Below is the output from generate_map
with some comments explaining the fields:
# Skip the header of the file, typically the first row of the XLSX or CSV will have a header. Your CSV will not work if
# it has additional more than 1 row of header information.
skip_csv_header: true
width: 80
# The control identifier column. For example, a column containing STIG's V-#s would be the control.id
control.id: 1
control.title: 2
# The control description (desc).
control.desc: 5
# Contains a list of additional tags (i.e. metadata) that the control will be tagged with.
control.tags:
# In each case, the format is tag_name: column_containing_value
cis_controls: 11
check: 8
fix: 7
ref: 13
rationale: 6
The following is a list of top level keywords (i.e. control.<keyword>
) that are parsed and included in the output:
control.id
control.title
control.desc
-
control.ref
(XLSX only)
The following is a list of tag-level keywords (i.e. control.tags.<keyword
) that are parsed:
control.tags.rationale
control.tags.severity
-
control.tags.cis_controls
(XLSX only) -
control.tags.cci
(CSV only) control.tags.check
control.tags.fix
Besides the exceptions below, values within control.tags
can be anything as long as data is present at that row and column within the XLSX or CSV.
Mapping file special keywords for XLSX (These will be generated automatically; do not include these in the mapping):
-
control.tags.cis_level
: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format. -
control.tags.severity
: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format: If the control was found on sheet 1, it is a medium severity. If the control was found on sheet 2 it is a high severity. -
control.impact
: This number is based on the value ofcontrol.tags.severity
. -
control.tags.cis_rid
: This is based on the data in the user providedcontrol.id
column. -
control.tags.nist
: This is based on the data extracted from the user providedcontrol.tags.cis_controls
column and is generated based on a mapping of CIS to NIST -
control.tags.ref
is based off user providedcontrol.ref
and will copy the information into a tag.
Mapping file special keywords for CSV (These will be generated automatically; do not include these in the mapping):
-
control.tags.nist
: This is based off user providedcontrol.tags.cci
and generated using the CCI to NIST mapping. -
control.impact
: This is based off the value in the user providedcontrol.tags.severity
column.
Important notes about the mapping file:
- Your XLSX or CSV file will not convert if there are multiple header rows
- Your XLSX or CSV file will not convert if control information spans multiple rows within the file
- NIST tags (i.e. control.tags.nist) are derived from Common Control Indicator (CCI) numbers (i.e.
control.tags.cci
) or CIS Control numbers (i.e.control.tags.cis_controls
)