redteam-project / sckg Goto Github PK
View Code? Open in Web Editor NEWSecurity Control Knowledge Graph
License: GNU General Public License v3.0
sckg's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
emmandeb trevorbryant elavenrac gwx-oss ekmixon pombredanne dgfug swilliamx bluenevus omkarparkhe avenchen xee5ch umhau rgutwein tearfassckg's Issues
CMMC
I've extracted the controls in CMMC v1.02 for usability. We'll figure out what needs to be correlated from CMMC <> 800-171 <> 800-53.
800-53 baseline impact mappings are broken
Control names appear to be empty in the generated cypher
Comment and document
Code needs to be commented.
Readme and hacking docs are incomplete.
Templates are confusing
The cypher templates are confusing and need to be made consistent
Document how to add an additional regime
Populate the hacking doc with instructions on how to add arbitrary regimes
Add 800-53A and update DoD CCI mappings
There are numerous CCIs that map to 800-53A controls. For example:
<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (i)" />Add 800-53A to the graph and update DoD CCI mappings, noting that some use logical and descriptions like:
<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (i and ii)" />Add a CONTRIBUTING.MD file
Add guidelines to communicate how people should contribute to project.
Add EDB to the graph
Map in the Exploit Database to the graph
PCI DSS unittest fails
======================================================================
FAIL: test_control_count_pci_dss (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 97, in test_control_count_pci_dss
self.assertEquals(r[0], r[1])
AssertionError: 598 != 513
----------------------------------------------------------------------
Add CVE-to-Control mappings
Add mappings from CVEs to NIST 800-53 controls that would mitigate the vulnerability from the CVE
notification test issue
CIS CSC unittest fails
======================================================================
FAIL: test_control_count_cis_csc (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 90, in test_control_count_cis_csc
self.assertEquals(r[0], r[1])
AssertionError: 191 != 171
----------------------------------------------------------------------
DoD SRG mappings to sectional controls are broken
DoD Cloud Computing Security Requirements sectional controls should map to impact levels, but don't.
Reference:
Line 62 in bba5ec7
match (r:regime {name: 'DoD SRG'})-[:HAS]->(b:baseline) with r, b match p = (b)-[:HAS*]->(c:control) return r, b, p
Note lack of relationships from IL4, 5, and 6 nodes. For example, given the referenced source line above, 4, 5, and 6 should map to section 5.2.1.
Need better way to skip extant regimes
The best way to quickly work on a private regime is to comment out the regimes in config.yml. But if your private regime includes a baseline that references a regime in config.yml it doesn't work.
NIST 800-171
Add 800-171 to the graph just in case we need it for CMMC
CNSSI 1253 Privacy Overlay unittest fails
======================================================================
FAIL: test_control_count_cnssi_pii (test_regime_etl.TestConfigYaml)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jasoncallaway/PycharmProjects/sckg/tests/test_regime_etl.py", line 81, in test_control_count_cnssi_pii
self.assertEquals(r[0], r[1])
AssertionError: 231 != 129
----------------------------------------------------------------------
Add better error handling
Most functions don't properly catch and handle exceptions.
Also, some config validation should be added.
Add NVD to the graph
Add the National Vulnerability Database to the graph
Organization vs System controls
Is it possible to map which controls are organization controls opposed to controls that are system controls?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.