chef / automate

Chef Automate provides a full suite of enterprise capabilities for maintaining continuous visibility into application, infrastructure, and security automation.
https://automate.chef.io/
Apache License 2.0

update compliance reporting in Automate to match CVSS 3.0 standards #433

Open vjeffrey opened 5 years ago

vjeffrey commented 5 years ago

User Story

Chef InSpec itself does not assume status of a report or an individual profile results status in a report. It only reports the status of each control, leaving the consumer to interpret the impacts, failures, and passes the way they would like.

In Automate, we've been evaluating report (node and profile) status in Automate following the CVSS 2.0 standards:

Low | 0.0-0.3 (minor)
Medium | 0.4-0.7 (major)
High | 0.7-1.0 (critical)

Now that CVSS 3.0 standards are around, we should upgrade our logic to those numbers:

None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0

Added benefit: this introduces a "none" or "information" impact value. A 0 impact control (or information control) should not count against the overall profile or node status. These are for evaluation only. This can be used by those interested in exceptions, as the status of the control results will still be reported, it just won't count against the overall status of the profile/node.

UI WORK: The node results details page has button filters for the control impacts. This will need to be updated for the new statuses (we need some ux for this). The profile results details page also has some light logic for displaying the impact of the control which will need to be updated.

"Informational" will also need to be a new status in Automate in general. With the introduction of these new statuses, it could be possible to have a profile with only informational controls, and it is possible to only run an "informational" profile on a node. This means the possible statuses for nodes, profiles, and controls will be informational, skipped, passed, failed.

Definition of Done

1. Create a profile with at least one control of each new impact range.
2. Scan a node with Automate using the profile.
3. Expect the correct results. Informational control results should not contribute to overall status.
4. Filter by control, see status updates.
5. Create a profile with only informational controls.
6. Scan a node with the profile.
7. Expect "informational" status for both the node and profile.

Related Resources

https://nvd.nist.gov/vuln-metrics/cvss
https://chef.aha.io/ideas/ideas/A2-I-32

Aha! Link: https://chef.aha.io/epics/A2-E-161
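
The following Go program is an added example of the rollup logic this comment proposes; it is not code from the Chef Automate repository. It scales an InSpec impact (0.0-1.0) to the CVSS 3.0 buckets listed above, treats a zero-impact control as informational so that its results are reported but never count against a profile or node, derives the profile/node status from the remaining controls, reports "informational" when only informational controls are present, and tallies failed controls per severity bucket, which is the breakdown the impact filter buttons on the node results page would need. The names SeverityForImpact, ControlStatus, RollupStatus, FailedBySeverity and the Control struct are assumptions for illustration, as is the precedence failed > skipped > passed when combining results; the sample profile in main is constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Severity is the CVSS v3.0 qualitative rating for a control's impact.
type Severity string

const (
	SeverityNone     Severity = "none"
	SeverityLow      Severity = "low"
	SeverityMedium   Severity = "medium"
	SeverityHigh     Severity = "high"
	SeverityCritical Severity = "critical"
)

// Status is the result state of a control, profile or node.
type Status string

const (
	StatusPassed        Status = "passed"
	StatusFailed        Status = "failed"
	StatusSkipped       Status = "skipped"
	StatusInformational Status = "informational"
)

// Control is the subset of an InSpec control result needed for the rollup.
// This is an assumed shape for the example, not Automate's own report type.
type Control struct {
	ID      string
	Impact  float64  // InSpec impact, 0.0 to 1.0
	Results []Status // per-test results: passed, failed or skipped
}

// SeverityForImpact buckets an InSpec impact with the CVSS 3.0 thresholds
// from the issue: none 0.0, low 0.1-3.9, medium 4.0-6.9, high 7.0-8.9,
// critical 9.0-10.0. An InSpec impact is a tenth of a CVSS score, so it is
// converted to integer tenths of a CVSS point first; that keeps every
// boundary in exactly one bucket and avoids float noise near 0.4/0.7/0.9.
func SeverityForImpact(impact float64) Severity {
	tenths := int(math.Round(impact * 100)) // 0.39 -> 39, i.e. CVSS 3.9
	switch {
	case tenths <= 0:
		return SeverityNone
	case tenths < 40:
		return SeverityLow
	case tenths < 70:
		return SeverityMedium
	case tenths < 90:
		return SeverityHigh
	default:
		return SeverityCritical
	}
}

// rollup applies the assumed precedence failed > skipped > passed over a set
// of statuses; an empty set counts as passed.
func rollup(statuses []Status) Status {
	skipped := false
	for _, s := range statuses {
		switch s {
		case StatusFailed:
			return StatusFailed
		case StatusSkipped:
			skipped = true
		}
	}
	if skipped {
		return StatusSkipped
	}
	return StatusPassed
}

// ControlStatus derives a control's status from its test results. A control
// whose impact buckets to "none" is informational regardless of its results:
// the results are still reported, but the control never counts against the
// profile or node.
func ControlStatus(c Control) Status {
	if SeverityForImpact(c.Impact) == SeverityNone {
		return StatusInformational
	}
	return rollup(c.Results)
}

// RollupStatus computes a profile's status from its controls; a node's status
// is the same rollup over the controls of every profile run on it.
// Informational controls are excluded, and a profile (or node) with nothing
// but informational controls is itself informational.
func RollupStatus(controls []Control) Status {
	var counted []Status
	for _, c := range controls {
		if s := ControlStatus(c); s != StatusInformational {
			counted = append(counted, s)
		}
	}
	if len(counted) == 0 {
		return StatusInformational
	}
	return rollup(counted)
}

// FailedBySeverity tallies failed, non-informational controls per CVSS bucket:
// the counts a "Failed Controls" filter split by critical/high/medium/low
// would display. Informational controls never appear here.
func FailedBySeverity(controls []Control) map[Severity]int {
	out := map[Severity]int{}
	for _, c := range controls {
		if ControlStatus(c) == StatusFailed {
			out[SeverityForImpact(c.Impact)]++
		}
	}
	return out
}

func main() {
	// Constructed sample profile: one control per impact range.
	profile := []Control{
		{ID: "info-1", Impact: 0.0, Results: []Status{StatusFailed}},
		{ID: "low-1", Impact: 0.3, Results: []Status{StatusPassed}},
		{ID: "med-1", Impact: 0.5, Results: []Status{StatusPassed, StatusSkipped}},
		{ID: "high-1", Impact: 0.7, Results: []Status{StatusPassed}},
		{ID: "crit-1", Impact: 1.0, Results: []Status{StatusFailed}},
	}
	for _, c := range profile {
		fmt.Printf("%-7s impact=%.1f severity=%-8s status=%s\n",
			c.ID, c.Impact, SeverityForImpact(c.Impact), ControlStatus(c))
	}
	fmt.Println("profile status:", RollupStatus(profile))
	fmt.Println("failed by severity:", FailedBySeverity(profile))

	infoOnly := []Control{{ID: "info-2", Impact: 0.0, Results: []Status{StatusPassed}}}
	fmt.Println("informational-only profile status:", RollupStatus(infoOnly))
}
```

The sample profile rolls up to "failed" because of crit-1 alone: info-1 also has a failed result, but its zero impact keeps it out of both the profile status and the failed-by-severity tally, which is the exception behaviour the comment describes. The informational-only profile rolls up to "informational", the new top-level status the comment asks for.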

jonong1972 commented 5 years ago

For the UI bits, on the Compliance Nodes Details, the first step I would like to take is to combine all the failed filters into just one filter button (critical/major/minor) so the filter bar would only show:

Total Controls | Failed Controls | Skipped Controls | Passed Controls | Informational(?) <-- not sure on this still.

UX team still has to design a pattern to allow a subset of filters for the Failed Controls.

Probably some type of check-boxes with the values of: Critical | High | Medium | Low

vjeffrey commented 4 years ago

note: this work has not yet been done for a few reasons