This repository has been archived by the owner on Sep 25, 2023. It is now read-only.
CMS ARS Overlay Development
Shivani Karikar edited this page Sep 11, 2023
```
overlay
├── controls
│   └── overlay.rb
├── README.md
└── inspec.yml
```
inspec.yml

```yaml
name: overlay-profile-name
title: overlay-profile-name
maintainer: CMS SAF Team
copyright:
copyright_email: [email protected]
license: Apache-2.0
summary: CMS ARS 5.0 Overlay InSpec Validation Profile for <Component name> <STIG/CIS>
version: <STIG/ CIS version x.x.0>
inspec_version: ">= 4.0"
depends:
  - name: baseline-profile-name
    url: https://github.com/mitre/<baseline-profile-name>/archive/<branch-name>.tar.gz
inputs:
  - name: system_categorization
    desc: "Selected system baseline based on the environment variable"
    type: String
    value: <%= ENV['BASELINE'].nil? ? 'Moderate (Default)' : ENV['BASELINE'] %>
  - name: org_name
    desc: "Name of the organization running this profile"
    type: String
    value: "CMS"
    profile: baseline-profile-name
  # Example input override
  - name: min_password_length # must match the input name declared in the baseline's inspec.yml
    desc: "Minimum password length"
    type: Numeric
    <% if ['High-HVA', 'Moderate-HVA', 'Low-HVA'].include? ENV['BASELINE'] %>
    value: 20
    <%# The parentheses matter: without them Ruby parses this as include?(ENV['BASELINE'] || ENV['BASELINE'].nil?), which is never true when BASELINE is unset %>
    <% elsif ['High', 'Moderate', 'Low'].include?(ENV['BASELINE']) || ENV['BASELINE'].nil? %>
    value: 15 # same as the baseline parameter (Feb 2023)
    <% end %>
    profile: baseline-profile-name
  - name: overlay_controls
    desc: 'List of inapplicable controls/requirements in ARS 5.0 based on the system categorization'
    type: Array
    <% if ENV['BASELINE'] == 'High-HVA' %>
    value:
      - "Control ID" # NIST ID
    <% elsif ENV['BASELINE'] == 'High' %>
    value:
      - "Control ID" # NIST ID
    <% elsif ENV['BASELINE'] == 'Moderate-HVA' %>
    value:
      - "Control ID" # NIST ID
    <% elsif ENV['BASELINE'] == 'Moderate' || ENV['BASELINE'].nil? %> # Default
    value:
      - "Control ID" # NIST ID
    <% elsif ENV['BASELINE'] == 'Low-HVA' %>
    value:
      - "Control ID" # NIST ID
    <% elsif ENV['BASELINE'] == 'Low' %>
    value:
      - "Control ID" # NIST ID
    <% end %>
```
overlay.rb

```ruby
overlay_controls = input('overlay_controls')
system_categorization = input('system_categorization')

include_controls '<baseline-profile-name>' do
  ## NIST tags updated due to changes between NIST SP 800-53 rev 4 and rev 5
  ## (https://csrc.nist.gov/csrc/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r4-to-r5-comparison-workbook.xlsx)
  ## PL-9 incorporates withdrawn control AU-3 (2)
  control '<id>' do
    tag nist: ["PL-9"]
  end

  ## Example semantic change
  control '<id>' do
    title "The MySQL Database Server 8.0 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services."
  end

  ## NA because the requirement is not included in CMS ARS 5.0 for the selected system categorization
  unless overlay_controls.empty?
    overlay_controls.each do |overlay_control|
      control overlay_control do
        impact 0.0
        desc "caveat", "Not applicable for this CMS ARS 5.0 overlay, since the requirement is not included in CMS ARS 5.0"
      end
    end
  end
end
```
- Complete filling out the tracker using the other wikis
- Ensure that a repo is created under github.com/CMS-Enterprise and you have access to it
- Create a branch named `ars-5`
- On that branch:
  - Create the overlay structure (if it doesn't exist already)
  - Populate data from the templates
  - Push to that branch
- Create a draft PR to the `main` branch
- Navigate to the 'NA Caveats' sheet in the tracker
- Looking at one system categorization at a time, find the highlighted NIST controls
  - Note: a highlighted NIST control is one that is present in the profile and not applicable to that system categorization
- Find the STIG IDs in the first column that map to those NIST controls
- Note down the STIG IDs whose NIST controls are all highlighted for that system categorization
  - Note: if a STIG ID has one NIST control that is highlighted but another that isn't, it is still applicable and must not be set as NA
- Populate the `overlay_controls` input in inspec.yml with the STIG IDs you noted down as NA for that system categorization
Example

I see AC-02(01) highlighted in Moderate. That NIST control is mapped to the following STIG IDs:

| STIG ID | NIST controls |
|---|---|
| V-111 | AC-02(01) |
| V-222 | AC-02, AC-02(01) |
| V-333 | AC-02(01), CM-06 |

In a scenario where AC-02 is also highlighted for Moderate but CM-06 is not highlighted/present for Moderate, the inspec.yml will look like this:

```yaml
  - name: overlay_controls
    desc: 'List of inapplicable controls/requirements in ARS 5.0 based on the system categorization'
    type: Array
    ...
    <% elsif ENV['BASELINE'] == 'Moderate' || ENV['BASELINE'].nil? %> # Default
    value:
      - "V-111" # AC-02(01) Requirement NA
      - "V-222" # AC-02, AC-02(01) Requirement NA
    ...
```

Note that if even one of a STIG ID's NIST controls is applicable (here CM-06 for V-333), that STIG ID is not listed for that system categorization.
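The selection rule above, worked through as an added Ruby example (this is not code from the wiki or from the CMS SAF profiles). The STIG-to-NIST rows are the wiki's V-111/V-222/V-333 illustration; the per-categorization highlight lists are constructed for the example, and the output format mirrors the `overlay_controls` entries shown above.

```ruby
# Added example (not the wiki's or the CMS SAF team's code): compute the
# overlay_controls list for one system categorization from a STIG-ID -> NIST
# mapping. Rule: a STIG ID is NA only when EVERY NIST control it maps to is
# highlighted (NA) for that categorization.

# Constructed sample mapping in the shape of the tracker's first two columns
# (the rows are the wiki's illustrative V-111/V-222/V-333 example).
STIG_TO_NIST = {
  'V-111' => ['AC-02(01)'],
  'V-222' => ['AC-02', 'AC-02(01)'],
  'V-333' => ['AC-02(01)', 'CM-06'],
}.freeze

# Constructed sample of the highlighted (NA) NIST controls per categorization,
# as they would be read off the 'NA Caveats' sheet. Hypothetical values.
HIGHLIGHTED = {
  'Moderate' => ['AC-02', 'AC-02(01)'],
  'Low'      => ['AC-02', 'AC-02(01)', 'CM-06'],
  'High'     => [],
}.freeze

# STIG IDs whose NIST controls are ALL highlighted for +categorization+.
# A STIG ID with no NIST mapping is never auto-marked NA (nothing justifies it),
# and a STIG ID with even one un-highlighted control stays applicable.
def na_stig_ids(stig_to_nist, highlighted, categorization)
  na = highlighted.fetch(categorization, [])
  stig_to_nist.select { |_stig, nist| !nist.empty? && (nist - na).empty? }.keys
end

# STIG IDs that must stay applicable, each paired with the NIST control(s)
# that were not highlighted, so the decision is auditable in review.
def still_applicable(stig_to_nist, highlighted, categorization)
  na = highlighted.fetch(categorization, [])
  stig_to_nist.each_with_object({}) do |(stig, nist), out|
    remaining = nist - na
    out[stig] = remaining unless remaining.empty?
  end
end

# Renders the YAML list items for the overlay_controls input, keeping the NIST
# controls as a trailing comment in the wiki's "# AC-02(01) Requirement NA" style.
def overlay_controls_yaml(stig_to_nist, highlighted, categorization)
  na_stig_ids(stig_to_nist, highlighted, categorization).map do |stig|
    %(- "#{stig}" # #{stig_to_nist[stig].join(', ')} Requirement NA)
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  %w[High Moderate Low].each do |cat|
    puts "#{cat}:"
    puts overlay_controls_yaml(STIG_TO_NIST, HIGHLIGHTED, cat)
    puts "  still applicable: #{still_applicable(STIG_TO_NIST, HIGHLIGHTED, cat)}"
  end
end
```

For Moderate this yields V-111 and V-222 as NA and reports V-333 as still applicable because of CM-06, which is exactly the judgement the tracker walkthrough asks you to make by hand; running it per categorization before editing inspec.yml avoids marking a partially covered STIG ID NA by mistake.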
- Create a branch named `parameterize` on the baseline profile repo and switch to it
- Navigate to controls in your tracker that have ARS values for any inputs that differ from the baseline
- Review the control file from your profile to find where the baseline value is used (title, description, check text, fix text, code logic, etc.)
- Replace all occurrences of that baseline value with a new or existing input (if new, declare that input in the baseline's inspec.yml)
- In the overlay's inspec.yml, declare the same input again but with an additional `profile` key that points to the name of your baseline profile (listed under depends > name in the overlay's inspec.yml)
- Update input values using ERB conditions for system categorizations that have ARS values differing from the baseline
Example

V-444: Temporary account expiration time

- Baseline: 30 days
- ARS overlay:
  - All HVAs: 12 hours
  - High: 30 days
  - Moderate: 60 days
  - Low: NA

Overlay's inspec.yml (the value is in days, so 12 hours is 0.5):

```yaml
  - name: temp_account_expiration # V-444
    desc: "Temporary account expiration period, in days"
    type: Numeric
    <% if ['High-HVA', 'Moderate-HVA', 'Low-HVA'].include? ENV['BASELINE'] %>
    value: 0.5 # 12 hours, for all HVAs
    <% elsif ENV['BASELINE'] == 'High' %>
    value: 30 # same as the baseline parameter (Feb 2023)
    <% elsif ENV['BASELINE'] == 'Moderate' || ENV['BASELINE'].nil? %>
    value: 60
    <% end %>
    profile: baseline-profile-name
```

No value is set for Low, which ARS marks NA for this requirement.
- Files and directories must be named exactly as noted in the structure section above
- Ensure that the data types for inputs in the overlay's inspec.yml match those in the baseline's inspec.yml
- Don't forget to account for `ENV['BASELINE'].nil?` in the input override conditions if Moderate values are updated: an unset BASELINE means Moderate (the default), and a Moderate branch without the nil? check silently leaves the baseline value in place
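To check what each system categorization actually receives from an override like the V-444 example above, and to see what the missing `ENV['BASELINE'].nil?` check does, here is an added Ruby example (not code from the wiki or the CMS SAF profiles) that renders a constructed overlay inspec.yml fragment the way InSpec does, ERB first and then YAML, for every BASELINE value including unset. The input name `temp_account_expiration`, the numbers and the `profile` name are the wiki's illustration and are assumed, not taken from a real profile.

```ruby
require 'erb'
require 'yaml'

# Added example (not the wiki's or the CMS SAF team's code): render an overlay
# inspec.yml input for each BASELINE value and report the value it ends up with.
# The input name, numbers and profile name are the wiki's V-444 illustration
# (assumed, not from a real profile).

# Builds a constructed fragment of an overlay inspec.yml. With
# default_on_unset: false the Moderate branch omits the ENV['BASELINE'].nil?
# check, which is the mistake the note above warns about.
def overlay_template(default_on_unset: true)
  moderate = "ENV['BASELINE'] == 'Moderate'"
  moderate += " || ENV['BASELINE'].nil?" if default_on_unset
  <<~YAML
    inputs:
      - name: temp_account_expiration # V-444 (assumed input name)
        desc: "Temporary account expiration period, in days"
        type: Numeric
        <% if ['High-HVA', 'Moderate-HVA', 'Low-HVA'].include? ENV['BASELINE'] %>
        value: 0.5
        <% elsif ENV['BASELINE'] == 'High' %>
        value: 30
        <% elsif #{moderate} %>
        value: 60
        <% end %>
        profile: baseline-profile-name
  YAML
end

# Renders +template+ with BASELINE set to +baseline+ (nil = unset, as when the
# operator forgets to export it) and returns the value the named input ends up
# with, or nil when the overlay sets none (InSpec then keeps the baseline's own value).
def render_input_value(template, baseline, input_name)
  saved = ENV['BASELINE']
  if baseline.nil?
    ENV.delete('BASELINE')
  else
    ENV['BASELINE'] = baseline
  end
  yaml = ERB.new(template).result(binding)
  doc = YAML.safe_load(yaml)
  input = doc.fetch('inputs').find { |i| i['name'] == input_name }
  input && input['value']
ensure
  if saved.nil?
    ENV.delete('BASELINE')
  else
    ENV['BASELINE'] = saved
  end
end

BASELINES = ['High-HVA', 'Moderate-HVA', 'Low-HVA', 'High', 'Moderate', 'Low', nil].freeze

# One row per categorization (nil shown as 'unset'). Review this before pushing:
# every categorization that has an ARS value in the tracker must be non-nil.
def value_matrix(template, input_name)
  BASELINES.to_h { |b| [b || 'unset', render_input_value(template, b, input_name)] }
end

if __FILE__ == $PROGRAM_NAME
  p value_matrix(overlay_template, 'temp_account_expiration')
  p value_matrix(overlay_template(default_on_unset: false), 'temp_account_expiration')
end
```

With the nil? check in place the 'unset' row shows 60, the Moderate value; without it the row is nil, meaning an operator who runs the overlay without exporting BASELINE gets the baseline's 30 days instead of the ARS Moderate value, and nothing in the run output says so. The Low row is nil in both cases, which is intended here because ARS marks V-444 NA for Low.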