-
Notifications
You must be signed in to change notification settings - Fork 79
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3 from GSA/feature/external-constraints
Feature/external constraints
- Loading branch information
Showing
17 changed files
with
3,507 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0"> | ||
| <!-- ================== --> | ||
| <!-- FedRAMP Extensions --> | ||
| <!-- ================== --> | ||
| <context> | ||
| <metapath target="/profile/modify/alter/add/prop"/> | ||
| <metapath target="/profile/modify/alter/add//part/prop"/> | ||
| <metapath target="/catalog//control//part/prop"/> | ||
| <metapath target="/assessment-plan/local-definitions/objectives-and-methods//part/prop"/> | ||
| <metapath target="/assessment-results/local-definitions/objectives-and-methods//part/prop"/> | ||
|
|
||
| <context> | ||
| <metapath target=".[@ns='https://fedramp.gov/ns/oscal' and @name='response-point']"/> | ||
|
|
||
| <constraints> | ||
| <matches id="prop-response-point-matches-string" target="." datatype="string"/> | ||
| <!-- TODO: fix scope of enforcement for the prop --> | ||
| <has-cardinality id="prop-response-point-has-cardinality-one" target="." max-occurs="1"/> | ||
| <remarks> | ||
| <p>This appears in FedRAMP profiles and resolved profile catalogs.</p> | ||
| <p>For control statements, it signals to the CSP which statements require a response in the SSP.</p> | ||
| <p>For control objectives, it signals to the assessor which control objectives must appear in the assessment results, which aligns with the FedRAMP test case workbook.</p> | ||
| </remarks> | ||
| </constraints> | ||
| </context> | ||
| </context> | ||
| </metaschema-meta-constraints> |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # AwesomeCloud | ||
|
|
||
| The following is a notional example of a system security plan, assessment plan, assessment results, and plan of action and milestones in OSCAL. | ||
|
|
||
| This work will be used as a basis to provide a more complete FedRAMP example over time. |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <assessment-plan | ||
| xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
| uuid="fc42e635-b55a-46d1-9c86-d4e154a01f06"> | ||
| <metadata> | ||
| <title>AwesomeCloud Security Assessment Plan</title> | ||
| <last-modified>2023-04-25T14:07:18.089242-04:00</last-modified> | ||
| <version>1.0</version> | ||
| <oscal-version>1.0.4</oscal-version> | ||
| </metadata> | ||
| <import-ssp href="AwesomeCloudSSP2.xml"> | ||
| <remarks><p>Links AwesomeCloud SAP to the AwesomeCloud SSP</p></remarks> | ||
| </import-ssp> | ||
| <reviewed-controls> | ||
| <control-selection> | ||
| <description> | ||
| <h1>Control Scope</h1> | ||
| <p>Monthly ConMon Assessment</p> | ||
| <p>Monthly ConMon assessment include a subset of controls as defined by FedRAMP for automated continuos monitoring</p> | ||
| </description> | ||
| <include-control control-id="cm-8"/> | ||
| </control-selection> | ||
| <control-objective-selection> | ||
| <include-objective objective-id="cm-8.a.1_obj"/> | ||
| <include-objective objective-id="cm-8.a.2_obj"/> | ||
| <include-objective objective-id="cm-8.a.3_obj"/> | ||
| <include-objective objective-id="cm-8.a.4_obj.1"/> | ||
| <include-objective objective-id="cm-8.a.4_obj.2"/> | ||
| <include-objective objective-id="cm-8.b_obj.1"/> | ||
| <include-objective objective-id="cm-8.b_obj.2"/> | ||
| </control-objective-selection> | ||
| </reviewed-controls> | ||
| </assessment-plan> |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,234 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <plan-of-action-and-milestones | ||
| xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
| uuid="5f7afa40-3d9d-475b-9e34-47a768371be3"> | ||
| <metadata> | ||
| <title>AwesomeCloud Plan of Actions and Milestones</title> | ||
| <last-modified>2023-01-12T12:51:55.777232900-05:00</last-modified> | ||
| <version>1.0</version> | ||
| <oscal-version>1.0.4</oscal-version> | ||
| </metadata> | ||
|
|
||
