From 11c48fd0b2c7140714c02e642efb97dc6496be6d Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 3 Jun 2025 10:36:56 -0500 Subject: [PATCH 1/3] Add basic JSON schema for compliance engine data --- sce-schema.json | 488 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 488 insertions(+) create mode 100644 sce-schema.json diff --git a/sce-schema.json b/sce-schema.json new file mode 100644 index 0000000..6489bf2 --- /dev/null +++ b/sce-schema.json 
@@ -0,0 +1,488 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://simp-project.com/docs/sce/schema.json", + "type": "object", + "default": {}, + "title": "Compliance Engine data", + "description": "Data for the Sicura Compliance Engine", + "required": [ + "version" + ], + "properties": { + "version": { + "type": "string", + "const": "2.0.0", + "title": "The SCE data version" + }, + "profiles": { + "type": "object", + "default": {}, + "title": "A checklist of the Checks, CEs, and Controls to add (or remove) from the profile.", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { + "type": "object", + "default": {}, + "title": "An SCE profile", + "properties": { + "title": { + "type": "string", + "default": "", + "title": "Optional. Short description of the profile.", + "examples": [ + "Level 1 - Server" + ] + }, + "description": { + "type": "string", + "default": "", + "title": "Optional. Longer description of the profile.", + "examples": [ + "Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. This profile is intended for servers." + ] + }, + "ces": { + "type": "object", + "default": {}, + "title": "Key is a reference to an entry in the top-level ce hash. Enforced if value is true.", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { + "type": "boolean", + "default": false, + "title": "Entry in the top-level ce hash" + } + }, + "examples": [ + { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": true + } + ] + } + }, + "controls": {}, + "checks": {}, + "confine": {}, + "examples": [ + { + "title": "Level 1 - Server", + "description": "Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. 
This profile is intended for servers.", + "ces": { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": true + } + } + ] + } + }, + "examples": [ + { + "cis:level:1:server": { + "title": "Level 1 - Server", + "description": "Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. This profile is intended for servers.", + "ces": { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": true + } + } + } + ] + }, + "ce": { + "type": "object", + "default": {}, + "title": "The ce Schema", + "required": [ + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ], + "properties": { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": { + "type": "object", + "default": {}, + "title": "The oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1 Schema", + "required": [ + "controls", + "identifiers", + "oval-ids", + "title", + "description", + "imported_data", + "confine" + ], + "properties": { + "controls": { + "type": "object", + "default": {}, + "title": "The controls Schema", + "required": [ + "cis:el8:v1.0.0.1" + ], + "properties": { + "cis:el8:v1.0.0.1": { + "type": "boolean", + "default": false, + "title": "The cis:el8:v1.0.0.1 Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "cis:el8:v1.0.0.1": true + } + ] + }, + "identifiers": { + "type": "object", + "default": {}, + "title": "The identifiers Schema", + "required": [ + "cis" + ], + "properties": { + "cis": { + "type": "array", + "default": [], + "title": "The cis Schema", + "items": {}, + "examples": [ + [] + ] + } + }, + "examples": [ + { + "cis": [] + } + ] + }, + "oval-ids": { + "type": "array", + "default": [], + "title": "The oval-ids Schema", + "items": { + "type": "string", + "default": "", + "title": 
"A Schema", + "examples": [ + "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" + ] + }, + "examples": [ + [ + "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" + ] + ] + }, + "title": { + "type": "string", + "default": "", + "title": "The title Schema", + "examples": [ + "Ensure address space layout randomization (ASLR) is enabled" + ] + }, + "description": { + "type": "string", + "default": "", + "title": "The description Schema", + "examples": [ + "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." + ] + }, + "imported_data": { + "type": "object", + "default": {}, + "title": "The imported_data Schema", + "required": [ + "fixtext" + ], + "properties": { + "fixtext": { + "type": "string", + "default": "", + "title": "The fixtext Schema", + "examples": [ + "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + ] + } + }, + "examples": [ + { + "fixtext": "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + } + ] + }, + "confine": { + "type": "object", + "default": {}, + "title": "The confine Schema", + "required": [ + "os.release.major", + "os.name" + ], + "properties": { + "os.release.major": { + "type": "array", + "default": [], + "title": "The os.release.major Schema", + "items": { + "type": "string", + "default": "", + "title": "A Schema", + "examples": [ + "8" + ] + }, + "examples": [ + [ + "8" + ] + ] + }, + "os.name": { + "type": "array", + "default": [], + "title": "The os.name Schema", + "items": { + "type": "string", + "default": "", + "title": 
"A Schema", + "examples": [ + "RedHat" + ] + }, + "examples": [ + [ + "RedHat" + ] + ] + } + }, + "examples": [ + { + "os.release.major": [ + "8" + ], + "os.name": [ + "RedHat" + ] + } + ] + } + }, + "examples": [ + { + "controls": { + "cis:el8:v1.0.0.1": true + }, + "identifiers": { + "cis": [] + }, + "oval-ids": [ + "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" + ], + "title": "Ensure address space layout randomization (ASLR) is enabled", + "description": "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.", + "imported_data": { + "fixtext": "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + }, + "confine": { + "os.release.major": [ + "8" + ], + "os.name": [ + "RedHat" + ] + } + } + ] + } + }, + "examples": [ + { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": { + "controls": { + "cis:el8:v1.0.0.1": true + }, + "identifiers": { + "cis": [] + }, + "oval-ids": [ + "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" + ], + "title": "Ensure address space layout randomization (ASLR) is enabled", + "description": "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.", + "imported_data": { + "fixtext": "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + }, + "confine": { + "os.release.major": [ + "8" + ], + "os.name": [ + "RedHat" + ] + } + } + } + ] + }, + "checks": { + "type": "object", + "default": {}, + 
"title": "The checks Schema", + "required": [ + "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space" + ], + "properties": { + "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space": { + "type": "object", + "default": {}, + "title": "The oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space Schema", + "required": [ + "settings", + "type", + "ces" + ], + "properties": { + "settings": { + "type": "object", + "default": {}, + "title": "The settings Schema", + "required": [ + "parameter", + "value" + ], + "properties": { + "parameter": { + "type": "string", + "default": "", + "title": "The parameter Schema", + "examples": [ + "simp::sysctl::kernel__randomize_va_space" + ] + }, + "value": { + "type": "integer", + "default": 0, + "title": "The value Schema", + "examples": [ + 2 + ] + } + }, + "examples": [ + { + "parameter": "simp::sysctl::kernel__randomize_va_space", + "value": 2 + } + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type Schema", + "examples": [ + "puppet-class-parameter" + ] + }, + "ces": { + "type": "array", + "default": [], + "title": "The ces Schema", + "items": { + "type": "string", + "default": "", + "title": "A Schema", + "examples": [ + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ] + }, + "examples": [ + [ + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ] + ] + } + }, + "examples": [ + { + "settings": { + "parameter": "simp::sysctl::kernel__randomize_va_space", + "value": 2 + }, + "type": "puppet-class-parameter", + "ces": [ + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ] + } + ] + } + }, + "examples": [ + { + "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space": { + "settings": { + "parameter": "simp::sysctl::kernel__randomize_va_space", + "value": 2 + }, + "type": "puppet-class-parameter", + "ces": [ + 
"oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ] + } + } + ] + } + }, + "examples": [ + { + "version": "2.0.0", + "profiles": { + "cis:level:1:server": { + "title": "Level 1 - Server", + "description": "Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. This profile is intended for servers.", + "ces": { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": true + } + } + }, + "ce": { + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": { + "controls": { + "cis:el8:v1.0.0.1": true + }, + "identifiers": { + "cis": [] + }, + "oval-ids": [ + "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" + ], + "title": "Ensure address space layout randomization (ASLR) is enabled", + "description": "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.", + "imported_data": { + "fixtext": "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + }, + "confine": { + "os.release.major": [ + "8" + ], + "os.name": [ + "RedHat" + ] + } + } + }, + "checks": { + "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space": { + "settings": { + "parameter": "simp::sysctl::kernel__randomize_va_space", + "value": 2 + }, + "type": "puppet-class-parameter", + "ces": [ + "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" + ] + } + } + } + ] +} From c729cae067df5bc45d1ce3a7cd24bc609a56575c Mon Sep 17 00:00:00 2001 
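Review bot: The key regex on `profiles.*.ces` (`^\w(?:[-\w]*\w)?(?::\w(?:[-\w]*\w)?)*$`) allows only word characters and `-` inside each colon-separated segment, so the example key `oval:simp.cis.el8.1.6.2_…:def:1` does not match it because of the dots, and since the object sets no `additionalProperties`, a non-matching key is accepted with no constraint at all — the `"type": "boolean"` check never fires for exactly the keys this file documents. The `examples` keyword is not validated by any validator, which is why the mismatch stays invisible. Widen the segment class to admit dots, `"^\\w(?:[-.\\w]*\\w)?(?::\\w(?:[-.\\w]*\\w)?)*$"`, and put `"additionalProperties": false` beside every `patternProperties` so an unmatched key becomes a validation error instead of a silently unenforced entry. The same regex and the same omission recur in PATCH 2/3 (the `ce` collection and its `controls`, whose example `cis:el8:v1.0.0.1` also contains dots) and PATCH 3/3 (the `checks` collection and its `controls`).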
From: Steven Pritchard Date: Tue, 3 Jun 2025 10:47:01 -0500 Subject: [PATCH 2/3] Round 1 of cleanup --- sce-schema.json | 110 +++++++++++++++++++++++++++++++----------------- 1 file changed, 72 insertions(+), 38 deletions(-) diff --git a/sce-schema.json b/sce-schema.json index 6489bf2..ab7bc3a 100644 --- a/sce-schema.json +++ b/sce-schema.json @@ -56,11 +56,64 @@ "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": true } ] + }, + "controls": { + "type": "object", + "default": {}, + "title": "Key is a reference to an entry in the top-level control hash. Enforced if value is true.", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { + "type": "boolean", + "default": false, + "title": "Entry in the top-level control hash" + } + }, + "examples": [ + { + "nist_800_53:rev4:AU-2": true + } + ] + }, + "checks": { + "type": "object", + "default": {}, + "title": "Key is a reference to an entry in the top-level checks hash. Enforced if value is true.", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { + "type": "boolean", + "default": false, + "title": "Entry in the top-level checks hash" + } + }, + "examples": [ + { + "widget_spinner_audit_logging": true + } + ] + }, + "confine": { + "type": "object", + "default": {}, + "title": "Conditions that confine this profile to specific environments", + "patternProperties": { + "^\\w(?:[\\.-]\\w+)*$": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "examples": [ + { + "os.release.major": [ + "8" + ], + "os.name": [ + "RedHat" + ] + } + ] } - }, - "controls": {}, - "checks": {}, - "confine": {}, "examples": [ { "title": "Level 1 - Server", 
@@ -87,40 +140,27 @@ "ce": { "type": "object", "default": {}, - "title": "The ce Schema", - "required": [ - "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" - ], - "properties": { - "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1": { + "title": "Collection of compliance engine entries", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { "type": "object", "default": {}, - "title": "The oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1 Schema", + "title": "A compliance engine entry", "required": [ "controls", - "identifiers", - "oval-ids", "title", - "description", - "imported_data", - "confine" + "description" ], "properties": { "controls": { "type": "object", "default": {}, - "title": "The controls Schema", - "required": [ - "cis:el8:v1.0.0.1" - ], - "properties": { - "cis:el8:v1.0.0.1": { + "title": "References to controls related to this CE", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { "type": "boolean", "default": false, - "title": "The cis:el8:v1.0.0.1 Schema", - "examples": [ - true - ] + "title": "Control reference" } }, "examples": [ @@ -132,19 +172,13 @@ "identifiers": { "type": "object", "default": {}, - "title": "The identifiers Schema", - "required": [ - "cis" - ], - "properties": { - "cis": { + "title": "External identifiers for this compliance control", + "patternProperties": { + "^\\w+$": { "type": "array", - "default": [], - "title": "The cis Schema", - "items": {}, - "examples": [ - [] - ] + "items": { + "type": ["string", "number"] + } } }, "examples": [ From 635f40e0a5dee8a23d0b60ec83b08f501eb8c818 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 3 Jun 2025 11:04:44 -0500 Subject: [PATCH 3/3] Round 2 of cleanup --- sce-schema.json | 119 +++++++++++++++++------------------------------- 1 file changed, 42 insertions(+), 77 deletions(-) 
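Review bot: The hunk deletes the `},` that closed the profile's `properties` object (the first removed line) but nothing replaces it, so after this commit the file reads `} "examples": [` with `properties` never closed — invalid JSON that no validator will load. PATCH 3/3 restores it with the `+ },` at @@ -114; squash that one-line fix into this commit so the series stays bisectable, and a `jq . sce-schema.json` pre-commit step would catch this class of error. The three new maps also copy the pattern-only shape of `ces`, so they inherit its gap that keys failing the regex are accepted unchecked unless `"additionalProperties": false` is added alongside each `patternProperties`.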
diff --git a/sce-schema.json b/sce-schema.json index ab7bc3a..7e58c30 100644 --- a/sce-schema.json +++ b/sce-schema.json @@ -114,6 +114,7 @@ } ] } + }, "examples": [ { "title": "Level 1 - Server", @@ -190,14 +191,11 @@ "oval-ids": { "type": "array", "default": [], - "title": "The oval-ids Schema", + "title": "OVAL identifiers for this compliance control", "items": { "type": "string", "default": "", - "title": "A Schema", - "examples": [ - "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" - ] + "title": "OVAL identifier" }, "examples": [ [ @@ -208,7 +206,7 @@ "title": { "type": "string", "default": "", - "title": "The title Schema", + "title": "Title of the compliance control", "examples": [ "Ensure address space layout randomization (ASLR) is enabled" ] @@ -216,7 +214,7 @@ "description": { "type": "string", "default": "", - "title": "The description Schema", + "title": "Description of the compliance control", "examples": [ "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." ] @@ -224,20 +222,18 @@ "imported_data": { "type": "object", "default": {}, - "title": "The imported_data Schema", - "required": [ - "fixtext" - ], + "title": "Data imported from external sources", "properties": { "fixtext": { "type": "string", "default": "", - "title": "The fixtext Schema", + "title": "Text describing how to fix compliance issues", "examples": [ "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" ] } }, + "additionalProperties": true, "examples": [ { "fixtext": "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" 
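Review bot: The `"additionalProperties": true` added to `imported_data` is the keyword's default, so it changes nothing, and every other object in this schema is equally open, so it does not mark a contrast either. If the intent is to record that `imported_data` is deliberately free-form, a `"description": "Open-ended; keys depend on the import source"` says that; if the intent is that the other objects should be closed, the explicit `true` only earns its place once `"additionalProperties": false` is set on them. The hunks at @@ -190, @@ -208 and @@ -216 are title-only and fine as they are.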
@@ -247,47 +243,13 @@ "confine": { "type": "object", "default": {}, - "title": "The confine Schema", - "required": [ - "os.release.major", - "os.name" - ], - "properties": { - "os.release.major": { - "type": "array", - "default": [], - "title": "The os.release.major Schema", - "items": { - "type": "string", - "default": "", - "title": "A Schema", - "examples": [ - "8" - ] - }, - "examples": [ - [ - "8" - ] - ] - }, - "os.name": { + "title": "Conditions that confine this control to specific environments", + "patternProperties": { + "^\\w(?:[\\.-]\\w+)*$": { "type": "array", - "default": [], - "title": "The os.name Schema", "items": { - "type": "string", - "default": "", - "title": "A Schema", - "examples": [ - "RedHat" - ] - }, - "examples": [ - [ - "RedHat" - ] - ] + "type": "string" + } } }, "examples": [ 
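Review bot: This `confine` subschema is a copy of the profile-level `confine` introduced in PATCH 2/3 (hunk @@ -56), and the boolean reference maps (`ces`, `controls`, `checks` → `"type": "boolean"` under the same key regex) are now repeated in five places including the `controls` added at @@ -421 below. Factor the two shapes into top-level `$defs` (outside this hunk) and `$ref` them, so a future change to a key pattern or to `additionalProperties` lands everywhere at once; with draft 2020-12 declared, `$ref` may sit beside `title` and `default` without an `allOf` wrapper. Each use site then shrinks to a `$ref` plus its own `title`.
```json
"$defs": {
  "referenceMap": {
    "type": "object",
    "default": {},
    "patternProperties": {
      "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": {
        "type": "boolean",
        "default": false
      }
    }
  },
  "confine": {
    "type": "object",
    "default": {},
    "patternProperties": {
      "^\\w(?:[\\.-]\\w+)*$": {
        "type": "array",
        "items": { "type": "string" }
      }
    }
  }
},
"confine": {
  "$ref": "#/$defs/confine",
  "title": "Conditions that confine this control to specific environments"
}
```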
@@ -362,42 +324,32 @@ "checks": { "type": "object", "default": {}, - "title": "The checks Schema", - "required": [ - "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space" - ], - "properties": { - "oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space": { + "title": "Collection of compliance checks", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { "type": "object", "default": {}, - "title": "The oval:com.puppet.forge.simp.cis.simp.sysctl.kernel__randomize_va_space Schema", + "title": "A compliance check", "required": [ - "settings", - "type", - "ces" + "type" ], "properties": { "settings": { "type": "object", "default": {}, - "title": "The settings Schema", - "required": [ - "parameter", - "value" - ], + "title": "Settings for the compliance check", "properties": { "parameter": { "type": "string", "default": "", - "title": "The parameter Schema", + "title": "The parameter to check", "examples": [ "simp::sysctl::kernel__randomize_va_space" ] }, "value": { - "type": "integer", - "default": 0, - "title": "The value Schema", + "type": ["integer", "string", "boolean", "array"], + "title": "The expected value of the parameter", "examples": [ 2 ] @@ -413,7 +365,7 @@ "type": { "type": "string", "default": "", - "title": "The type Schema", + "title": "The type of check", "examples": [ "puppet-class-parameter" ] 
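Review bot: Dropping `parameter` and `value` from `settings.required` means a check whose `type` is `puppet-class-parameter` now validates with an empty or absent `settings`, and `type` itself has no `enum`, so a misspelled type string also passes; presumably both would only surface when the engine tries to apply the check, since the consumer is not on this page. Make the relaxation conditional with `if`/`then` keyed on `type`, and list the known check types in an `"enum": ["puppet-class-parameter"]` on the `type` property (hunk @@ -413), extending it as other types are added. The `"array"` member of the `value` union also has no `items`, so any nested content passes; constrain it or say in the title why it is open.
```json
"required": [
  "type"
],
"if": {
  "properties": { "type": { "const": "puppet-class-parameter" } },
  "required": ["type"]
},
"then": {
  "required": ["settings"],
  "properties": {
    "settings": { "required": ["parameter", "value"] }
  }
},
```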
@@ -421,20 +373,33 @@ "ces": { "type": "array", "default": [], - "title": "The ces Schema", + "title": "References to compliance engine entries", "items": { "type": "string", - "default": "", - "title": "A Schema", - "examples": [ - "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" - ] + "title": "Reference to a CE entry" }, "examples": [ [ "oval:simp.cis.el8.1.6.2_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1" ] ] + }, + "controls": { + "type": "object", + "default": {}, + "title": "References to controls related to this check", + "patternProperties": { + "^\\w(?:[-\\w]*\\w)?(?::\\w(?:[-\\w]*\\w)?)*$": { + "type": "boolean", + "default": false, + "title": "Control reference" + } + }, + "examples": [ + { + "nist_800_53:rev4:AU-2": true + } + ] } }, "examples": [