redteam-project / sckg
Security Control Knowledge Graph
License: GNU General Public License v3.0
I've extracted the controls in CMMC v1.02 for usability. We'll figure out what needs to be correlated from CMMC <> 800-171 <> 800-53.
Control names appear to be empty in the generated cypher
Code needs to be commented.
Readme and hacking docs are incomplete.
The cypher templates are confusing and need to be made consistent.
Populate the hacking doc with instructions on how to add arbitrary regimes
There are numerous CCIs that map to 800-53A controls. For example:
<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (i)" />
Add 800-53A to the graph and update DoD CCI mappings, noting that some use logical "and" descriptions like:
<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (i and ii)" />
Add guidelines to communicate how people should contribute to project.
Map in the Exploit Database to the graph
======================================================================
FAIL: test_control_count_pci_dss (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 97, in test_control_count_pci_dss
self.assertEquals(r[0], r[1])
AssertionError: 598 != 513
----------------------------------------------------------------------
Add mappings from CVEs to NIST 800-53 controls that would mitigate the vulnerability from the CVE
======================================================================
FAIL: test_control_count_cis_csc (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 90, in test_control_count_cis_csc
self.assertEquals(r[0], r[1])
AssertionError: 191 != 171
----------------------------------------------------------------------
DoD Cloud Computing Security Requirements sectional controls should map to impact levels, but don't.
Reference:
Line 62 in bba5ec7
match (r:regime {name: 'DoD SRG'})-[:HAS]->(b:baseline) with r, b match p = (b)-[:HAS*]->(c:control) return r, b, p
Note lack of relationships from IL4, 5, and 6 nodes. For example, given the referenced source line above, 4, 5, and 6 should map to section 5.2.1.
The best way to quickly work on a private regime is to comment out the regimes in config.yml. But if your private regime includes a baseline that references a regime in config.yml, it doesn't work.
Add 800-171 to the graph just in case we need it for CMMC
======================================================================
FAIL: test_control_count_cnssi_pii (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 81, in test_control_count_cnssi_pii
self.assertEquals(r[0], r[1])
AssertionError: 231 != 129
----------------------------------------------------------------------
Most functions don't properly catch and handle exceptions.
Also, some config validation should be added.
Add the National Vulnerability Database to the graph
Is it possible to map which controls are organization controls, as opposed to controls that are system controls?