| <import-ssp href="AwesomeCloudSSP2.xml"/> | ||
|
|
||
| <observation uuid="727fd8c7-8bb6-4e2d-add2-0cd32b022d17"> | ||
| <description> | ||
| <p>Examined the AwesomeCloud System Security Plan (SSP) and determined that the inventory of information system components has not been updated within the last 30 days. </p> | ||
| </description> | ||
| <method>Examine</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="c6d956e2-e6fa-412a-8143-dbc85d56713e"> | ||
| <description> | ||
| <p>The remote server's SSL certificate has already expired.</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="5904569a-6efc-4842-ae7c-69199ed7c2bd"> | ||
| <description> | ||
| <p>The remote host leaks memory in network packets (Etherleak).</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="82a52a6f-cd50-47ba-837a-fefd455da4e8"> | ||
| <description> | ||
| <p>The SSL certificate in the certificate chain has been signed using a weak hash algorithm.</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="7f9cb6de-5c98-4c2b-a433-4759c034f7a0"> | ||
| <description> | ||
| <p>Signing is not set to "Required" on the remote SMB server.</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="0f8ae9c9-3355-4d47-bbd2-e4b4cba484d1"> | ||
| <description> | ||
| <p>The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
| <observation uuid="ddec6e55-d009-4491-bd95-f0077957f51b"> | ||
| <description> | ||
| <p>The remote service encrypts traffic using an older version of TLS.</p> | ||
| </description> | ||
| <method>Test</method> | ||
| <collected>2023-01-13T17:35:25.107056-05:00</collected> | ||
| </observation> | ||
|
|
||
| <risk uuid="0683df1e-880b-469c-a146-2bd8a25019dd"> | ||
| <title>Asset Inventory Out of Date</title> | ||
| <description> | ||
| <p>The AwesomeCloud Asset Inventory has not been updated in accordance with the defined FedRAMP frequency (i.e., at least monthly)</p> | ||
| </description> | ||
| <statement> | ||
| <p>Failure to maintain a current inventory of information system components could cause degradation of other security cabalities (e.g. vulnerability management, configutation settings management)</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="0e4cdd8b-b973-49fb-bb67-0f7b90b2ae0d"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="moderate"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="moderate"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="727fd8c7-8bb6-4e2d-add2-0cd32b022d17"/> | ||
| </risk> | ||
| <risk uuid="5811184c-af7c-46fa-aaef-c9eef1a043ac"> | ||
| <title>SSL Certificate Expiry</title> | ||
| <description> | ||
| <p>The remote server's SSL certificate has already expired.</p> | ||
| </description> | ||
| <statement> | ||
| <p>SSL certificates grant authentication to your websites or domains and are critical for ensuring proper encryption of internet traffic and verified server identity. Without these certificates, end users will have no way of knowing if the website they are currently browsing is what it claims to be.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="ddb1bf31-810f-44e4-93aa-44fcf33030c2"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="moderate"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="moderate"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="c6d956e2-e6fa-412a-8143-dbc85d56713e"/> | ||
| </risk> | ||
| <risk uuid="2eb9e124-1997-4806-8a39-50903bce2c94"> | ||
| <title>Ethernet Driver Information Disclosure</title> | ||
| <description> | ||
| <p>The remote host leaks memory in network packets (Etherleak).</p> | ||
| </description> | ||
| <statement> | ||
| <p>The remote host uses a network device driver that pads ethernet frames with data which vary from one packet to another, likely taken from kernel memory, system memory allocated to the device driver, or a hardware buffer on its network interface card. Known as 'Etherleak', this information disclosure vulnerability may allow an attacker to collect sensitive information from the affected host provided he is on the same physical subnet as that host.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="8a5f01fe-5331-426a-a374-e6f7304f968a"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="low"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="low"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="5904569a-6efc-4842-ae7c-69199ed7c2bd"/> | ||
