Support new compliance groups HIPAA and NIST 800 53

[crd1985]

This issue is related to:

• Modify API to get HIPAA and NIST 800 53 rule groups wazuh-api#386

App must consider new groups that are being added to the ruleset:

• hipaa
• nist-800-53

Furthermore, Elastic templates should be reviewed to fit the new format.

[jesusgn90]

Proposal

• Two new dashboards for both HIPAA and NIST-800-53 as well, under Regulatory Compliance
  • Overview, Agents
• Review known fields for index pattern
• Review Elasticsearch template

[juankaromo]

Update

Today I have been researching what these two new regulations that we have to support are and what they are intended for.

I have added these two new regulations as extensions:

And I have added them to the Overview general in the Regulatory Compliance panel:

Since at the moment we do not have the API calls to obtain the requirements, I have fake the answer to check that the requirements selector works:

        const response = {
          "body": {
            "error": 0,
            "data": {
              "items": [
                "AU.3",
                "IA.10"
              ],
              "totalItems": 2
            }
          }
        }

And at the moment it looks like this

[juankaromo]

Update

Today I added support for these two new regulations in the agents overview. I have created fake alerts to index data on Elasticsearch and see visualizations on dashboards:

{"timestamp":"2019-05-29T10:48:25.8+0000","rule":{"level":3,"description":"Test Alert HIPAA","id":"9999","firedtimes":1,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"]},"agent":{"id":"001","name":"master"},"manager":{"name":"master"},"id":"1557820890.267954","cluster":{"name":"wazuh","node":"node01"},"full_log":"May 29 07:21:24 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su","predecoder":{"program_name":"sudo","timestamp":"May 29 07:21:24","hostname":"localhost"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"vagrant","dstuser":"root","tty":"pts/1","pwd":"/home/vagrant","command":"/bin/su"},"location":"/var/log/secure"}

On the other hand, I've added the possibility of filtering by these regulations in the management > rules search filter bar:

At the moment this issue is blocked until the API requirements calls are available, and the rules add these new fields to the alerts. In that moment we will change the fake data for the real implementations.

[juankaromo]

Update

Today I have tested the new endpoints GET /rules/nist-800-53 and GET /rules/hipaa with the new filters available for GET /rules

[juankaromo]

Update

The endpoints of get call to obtain requirements have been implemented by the API team and now we are able to show this 'real' requirements with their descriptions.

On the other hand, in the 3.10 branch alerts have been generated so we are showing real data in the dashboard's visualizations.