wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Map rules to HIPAA Technical Safeguards #392

Closed crd1985 closed 5 years ago

crd1985 commented 5 years ago

Taking advantage of current PCI DSS mapping and HIPAA equivalences, we can map the current ruleset to the HIPAA Technical Safeguards, according to the following table:

| PCI DSS 3.0 | HIPAA |
| --- | --- |
| 2,4 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 6.1<br>6.2<br>11.2 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 2.1<br>7.1 - 7.3<br>8.1 - 8.3<br>8.7 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 2.2<br>2.3<br>6.2<br>11.5 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 10.1 - 10.7 | 164.308(a)(1): Security Management Process - Information System Activity Review R<br>164.308(a)(5): Security Awareness and Training - Log-in Monitoring A |
| 2.2<br>2.3<br>6.2<br>11.5 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 5.1 - 5.4 | 164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A<br>164.310(d)(1): Device and Media Controls - Accountability A<br>164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 1,4 | 164.310(b): Workstation Use - R<br>164.310(c): Workstation Security - R |
| 4.3<br>9.5 - 9.7 | 164.308(a)(7): Contingency Plan - Data Backup Plan R<br>164.308(a)(7): Contingency Plan - Disaster Recovery Plan R<br>164.308(a)(7): Contingency Plan - Testing and Revision Procedure A<br>164.310(d)(1): Device and Media Controls - Data Backup and Storage A |
| 3.6<br>4.1 - 4.3 | 164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R<br>164.310(d)(1): Device and Media Controls - Accountability A<br>164.312(a)(1): Access Control - Encryption and Decryption A<br>164.312(e)(1): Transmission Security - Integrity Controls A<br>164.312(e)(1): Transmission Security - Encryption A |
| 1.3 - 1.4<br>4.3<br>7.1 - 7.3<br>8.7 | 164.308(a)(1): Security Management Process - Information System Activity Review R<br>164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R<br>164.308(a)(4): Information Access Management - Access Authorization A<br>164.312(a)(1): Access Control - Encryption and Decryption A<br>164.312(c)(1): Integrity - Mechanism to Authenticate Electronic Protected Health Information A<br>164.312(a)(1): Access Control - Automatic Logoff A<br>164.312(d): Person or Entity Authentication - R<br>164.312(e)(1): Transmission Security - Integrity Controls A<br>164.312(e)(1): Transmission Security - Encryption A |
| 7.1 - 7.3<br>8.7 - 8.8 | 164.308(a)(1): Security Management Process - Information System Activity Review R<br>164.308(a)(4): Information Access Management - Access Authorization A<br>164.308(a)(4): Information Access Management - Access Establishment and Modification A<br>164.308(a)(5): Security Awareness and Training - Password Management A<br>164.312(a)(1): Access Control - Unique User Identification R<br>164.312(a)(1): Access Control - Automatic Logoff A<br>164.312(d): Person or Entity Authentication - R<br>164.312(e)(1): Transmission Security - Integrity Controls A<br>164.312(e)(1): Transmission Security - Encryption A |
| 12,6 | 164.308(a)(5): Security Awareness and Training - Security Reminders A<br>164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A<br>164.308(a)(5): Security Awareness and Training - Log-in Monitoring A<br>164.308(a)(5): Security Awareness and Training - Password Management A |
| 12.10 | 164.308(a)(6): Security Incident Procedures - Response and Reporting R |

Tasks:

crd1985 commented 5 years ago

@santiago-bassett

This is the result of comparing PCI DSS 3.2 versus HIPAA security standards:

{
  "pci_dss_1.1.1": "hipaa_164.312.a.1",
  "pci_dss_1.3.4": "hipaa_164.312.a.1",
  "pci_dss_1.4": "hipaa_164.312.a.1",
  "pci_dss_10.1": "hipaa_164.312.b",
  "pci_dss_10.2.1": "hipaa_164.312.b",
  "pci_dss_10.2.2": "hipaa_164.312.b",
  "pci_dss_10.2.4": "hipaa_164.312.b",
  "pci_dss_10.2.5": "hipaa_164.312.b",
  "pci_dss_10.2.6": "hipaa_164.312.b",
  "pci_dss_10.2.7": "hipaa_164.312.b",
  "pci_dss_10.4": "hipaa_164.312.b",
  "pci_dss_10.5.2": "hipaa_164.312.b",
  "pci_dss_10.5.5": "hipaa_164.312.b",
  "pci_dss_10.6": "hipaa_164.312.b",
  "pci_dss_10.6.1": "hipaa_164.312.b",
  "pci_dss_11.4": "#N/A",
  "pci_dss_11.5": "hipaa_164.312.c.1,hipaa_164.312.c.2",
  "pci_dss_2.2": "#N/A",
  "pci_dss_2.2.3": "#N/A",
  "pci_dss_4.1": "hipaa_164.312.a.2.IV,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II",
  "pci_dss_5.1": "#N/A",
  "pci_dss_5.2": "#N/A",
  "pci_dss_6.2": "#N/A",
  "pci_dss_6.5": "#N/A",
  "pci_dss_6.5.1": "#N/A",
  "pci_dss_6.5.10": "#N/A",
  "pci_dss_6.5.2": "#N/A",
  "pci_dss_6.5.5": "#N/A",
  "pci_dss_6.5.7": "#N/A",
  "pci_dss_6.5.8": "#N/A",
  "pci_dss_6.6": "#N/A",
  "pci_dss_8.1.2": "hipaa_164.312.a.2.I,hipaa_164.312.a.2.II",
  "pci_dss_8.1.4": "hipaa_164.312.a.1",
  "pci_dss_8.1.5": "hipaa_164.312.a.1",
  "pci_dss_8.1.6": "hipaa_164.312.a.1",
  "pci_dss_8.1.8": "hipaa_164.312.a.2.III",
  "pci_dss_8.2.4": "hipaa_164.312.d",
  "pci_dss_8.7": "hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II"
}

Some of the sections in the PCI standard cannot be matched to a HIPAA one, which could be OK because PCI DSS is much wider than HIPAA (considering only the Technical Safeguards, which are the ones relevant to Wazuh).

@AdriiiPRodri is working on the script to automatically edit rules files using the mapping above.

AdriiiPRodri commented 5 years ago

Status update

A script has been added to map the new standard and add it to our ruleset. The script checks whether the standard has been previously added or not, so it is also valid for updating the ruleset as many times as necessary.

https://github.com/wazuh/wazuh-ruleset/blob/392-HIPAA-standard/tools/map-security-standard/map_standard.py

adriiiprodri@Wazuh:~/Desktop/git/wazuh-ruleset/tools/map-security-standard$ python map_standard.py -h
usage: map_standard.py [-h] [--path PATH] [--schema SCHEMA]

optional arguments:
  -h, --help       show this help message and exit
  -p PATH --path       Rules path
  -s SCHEMA --schema   Schema path
adriiiprodri@UnKnown:~/Desktop/git/wazuh-ruleset/tools/map-security-standard$ python map_standard.py 
[INFO] Processing 0500-owncloud_rules.xml
[INFO] Processing 0350-amazon_rules.xml
[INFO] Processing 0230-ms-se_rules.xml
[INFO] Processing 0025-sendmail_rules.xml
[INFO] Processing 0245-web_rules.xml
[INFO] Processing 0310-openbsd_rules.xml
[INFO] Processing 0016-wazuh_rules.xml
[INFO] Processing 0480-qualysguard_rules.xml
[INFO] Processing 0055-courier_rules.xml
[INFO] Processing 0430-ms_wdefender_rules.xml
[INFO] Processing 0585-win-application_rules.xml
[INFO] Processing 0510-ciscat_rules.xml
[INFO] Processing 0140-roundcube_rules.xml
[INFO] Processing 0525-openvas_rules.xml
[INFO] Processing 0085-pam_rules.xml
[INFO] Processing 0540-pfsense_rules.xml
[INFO] Processing 0605-win-mcafee_rules.xml
[INFO] Processing 0530-mysql_audit_rules.xml
[INFO] Processing 0365-auditd_rules.xml
[INFO] Processing 0175-proftpd_rules.xml
[INFO] Processing 0095-sshd_rules.xml
[INFO] Processing 0345-netscaler_rules.xml
[INFO] Processing 0470-vshell_rules.xml
[INFO] Processing 0075-cisco-ios_rules.xml
[INFO] Processing 0385-oscap_rules.xml
[INFO] Processing 0040-imapd_rules.xml
[INFO] Processing 0325-opensmtpd_rules.xml
[INFO] Processing 0360-serv-u_rules.xml
[INFO] Processing 0315-apparmor_rules.xml
[INFO] Processing 0320-clam_av_rules.xml
[INFO] Processing 0300-postgresql_rules.xml
[INFO] Processing 0450-mongodb_rules.xml
[INFO] Processing 0340-puppet_rules.xml
[INFO] Processing 0020-syslog_rules.xml
[INFO] Processing 0210-vpn_concentrator_rules.xml
[INFO] Processing 0120-symantec-av_rules.xml
[INFO] Processing 0435-ms_logs_rules.xml
[INFO] Processing 0010-rules_config.xml
[INFO] Processing 0080-sonicwall_rules.xml
[INFO] Processing 0110-ms_dhcp_rules.xml
[INFO] Processing 0580-win-security_rules.xml
[INFO] Processing 0295-mysql_rules.xml
[INFO] Processing 0185-vsftpd_rules.xml
[INFO] Processing 0555-azure_rules.xml
[INFO] Processing 0415-sophos_rules.xml
[INFO] Processing 0565-ms_ipsec_rules.xml
[INFO] Processing 0155-dovecot_rules.xml
[INFO] Processing 0425-cisco-estreamer_rules.xml
[INFO] Processing 0220-msauth_rules.xml
[INFO] Processing 0560-docker_integration_rules.xml
[INFO] Processing 0485-cylance_rules.xml
[INFO] Processing 0030-postfix_rules.xml
[INFO] Processing 0600-win-wdefender_rules.xml
[INFO] Processing 0135-hordeimp_rules.xml
[INFO] Processing 0160-vmpop3d_rules.xml
[INFO] Processing 0195-named_rules.xml
[INFO] Processing 0335-unbound_rules.xml
[INFO] Processing 0065-pix_rules.xml
[INFO] Processing 0620-win-generic_rules.xml
[INFO] Processing 0105-asterisk_rules.xml
[INFO] Processing 0305-dropbear_rules.xml
[INFO] Processing 0115-arpwatch_rules.xml
[INFO] Processing 0165-vpopmail_rules.xml
[INFO] Processing 0235-vmware_rules.xml
[INFO] Processing 0270-web_appsec_rules.xml
[INFO] Processing 0045-mailscanner_rules.xml
[INFO] Processing 0455-docker_rules.xml
[INFO] Processing 0255-zeus_rules.xml
[INFO] Processing 0515-exim_rules.xml
[INFO] Processing 0285-systemd_rules.xml
[INFO] Processing 0125-symantec-ws_rules.xml
[INFO] Processing 0375-usb_rules.xml
[INFO] Processing 0390-fortigate_rules.xml
[INFO] Processing 0410-imperva_rules.xml
[INFO] Processing 0380-redis_rules.xml
[INFO] Processing 0420-freeipa_rules.xml
[INFO] Processing 0215-policy_rules.xml
[INFO] Processing 0170-ftpd_rules.xml
[INFO] Processing 0490-virustotal_rules.xml
[INFO] Processing 0405-rsa-auth-manager_rules.xml
[INFO] Processing 0200-smbd_rules.xml
[INFO] Processing 0615-win-ms-se_rules.xml
[INFO] Processing 0050-ms-exchange_rules.xml
[INFO] Processing 0575-win-base_rules.xml
[INFO] Processing 0610-win-ms_logs_rules.xml
[INFO] Processing 0130-trend-osce_rules.xml
[INFO] Processing 0535-mariadb_rules.xml
[INFO] Processing 0505-vuls_rules.xml
[INFO] Processing 0260-nginx_rules.xml
[INFO] Processing 0240-ids_rules.xml
[INFO] Processing 0440-ms_sqlserver_rules.xml
[INFO] Processing 0590-win-system_rules.xml
[INFO] Processing 0550-kaspersky_rules.xml
[INFO] Processing 0290-firewalld_rules.xml
[INFO] Processing 0395-hp_rules.xml
[INFO] Processing 0190-ms_ftpd_rules.xml
[INFO] Processing 0445-identity_guard_rules.xml
[INFO] Processing 0520-vulnerability-detector_rules.xml
[INFO] Processing 0330-sysmon_rules.xml
[INFO] Processing 0090-telnetd_rules.xml
[INFO] Processing 0100-solaris_bsm_rules.xml
[INFO] Processing 0015-ossec_rules.xml
[INFO] Processing 0225-mcafee_av_rules.xml
[INFO] Processing 0400-openvpn_rules.xml
[INFO] Processing 0265-php_rules.xml
[INFO] Processing 0250-apache_rules.xml
[INFO] Processing 0495-proxmox-ve_rules.xml
[INFO] Processing 0070-netscreenfw_rules.xml
[INFO] Processing 0275-squid_rules.xml
[INFO] Processing 0180-pure-ftpd_rules.xml
[INFO] Processing 0545-osquery_rules.xml
[INFO] Processing 0035-spamd_rules.xml
[INFO] Processing 0205-racoon_rules.xml
[INFO] Processing 0145-wordpress_rules.xml
[INFO] Processing 0460-jenkins_rules.xml
[INFO] Processing 0060-firewall_rules.xml
[INFO] Processing 0595-win-sysmon_rules.xml
[INFO] Processing 0570-sca_rules.xml
[INFO] Processing 0475-suricata_rules.xml
[INFO] Processing 0150-cimserver_rules.xml
[INFO] Processing 0280-attack_rules.xml
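The following Python is an added example for this thread; it is not the `map_standard.py` script linked above nor any other code from the wazuh-ruleset project. It sketches the step the two previous comments describe: the PCI DSS to HIPAA JSON schema posted by crd1985 (a constructed subset of it is embedded) is loaded, each rule's `<group>` tag list is scanned for `pci_dss_*` tags, and the matching `hipaa_*` tags are appended only when they are not already present, so a second run over an already-mapped ruleset is a no-op. The sample rule file, its rule ids, and the choice to edit the rule-level `<group>` text with a regex rather than re-serialising the XML are assumptions of this example.

```python
"""Add HIPAA tags to Wazuh rule files from a PCI DSS -> HIPAA schema, idempotently.

Added example; not the project's own map_standard.py. Assumes the Wazuh convention
that a rule's <group> element holds a comma-separated tag list with a trailing comma.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed subset of the schema posted in the issue; "#N/A" = no HIPAA equivalent.
SCHEMA_JSON = """{
  "pci_dss_10.2.4": "hipaa_164.312.b",
  "pci_dss_10.2.5": "hipaa_164.312.b",
  "pci_dss_10.6.1": "hipaa_164.312.b",
  "pci_dss_11.4": "#N/A",
  "pci_dss_8.7": "hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II"
}"""

# Constructed rule file; ids 100000+ are the custom-rule range, so they collide with nothing.
SAMPLE_RULES = """<group name="syslog,sshd,">
  <rule id="100001" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: attempt to log in as a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>
  <rule id="100002" level="10">
    <if_sid>5700</if_sid>
    <match>Accepted publickey</match>
    <description>sshd: key-based login to a host in scope for both standards</description>
    <group>authentication_success,pci_dss_8.7,pci_dss_11.4,</group>
  </rule>
  <rule id="100003" level="3">
    <if_sid>5700</if_sid>
    <description>sshd: informational event with no compliance tags</description>
    <group>sshd_info,</group>
  </rule>
</group>
"""

# Matches only the attribute-less rule-level <group>; the file-level <group name="..."> is skipped.
RULE_GROUP_RE = re.compile(r"<group>([^<]*)</group>")


def load_schema(text: str) -> Dict[str, List[str]]:
    """Parse the JSON schema into {pci_tag: [hipaa_tag, ...]}; '#N/A' becomes an empty list."""
    schema: Dict[str, List[str]] = {}
    for pci_tag, hipaa in json.loads(text).items():
        hipaa = hipaa.strip()
        schema[pci_tag] = [] if hipaa == "#N/A" else [t for t in hipaa.split(",") if t]
    return schema


def map_group(group_text: str, schema: Dict[str, List[str]]) -> str:
    """Append the HIPAA tags implied by the PCI tags present in one <group> list.

    Idempotent: a mapped tag is added only if it is not already in the list, so a repeated
    run, or a ruleset partially tagged by hand, is left unchanged. Trailing comma preserved.
    """
    tags = [t.strip() for t in group_text.split(",") if t.strip()]
    present = set(tags)
    added: List[str] = []
    for tag in tags:
        for mapped in schema.get(tag, []):
            if mapped not in present:
                present.add(mapped)
                added.append(mapped)
    if not added:
        return group_text
    trailing = "," if group_text.rstrip().endswith(",") else ""
    return ",".join(tags + added) + trailing


def map_rules_file(text: str, schema: Dict[str, List[str]]) -> Tuple[str, int]:
    """Rewrite every rule-level <group> in a rule file; return (new_text, rules_changed).

    Edits the raw text instead of re-serialising XML so comments, indentation and the
    multiple top-level <group> elements found in Wazuh rule files are left untouched.
    """
    changed = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal changed
        new = map_group(m.group(1), schema)
        if new != m.group(1):
            changed += 1
        return f"<group>{new}</group>"

    return RULE_GROUP_RE.sub(repl, text), changed


def run_sample() -> Tuple[str, int]:
    """Apply the constructed schema to the constructed rule file."""
    return map_rules_file(SAMPLE_RULES, load_schema(SCHEMA_JSON))


if __name__ == "__main__":
    out, n = run_sample()
    print(f"[INFO] {n} rule(s) updated")
    print(out)
```

Running the module prints the rewritten sample with two rules updated: rule 100001 gains `hipaa_164.312.b` once (three PCI tags map to the same HIPAA item), rule 100002 gains the four tags for `pci_dss_8.7` while `pci_dss_11.4` contributes nothing because it is `#N/A`, and rule 100003 is untouched. Feeding the output back through `map_rules_file` changes nothing, which is the re-runnability property AdriiiPRodri's update asks for.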