| </risk> | ||
| <risk uuid="2a59c148-5c5d-4905-852c-fe5ac19850aa"> | ||
| <title>Weak hash algorithm of the SSL certificate</title> | ||
| <description> | ||
| <p>The SSL certificate in the certificate chain has been signed using a weak hash algorithm.</p> | ||
| </description> | ||
| <statement> | ||
| <p>The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service. Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm. Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="c16ce8fa-18ae-4597-a1c4-b5f561a9f134"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="high"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="high"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="82a52a6f-cd50-47ba-837a-fefd455da4e8"/> | ||
| </risk> | ||
| <risk uuid="df607526-c3b5-4891-857f-e6f2956b7410"> | ||
| <title>SMB Signing Enforcement</title> | ||
| <description> | ||
| <p>Signing is not set to "Required" on the remote SMB server.</p> | ||
| </description> | ||
| <statement> | ||
| <p>Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="56eec14e-cf74-4bea-9e1a-4b95008fc808"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="moderate"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="moderate"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="7f9cb6de-5c98-4c2b-a433-4759c034f7a0"/> | ||
| </risk> | ||
| <risk uuid="f4520307-1f24-4843-999c-ca778bf4c320"> | ||
| <title>RSA Keys Less Than 2048 Bits</title> | ||
| <description> | ||
| <p>The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.</p> | ||
| </description> | ||
| <statement> | ||
| <p>At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits. Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014. Note that Nessus will not flag root certificates with RSA keys less than 2048 bits if they were issued prior to December 31, 2010, as the standard considers them exempt.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="0589be87-1120-4125-99c6-a6af0d994c9d"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="low"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="low"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="0f8ae9c9-3355-4d47-bbd2-e4b4cba484d1"/> | ||
| </risk> | ||
| <risk uuid="6b595947-145b-4fbe-9f84-0645a076c859"> | ||
| <title>TLS Version 1.0 Protocol</title> | ||
| <description> | ||
| <p>The remote service encrypts traffic using an older version of TLS.</p> | ||
| </description> | ||
| <statement> | ||
| <p>The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible. As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors. PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.</p> | ||
| </statement> | ||
| <status>open</status> | ||
| <characterization> | ||
| <origin> | ||
| <actor type="party" actor-uuid="474cac17-8e2c-4329-a13e-a74940e4ac8e"/> | ||
| </origin> | ||
| <facet name="likelihood" system="https://awesomecloud.com" value="moderate"/> | ||
| <facet name="impact" system="https://awesomecloud.com" value="moderate"/> | ||
| </characterization> | ||
| <related-observation observation-uuid="ddec6e55-d009-4491-bd95-f0077957f51b"/> | ||
| </risk> | ||
|
|
||
| <poam-item uuid="a908cb44-446a-450d-970d-73c968fd5389"> | ||
| <title>Asset Inventory Out of Date</title> | ||
| <description/> | ||
| <related-observation observation-uuid="727fd8c7-8bb6-4e2d-add2-0cd32b022d17"/> | ||
| <associated-risk risk-uuid="0683df1e-880b-469c-a146-2bd8a25019dd"/> | ||
| </poam-item> | ||
| <poam-item uuid="7b3a39fb-3450-4230-8c34-70d3d8a4f8b5"> | ||
| <title>SSL Certificate Expiry</title> | ||
| <description/> | ||
| <related-observation observation-uuid="c6d956e2-e6fa-412a-8143-dbc85d56713e"/> | ||
