package domain
import (
"time"
"go.mongodb.org/mongo-driver/bson/primitive"
)
// Result is the outcome of a single assessment: the controls that were
// reviewed, the assessment log, the attestations gathered, and the
// observations, risks and findings the assessor recorded. The field names
// and json tags track the OSCAL assessment-results "result" object; Start
// and End bound the period the result covers.
//
// Background on how the three evidence levels relate:
//
// Observations are the raw data or facts identified during the assessment.
// They capture what the assessor noticed, without assigning a value judgment.
// For instance, an observation might note that a server lacks a recent
// security patch.
//
// Findings are derived from observations and are evaluative. They state
// whether an observation has implications for compliance, security, or other
// assessment criteria. Building on the example, a finding might state that
// the missing patch leaves the server exposed to a specific known exploit.
//
// Risks project forward from findings to the potential harm if the issue is
// not addressed — e.g. that the exposed server could lead to a data breach,
// disclosing customer data and incurring legal penalties.
//
// In short: observations provide the factual basis, findings offer an
// evaluative judgment on those facts, and risks estimate the consequences.
// After an assessment, the risks are typically used to prioritise
// remediation: the most critical or highest-impact risks are addressed first,
// so that resources go where they are most needed.
//
// NOTE(review): only json tags are declared. If these structs are persisted
// directly through the mongo driver, its default codec stores each field
// under the lowercased Go name, so Id is written as "id" rather than the
// "_id" primary key — confirm against the repository layer.
type Result struct {
	Id          primitive.ObjectID `json:"id"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Start       time.Time          `json:"start"`
	End         time.Time          `json:"end"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	// LocalDefinitions and ReviewedControls are embedded values, while the
	// evidence collections below are embedded documents rather than id references.
	LocalDefinitions LocalDefinition          `json:"localDefinitions"`
	ReviewedControls []ControlsAndObjectives  `json:"reviewedControls"`
	AssessmentLog    []LogEntry               `json:"assessmentLogEntries"`
	Attestations     []Attestation            `json:"attestations"`
	Observations     []Observation            `json:"observations"`
	Risks            []Risk                   `json:"risks"`
	Findings         []Finding                `json:"findings"`
	Remarks          string                   `json:"remarks,omitempty"`
}
// Attestation is a formal assertion by an authoritative party that the
// assessment results, system configuration, or other recorded details are
// accurate, in the sense of the OSCAL assessment schema. The statement itself
// is carried in Parts; ResponsibleParties references the parties making it by
// ObjectID (presumably resolved against the result's local definitions or
// the document metadata — TODO confirm).
//
// Example:
//
//	Attestor: Jane Smith, Chief Security Officer
//	Date: 2023-10-31
//	Statement: I hereby attest to the accuracy and completeness of the assessment results
//	for the production server environment dated 2023-10-30.
//
// NOTE(review): this record has no identifier, timestamp or signature field,
// so an attestation is only as trustworthy as the store it is read from and
// the write path that produced it. If non-repudiation of who attested, and
// when, is a requirement, a signed and timestamped representation of the
// statement is needed alongside this record.
type Attestation struct {
	Parts              []Part               `json:"parts"`
	ResponsibleParties []primitive.ObjectID `json:"responsibleParties"`
}
// Characterization classifies the nature of a risk (see Risk.Characterizations)
// within the OSCAL assessment context — the kind, type, or category of what
// was identified — so that risks can be understood and compared. Facets carry
// the individual name/value dimensions; Actors and Tasks record where the
// characterization came from.
//
// Example:
//
//	Characterization: Configuration Setting
//	Detail: Describes observations related to system configurations.
type Characterization struct {
	Links  []Link     `json:"links,omitempty"`
	Props  []Property `json:"props,omitempty"`
	Facets []Facet    `json:"facets"`
	// Actors / Tasks identify the source of this characterization, such as a
	// tool, interviewed person, or activity (OSCAL "origins").
	Actors []primitive.ObjectID `json:"originActors"`
	Tasks  []primitive.ObjectID `json:"relatedTasks"`
}
// Facet is one name/value dimension of a Characterization — a granular detail
// about the nature, source, or implications of the thing being characterized.
// Name, Value and System are always serialized (no omitempty); System is the
// namespace that gives Name its meaning.
//
// Example for a Configuration Setting Characterization:
//
//	Facet: Update Frequency
//	Detail: Describes how often the configuration setting updates.
type Facet struct {
	Title       string     `json:"title,omitempty"`
	Description string     `json:"description,omitempty"`
	Props       []Property `json:"props,omitempty"`
	Links       []Link     `json:"links,omitempty"`
	Remarks     string     `json:"remarks,omitempty"`
	Name        string     `json:"name"`
	Value       string     `json:"value"`
	// System is the namespace Name is defined in. Expected to be one of:
	// http://fedramp.gov, http://fedramp.gov/ns/oscal, http://csrc.nist.gov/ns/oscal,
	// http://csrc.nist.gov/ns/oscal/unknown, http://cve.mitre.org,
	// http://www.first.org/cvss/v2.0, http://www.first.org/cvss/v3.0, http://www.first.org/cvss/v3.1
	// NOTE(review): nothing in this type enforces that list on decode; facets
	// arriving in documents from outside the service should be validated
	// before Value is interpreted (e.g. as a CVSS score).
	System string `json:"system"`
}
// Finding is a conclusion drawn from one or more observations, typically
// stating compliance or non-compliance with a specific requirement. Findings
// often lead to recommendations or actions.
//
// Example:
//
//	Finding: The "auto-update" feature's activation goes against the organization's policy
//	of manually vetting and approving system updates. This poses a potential security risk
//	as unvetted updates could introduce vulnerabilities.
//
// All cross-references are bare ObjectIDs. A reference that was never set is
// serialized as the all-zero id rather than being omitted (omitempty cannot
// drop a fixed-size array), so callers should check IsZero() before
// resolving ImplementationStatementId or TargetId.
type Finding struct {
	Id          primitive.ObjectID `json:"id"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	Remarks     string             `json:"remarks,omitempty"`
	// ImplementationStatementId references the implementation statement in the
	// SSP (system security plan) to which this finding is related.
	ImplementationStatementId primitive.ObjectID `json:"implementationStatementId"`
	// Actors / Tasks identify the source of the finding, such as a tool,
	// interviewed person, or activity. Maps to the OSCAL "origins" property.
	Actors []primitive.ObjectID `json:"originActors"`
	Tasks  []primitive.ObjectID `json:"relatedTasks"`
	// TargetId identifies the assessed objective this finding is about
	// (see Target); note the json key is "target", not "targetId".
	TargetId            primitive.ObjectID   `json:"target"`
	RelatedObservations []primitive.ObjectID `json:"relatedObservations"`
	RelatedRisks        []primitive.ObjectID `json:"relatedRisks"`
}
// LogEntry is one record in the assessment log (Result.AssessmentLog): a
// chronological note of an event or action taken during the assessment. It
// may mention observations or findings, but it is essentially a dated entry.
//
// Example:
//
//	Date/Time: 2023-10-30 10:00 AM
//	Activity: Review of system configuration settings.
//	Actor: Jane Smith
//	Notes: Started the review of system settings as per the assessment plan. No anomalies observed at this time.
type LogEntry struct {
	Title       string     `json:"title,omitempty"`
	Description string     `json:"description,omitempty"`
	Props       []Property `json:"props,omitempty"`
	Links       []Link     `json:"links,omitempty"`
	Remarks     string     `json:"remarks,omitempty"`
	// Start identifies the start date and time of the event.
	Start time.Time `json:"start"`
	// End identifies the end date and time of the event. If the event is a
	// point in time, Start and End carry the same date and time.
	End time.Time `json:"end"`
	// LoggedBy references the recording parties by ObjectID. (RiskLogEntry,
	// by contrast, embeds a single Actor value.)
	LoggedBy []primitive.ObjectID `json:"loggedBy"`
}
// Evidence is data or a record collected during an assessment to support an
// observation (see Observation.RelevantEvidence): a document, screenshot, log,
// or any other proof of the state or behaviour of a system.
//
// Example:
//
//	Evidence Type: Screenshot
//	Description: Screenshot showing that the auto-update feature is enabled.
//	URL: path/to/screenshot.png
//
// There is no dedicated URL field; a location like the one in the example
// would presumably be carried in Links — confirm with the callers that
// build evidence records.
type Evidence struct {
	Id          primitive.ObjectID `json:"id"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	Remarks     string             `json:"remarks,omitempty"`
}
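// ObservationMethod identifies how an observation was made (OSCAL "method").
//
// NOTE(review): the OSCAL schema spells these values in upper case
// (EXAMINE, INTERVIEW, TEST, UNKNOWN); if documents are exchanged with
// OSCAL tooling the case has to be mapped at the boundary — confirm.
type ObservationMethod string

// Declared ObservationMethod values.
const (
	ObservationMethodExamine   ObservationMethod = "examine"
	ObservationMethodInterview ObservationMethod = "interview"
	ObservationMethodTest      ObservationMethod = "test"
	ObservationMethodUnknown   ObservationMethod = "unknown"
)

// IsValid reports whether m is one of the declared ObservationMethod values.
// Observation.Methods is decoded from JSON as plain strings, so nothing else
// rejects an unknown or empty value; callers accepting documents from outside
// the service should check this before trusting the method.
func (m ObservationMethod) IsValid() bool {
	switch m {
	case ObservationMethodExamine,
		ObservationMethodInterview,
		ObservationMethodTest,
		ObservationMethodUnknown:
		return true
	}
	return false
}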
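// ObservationType classifies what an observation is about (OSCAL
// observation "type" property).
type ObservationType string

// Declared ObservationType values.
const (
	ObservationTypeSSPStatementIssue ObservationType = "ssp-statement-issue"
	ObservationTypeControlObjective  ObservationType = "control-objective"
	ObservationTypeMitigation        ObservationType = "mitigation"
	ObservationTypeFinding           ObservationType = "finding"
	ObservationTypeHistoric          ObservationType = "historic"
)

// IsValid reports whether ot is one of the declared ObservationType values.
// Observation.Types is decoded from JSON as plain strings, so nothing else
// rejects an unknown or empty value; validate documents from outside the
// service before acting on the type.
func (ot ObservationType) IsValid() bool {
	switch ot {
	case ObservationTypeSSPStatementIssue,
		ObservationTypeControlObjective,
		ObservationTypeMitigation,
		ObservationTypeFinding,
		ObservationTypeHistoric:
		return true
	}
	return false
}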
// Observation is a neutral record of something an assessor noticed during the
// assessment — what was seen or understood, without a value judgment.
//
// Example:
//
//	During the system configuration review, it was observed that the "auto-update" feature was enabled.
type Observation struct {
	Id          primitive.ObjectID `json:"id"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	// Methods records how the observation was made; Types classifies it. Both
	// are decoded from JSON as plain strings — nothing in this type rejects a
	// value outside the declared constants, so validate documents that come
	// from outside the service.
	Methods []ObservationMethod `json:"methods"`
	Types   []ObservationType   `json:"types"`
	// Actors / Tasks identify the source of the observation, such as a tool,
	// interviewed person, or activity.
	Actors   []primitive.ObjectID `json:"originActors"`
	Tasks    []primitive.ObjectID `json:"relatedTasks"`
	Subjects []primitive.ObjectID `json:"subjects"`
	// RelevantEvidence is embedded rather than referenced by id; note the json
	// key is "evidences".
	RelevantEvidence []Evidence `json:"evidences"`
	// Collected is when the observation was made. Expires is when it stops
	// being current; a zero time is serialized as "0001-01-01T00:00:00Z" and
	// presumably means "never expires" — verify with consumers before
	// relying on that.
	Collected time.Time `json:"collected"`
	Expires   time.Time `json:"expires"`
	Remarks   string    `json:"remarks,omitempty"`
}
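// RiskStatus is the lifecycle state of a Risk (OSCAL risk "status").
type RiskStatus string

// Declared RiskStatus values.
const (
	RiskStatusOpen              RiskStatus = "open"
	RiskStatusInvestigating     RiskStatus = "investigating"
	RiskStatusRemediating       RiskStatus = "remediating"
	RiskStatusDeviationRequested RiskStatus = "deviation-requested"
	RiskStatusDeviationApproved RiskStatus = "deviation-approved"
	RiskStatusClosed            RiskStatus = "closed"
)

// IsValid reports whether s is one of the declared RiskStatus values.
// Risk.Status is decoded from JSON as a plain string, so nothing else rejects
// an unknown or empty status; check this before treating a risk as, say,
// closed or deviation-approved on the basis of an external document.
func (s RiskStatus) IsValid() bool {
	switch s {
	case RiskStatusOpen,
		RiskStatusInvestigating,
		RiskStatusRemediating,
		RiskStatusDeviationRequested,
		RiskStatusDeviationApproved,
		RiskStatusClosed:
		return true
	}
	return false
}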
// Risk is a potential event or circumstance that may exploit a vulnerability in
// a system or its environment. A risk is typically derived from findings and
// carries a status, characterizations (e.g. impact and likelihood facets),
// references to threats and mitigating factors, and the remediation responses
// proposed or taken.
//
// Example:
//
//	Risk: Due to the "auto-update" feature being enabled, there's a chance that
//	unvetted system updates could introduce vulnerabilities.
//	Impact: High - This could compromise the integrity of the system.
//	Likelihood: Medium - Based on past updates and the frequency of potentially harmful updates.
type Risk struct {
	Id primitive.ObjectID `json:"id"`
	// Title is the title for this risk.
	Title string `json:"title,omitempty"`
	// Description is a human-readable summary of the identified risk, including
	// a statement of how the risk impacts the system.
	Description string `json:"description,omitempty"`
	// Statement is a summary of impact for how the risk affects the system.
	Statement string     `json:"statement,omitempty"`
	Props     []Property `json:"props,omitempty"`
	Links     []Link     `json:"links,omitempty"`
	// Status is the risk's lifecycle state. It is decoded as a plain string;
	// a value outside the RiskStatus constants is not rejected here.
	Status RiskStatus `json:"status"`
	// Actors / Tasks identify the source of the risk, such as a tool,
	// interviewed person, or activity.
	Actors []primitive.ObjectID `json:"originActors"`
	Tasks  []primitive.ObjectID `json:"relatedTasks"`
	// Threats and MitigatingFactors are id references to Threat and
	// MitigatingFactor records; Characterizations are embedded.
	Threats           []primitive.ObjectID `json:"threats"`
	Characterizations []Characterization   `json:"characterizations"`
	MitigatingFactors []primitive.ObjectID `json:"mitigatingFactors"`
	// Deadline is the date by which the risk should be resolved. It has no
	// omitempty, so an unset deadline is serialized as the zero time.
	Deadline            time.Time            `json:"deadline"`
	Remediations        []Response           `json:"remediations"`
	Log                 []RiskLogEntry       `json:"riskLog"`
	RelatedObservations []primitive.ObjectID `json:"relatedObservations"`
}
// RiskLogEntry is one dated entry in a Risk's log (Risk.Log), recording an
// action taken or event observed while handling that risk.
//
// Unlike LogEntry, which references its authors by ObjectID, LoggedBy here is
// an embedded Actor value — keep that in mind when resolving authorship.
type RiskLogEntry struct {
	Id          primitive.ObjectID `json:"id"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Start       time.Time          `json:"start"`
	End         time.Time          `json:"end"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	LoggedBy    Actor              `json:"loggedBy"`
	// TODO: more fields should be imported from the OSCAL schema.
}
// MitigatingFactor describes an existing mitigating factor that may affect the
// overall determination of a risk. ImplementationId optionally links it to an
// implementation statement in the SSP; Subjects references the assessment
// subjects the factor applies to. Risk.MitigatingFactors refers to these
// records by Id.
type MitigatingFactor struct {
	Id               primitive.ObjectID   `json:"id"`
	ImplementationId primitive.ObjectID   `json:"implementationId"`
	Description      string               `json:"description"`
	Props            []Property           `json:"props,omitempty"`
	Links            []Link               `json:"links,omitempty"`
	Subjects         []primitive.ObjectID `json:"subjects"`
}
// Response describes either a recommended plan or an actual plan for
// addressing a risk (Risk.Remediations).
//
// TODO: needs more work.
type Response struct {
	Id primitive.ObjectID `json:"id"`
	// Lifecycle identifies whether this is a recommendation, such as from an
	// assessor or tool, or an actual plan accepted by the system owner.
	// One of: recommendation, planned, completed. It is a plain string and is
	// not validated on decode.
	Lifecycle   string     `json:"lifecycle"`
	Title       string     `json:"title,omitempty"`
	Description string     `json:"description,omitempty"`
	Props       []Property `json:"props,omitempty"`
	Links       []Link     `json:"links,omitempty"`
	// Actors / Tasks identify the source of the response, such as a tool,
	// interviewed person, or activity.
	Actors []primitive.ObjectID `json:"originActors"`
	Tasks  []primitive.ObjectID `json:"relatedTasks"`
}
// Target captures an assessor's conclusion about the degree to which an
// objective is satisfied, for the item under assessment: a system component,
// process, configuration, or any other element that was assessed. TargetId
// identifies that item and Status carries the conclusion.
//
// Example:
//
//	TargetId ID: server-1234
//	Type: System Component
//	Description: Primary web server running in the production environment.
type Target struct {
	TargetId    primitive.ObjectID `json:"targetId"`
	Title       string             `json:"title,omitempty"`
	Description string             `json:"description,omitempty"`
	Props       []Property         `json:"props,omitempty"`
	Links       []Link             `json:"links,omitempty"`
	Remarks     string             `json:"remarks,omitempty"`
	Status      TargetStatus       `json:"status"`
}
// TargetStatus is the assessor's verdict on a Target. All three fields are
// always serialized (no omitempty).
type TargetStatus struct {
	// State indicates whether the objective is satisfied or not, as one of
	// Pass/Fail/Other. It is a plain string and is not validated on decode.
	// NOTE(review): the OSCAL objective-status vocabulary is
	// "satisfied"/"not-satisfied"; confirm which set consumers expect.
	State string `json:"state"`
	// Reason explains the State; Remarks carries any further commentary.
	Reason  string `json:"reason"`
	Remarks string `json:"remarks"`
}
// Threat is a reference to an externally defined threat, looked up by a
// Risk through Risk.Threats. System names the namespace the threat is
// identified in and Href points at the definition.
//
// Href is stored as-is. Treat it as untrusted input when it originates from
// an external document: validate the scheme and host before rendering it as
// a link or fetching it server-side.
type Threat struct {
	Id     primitive.ObjectID `json:"id"`
	System string             `json:"system"`
	Href   string             `json:"href"`
}