Map rules to NIST 800-53 standard #394

Closed
3 tasks done
crd1985 opened this issue May 13, 2019 · 5 comments


crd1985 commented May 13, 2019

This issue is similar to #392.

Taking advantage of current PCI DSS mapping and NIST 800-53 equivalences, we can map the current ruleset to NIST 800-53 Security Control Catalog, according to the following table:

| PCI DSS 3.0 | NIST 800-53 |
|---|---|
| 2.4 | CA-7: Continuous Monitoring<br>CM-8: Information System Component Inventory<br>IA-3: Device Identification and Authentication<br>SA-4: Acquisition Process<br>SC-17: Public Key Infrastructure Certificates<br>SI-4: Information System Monitoring<br>PM-5: Information System Inventory |
| 2.4 | CA-7: Continuous Monitoring<br>CM-2: Baseline Configuration<br>CM-8: Information System Component Inventory<br>CM-10: Software Usage Restrictions<br>CM-11: User-Installed Software<br>SA-4: Acquisition Process<br>SC-18: Mobile Code<br>SC-34: Non-Modifiable Executable Programs<br>SI-4: Information System Monitoring<br>PM-5: Information System Inventory |
| 6.1<br>6.2<br>11.2 | CA-2: Security Assessments<br>CA-7: Continuous Monitoring<br>RA-5: Vulnerability Scanning<br>SC-34: Non-Modifiable Executable Programs<br>SI-4: Information System Monitoring<br>SI-7: Software, Firmware, and Information Integrity |
| 2.1<br>7.1 - 7.3<br>8.1 - 8.3<br>8.7 | AC-2: Account Management<br>AC-6: Least Privilege<br>AC-17: Remote Access<br>AC-19: Access Control for Mobile Devices<br>CA-7: Continuous Monitoring<br>IA-2: Identification and Authentication (Organizational Users)<br>IA-4: Identifier Management<br>IA-5: Authenticator Management<br>SI-4: Information System Monitoring |
| 2.2<br>2.3<br>6.2<br>11.5 | CA-7: Continuous Monitoring<br>CM-2: Baseline Configuration<br>CM-3: Configuration Change Control<br>CM-5: Access Restrictions for Change<br>CM-6: Configuration Settings<br>CM-7: Least Functionality<br>CM-8: Information System Component Inventory<br>CM-9: Configuration Management Plan<br>CM-11: User-Installed Software<br>MA-4: Nonlocal Maintenance<br>RA-5: Vulnerability Scanning<br>SA-4: Acquisition Process<br>SC-15: Collaborative Computing Devices<br>SC-34: Non-Modifiable Executable Programs<br>SI-2: Flaw Remediation<br>SI-4: Information System Monitoring |
| 10.1 - 10.9 | AC-23: Data Mining Protection<br>AU-2: Audit Events<br>AU-3: Content of Audit Records<br>AU-4: Audit Storage Capacity<br>AU-5: Response to Audit Processing Failures<br>AU-6: Audit Review, Analysis, and Reporting<br>AU-7: Audit Reduction and Report Generation<br>AU-8: Time Stamps<br>AU-9: Protection of Audit Information<br>AU-10: Non-repudiation<br>AU-11: Audit Record Retention<br>AU-12: Audit Generation<br>AU-13: Monitoring for Information Disclosure<br>AU-14: Session Audit<br>CA-7: Continuous Monitoring<br>IA-10: Adaptive Identification and Authentication<br>SI-4: Information System Monitoring |
| 2.2<br>2.3<br>6.2<br>11.5 | CA-7: Continuous Monitoring<br>CM-2: Baseline Configuration<br>CM-3: Configuration Change Control<br>CM-5: Access Restrictions for Change<br>CM-6: Configuration Settings<br>CM-7: Least Functionality<br>CM-8: Information System Component Inventory<br>CM-9: Configuration Management Plan<br>CM-11: User-Installed Software<br>MA-4: Nonlocal Maintenance<br>RA-5: Vulnerability Scanning<br>SA-4: Acquisition Process<br>SC-15: Collaborative Computing Devices<br>SC-34: Non-Modifiable Executable Programs<br>SI-2: Flaw Remediation<br>SI-4: Information System Monitoring |
| 5.1 - 5.4 | CA-7: Continuous Monitoring<br>SC-39: Process Isolation<br>SC-44: Detonation Chambers<br>SI-3: Malicious Code Protection<br>SI-4: Information System Monitoring<br>SI-8: Spam Protection |
| 1.4 | AC-4: Information Flow Enforcement<br>CA-7: Continuous Monitoring<br>CA-9: Internal System Connections<br>CM-2: Baseline Configuration<br>CM-6: Configuration Settings<br>CM-8: Information System Component Inventory<br>SC-20: Secure Name/Address Resolution Service (Authoritative Source)<br>SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)<br>SC-22: Architecture and Provisioning for Name/Address Resolution Service<br>SC-41: Port and I/O Device Access<br>SI-4: Information System Monitoring |
| 4.3<br>9.5 - 9.7 | CP-9: Information System Backup<br>CP-10: Information System Recovery and Reconstitution<br>MP-4: Media Storage |
| 1.1 - 1.2<br>2.2<br>6.2 | AC-4: Information Flow Enforcement<br>CA-3: System Interconnections<br>CA-7: Continuous Monitoring<br>CA-9: Internal System Connections<br>CM-2: Baseline Configuration<br>CM-3: Configuration Change Control<br>CM-5: Access Restrictions for Change<br>CM-6: Configuration Settings<br>CM-8: Information System Component Inventory<br>MA-4: Nonlocal Maintenance<br>SC-24: Fail in Known State<br>SI-4: Information System Monitoring |
| 1.1 - 1.3<br>8.3<br>10.9<br>11.4 | AC-4: Information Flow Enforcement<br>AC-17: Remote Access<br>AC-20: Use of External Information Systems<br>CA-3: System Interconnections<br>CA-7: Continuous Monitoring<br>CA-9: Internal System Connections<br>CM-2: Baseline Configuration<br>SA-9: External Information System Services<br>SC-7: Boundary Protection<br>SC-8: Transmission Confidentiality and Integrity<br>SI-4: Information System Monitoring |
| 3.6<br>4.1 - 4.3 | AC-3: Access Enforcement<br>AC-4: Information Flow Enforcement<br>AC-23: Data Mining Protection<br>CA-7: Continuous Monitoring<br>CA-9: Internal System Connections<br>IR-9: Information Spillage Response<br>MP-5: Media Transport<br>SA-18: Tamper Resistance and Detection<br>SC-8: Transmission Confidentiality and Integrity<br>SC-28: Protection of Information at Rest<br>SC-31: Covert Channel Analysis<br>SC-41: Port and I/O Device Access<br>SI-4: Information System Monitoring |
| 1.3 - 1.4<br>4.3<br>7.1 - 7.3<br>8.7 | AC-1: Access Control Policy and Procedures<br>AC-2: Account Management<br>AC-3: Access Enforcement<br>AC-6: Least Privilege<br>AC-24: Access Control Decisions<br>CA-7: Continuous Monitoring<br>MP-3: Media Marking<br>RA-2: Security Categorization<br>SC-16: Transmission of Security Attributes<br>SI-4: Information System Monitoring |
| 4.3<br>11.1 | AC-18: Wireless Access<br>AC-19: Access Control for Mobile Devices<br>CA-3: System Interconnections<br>CA-7: Continuous Monitoring<br>CM-2: Baseline Configuration<br>IA-3: Device Identification and Authentication<br>SC-8: Transmission Confidentiality and Integrity<br>SC-17: Public Key Infrastructure Certificates<br>SC-40: Wireless Link Protection<br>SI-4: Information System Monitoring |
| 7.1 - 7.3<br>8.7 - 8.8 | AC-2: Account Management<br>AC-3: Access Enforcement<br>AC-7: Unsuccessful Logon Attempts<br>AC-11: Session Lock<br>AC-12: Session Termination<br>CA-7: Continuous Monitoring<br>IA-5: Authenticator Management<br>IA-10: Adaptive Identification and Authentication<br>SC-17: Public Key Infrastructure Certificates<br>SC-23: Session Authenticity<br>SI-4: Information System Monitoring |
| 12.6 | AT-1: Security Awareness and Training Policy and Procedures<br>AT-2: Security Awareness Training<br>AT-3: Role-Based Security Training<br>AT-4: Security Training Records<br>SA-11: Developer Security Testing and Evaluation<br>SA-16: Developer-Provided Training<br>PM-13: Information Security Workforce<br>PM-14: Testing, Training, & Monitoring<br>PM-16: Threat Awareness Program |
| 6.3<br>6.5 - 6.7 | SA-13: Trustworthiness<br>SA-15: Development Process, Standards, and Tools<br>SA-16: Developer-Provided Training<br>SA-17: Developer Security Architecture and Design<br>SA-20: Customized Development of Critical Components<br>SA-21: Developer Screening<br>SC-39: Process Isolation<br>SI-10: Information Input Validation<br>SI-11: Error Handling<br>SI-15: Information Output Filtering<br>SI-16: Memory Protection |
| 12.10 | IR-1: Incident Response Policy and Procedures<br>IR-2: Incident Response Training<br>IR-3: Incident Response Testing<br>IR-4: Incident Handling<br>IR-5: Incident Monitoring<br>IR-6: Incident Reporting<br>IR-7: Incident Response Assistance<br>IR-8: Incident Response Plan<br>IR-10: Integrated Information Security Analysis Team |
| 11.3 | CA-2: Security Assessments<br>CA-5: Plan of Action and Milestones<br>CA-6: Security Authorization<br>CA-8: Penetration Testing<br>RA-6: Technical Surveillance Countermeasures Survey<br>SI-6: Security Function Verification<br>PM-6: Information Security Measures of Performance<br>PM-14: Testing, Training, & Monitoring |

Tasks:

  • Get equivalences 1-to-1 from PCI DSS to NIST 800-53 using ruleset naming convention
  • Run Python script developed in Map rules to HIPAA Technical Safeguards #392
  • Once mapping is done, review and test rules are applied properly
@crd1985 crd1985 added enhancement rules Rules related issues labels May 13, 2019
@crd1985 crd1985 self-assigned this May 13, 2019

crd1985 commented May 14, 2019

Status update

Summary

Currently performing the mapping between PCI DSS and NIST 800-53. Slow, due to the manual process and further reading. The mapping table is quite diffuse.

Tasks

  • Reading standards and finding equivalences to translate into mapping.

Difficulties

  • Slow reading process. Large standard definitions.

Pending

  • Finishing mapping (about 25% to complete the task)
  • Execute python script to edit ruleset automatically


crd1985 commented May 14, 2019

Just sharing the mapping:

```json
{
  "pci_dss_1.1.1": "nist_800_53_CM.3",
  "pci_dss_1.3.4": "nist_800_53_CA.3,nist_800_53_SC.7",
  "pci_dss_1.4": "nist_800_53_SC.7",
  "pci_dss_10.1": "nist_800_53_AU.1",
  "pci_dss_10.2.1": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.2.2": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.2.4": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.2.5": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.2.6": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.2.7": "nist_800_53_AU.3,nist_800_53_IA.10",
  "pci_dss_10.4": "nist_800_53_AU.8",
  "pci_dss_10.5.2": "nist_800_53_AU.9",
  "pci_dss_10.5.5": "nist_800_53_AU.9",
  "pci_dss_10.6": "nist_800_53_AU.6",
  "pci_dss_10.6.1": "nist_800_53_AU.6",
  "pci_dss_11.4": "nist_800_53_SC.7",
  "pci_dss_11.5": "nist_800_53_SI.7",
  "pci_dss_2.2": "nist_800_53_CM.1",
  "pci_dss_2.2.3": "nist_800_53_CM.1",
  "pci_dss_4.1": "nist_800_53_SC.8",
  "pci_dss_5.1": "nist_800_53_SI.5",
  "pci_dss_5.2": "nist_800_53_SI.5",
  "pci_dss_6.2": "nist_800_53_MA.2",
  "pci_dss_6.5": "nist_800_53_SA.11",
  "pci_dss_6.5.1": "nist_800_53_SA.11",
  "pci_dss_6.5.10": "nist_800_53_SA.11",
  "pci_dss_6.5.2": "nist_800_53_SA.11",
  "pci_dss_6.5.5": "nist_800_53_SA.11",
  "pci_dss_6.5.7": "nist_800_53_SA.11",
  "pci_dss_6.5.8": "nist_800_53_SA.11",
  "pci_dss_6.6": "nist_800_53_SI.10,nist_800_53_SI.11,nist_800_53_SI.15,nist_800_53_SI.16",
  "pci_dss_8.1.2": "nist_800_53_AC.2,nist_800_53_IA.4",
  "pci_dss_8.1.4": "nist_800_53_AC.2",
  "pci_dss_8.1.5": "nist_800_53_AC.2",
  "pci_dss_8.1.6": "nist_800_53_AC.7",
  "pci_dss_8.1.8": "nist_800_53_AC.12",
  "pci_dss_8.2.4": "nist_800_53_IA.5",
  "pci_dss_8.7": "nist_800_53_SC.2"
}
```


crd1985 commented Jun 3, 2019

Need to improve NIST mapping.

@crd1985 crd1985 modified the milestones: 20th week, 23rd week Jun 3, 2019

crd1985 commented Jun 3, 2019

This is the improved version of the mapping:

```json
{
  "pci_dss_1.1.1": "nist_800_53_CM.3,nist_800_53_CM.5",
  "pci_dss_1.3.4": "nist_800_53_CA.3",
  "pci_dss_1.4": "nist_800_53_SC.7",
  "pci_dss_10.1": "nist_800_53_AU.12",
  "pci_dss_10.2.1": "nist_800_53_IA.10",
  "pci_dss_10.2.2": "nist_800_53_IA.10,nist_800_53_AC.6",
  "pci_dss_10.2.4": "nist_800_53_IA.10,nist_800_53_AC.7",
  "pci_dss_10.2.5": "nist_800_53_IA.10,nist_800_53_AC.7",
  "pci_dss_10.2.6": "nist_800_53_IA.10,nist_800_53_AU.5",
  "pci_dss_10.2.7": "nist_800_53_IA.10",
  "pci_dss_10.4": "nist_800_53_AU.8",
  "pci_dss_10.5.2": "nist_800_53_AU.9",
  "pci_dss_10.5.5": "nist_800_53_AU.9",
  "pci_dss_10.6": "nist_800_53_AU.6",
  "pci_dss_10.6.1": "nist_800_53_AU.6",
  "pci_dss_11.4": "nist_800_53_IA.10",
  "pci_dss_11.5": "nist_800_53_SI.7",
  "pci_dss_2.2": "nist_800_53_CM.1",
  "pci_dss_2.2.3": "nist_800_53_CM.1",
  "pci_dss_4.1": "nist_800_53_SC.8",
  "pci_dss_5.1": "nist_800_53_SI.3",
  "pci_dss_5.2": "nist_800_53_SI.3",
  "pci_dss_6.2": "nist_800_53_SI.2",
  "pci_dss_6.5": "nist_800_53_SA.11",
  "pci_dss_6.5.1": "nist_800_53_SA.11",
  "pci_dss_6.5.10": "nist_800_53_SA.11",
  "pci_dss_6.5.2": "nist_800_53_SA.11",
  "pci_dss_6.5.5": "nist_800_53_SA.11",
  "pci_dss_6.5.7": "nist_800_53_SA.11",
  "pci_dss_6.5.8": "nist_800_53_SA.11",
  "pci_dss_8.1.2": "nist_800_53_AC.2,nist_800_53_IA.4",
  "pci_dss_8.1.4": "nist_800_53_AC.2",
  "pci_dss_8.1.5": "nist_800_53_AC.2",
  "pci_dss_8.1.6": "nist_800_53_AC.7",
  "pci_dss_8.1.8": "nist_800_53_AC.12",
  "pci_dss_8.2.4": "nist_800_53_IA.5",
  "pci_dss_8.7": "nist_800_53_SC.2"
}
```

The next step will be resetting the nist rules and re-running the script to edit the ruleset.

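As an added example (not the script from #392, which this issue does not show), the following Python implements the procedure described in the tasks and in the comment above: it applies the PCI DSS to NIST 800-53 mapping JSON to every rule's comma-separated `<group>` tag list, drops previously added `nist_800_53_*` tags first so that a re-run reflects only the current mapping (the "reset" step), and reports `pci_dss_*` tags the mapping does not cover, for the review task. The rule file layout (an XML file whose `<group name="...">` wrapper holds `<rule>` elements that each carry an attribute-less `<group>` tag list), the sample rules, and the subset of the mapping are constructed assumptions, not the project's own files.

```python
import json
import re

# Constructed subset of the mapping shared in this issue (PCI DSS group -> NIST 800-53 groups).
# pci_dss_11.4 is deliberately left out so the review helper has something to report.
PCI_TO_NIST = json.loads("""{
  "pci_dss_10.2.4": "nist_800_53_AU.14,nist_800_53_AC.7",
  "pci_dss_10.2.5": "nist_800_53_AU.14,nist_800_53_AC.7",
  "pci_dss_10.6.1": "nist_800_53_AU.6",
  "pci_dss_8.1.6": "nist_800_53_AC.7"
}""")

# Constructed sample rule file (assumption: the real ruleset uses this XML layout, with a
# trailing comma after the last tag of each per-rule <group> list).
SAMPLE_RULES = """<group name="syslog,sshd,">
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,nist_800_53_AU.1,</group>
  </rule>
  <rule id="5712" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <description>sshd: brute force trying to get access to the system.</description>
    <group>authentication_failures,pci_dss_11.4,</group>
  </rule>
</group>
"""

# Only attribute-less <group> elements belong to rules; the file-level <group name="..."> is skipped.
# Text-level editing keeps comments and the multi-root layout of rule files intact.
RULE_GROUP_RE = re.compile(r"<group>(.*?)</group>", re.DOTALL)
NIST_PREFIX = "nist_800_53_"
PCI_PREFIX = "pci_dss_"


def split_tags(text):
    """Split a comma-separated tag list, ignoring blanks and the trailing comma."""
    return [t.strip() for t in text.split(",") if t.strip()]


def join_tags(tags):
    """Re-join tags, keeping the ruleset's trailing-comma convention."""
    return ",".join(tags) + ","


def remap_groups(tags, mapping, reset=True):
    """Return the tag list with NIST tags derived from its PCI DSS tags.

    With reset=True, nist_800_53_* tags already present are dropped first, so a re-run
    after the mapping changed does not leave stale controls behind. Order of the
    original tags is preserved and duplicates are not added twice."""
    if reset:
        tags = [t for t in tags if not t.startswith(NIST_PREFIX)]
    out = list(tags)
    for tag in tags:
        if tag.startswith(PCI_PREFIX):
            for nist in split_tags(mapping.get(tag, "")):
                if nist not in out:
                    out.append(nist)
    return out


def apply_mapping(rules_xml, mapping, reset=True):
    """Rewrite every per-rule <group> list in the file text according to the mapping."""
    def repl(match):
        new_tags = remap_groups(split_tags(match.group(1)), mapping, reset)
        return "<group>" + join_tags(new_tags) + "</group>"
    return RULE_GROUP_RE.sub(repl, rules_xml)


def rule_groups(rules_xml):
    """Return the raw per-rule <group> contents in file order (used to check results)."""
    return RULE_GROUP_RE.findall(rules_xml)


def unmapped_pci_tags(rules_xml, mapping):
    """Review helper: PCI DSS tags used by rules that the mapping does not cover."""
    missing = set()
    for match in RULE_GROUP_RE.finditer(rules_xml):
        for tag in split_tags(match.group(1)):
            if tag.startswith(PCI_PREFIX) and tag not in mapping:
                missing.add(tag)
    return sorted(missing)


if __name__ == "__main__":
    updated = apply_mapping(SAMPLE_RULES, PCI_TO_NIST)
    print(updated)
    print("PCI DSS tags without a NIST mapping:", unmapped_pci_tags(SAMPLE_RULES, PCI_TO_NIST))
```

Running the file twice over the same input yields identical output, which is the property the reset step is meant to guarantee; any `pci_dss_*` tag listed by `unmapped_pci_tags` is a row still missing from the mapping JSON.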

crd1985 commented Jul 15, 2019

Need to update to the following improved mapping:

```json
{
  "pci_dss_1.1.1": "nist_800_53_CM.3,nist_800_53_CM.5",
  "pci_dss_1.3.4": "nist_800_53_CA.3",
  "pci_dss_1.4": "nist_800_53_SC.7",
  "pci_dss_10.1": "nist_800_53_AU.12",
  "pci_dss_10.2.1": "nist_800_53_AU.14",
  "pci_dss_10.2.2": "nist_800_53_AU.14,nist_800_53_AC.6",
  "pci_dss_10.2.4": "nist_800_53_AU.14,nist_800_53_AC.7",
  "pci_dss_10.2.5": "nist_800_53_AU.14,nist_800_53_AC.7",
  "pci_dss_10.2.6": "nist_800_53_AU.14,nist_800_53_AU.5",
  "pci_dss_10.2.7": "nist_800_53_AU.14",
  "pci_dss_10.4": "nist_800_53_AU.8",
  "pci_dss_10.5.2": "nist_800_53_AU.9",
  "pci_dss_10.5.5": "nist_800_53_AU.9",
  "pci_dss_10.6": "nist_800_53_AU.6",
  "pci_dss_10.6.1": "nist_800_53_AU.6",
  "pci_dss_11.4": "nist_800_53_SI.4",
  "pci_dss_11.5": "nist_800_53_SI.7",
  "pci_dss_2.2": "nist_800_53_CM.1",
  "pci_dss_2.2.3": "nist_800_53_CM.1",
  "pci_dss_4.1": "nist_800_53_SC.8",
  "pci_dss_5.1": "nist_800_53_SI.3",
  "pci_dss_5.2": "nist_800_53_SI.3",
  "pci_dss_6.2": "nist_800_53_SI.2",
  "pci_dss_6.5": "nist_800_53_SA.11",
  "pci_dss_6.5.1": "nist_800_53_SA.11",
  "pci_dss_6.5.10": "nist_800_53_SA.11",
  "pci_dss_6.5.2": "nist_800_53_SA.11",
  "pci_dss_6.5.5": "nist_800_53_SA.11",
  "pci_dss_6.5.7": "nist_800_53_SA.11",
  "pci_dss_6.5.8": "nist_800_53_SA.11",
  "pci_dss_8.1.2": "nist_800_53_AC.2,nist_800_53_IA.4",
  "pci_dss_8.1.4": "nist_800_53_AC.2",
  "pci_dss_8.1.5": "nist_800_53_AC.2",
  "pci_dss_8.1.6": "nist_800_53_AC.7",
  "pci_dss_8.1.8": "nist_800_53_AC.12",
  "pci_dss_8.2.4": "nist_800_53_IA.5",
  "pci_dss_8.7": "nist_800_53_SC.2",
  "pci_dss_2.2.2": "nist_800_53_CM.1",
  "pci_dss_2.2.4": "nist_800_53_CM.1",
  "pci_dss_6.6": "nist_800_53_SC.5,nist_800_53_SI.3"
}
```