| <associated-risk risk-uuid="5811184c-af7c-46fa-aaef-c9eef1a043ac"/> | ||
| </poam-item> | ||
| <poam-item uuid="19343c6e-742d-43e0-9f47-133eba174f00"> | ||
| <title>Ethernet Driver Information Disclosure</title> | ||
| <description/> | ||
| <related-observation observation-uuid="5904569a-6efc-4842-ae7c-69199ed7c2bd"/> | ||
| <associated-risk risk-uuid="2eb9e124-1997-4806-8a39-50903bce2c94"/> | ||
| </poam-item> | ||
| <poam-item uuid="52b2726f-8cf9-4773-befe-2c1c412b1712"> | ||
| <title>Weak hash algorithm of the SSL certificate</title> | ||
| <description/> | ||
| <related-observation observation-uuid="82a52a6f-cd50-47ba-837a-fefd455da4e8"/> | ||
| <associated-risk risk-uuid="2a59c148-5c5d-4905-852c-fe5ac19850aa"/> | ||
| </poam-item> | ||
| <poam-item uuid="fc16a330-a930-4dc5-a473-089a1da2e81c"> | ||
| <title>SMB Signing Enforcement</title> | ||
| <description/> | ||
| <related-observation observation-uuid="7f9cb6de-5c98-4c2b-a433-4759c034f7a0"/> | ||
| <associated-risk risk-uuid="df607526-c3b5-4891-857f-e6f2956b7410"/> | ||
| </poam-item> | ||
| <poam-item uuid="fc16a330-a930-4dc5-a473-089a1da2e81c"> | ||
| <title>RSA Keys Less Than 2048 Bits</title> | ||
| <description/> | ||
| <related-observation observation-uuid="0f8ae9c9-3355-4d47-bbd2-e4b4cba484d1"/> | ||
| <associated-risk risk-uuid="f4520307-1f24-4843-999c-ca778bf4c320"/> | ||
| </poam-item> | ||
| <poam-item uuid="3ef1747e-374c-42f3-a1aa-021cdc2d5271"> | ||
| <title>TLS Version 1.0 Protocol</title> | ||
| <description/> | ||
| <related-observation observation-uuid="ddec6e55-d009-4491-bd95-f0077957f51b"/> | ||
| <associated-risk risk-uuid="6b595947-145b-4fbe-9f84-0645a076c859"/> | ||
| </poam-item> | ||
|
|
||
| </plan-of-action-and-milestones> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <assessment-plan | ||
| xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
| uuid="fc42e635-b55a-46d1-9c86-d4e154a01f06"> | ||
| <metadata> | ||
| <title>AwesomeCloud Security Assessment Plan</title> | ||
| <last-modified>2023-01-12T12:24:13-05:00</last-modified> | ||
| <version>1.0</version> | ||
| <oscal-version>1.0.4</oscal-version> | ||
| </metadata> | ||
| <import-ssp href="AwesomeCloudSSP1.xml"> | ||
| <remarks><p>Links AwesomeCloud SAP to the AwesomeCloud SSP</p></remarks> | ||
| </import-ssp> | ||
| <reviewed-controls> | ||
| <control-selection> | ||
| <description> | ||
| <h1>Control Scope</h1> | ||
| <p>Monthly ConMon Assessment</p> | ||
| <p>Monthly ConMon assessment include a subset of controls as defined by FedRAMP for automated continuos monitoring</p> | ||
| </description> | ||
| <include-control control-id="cm-8"/> | ||
| <include-control control-id="ra-5"/> | ||
| </control-selection> | ||
| <control-objective-selection> | ||
| <!--Control CM-8--> | ||
| <include-objective objective-id="cm-8.a.1_obj"/> | ||
| <include-objective objective-id="cm-8.a.2_obj"/> | ||
| <include-objective objective-id="cm-8.a.3_obj"/> | ||
| <include-objective objective-id="cm-8.a.4_obj.1"/> | ||
| <include-objective objective-id="cm-8.a.4_obj.2"/> | ||
| <include-objective objective-id="cm-8.b_obj.1"/> | ||
| <include-objective objective-id="cm-8.b_obj.2"/> | ||
| <!--Control RA-5--> | ||
| <include-objective objective-id="ra-5.a_obj.1"/> | ||
| <include-objective objective-id="ra-5.a_obj.2"/> | ||
| <include-objective objective-id="ra-5.a_obj.3"/> | ||
| <include-objective objective-id="ra-5.b.1_obj"/> | ||
| <include-objective objective-id="ra-5.b.2_obj"/> | ||
| <include-objective objective-id="ra-5.b.3_obj"/> | ||
| <include-objective objective-id="ra-5.c_obj.1"/> | ||
| <include-objective objective-id="ra-5.c_obj.2"/> | ||
| <include-objective objective-id="ra-5.d_obj.1"/> | ||
| <include-objective objective-id="ra-5.d_obj.2"/> | ||
| <include-objective objective-id="ra-5.e_obj.1"/> | ||
| <include-objective objective-id="ra-5.e_obj.2"/> | ||
| <include-objective objective-id="ra-5.e_obj.3"/> | ||
| </control-objective-selection> | ||
| </reviewed-controls> | ||
| </assessment-plan> |
Oops, something went wrong.