
xlsx2inspec doesn't map CIS to NIST tags properly #91

Open
ejaronne opened this issue Dec 31, 2021 · 2 comments
Labels: bug (Something isn't working)

@ejaronne (Contributor)

Many CIS benchmarks cite multiple CIS CSC security controls in their benchmarks. In addition, some cite from different versions of the CIS CSC security controls, often citing a version 6 CSC security control and a version 7 CSC security control for the same requirement (inspec control). The mappings between CIS and NIST are cited in these two documents, one for version 6 and one for version 7 of the CSC security control families. (Note: a version 6 number can be completely different than the same number in version 7. They heavily restructured and re-used CSC control numbers between versions.)

https://github.com/mitre/inspec_tools/blob/master/lib/data/NIST_Map_09212017B_CSC-CIS_Critical_Security_Controls_VER_6.1_Excel_9.1.2016.xlsx

https://github.com/mitre/inspec_tools/blob/master/lib/data/NIST_Map_02052020_CIS_Controls_Version_7.1_Implementation_Groups_1.2.xlsx

Currently, this converter only seems to map from one of these 2 spreadsheets for the entire benchmark conversion (seemingly based on version of the first CSC security control encountered, not sure) and only captures the first CSC security control if more than one is listed for a requirement. Consequently, it will incorrectly map a version 6 CSC control to a NIST control from the version 7 spreadsheet, as found with the EKS CIS benchmark spreadsheet.

Please capture all CSC security controls for each benchmark requirement and correctly map using the proper mapping spreadsheet, such as for requirement 4.1.4 below:

[image: requirement 4.1.4 from the benchmark spreadsheet]

ejaronne added the bug label Dec 31, 2021

@wdower (Contributor) commented Jan 3, 2022

@ejaronne @aaronlippold and I talked about how the cis_controls tag should be recorded in an InSpec control, and agreed on an array of hashes. This is because there are CIS benchmarks that map a single control to cis_controls from different versions. For example, looking at the control 4.1.4 in the above spreadsheet, it has two listed CIS controls, one for each revision 6 and 7. So the InSpec control should tag it with:

  tag cis_controls: [
    { 6 => [5.1] },
    { 7 => [5.2] }
  ]

If the same control had more than one cis_control aligned to the same revision number, it would be something like:

  tag cis_controls: [
    { '6' => ['5.1'] },
    { '7' => ['5.2', '5.3'] }
  ]

etc.

The NIST tags should just be an array that is the set of all NIST controls that correspond to each cis_control in the hash array. Don't worry about aligning a particular NIST control to a cis_control.

  tag nist: ['AC-6 (9)', 'CM-2']
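
As an added example (not code from inspec_tools or from anyone in this thread), a small Ruby sketch of the tagging rule described above: group every cited CSC control by version into an array of hashes, then take the union of NIST controls from the mapping for that version. The CIS_TO_NIST table is a constructed stand-in for the two spreadsheets; the real values come from the .xlsx files linked in the issue.

```ruby
require 'set'

# Constructed stand-in for the two version-specific mapping spreadsheets.
# Real values must be read from the NIST_Map_*.xlsx files linked in the issue;
# these entries are illustrative only.
CIS_TO_NIST = {
  '6' => { '5.1' => ['AC-6 (9)'], '5.2' => ['AC-6'] },
  '7' => { '5.2' => ['CM-2'], '5.3' => ['CM-2', 'CM-6'] }
}.freeze

# citations: every CSC control a benchmark requirement cites, as
# [version, control] pairs, e.g. [['6', '5.1'], ['7', '5.2']] for 4.1.4.
# Returns the cis_controls tag value: one hash per CIS version, keyed by
# version string, so a v6 "5.1" is never confused with a v7 "5.1".
def cis_controls_tag(citations)
  grouped = Hash.new { |h, k| h[k] = [] }
  citations.each { |version, control| grouped[version.to_s] << control.to_s }
  grouped.keys.sort.map { |v| { v => grouped[v].uniq } }
end

# Returns the nist tag value: the union of NIST controls reached through the
# mapping table for the cited version, with no attempt to keep per-control
# alignment. An unknown version is an error (looking it up in the other
# version's table is exactly the bug this issue reports); an unmapped control
# is reported and skipped.
def nist_tag(cis_controls, mapping = CIS_TO_NIST)
  nist = Set.new
  cis_controls.each do |entry|
    entry.each do |version, controls|
      table = mapping.fetch(version) do
        raise ArgumentError, "no CIS-to-NIST mapping for CSC version #{version}"
      end
      controls.each do |control|
        mapped = table.fetch(control) do
          warn "CSC v#{version} control #{control} has no NIST mapping"
          []
        end
        nist.merge(mapped)
      end
    end
  end
  nist.to_a.sort
end

if $PROGRAM_NAME == __FILE__
  cis = cis_controls_tag([['6', '5.1'], ['7', '5.2']])
  puts "tag cis_controls: #{cis.inspect}"
  puts "tag nist: #{nist_tag(cis).inspect}"
end
```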

camdenmoors transferred this issue from mitre/inspec_tools Feb 3, 2022

@camdenmoors (Collaborator)

This requires updated mappings for CIS to NIST controls
