-
Notifications
You must be signed in to change notification settings - Fork 184
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
More touch-ups to rules model and examples (#1444)
* Updates to model and examples for #1364. * [WIP] Example SSP w/ rules for #1364. * Add missing assembly refs for rule-impl in c-i statement. * Add example meeting from 20220902 model meeting.
- Loading branch information
1 parent
6a134f0
commit a158725
Showing
3 changed files
with
144 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="46126f22-0bca-4a16-b6b1-8cb7e1915292"> | ||
<metadata> | ||
<title>Example System Security Plan with Rules and Tests</title> | ||
<last-modified>2022-08-23T00:00:00.000000001-04:00</last-modified> | ||
<version>0.0.1-alpha</version> | ||
<oscal-version>1.2.0</oscal-version> | ||
</metadata> | ||
<import-profile href="#9aa67a14-d18e-461f-8eee-d7b661703a9f"/> | ||
<system-characteristics> | ||
<system-id identifier-type="http://ietf.org/rfc/rfc4122">103e77a8-ab96-4767-9625-19940fefde5f</system-id> | ||
<system-name>Example System</system-name> | ||
<description> | ||
<p>This is an example system to demonstrate a system security plan with rules, tests, and relations to control implementation requirements as evidence.</p> | ||
</description> | ||
<date-authorized>2022-08-23</date-authorized> | ||
<security-sensitivity-level>fips-199-moderate</security-sensitivity-level> | ||
<system-information> | ||
<information-type> | ||
<title>Summary of System Development Information in Example System</title> | ||
<description> | ||
<p>This application contains system development data.</p> | ||
</description> | ||
<confidentiality-impact> | ||
<base>fips-199-low</base> | ||
<selected>fips-199-low</selected> | ||
</confidentiality-impact> | ||
<integrity-impact> | ||
<base>fips-199-low</base> | ||
<selected>fips-199-low</selected> | ||
</integrity-impact> | ||
<availability-impact> | ||
<base>fips-199-low</base> | ||
<selected>fips-199-low</selected> | ||
</availability-impact> | ||
</information-type> | ||
</system-information> | ||
<security-impact-level> | ||
<security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality> | ||
<security-objective-integrity>fips-199-moderate</security-objective-integrity> | ||
<security-objective-availability>fips-199-moderate</security-objective-availability> | ||
</security-impact-level> | ||
<status state="under-development"/> | ||
<authorization-boundary> | ||
<description> | ||
<p>There is no authorization boundary for the application.</p> | ||
</description> | ||
<remarks> | ||
<p>This is a notional example that will be permenantely in a development state. No authorization boundary will be defined.</p> | ||
</remarks> | ||
</authorization-boundary> | ||
</system-characteristics> | ||
<system-implementation> | ||
<user uuid="a2276e8d-f8f1-43c3-9e5a-4165ba37476e"> | ||
<authorized-privilege> | ||
<title>System Developer Privilege</title> | ||
<function-performed>add functionality</function-performed> | ||
<function-performed>modify functionality</function-performed> | ||
<function-performed>maintain deploy system in environment</function-performed> | ||
</authorized-privilege> | ||
</user> | ||
<rule uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b"> | ||
<title>Monitoring System Logging for Indicators of Compromise Commands in Privileged Contacts</title> | ||
<description> | ||
<p>When threat actors want to confirm they have successfully performed privilege escalation, they will want to confirm they have elevated system privileges.</p> | ||
<p>Responsible staff for a given role must monitor systems logs in a centralized logging system to confirm organizationally-recommended commands have not been run in a privileged context.</p> | ||
<ul> | ||
<li>whoami</li> | ||
<li>id</li> | ||
<li>groups</li> | ||
<li>env</li> | ||
</ul> | ||
</description> | ||
<prop name="ioc-command" class="query-parameter" value="whoami"/> | ||
<prop name="ioc-command" class="query-parameter" value="id"/> | ||
<prop name="ioc-command" class="query-parameter" value="groups"/> | ||
<prop name="ioc-command" class="query-parameter" value="env"/> | ||
</rule> | ||
<test uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539"> | ||
<description> | ||
<p>This test documents which Splunk commands you will run to look for commands associated with indicators of compromise.</p> | ||
</description> | ||
<remarks> | ||
<p>The internal structure of structuring and passing parameters of the query is yet to be determined.</p> | ||
</remarks> | ||
</test> | ||
<testing-scenario uuid="886adeea-8cb9-4a78-9ab6-b3562cbc9e9f" rule-uuid="0d0b4ba7-02ff-4c2c-8a32-19790fb5c12b"> | ||
<test-reference test-uuid="a3ec79e6-ab61-4dd7-94d5-fd99d7e9b539" /> | ||
</testing-scenario> | ||
<component uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" type="this-system"> | ||
<title>Example System Core Component</title> | ||
<description> | ||
<p>This component documents Example System, an information system under development that makes use of automated system evaluation with rules.</p> | ||
</description> | ||
<status state="under-development"/> | ||
<responsible-role role-id="system-engineer"/> | ||
<remarks> | ||
<p>This is an example system to demonstrate the use of rules for auditing requirements.</p> | ||
</remarks> | ||
</component> | ||
</system-implementation> | ||
<control-implementation> | ||
<description> | ||
<p>Example System follows the Risk Management Framework as defined in SP 800-37 and 800-53 for risk management, privacy, and security guidance.</p> | ||
</description> | ||
<implemented-requirement uuid="2060f510-e178-40ce-8e61-8cd1ec16c348" control-id="au-6.8"> | ||
<by-component component-uuid="2d885d41-7356-4ebd-bd16-a33eef3cc9d5" uuid="1bbea228-c161-410f-a70e-3e287b38460c"> | ||
<description> | ||
<p>This describes how Example System requires system operators to perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.</p> | ||
</description> | ||
<implementation-status state="implemented"/> | ||
|
||
</by-component> | ||
</implemented-requirement> | ||
</control-implementation> | ||
<back-matter> | ||
<resource uuid="9aa67a14-d18e-461f-8eee-d7b661703a9f"> | ||
<rlink href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml"/> | ||
</resource> | ||
</back-matter> | ||
</system-security-plan> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters