Documentation
¶
Index ¶
- func NewId() string
- type Action
- type Activity
- type ActivityInformation
- type Actor
- type ActorType
- type Assets
- type Attestation
- type AuthorizationBoundary
- type BackMatter
- type Base64
- type Capability
- type Catalog
- type Characterization
- type Citation
- type CommonAuthorizedPrivilege
- type Component
- type ComponentType
- type Constraint
- type ConstraintTest
- type Control
- type ControlDefinitionStatement
- type ControlImplementation
- type ControlsAndObjectives
- type DataFlow
- type Definition
- type Diagram
- type DocumentIdentifier
- type Evidence
- type Facet
- type Finding
- type Group
- type Guideline
- type HowManyType
- type Impact
- type ImplementedRequirement
- type Import
- type InformationType
- type InformationTypeCategorization
- type InventoryItem
- type JobSpecification
- type LeveragedAuthorization
- type Link
- type LocalDefinition
- type LogEntry
- type Metadata
- type MitigatingFactor
- type NetworkArchitecture
- type Objective
- type ObjectiveSelection
- type Observation
- type ObservationMethod
- type ObservationType
- type OperationalStatus
- type Parameter
- type ParameterSelection
- type ParameterValue
- type Part
- type Party
- type PartyType
- type Plan
- type Platform
- type Profile
- type ProfileSelection
- type Property
- type Provider
- type Resource
- type Response
- type Result
- type Revision
- type Risk
- type RiskLogEntry
- type RiskStatus
- type Role
- type SecurityImpactLevel
- type Selection
- type Statement
- type Subject
- type SubjectMatchExpression
- type SubjectSelection
- type SubjectType
- type SystemCharacteristics
- type SystemImplementation
- type SystemInformation
- type SystemSecurityPlan
- type Target
- type TargetStatus
- type Task
- type TaskDependency
- type TaskInformation
- type TaskType
- type Threat
- type User
- type Uuid
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Action ¶
type Action struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Date time.Time `json:"date"`
ResponsiblePartyUuids []primitive.ObjectID `json:"responsiblePartyUuids"`
System string `json:"system"`
Type string `json:"type"`
}
type Activity ¶
type Activity struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
ResponsibleRoles []string `json:"responsibleRoles"`
Subjects SubjectSelection `json:"subjects"`
Provider Provider `json:"provider"`
}
type ActivityInformation ¶
type ActivityInformation struct {
Id string `json:"id"`
Title string `json:"title"`
Selector SubjectSelection `json:"selector"`
Provider Provider `json:"provider"`
}
type Actor ¶
type Actor struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
RoleId Uuid `json:"roleId"`
Type ActorType `json:"type"`
}
type Assets ¶
type Assets struct {
// Reference to component.Component
Components []primitive.ObjectID `json:"components"`
// Used to represent the toolset used to perform aspects of the assessment.
Platforms []primitive.ObjectID `json:"platforms"`
}
Assets Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
type Attestation ¶
type Attestation struct {
Parts []Part `json:"parts"`
ResponsibleParties []primitive.ObjectID `json:"responsibleParties"`
}
Attestation represents a formal assertion, declaration, or acknowledgment by an authoritative entity in the context of the OSCAL assessment schema. It confirms the accuracy or truth of assessment results, system configurations, or other relevant details. Each attestation is typically associated with specific assessment results, targets, or findings and may contain information about the party making the attestation and any relevant timestamps or metadata.
Example:
Attestor: Jane Smith, Chief Security Officer Date: 2023-10-31 Statement: I hereby attest to the accuracy and completeness of the assessment results for the production server environment dated 2023-10-30.
type AuthorizationBoundary ¶
type AuthorizationBoundary struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Diagrams is an optional collection of visual representations of the boundary.
Diagrams []Diagram `json:"diagrams,omitempty"`
}
AuthorizationBoundary defines the system's authorization boundary. It includes a description and optional diagrams illustrating the boundary. It can also contain links to additional resources and arbitrary properties. For example, the boundary of a cloud-based service might include the cloud infrastructure, network components, and hosted applications.
type BackMatter ¶
type BackMatter struct {
Resources []*Resource `json:"resources,omitempty"`
}
BackMatter represents the back matter of a document with associated resources.
type Base64 ¶
type Base64 struct {
Filename string `json:"filename,omitempty"` // Name of the file before it was encoded as Base64.
MediaType string `json:"media-type,omitempty"` // A label that indicates the nature of a resource.
Value string `json:"value"` // The Base64 encoded value.
}
Base64 represents a resource encoded using the Base64 alphabet defined by RFC 2045.
type Capability ¶
type Capability struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Name string `json:"name" query:"name"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
IncorporatesComponents []Uuid `json:"incorporated_components" query:"incorporated_components"`
ControlImplementations []Uuid `json:"control_implementations" query:"control_implementations"`
Remarks string `json:"remarks" query:"remarks"`
}
type Catalog ¶
type Catalog struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title"` // Doesn't exist in OSCAL for some reason 🤷🏻
Metadata Metadata `json:"metadata"`
Params []Parameter `json:"params"`
Controls []Control `json:"controlUuids"` // Reference to controls. Controls is an array of objects in the database
Groups []Uuid `json:"groupUuids"` // Reference to groups
BackMatter BackMatter `json:"backMatter"`
}
func NewCatalog ¶
type Characterization ¶
type Characterization struct {
Links []Link `json:"links,omitempty"`
Props []Property `json:"props,omitempty"`
Facets []Facet `json:"facets"`
// Actors / Tasks Identify the source of the finding, such as a tool, interviewed person, or activity
Actors []primitive.ObjectID `json:"originActors"`
Tasks []primitive.ObjectID `json:"relatedTasks"`
}
Characterization provides a classification or description of the nature of an observation or finding within the OSCAL assessment context. It helps in understanding the kind, type, or category of the observation.
Example:
Characterization: Configuration Setting Detail: Describes observations related to system configurations.
type Citation ¶
type Citation struct {
Links []Link `json:"links,omitempty"` // Links associated with the citation.
Props []Property `json:"props,omitempty"` // Properties of the citation.
Text string `json:"text"` // A line of citation text.
}
Citation represents an optional citation consisting of end note text using structured markup.
type CommonAuthorizedPrivilege ¶
type CommonAuthorizedPrivilege struct {
// A summary of the privilege's purpose within the system.
Description string `json:"description,omitempty"`
FunctionsPerformed []string `json:"functions-performed"`
// A human-readable name for the privilege.
Title string `json:"title"`
}
CommonAuthorizedPrivilege Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege. NOTE: This is subject to change if we decide to implement another type of identity system
type Component ¶
type Component struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Type ComponentType `json:"type" query:"type"`
Title string `json:"title" query:"title"`
Description string `json:"description" query:"description"`
// A summary of the technological or business purpose of the component.
Purpose string `json:"purpose" query:"purpose"`
Props []Property `json:"props" query:"props"`
Links []Link `json:"links" query:"links"`
Implementations []Uuid `json:"control_implementations" query:"control_implementations"`
ResponsibleRoles []Uuid `json:"responsible_roles" query:"responsible_roles"`
}
Component A defined component that can be part of an implemented system. Notes: - Implemented Protocols from OSCAL is not implemented. They can always be added as props.
type ComponentType ¶
type ComponentType int
const ( InterconnectionComponentType ComponentType = iota SoftwareComponentType HardwareComponentType ServiceComponentType PolicyComponentType PhysicalComponentType ProcessProcedureComponentType PlanComponentType GuidanceComponentType StandardComponentType ValidationComponentType )
type Constraint ¶
type Constraint struct {
Description string `json:"description"`
Tests []ConstraintTest
}
type ConstraintTest ¶
type Control ¶
type Control struct {
Uuid Uuid `json:"uuid"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Parts []Part `json:"parts,omitempty"`
Class string `json:"class"`
Title string `json:"title"`
Params []Parameter `json:"params"`
Controls []Uuid `json:"controlUuids"` // Reference to controls
}
type ControlDefinitionStatement ¶
type ControlDefinitionStatement struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
StatementId string `json:"statement_id" query:"statement_id"`
ResponsibleRoles []Uuid `json:"responsible_roles" query:"responsible_roles"`
Remarks string `json:"remarks" query:"remarks"`
}
type ControlImplementation ¶
type ControlImplementation struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Source A reference to an OSCAL catalog or profile providing the referenced control or sub-control definition.
// Should be in the format `catalog/{catalog_uuid}` or `profile/{profile_uuid}`.
// TODO: Need to find a way to handle this in MongoDB. (Maybe add another field to store the source type?)
Source string `json:"source" query:"source"`
SetParameters []ParameterValue `json:"set_parameters" query:"set_parameters"`
ImplementedRequirements []Uuid `json:"implemented_requirements" query:"implemented_requirements"`
ResponsibleRoles []Uuid `json:"responsible_roles" query:"responsible_roles"`
}
ControlImplementation Control Implementation Set: Defines how the component or capability supports a set of controls.
type ControlsAndObjectives ¶
type ControlsAndObjectives struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Objectives []ObjectiveSelection `json:"objectives"`
ControlSelections Selection `json:"controlSelections"`
}
type DataFlow ¶
type DataFlow struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Description is a summary of the system's data flow.
Diagrams []Diagram `json:"diagrams,omitempty"`
}
DataFlow describes the logical flow of information within the system and across its boundaries. For example, this could represent how data flows from user interfaces to backend services in a web application.
type Definition ¶
type Definition struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Metadata Metadata
// ImportedDefinitions Loads a component definition from another resource.
// TODO: Does importing move all the definitions into the current definition or does it just reference them?
ImportedDefinitions []Uuid `json:"imported_definitions" query:"imported_definitions"`
Components []Uuid `json:"components" query:"components"`
Capabilities []Uuid `json:"capabilities" query:"capabilities"`
BackMatter BackMatter `json:"backmatter" query:"backmatter"`
}
Definition A collection of component descriptions, which may optionally be grouped by capability.
type Diagram ¶
type Diagram struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Caption provides a brief annotation for the diagram.
Caption string `json:"caption,omitempty"`
// Uuid is a machine-oriented, globally unique identifier that can be used to reference this diagram elsewhere in this or other OSCAL instances.
Uuid string `json:"uuid"`
}
Diagram provides a visual representation of the system, or some aspect of it. For example, a diagram could illustrate the system's network architecture.
type DocumentIdentifier ¶
type DocumentIdentifier struct {
Identifier string `json:"identifier"` // The document identifier.
Scheme interface{} `json:"scheme,omitempty"` // Qualifies the kind of document identifier using a URI.
}
DocumentIdentifier represents a document identifier qualified by an identifier scheme.
type Evidence ¶
type Evidence struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
}
Evidence represents data or records collected during an assessment to support findings, observations, or attestations within the OSCAL assessment context. Evidence can include documents, screenshots, logs, or any other proof that verifies the state or behavior of a system.
Example:
Evidence Type: Screenshot Description: Screenshot showing that the auto-update feature is enabled. URL: path/to/screenshot.png
type Facet ¶
type Facet struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Name string `json:"name"`
Value string `json:"value"`
// One of: http://fedramp.gov, http://fedramp.gov/ns/oscal, http://csrc.nist.gov/ns/oscal, http://csrc.nist.gov/ns/oscal/unknown, http://cve.mitre.org, http://www.first.org/cvss/v2.0, http://www.first.org/cvss/v3.0, http://www.first.org/cvss/v3.1
System string `json:"system"`
}
Facet represents specific aspects or dimensions of a characterization in the OSCAL assessment context. Facets offer more granular details about the nature, source, or implications of an observation or finding.
Example for a Configuration Setting Characterization:
Facet: Update Frequency Detail: Describes how often the configuration setting updates.
type Finding ¶
type Finding struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// ImplementationStatementId Reference to the implementation statement in the SSP to which this finding is related.
ImplementationStatementId primitive.ObjectID `json:"implementationStatementId"`
// Actors / Tasks Identify the source of the finding, such as a tool, interviewed person, or activity
// Maps to the OSCAL "origins" property
Actors []primitive.ObjectID `json:"originActors"`
Tasks []primitive.ObjectID `json:"relatedTasks"`
TargetId primitive.ObjectID `json:"target"`
RelatedObservations []primitive.ObjectID `json:"relatedObservations"`
RelatedRisks []primitive.ObjectID `json:"relatedRisks"`
}
Finding represents a conclusion or determination drawn from one or more observations, typically indicating compliance or non-compliance with specific requirements. Findings often lead to recommendations or actions.
Example:
Finding: The "auto-update" feature's activation goes against the organization's policy of manually vetting and approving system updates. This poses a potential security risk as unvetted updates could introduce vulnerabilities.
type Group ¶
type Group struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Class string `json:"class"`
Params []Parameter `json:"params"`
Groups []Uuid `json:"groups"`
}
type ImplementedRequirement ¶
type ImplementedRequirement struct {
Uuid Uuid `json:"uuid" query:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
ControlId Uuid `json:"control_id" query:"control_id"`
SetParameters []ParameterValue `json:"set_parameters" query:"set_parameters"`
ResponsibleRoles []Uuid `json:"responsible_roles" query:"responsible_roles"`
Statements []ControlDefinitionStatement `json:"statements" query:"statements"`
}
ImplementedRequirement Describes how the containing component or capability implements an individual control.
type Import ¶
type Import struct {
// Href is the URI of the source catalog or profile. Should be in the format `catalog/{catalog_uuid}` or `profile/{profile_uuid}`.
Href string `json:"href"`
IncludeAll bool `json:"include_all"`
IncludeControls []Selection `json:"include_controls"`
ExcludeControls []Selection `json:"exclude_controls"`
}
Import Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.
type InformationType ¶
type InformationType struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
AvailabilityImpact Impact `json:"availability_impact"`
Categorizations []InformationTypeCategorization `json:"categorizations"`
ConfidentialityImpact Impact `json:"confidentiality_impact"`
IntegrityImpact Impact `json:"integrity_impact"`
}
type InformationTypeCategorization ¶
type InformationTypeCategorization struct {
Ids []string `json:"ids"` // NOTE: This part is a bit blurred
System string `json:"system"` // This is an enum but right now it has only one value: http://doi.org/10.6028/NIST.SP.800-60v2r1
}
type InventoryItem ¶
type InventoryItem struct {
Uuid Uuid `json:"uuid"`
// A summary of the inventory item stating its purpose within the system.
ImplementedComponents []Component `json:"implemented-components,omitempty"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Reference to Party docs
ResponsibleParties []Uuid `json:"responsible-parties,omitempty"`
}
InventoryItem A single managed inventory item within the system.
type JobSpecification ¶
type JobSpecification struct {
Id string `json:"id" yaml:"id"`
Title string `json:"title" yaml:"title"`
PlanId string `json:"assessment-plan-id" yaml:"assessment-plan-id"`
ComponentId string `json:"component-id" yaml:"component-id"`
ControlId string `json:"control-id" yaml:"control-id"`
Tasks []TaskInformation `json:"tasks"`
}
JobSpecification is the model used to communicate with the runtime It is used to publish a plan to the runtime. The runtime will then use the information to execute the activities and publish the results back to the control-plane. Here's an example tailored specifically for Azure Cloud: Task: "Assess Azure cloud's storage security configuration." Activities could include: - "Review the Azure Blob storage access policies and Private Endpoint settings." - "Check for encryption at rest and in transit for Azure storage accounts." - "Evaluate Azure Shared Access Signatures (SAS) and Azure Storage Service Encryption (SSE)." One more example: Task: "Verify Azure network security settings." Activities could include: - "Review Azure Network Security Groups (NSGs) to ensure least privilege access." - "Assess Virtual Private Network (VPN) and ExpressRoute configurations for secure connectivity." - "Check Azure DDoS Protection settings to ensure resilience against DDoS attacks." In this scenario, the task provides the overall direction for the assessment (e.g., assessing storage security or network security on Azure), while the activities break this task down into smaller, concrete steps to follow.
type LeveragedAuthorization ¶
type LeveragedAuthorization struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
DateAuthorized string `json:"date-authorized"`
// A machine-oriented identifier reference to the party that manages the leveraged system.
Party Uuid `json:"party-uuid"`
}
LeveragedAuthorization A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common catalog provider.
type LocalDefinition ¶
type LocalDefinition struct {
Remarks string `json:"remarks,omitempty"`
// Reference to Activity
Activities []string `json:"activities"`
// Reference to component.Component
Components []primitive.ObjectID `json:"components"`
// Reference to ssp.InventoryItem
InventoryItems []primitive.ObjectID `json:"inventoryItems"`
Objectives []Objective `json:"objectives"`
// Reference to identity.User
Users []primitive.ObjectID `json:"users"`
}
type LogEntry ¶
type LogEntry struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Identifies the start date and time of an event.
Start time.Time `json:"start"`
// Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.
End time.Time `json:"end"`
LoggedBy []primitive.ObjectID `json:"loggedBy"`
}
LogEntry represents a record in an assessment log that documents a specific event or action during the assessment. A log entry can contain various information, including observations or findings, but it's essentially a chronological record.
Example:
Date/Time: 2023-10-30 10:00 AM Activity: Review of system configuration settings. Actor: Jane Smith Notes: Started the review of system settings as per the assessment plan. No anomalies observed at this time.
type MitigatingFactor ¶
type MitigatingFactor struct {
Id primitive.ObjectID `json:"id"`
ImplementationId primitive.ObjectID `json:"implementationId"`
Description string `json:"description"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Subjects []primitive.ObjectID `json:"subjects"`
}
MitigatingFactor Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
type NetworkArchitecture ¶
type NetworkArchitecture struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Diagrams []Diagram `json:"diagrams,omitempty"`
}
NetworkArchitecture A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
type Objective ¶
type Objective struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Parts []Part `json:"parts,omitempty"`
Control primitive.ObjectID `json:"control"`
}
Objective A local objective is a security control or requirement that is specific to the system or organization under assessment.
type ObjectiveSelection ¶
type ObjectiveSelection struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
IncludeAll bool `json:"includeAll"`
Exclude []string `json:"exclude"`
Include []string `json:"include"`
}
type Observation ¶
type Observation struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Methods []ObservationMethod `json:"methods"`
Types []ObservationType `json:"types"`
// Actors / Tasks Identify the source of the finding, such as a tool, interviewed person, or activity
Actors []primitive.ObjectID `json:"originActors"`
Tasks []primitive.ObjectID `json:"relatedTasks"`
Subjects []primitive.ObjectID `json:"subjects"`
RelevantEvidence []Evidence `json:"evidences"`
Collected time.Time `json:"collected"`
Expires time.Time `json:"expires"`
Remarks string `json:"remarks,omitempty"`
}
Observation represents a note or remark made by an assessor about something they noticed during the assessment. It is a neutral statement that captures what was seen or understood without necessarily assigning a value judgment.
Example:
During the system configuration review, it was observed that the "auto-update" feature was enabled.
type ObservationMethod ¶
type ObservationMethod string
const ( ObservationMethodExamine ObservationMethod = "examine" ObservationMethodInterview ObservationMethod = "interview" ObservationMethodTest ObservationMethod = "test" ObservationMethodUnknown ObservationMethod = "unknown" )
type ObservationType ¶
type ObservationType string
const ( ObservationTypeSSPStatementIssue ObservationType = "ssp-statement-issue" ObservationTypeControlObjective ObservationType = "control-objective" ObservationTypeMitigation ObservationType = "mitigation" ObservationTypeFinding ObservationType = "finding" ObservationTypeHistoric ObservationType = "historic" )
type OperationalStatus ¶
type OperationalStatus int
const ( Disposition OperationalStatus = iota Operational Other UnderDevelopment UnderMajorModification )
func (OperationalStatus) String ¶
func (os OperationalStatus) String() string
type Parameter ¶
type Parameter struct {
Uuid Uuid `json:"uuid"`
Class string `json:"class"`
Props []Property `json:"props"`
Links []Link `json:"links"`
Label string `json:"label"`
Usage string `json:"usage"`
Constraints []Constraint `json:"constraints"`
Guidelines []Guideline `json:"guidelines"`
Values []string `json:"values"`
Select ParameterSelection `json:"select"`
Remarks string `json:"remarks"`
}
type ParameterSelection ¶
type ParameterSelection struct {
HowMany HowManyType
Choices []string
}
type ParameterValue ¶
type Part ¶
type Part struct {
// An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.
Class string `json:"class,omitempty"`
// A unique identifier for the part.
Id string `json:"id,omitempty"`
Links []Link `json:"links,omitempty"`
// A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.
Name string `json:"name"`
// An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.
Ns string `json:"ns,omitempty"`
Props []Property `json:"props,omitempty"`
// Permits multiple paragraphs, lists, tables etc.
Prose string `json:"prose,omitempty"`
// An optional name given to the part, which may be used by a tool for display and navigation.
Title string `json:"title,omitempty"`
}
Part An annotated, markup-based textual element of a catalog's or catalog group's definition, or a child of another part.
type Party ¶
type Party struct {
Uuid string `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Parties represents the UUIDs of the child `Party` data
Parties []Uuid `json:"parties"`
// Roles represents the UUIDs of the `Role` responsible for the action.
Roles []Uuid `json:"roles"`
Type PartyType `json:"type"`
}
type Plan ¶
type Plan struct {
Id primitive.ObjectID `bson:"_id,omitempty" json:"id"`
// Status The status of the assessment plan, such as "active" or "inactive".
// These statuses are subject to change.
Status string `json:"status,omitempty"`
// We might switch to struct embedding for fields like Metadata, Props, etc.
Metadata Metadata `json:"metadata"`
// Tasks Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
Tasks []Task `json:"tasks"`
// Title A name given to the assessment plan. OSCAL doesn't have this, but we need it for our use case.
Title string `json:"title,omitempty"`
// The following fields are part of the OSCAL spec, but we don't use them yet.
// Assets Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions. Mostly CF in our case.
Assets Assets `json:"assets"`
// BackMatter A collection of resources that may be referenced from within the OSCAL document instance.
BackMatter BackMatter `json:"backMatter"`
// Reference to a System Security Plan
ImportSSP string `json:"importSSP"`
// LocalDefinitions Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
// Reference to LocalDefinition
LocalDefinitions LocalDefinition `json:"localDefinitions"`
// ReviewedControls Identifies the controls being assessed and their control objectives.
ReviewedControls []ControlsAndObjectives `json:"reviewedControls"`
// TermsAndConditions Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.
TermsAndConditions []Part `json:"termsAndConditions"`
Results []Result `json:"results"`
}
Plan An assessment plan, such as those provided by a FedRAMP assessor. Here are some real-world examples for Assets, Platforms, Subjects and Inventory Items within an OSCAL Assessment Plan: 1. Assets: This could be something like a customer database within a retail company. It's an asset because it's crucial to the business operation, storing all the essential customer details such as addresses, contact information, and purchase history. 2. Platforms: This could be the retail company's online E-commerce platform which hosts their online store, and where transactions occur. The platform might involve web servers, database servers, or a cloud environment. 3. Subjects: If the company is performing a security assessment, the subject could be the encryption method or security protocols used to protect the customer data while in transit or at rest in the database. 4. Inventory Items: These could be the individual servers or workstations used within the company. Inventory workstations are the physical machines or software applications used by employees that may have vulnerabilities or exposure to risk that need to be tracked and mitigated.
Relation between Tasks, Activities and Steps:
Scenario: Conducting a cybersecurity assessment of an organization's systems.
1. Task: The major task could be "Conduct vulnerability scanning on servers." 2. Activity: Within this task, an activity could be "Prepare servers for vulnerability scan." 3. Step: The steps that make up this activity could be things like:
- "Identify all servers"
- "Ensure necessary permissions are in place for scanning"
- "Check that scanning software is properly installed and updated."
Another activity under the same task could be "Execute vulnerability scanning," and steps for that activity might include:
1. "Begin scanning process through scanning software." 2. "Monitor progress of scan." 3. "Document any issues or vulnerabilities identified."
The process would continue like this with tasks broken down into activities, and activities broken down into steps.
These concepts still apply in the context of automated tools or systems. In fact, the OSCAL model is designed to support both manual and automated processes. 1. Task: The major task could be “Automated Compliance Checking” 2. Activity: This task could have multiple activities such as: ▪ “Configure Automated Tool with necessary parameters” ▪ “Run Compliance Check” ▪ “Collect and Analyze Compliance Data” 3. Step: In each of these activities, there are several subprocesses or actions (Steps). For example, under “Configure Automated Tool with necessary parameters”, the steps could be: ▪ “Define the criteria based on selected standards” ▪ “Set the scope or target systems for the assessment” ▪ “Specify the output (report) format” In context of an automated compliance check, the description of Task, Activity, and Step provides a systematic plan or procedure that the tool is expected to follow. This breakdown of tasks, activities, and steps could also supply useful context and explain the tool’s operation and results to system admins, auditors or other stakeholders. It also allows for easier troubleshooting in the event of problems.
func (*Plan) JobSpecification ¶
func (p *Plan) JobSpecification() JobSpecification
type Platform ¶
type Platform struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// Reference to component.Component
UsesComponents []string `json:"usesComponents"`
}
type Profile ¶
type Profile struct {
Uuid Uuid `json:"uuid"`
Metadata
Imports []Import `json:"imports"`
BackMatter BackMatter `json:"backmatter"`
}
Profile is a collection of controls and metadata that can be used to create a new overlay or baseline. Note: The "Merge" and "Modify" are being skipped for now, as it doesn't make any sense to store the instructions for merging and modifying, rather than the result of applying them. They can be added as audit logs, holding all the details of the merge and modify operations.
type ProfileSelection ¶
type ProfileSelection struct {
WithChildControls bool `json:"with_child_controls"`
WithIds []Uuid `json:"with_ids"`
Matching []struct {
Pattern string `json:"pattern"`
} `json:"matching"`
}
ProfileSelection Selects a control or controls from an imported control set (Profile | Catalog).
type Resource ¶
type Resource struct {
Base64 *Base64 `json:"base64,omitempty"` // A resource encoded using the Base64 alphabet.
Citation *Citation `json:"citation,omitempty"` // An optional citation associated with the resource.
Description string `json:"description,omitempty"` // An optional short summary of the resource.
DocumentIds []DocumentIdentifier `json:"document-ids,omitempty"` // Document identifiers associated with the resource.
Props []Property `json:"props,omitempty"` // Properties of the resource.
Remarks string `json:"remarks,omitempty"` // Remarks about the resource.
Rlinks []Link `json:"rlinks,omitempty"` // Related links of the resource.
Title string `json:"title,omitempty"` // An optional name given to the resource.
Uuid Uuid `json:"uuid"` // A unique identifier for a resource.
}
Resource represents a resource associated with content in the containing document instance.
type Response ¶
type Response struct {
Id primitive.ObjectID `json:"id"`
// Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.
// One of: recommendation, planned, completed
Lifecycle string `json:"lifecycle"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
// Actors / Tasks Identify the source of the finding, such as a tool, interviewed person, or activity
Actors []primitive.ObjectID `json:"originActors"`
Tasks []primitive.ObjectID `json:"relatedTasks"`
}
Response Describes either recommended or an actual plan for addressing the risk. TODO: Needs more work
type Result ¶
type Result struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Start time.Time `json:"start"`
End time.Time `json:"end"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
LocalDefinitions LocalDefinition `json:"localDefinitions"`
ReviewedControls []ControlsAndObjectives `json:"reviewedControls"`
AssessmentLog []LogEntry `json:"assessmentLogEntries"`
Attestations []Attestation `json:"attestations"`
Observations []Observation `json:"observations"`
Risks []Risk `json:"risks"`
Findings []Finding `json:"findings"`
Remarks string `json:"remarks,omitempty"`
}
type Revision ¶
type Revision struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Published time.Time `json:"published"`
LastModified time.Time `json:"lastModified"`
Version string `json:"version"`
OscalVersion string `json:"oscalVersion"`
}
type Risk ¶
type Risk struct {
Id primitive.ObjectID `json:"id"`
// The title for this risk.
Title string `json:"title,omitempty"`
// A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.
Description string `json:"description,omitempty"`
// A summary of impact for how the risk affects the system.
Statement string `json:"statement,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
// Describes the status of the risk.
Status RiskStatus `json:"status"`
// Actors / Tasks Identify the source of the finding, such as a tool, interviewed person, or activity
Actors []primitive.ObjectID `json:"originActors"`
Tasks []primitive.ObjectID `json:"relatedTasks"`
Threats []primitive.ObjectID `json:"threats"`
Characterizations []Characterization `json:"characterizations"`
MitigatingFactors []primitive.ObjectID `json:"mitigatingFactors"`
Deadline time.Time `json:"deadline"`
Remediations []Response `json:"remediations"`
Log []RiskLogEntry `json:"riskLog"`
RelatedObservations []primitive.ObjectID `json:"relatedObservations"`
}
Risk represents a potential event or circumstance that may exploit a vulnerability in a system or its environment. Risks often have associated impacts and likelihoods, which help in determining their severity and priority.
A risk is typically identified from findings and can lead to recommendations or mitigating actions to address or reduce the potential impact.
Example:
Risk: Due to the "auto-update" feature being enabled, there's a chance that unvetted system updates could introduce vulnerabilities. Impact: High - This could compromise the integrity of the system. Likelihood: Medium - Based on past updates and the frequency of potentially harmful updates.
type RiskLogEntry ¶
type RiskLogEntry struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Start time.Time `json:"start"`
End time.Time `json:"end"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
LoggedBy Actor `json:"loggedBy"`
}
type RiskStatus ¶
type RiskStatus string
const ( RiskStatusOpen RiskStatus = "open" RiskStatusInvestigating RiskStatus = "investigating" RiskStatusRemediating RiskStatus = "remediating" RiskStatusDeviationRequested RiskStatus = "deviation-requested" RiskStatusDeviationApproved RiskStatus = "deviation-approved" RiskStatusClosed RiskStatus = "closed" )
type Role ¶
type Role struct {
Uuid string `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
// PartyUuids holds the UUIDs of the `Party` data. Supports many-to-many relationship.
PartyUuids []string `json:"partyUuids"`
}
type SecurityImpactLevel ¶
type Statement ¶
type Statement struct {
// TODO: By-components
Uuid Uuid `json:"uuid"`
Id string `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
ResponsibleRoles []Uuid `json:"responsibleRoles"`
}
type Subject ¶
type Subject struct {
Id primitive.ObjectID `json:"id"`
SubjectId string `json:"subjectId"`
Type SubjectType `json:"type"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
}
Subject Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment.
type SubjectMatchExpression ¶
type SubjectSelection ¶
type SubjectSelection struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Query string `json:"query,omitempty"`
Labels map[string]string `json:"labels,omitempty"`
Expressions []SubjectMatchExpression `json:"expressions,omitempty"`
Ids []string `json:"ids,omitempty"`
}
SubjectSelection Identifies system elements being assessed, such as components, inventory items, and locations by specifying a selection criteria. We do not directly store SubjectIds as we might not know the actual subjects before running the assessment. The assessment runtime evaluates the selection by running the providers and returns back with subject ids.
func (*SubjectSelection) Valid ¶
func (s *SubjectSelection) Valid() bool
type SubjectType ¶
type SubjectType string
const ( SubjectTypeComponent SubjectType = "component" SubjectTypeInventoryItem SubjectType = "inventoryItem" SubjectTypeLocation SubjectType = "location" SubjectTypeParty SubjectType = "party" SubjectTypeUser SubjectType = "user" )
type SystemCharacteristics ¶
type SystemCharacteristics struct {
Uuid Uuid `json:"uuid"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Metadata
AuthorizationBoundary AuthorizationBoundary `json:"authorization_boundary"`
ControlImplementation []Uuid `json:"control_implementation"`
DataFlow DataFlow `json:"data_flow"`
DateAuthorized time.Time `json:"date_authorized"`
ImportProfile []Uuid `json:"import_profile"`
NetworkArchitecture NetworkArchitecture `json:"network_architecture"`
ResponsibleParties []Uuid `json:"responsible_parties"`
SecurityImpactLevel SecurityImpactLevel `json:"security_impact_level"`
// The overall information system sensitivity categorization, such as defined by FIPS-199.
SecuritySensitivityLevel string `json:"security_sensitivity_level"`
Status OperationalStatus `json:"status"`
// One of http://fedramp.gov/ns/oscal, https://fedramp.gov", http://ietf.org/rfc/rfc4122", https://ietf.org/rfc/rfc4122
SystemIds []string `json:"system_ids"`
SystemInformation SystemInformation `json:"system_information"`
// The full name of the system.
SystemName string `json:"system_name"`
// A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.
SystemNameShort string `json:"system_name_short"`
}
SystemCharacteristics Contains the characteristics of the system, such as its name, purpose, and security impact level.
type SystemImplementation ¶
type SystemImplementation struct {
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Components []Component `json:"components"`
InventoryItems []InventoryItem `json:"inventory-items,omitempty"`
LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"`
Users []User `json:"users"`
}
SystemImplementation Provides information as to how the system is implemented.
type SystemInformation ¶
type SystemInformation struct {
// Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
InformationTypes []InformationType `json:"information_types"`
Links []Link `json:"links"`
Props []Property `json:"props"`
Uuid Uuid `json:"uuid"`
}
type SystemSecurityPlan ¶
type SystemSecurityPlan struct {
Title string `json:"title"`
Uuid Uuid `json:"uuid"`
BackMatter BackMatter `json:"backmatter"`
Metadata
// Reference to the control implementation
ControlImplementation []Uuid `json:"control_implementation"`
// Reference to a profile
ImportProfile Uuid `json:"import_profile"`
SystemCharacteristics SystemCharacteristics `json:"system_characteristics"`
}
type Target ¶
type Target struct {
TargetId primitive.ObjectID `json:"targetId"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Status TargetStatus `json:"status"`
}
Target Captures an assessor's conclusions regarding the degree to which an objective is satisfied. It represents an item or entity that is the subject of an assessment within the OSCAL context. It can be a system component, process, configuration, or any other element that has undergone assessment. Each target has a unique identifier and may contain additional metadata or details relevant to the assessment.
Example:
TargetId ID: server-1234 Type: System Component Description: Primary web server running in the production environment.
type TargetStatus ¶
type Task ¶
type Task struct {
Id primitive.ObjectID `json:"id"`
Title string `json:"title,omitempty"`
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
Type TaskType `json:"type"`
Activities []Activity `json:"activities"`
Dependencies []TaskDependency `json:"dependencies"`
ResponsibleRoles []Uuid `json:"responsibleRoles"`
// Subjects hold all the subjects that the activities act upon.
Subjects []primitive.ObjectID `json:"subjects"`
Tasks []Uuid `json:"tasks"`
Schedule string `json:"schedule"`
}
func (*Task) AddActivity ¶
type TaskDependency ¶
type TaskInformation ¶
type TaskInformation struct {
Id string `json:"id"`
Title string `json:"title"`
Schedule string `json:"schedule"`
Activities []ActivityInformation `json:"activities"`
}
type User ¶
type User struct {
AuthorizedPrivileges []CommonAuthorizedPrivilege `json:"authorized-privileges,omitempty"`
// A summary of the user's purpose within the system.
Description string `json:"description,omitempty"`
Props []Property `json:"props,omitempty"`
Links []Link `json:"links,omitempty"`
Remarks string `json:"remarks,omitempty"`
RoleIds []string `json:"role-ids,omitempty"`
// A short common name, abbreviation, or acronym for the user.
ShortName string `json:"short-name,omitempty"`
// A name given to the user, which may be used by a tool for display and navigation.
Title string `json:"title,omitempty"`
// A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Uuid string `json:"uuid"`
}
User A type of user that interacts with the system based on an associated role.
Source Files