From 6f8ce3c6617ee15f53e7358fffcf72e51bc11f91 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 3 Mar 2025 15:46:40 -0600
Subject: [PATCH 1/2] Updated to use SDKv1.0.0
Signed-off-by: Eddie Knight
---
 armory/armory.go | 58 --
 armory/examples.go | 107 ----
 armory/testSets.go | 309 -----------
 evaluations/control-evaluations.go | 213 ++++++++
 evaluations/data-collection.go | 11 +
 evaluations/evaluation-suites.go | 14 +
 example-config.yml | 12 -
 go.mod | 13 +-
 go.sum | 4 +-
 main.go | 35 +-
 .../my-cloud-service1/my-cloud-service1.log | 34 --
 test_output/my-cloud-service1/tlp_red.yml | 501 ------
 test_output/your-service/your-service.log | 11 +
 test_output/your-service/your-service.yaml | 194 +++++++
 14 files changed, 471 insertions(+), 1045 deletions(-)
 delete mode 100644 armory/armory.go
 delete mode 100644 armory/examples.go
 delete mode 100644 armory/testSets.go
 create mode 100644 evaluations/control-evaluations.go
 create mode 100644 evaluations/data-collection.go
 create mode 100644 evaluations/evaluation-suites.go
 delete mode 100644 example-config.yml
 delete mode 100644 test_output/my-cloud-service1/my-cloud-service1.log
 delete mode 100644 test_output/my-cloud-service1/tlp_red.yml
 create mode 100644 test_output/your-service/your-service.log
 create mode 100644 test_output/your-service/your-service.yaml
diff --git a/armory/armory.go b/armory/armory.go
deleted file mode 100644
index fbbb7d8..0000000
--- a/armory/armory.go
+++ /dev/null
@@ -1,58 +0,0 @@ -package armory - -import ( - "github.com/privateerproj/privateer-sdk/pluginkit" -) - -var ( - Armory = pluginkit.Armory{ - TestSuites: map[string][]pluginkit.TestSet{ - - "tlp_amber": { - CCC_C01_TR01, - CCC_C01_TR02, - CCC_C06_TR01, - CCC_C06_TR02, - CCC_C08_TR01, - CCC_C08_TR02, - CCC_C09_TR01, - CCC_C09_TR02, - CCC_C09_TR03, - CCC_C10_TR01, - }, - "tlp_clear": { - CCC_C01_TR01, - CCC_C01_TR02, - CCC_C06_TR01, - CCC_C06_TR02, - CCC_C09_TR01, - CCC_C09_TR02, - CCC_C09_TR03, - }, - "tlp_green": { - CCC_C01_TR01, - CCC_C01_TR02, - CCC_C06_TR01, - CCC_C06_TR02, - CCC_C08_TR01, - CCC_C08_TR02, - CCC_C09_TR01, - CCC_C09_TR02, - CCC_C09_TR03, - CCC_C10_TR01, - }, - "tlp_red": { - CCC_C01_TR01, - CCC_C01_TR02, - CCC_C06_TR01, - CCC_C06_TR02, - CCC_C08_TR01, - CCC_C08_TR02, - CCC_C09_TR01, - CCC_C09_TR02, - CCC_C09_TR03, - CCC_C10_TR01, - }, - }, - } -) diff --git a/armory/examples.go b/armory/examples.go deleted file mode 100644 index cb2065f..0000000 --- a/armory/examples.go +++ /dev/null 
@@ -1,107 +0,0 @@ -package armory - -import ( - "github.com/privateerproj/privateer-sdk/pluginkit" - "github.com/privateerproj/privateer-sdk/utils" -) - -// -// ! -// !! -// !!! -// -// This file is for reference purposes only -// These are not customized or generated for your use case -// Delete this as soon as you start adding your own changes -// -// !!! -// !! -// ! -// - -var globalObject interface{} - -// Example of a testSet that calls an invasive and non-invasive test. -// Any number or combination of tests can be called -func ExampleTestSet01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "Example_TestSet_01" - result = pluginkit.TestSetResult{ - Description: "The service enforces the use of secure transport protocols for all network communications (e.g., TLS 1.2 or higher).", - Message: "TestSet has not yet started.", // This message will be overwritten by subsequent tests - DocsURL: "https://maintainer.com/docs/plugins/DEV", // This is an optional link to documentation that will help users better understand the testSet - ControlID: "CCC.C01", // This is the control ID that the testSet is testing against - Tests: make(map[string]pluginkit.TestResult), // This map will be populated with the results of each test - Passed: false, // This will be updated to true if a test passes, and back to false if a test fails - } - - result.ExecuteTest(ExampleTest0101) - - // if a test relies on another test to pass, add this type of condition - if result.Tests["ExampleTest0101"].Passed { - // if a test could potentially cause harm to the target env, flag it as invasive like this - result.ExecuteInvasiveTest(ExampleTest0102) - } - - return -} - -// ExampleTest0101 does not apply a change to the system -func ExampleTest0101() (testResult pluginkit.TestResult) { - // Pretend we're making some API call or other logic to determine if the test is applicable - customLogicResults := true - - testResult = 
pluginkit.TestResult{ - Description: "Making an API call to see if HTTPS is enforced.", - Function: utils.CallerPath(0), // This allows interested users to jump directly to the code that is executing this test - Passed: customLogicResults, - } - return -} - -// ExampleTest0102 applies an invasive change to the system. Not all changes are invasive, but this one is. -// Use ExecuteInvasiveTest() to ensure it is run only when the user has opted in to potentially destructive changes. -func ExampleTest0102() (testResult pluginkit.TestResult) { - // The functions here can be defined whereever you like - // If you have a lot of changes or plan to reuse them, you may want to put them in a separate file - change1 := pluginkit.NewChange( - "targetName", - "This change should create a new storage object", // For logging purposes. This will be overwritten by the result of a successful apply function. - applyChange, - revertChange, - ) - - // Any intended changes should be applied before returning the test result - change1.Apply() - - // A future release may have better object handling for objects returned by the change - // For now, toss it onto a global variable if you need to access it later - globalObject = change1.TargetObject - - // If the change is not needed for subsequent tests, revert it now - // A future release will use this logic to multi-thread the revert process - // Any changes that are not reverted within the test will be reverted together at the end of the testSet - change1.Revert() - - // Note that we are not setting Passed to true or false. 
That will be determined by ExecuteTest() or ExecuteInvasiveTest() - testResult = pluginkit.TestResult{ - Description: "Making an API call to see if HTTPS is enforced.", - Function: utils.CallerPath(0), // This allows interested users to jump directly to the code that is executing this test - Changes: map[string]*pluginkit.Change{ - "TestChange1": change1, - }, - } - return -} - -// Mock function to simulate applying a change -func applyChange() (modifiedObject interface{}, err error) { - // Replace with actual logic - return nil, nil -} - -// Mock function to simulate undoing a change -func revertChange() error { - // Replace with actual logic - return nil // Return an error here to simulate failure -} diff --git a/armory/testSets.go b/armory/testSets.go deleted file mode 100644 index d2c40d0..0000000 --- a/armory/testSets.go +++ /dev/null 
@@ -1,309 +0,0 @@ -package armory - -import ( - "github.com/privateerproj/privateer-sdk/pluginkit" - "github.com/privateerproj/privateer-sdk/utils" -) -// ---------- -// TestSets for Data Protection Control Family -// ---------- -// ----- -// TestSet and Tests for Requirement CCC_C01_TR01 -// ----- - -// CCC_C01_TR01 conforms to the TestSet function type -func CCC_C01_TR01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C01.TR01" - result = pluginkit.TestSetResult{ - Description: "When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1_2 or higher_", - ControlID: "CCC.C01", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C01_TR01_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C01_TR01_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C01_TR01 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C01_TR02 -// ----- - -// CCC_C01_TR02 conforms to the TestSet function type -func CCC_C01_TR02() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C01.TR02" - result = pluginkit.TestSetResult{ - Description: "When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher_", - ControlID: "CCC.C01", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C01_TR02_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C01_TR02_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this 
section to write a single step or test that contributes to CCC_C01_TR02 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C06_TR01 -// ----- - -// CCC_C06_TR01 conforms to the TestSet function type -func CCC_C06_TR01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C06.TR01" - result = pluginkit.TestSetResult{ - Description: "When a deployment request is made, the service MUST validate that the deployment region is not to a restricted or regions or availability zones_", - ControlID: "CCC.C06", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C06_TR01_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C06_TR01_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C06_TR01 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C06_TR02 -// ----- - -// CCC_C06_TR02 conforms to the TestSet function type -func CCC_C06_TR02() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C06.TR02" - result = pluginkit.TestSetResult{ - Description: "When a deployment request is made, the service MUST validate that replication of data, backups, and disaster recovery operations will not occur in restricted regions or availability zones_", - ControlID: "CCC.C06", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C06_TR02_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C06_TR02_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C06_TR02 - 
return -} - -// ----- -// TestSet and Tests for Requirement CCC_C08_TR01 -// ----- - -// CCC_C08_TR01 conforms to the TestSet function type -func CCC_C08_TR01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C08.TR01" - result = pluginkit.TestSetResult{ - Description: "When data is stored, the service MUST ensure that data is replicated across multiple availability zones or regions_", - ControlID: "CCC.C08", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C08_TR01_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C08_TR01_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C08_TR01 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C08_TR02 -// ----- - -// CCC_C08_TR02 conforms to the TestSet function type -func CCC_C08_TR02() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C08.TR02" - result = pluginkit.TestSetResult{ - Description: "When data is replicated across multiple zones or regions, the service MUST be able to verify the replication state, including the replication locations and data synchronization status_", - ControlID: "CCC.C08", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C08_TR02_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C08_TR02_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C08_TR02 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C09_TR01 -// ----- - -// CCC_C09_TR01 conforms 
to the TestSet function type -func CCC_C09_TR01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C09.TR01" - result = pluginkit.TestSetResult{ - Description: "When access logs are stored, the service MUST ensure that access logs cannot be accessed without proper authorization_", - ControlID: "CCC.C09", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C09_TR01_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C09_TR01_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C09_TR01 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C09_TR02 -// ----- - -// CCC_C09_TR02 conforms to the TestSet function type -func CCC_C09_TR02() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C09.TR02" - result = pluginkit.TestSetResult{ - Description: "When access logs are stored, the service MUST ensure that access logs cannot be modified without proper authorization_", - ControlID: "CCC.C09", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C09_TR02_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C09_TR02_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C09_TR02 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C09_TR03 -// ----- - -// CCC_C09_TR03 conforms to the TestSet function type -func CCC_C09_TR03() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C09.TR03" - result 
= pluginkit.TestSetResult{ - Description: "When access logs are stored, the service MUST ensure that access logs cannot be deleted without proper authorization_", - ControlID: "CCC.C09", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C09_TR03_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C09_TR03_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C09_TR03 - return -} - -// ----- -// TestSet and Tests for Requirement CCC_C10_TR01 -// ----- - -// CCC_C10_TR01 conforms to the TestSet function type -func CCC_C10_TR01() (testSetName string, result pluginkit.TestSetResult) { - // set default return values - testSetName = "CCC.C10.TR01" - result = pluginkit.TestSetResult{ - Description: "When data is replicated, the service MUST ensure that replication is restricted to explicitly trusted destinations_", - ControlID: "CCC.C10", - Tests: make(map[string]pluginkit.TestResult), - } - - result.ExecuteTest(CCC_C10_TR01_T01) - // TODO: Additional test calls go here - - return -} - -func CCC_C10_TR01_T01() (testResult pluginkit.TestResult) { - testResult = pluginkit.TestResult{ - Description: "This test is still under construction", - Function: utils.CallerPath(0), - } - - // TODO: Use this section to write a single step or test that contributes to CCC_C10_TR01 - return -} - diff --git a/evaluations/control-evaluations.go b/evaluations/control-evaluations.go new file mode 100644 index 0000000..527b452 --- /dev/null +++ b/evaluations/control-evaluations.go 
@@ -0,0 +1,213 @@
+package evaluations
+
+import (
+ "fmt"
+
+ "github.com/revanite-io/sci/pkg/layer4"
+)
+
+
+//
+// Data Protection Control Family
+
+func CCC_C01() (evaluation *layer4.ControlEvaluation) {
+ evaluation = &layer4.ControlEvaluation{
+ Control_Id: "CCC.C01",
+ Remediation_Guide: "",
+ }
+
+ evaluation.AddAssessment(
+ "CCC.C01.TR01",
+ "When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.2 or higher.",
+ []string{
+ "tlp_clear",
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ evaluation.AddAssessment(
+ "CCC.C01.TR02",
+ "When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher.",
+ []string{
+ "tlp_clear",
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ return
+}
+
+func CCC_C06() (evaluation *layer4.ControlEvaluation) {
+ evaluation = &layer4.ControlEvaluation{
+ Control_Id: "CCC.C06",
+ Remediation_Guide: "",
+ }
+
+ evaluation.AddAssessment(
+ "CCC.C06.TR01",
+ "When a deployment request is made, the service MUST validate that the deployment region is not to a restricted or regions or availability zones.",
+ []string{
+ "tlp_clear",
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ evaluation.AddAssessment(
+ "CCC.C06.TR02",
+ "When a deployment request is made, the service MUST validate that replication of data, backups, and disaster recovery operations will not occur in restricted regions or availability zones.",
+ []string{
+ "tlp_clear",
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ return
+}
+
+func CCC_C08() (evaluation *layer4.ControlEvaluation) {
+ evaluation = &layer4.ControlEvaluation{
+ Control_Id: "CCC.C08",
+ Remediation_Guide: "",
+ }
+
+ evaluation.AddAssessment(
+ "CCC.C08.TR01",
+ "When data is stored, the service MUST ensure that data is replicated across multiple availability zones or regions.",
+ []string{
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ evaluation.AddAssessment(
+ "CCC.C08.TR02",
+ "When data is replicated across multiple zones or regions, the service MUST be able to verify the replication state, including the replication locations and data synchronization status.",
+ []string{
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ return
+}
+
+func CCC_C09() (evaluation *layer4.ControlEvaluation) {
+ evaluation = &layer4.ControlEvaluation{
+ Control_Id: "CCC.C09",
+ Remediation_Guide: "",
+ }
+
+ evaluation.AddAssessment(
+ "CCC.C09.TR01",
+ "When access logs are stored, the service MUST ensure that access logs cannot be accessed without proper authorization.",
+ []string{
+ "tlp_amber",
+ "tlp_red",
+ "tlp_green",
+ "tlp_clear",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ evaluation.AddAssessment(
+ "CCC.C09.TR02",
+ "When access logs are stored, the service MUST ensure that access logs cannot be modified without proper authorization.",
+ []string{
+ "tlp_amber",
+ "tlp_red",
+ "tlp_green",
+ "tlp_clear",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ evaluation.AddAssessment(
+ "CCC.C09.TR03",
+ "When access logs are stored, the service MUST ensure that access logs cannot be deleted without proper authorization.",
+ []string{
+ "tlp_amber",
+ "tlp_red",
+ "tlp_green",
+ "tlp_clear",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ return
+}
+
+func CCC_C10() (evaluation *layer4.ControlEvaluation) {
+ evaluation = &layer4.ControlEvaluation{
+ Control_Id: "CCC.C10",
+ Remediation_Guide: "",
+ }
+
+ evaluation.AddAssessment(
+ "CCC.C10.TR01",
+ "When data is replicated, the service MUST ensure that replication is restricted to explicitly trusted destinations.",
+ []string{
+ "tlp_green",
+ "tlp_amber",
+ "tlp_red",
+ },
+ []layer4.AssessmentStep{
+ reusable_step_example,
+ },
+ )
+
+ return
+}
+
+
+// TODO: This is only for reference, and should be deleted
+type PayloadTypeExample struct {
+ Organization struct {
+ RequiresTwoFactorAuthentication bool `json:"requiresTwoFactorAuthentication"`
+ } `json:"organization"`
+}
+
+// TODO: This is only for reference, and should be deleted
+func reusable_step_example(payloadData interface{}, changes map[string]*layer4.Change) (result layer4.Result, message string) {
+ payload, ok := payloadData.(*CustomDataObject)
+ if !ok {
+ return layer4.Unknown, fmt.Sprintf("Malformed assessment: expected payload type %T, got %T (%v)", &CustomDataObject{}, payloadData, payloadData)
+ }
+ if payload.yourData != "" {
+ return layer4.Passed, fmt.Sprint("Your data ", payload.yourData)
+ }
+ return layer4.Unknown, "Not implemented"
+}
diff --git a/evaluations/data-collection.go b/evaluations/data-collection.go
new file mode 100644
index 0000000..470ae03
--- /dev/null
+++ b/evaluations/data-collection.go
@@ -0,0 +1,11 @@
+package evaluations
+
+type CustomDataObject struct {
+ yourData string
+}
+
+func LoadData() *CustomDataObject {
+ return &CustomDataObject{
+ yourData: "is here",
+ }
+}
\ No newline at end of file
diff --git a/evaluations/evaluation-suites.go b/evaluations/evaluation-suites.go
new file mode 100644
index 0000000..62187a8
--- /dev/null
+++ b/evaluations/evaluation-suites.go
@@ -0,0 +1,14 @@
+package evaluations
+
+import "github.com/revanite-io/sci/pkg/layer4"
+
+var (
+ FINOS_CCC = []*layer4.ControlEvaluation{
+ CCC_C01(),
+ CCC_C06(),
+ CCC_C08(),
+ CCC_C09(),
+ CCC_C10(),
+
+ }
+)
diff --git a/example-config.yml b/example-config.yml
deleted file mode 100644
index 05b211c..0000000
--- a/example-config.yml
+++ /dev/null
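Review bot: The type-mismatch branch in `reusable_step_example` formats the whole payload with `%v`, so whatever the data object carries is copied verbatim into the assessment message and, presumably, into the results file the SDK writes under the output directory (this commit adds `test_output/your-service/your-service.yaml` as a sample of that output); once `CustomDataObject` holds anything sensitive that becomes an unintended disclosure. Reporting the types is enough to diagnose the mismatch: `return layer4.Unknown, fmt.Sprintf("Malformed assessment: expected payload type %T, got %T", &CustomDataObject{}, payloadData)`. The same function is marked `TODO: This is only for reference, and should be deleted`, yet it is the only step wired into every `AddAssessment` call from `CCC_C01` through `CCC_C10`, so following the TODO literally leaves the suite with no steps; the comment should say a real step must replace it first. `PayloadTypeExample` is unused, and underscore names such as `reusable_step_example` are not idiomatic Go (`reusableStepExample`).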
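Review bot: `FINOS_CCC` is a package-level slice populated at init, so the five `*layer4.ControlEvaluation` values it holds are created once and shared for the life of the process; if the SDK records results into those structs (not visible here), a second run or a second suite registration in the same process would reuse evaluations that already carry state. A constructor avoids that: `func FINOSCCC() []*layer4.ControlEvaluation {` / `return []*layer4.ControlEvaluation{CCC_C01(), CCC_C06(), CCC_C08(), CCC_C09(), CCC_C10()}` / `}`, with `main.go` passing `evaluations.FINOSCCC()`. The stray blank line before the closing brace of the literal should also go.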
@@ -1,12 +0,0 @@
-loglevel: Debug
-write-directory: test_output
-write: true
-output: yaml
-services:
- my-cloud-service1:
- plugin: example-plugin
- test-suites:
- - tlp_red
- # - tlp_amber
- # - tlp_green
- # - tlp_clear
diff --git a/go.mod b/go.mod
index 6b10653..e62b3c7 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,11 @@
-module github.com/privateerproj/privateer-plugin-example-plugin // Replace this globally with your module name
+module plugin-example-plugin // Replace this globally with your module name
-go 1.23
+go 1.23.4
-require github.com/privateerproj/privateer-sdk v0.7.0
+require (
+ github.com/privateerproj/privateer-sdk v1.0.0
+ github.com/revanite-io/sci v0.1.7
+)
 require (
 github.com/fatih/color v1.14.1 // indirect
@@ -41,5 +44,7 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-// Uncomment if you're working locally on a privateer SDK improvement
+// Uncomment if you're working on a dependency locally
 // replace github.com/privateerproj/privateer-sdk => ../../privateer-sdk
+
+// replace github.com/revanite-io/sci => ../sci
diff --git a/go.sum b/go.sum
index 8b1ca74..44b7e32 100644
--- a/go.sum
+++ b/go.sum
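Review bot: The new `require` block pins `github.com/privateerproj/privateer-sdk v1.0.0`, but the go.sum hunk in this same patch only removes the `v0.7.0` checksum lines and adds the `revanite-io/sci v0.1.7` pair; no `privateer-sdk v1.0.0` entry appears, and because go.sum is sorted such an entry would sit in the visible context between the `pmezard` and `revanite-io` lines. Unless it exists outside that hunk, `go build` will stop with a missing go.sum entry for the new SDK, and the dependency's checksum is not recorded for verification. Running `go mod tidy` and committing the resulting go.sum lines fixes both. Keep the `replace` directives commented out as they are here; an active local replace bypasses go.sum for that module.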
@@ -54,8 +54,8 @@ github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/privateerproj/privateer-sdk v0.7.0 h1:8Kdf8i+4TplU4jN2jIy7Y+SigAKMqvU6oahcy56S5o4=
-github.com/privateerproj/privateer-sdk v0.7.0/go.mod h1:SqFAkYGvTIf9ZNJpWw/PSbC5fvTZoEWGeO6jPUdx3Oo=
+github.com/revanite-io/sci v0.1.7 h1:sCBtzcLzPoNtQge3VZNH8N2yZU/+tqZ5qc+OgAihonw=
+github.com/revanite-io/sci v0.1.7/go.mod h1:KNBMtb28TKYJ0aq6P0jX1XaIBYQdAziTvnI7uU2H+5Q=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
diff --git a/main.go b/main.go
index eb59847..4400b39 100644
--- a/main.go
+++ b/main.go
@@ -5,10 +5,10 @@ import (
 "os"
- "github.com/privateerproj/privateer-plugin-example-plugin/armory"
+ "plugin-example-plugin/evaluations"
 "github.com/privateerproj/privateer-sdk/command"
- "github.com/privateerproj/privateer-sdk/config"
+ "github.com/privateerproj/privateer-sdk/pluginkit"
 )
 var (
@@ -28,30 +28,29 @@ var (
 "variables",
 }
- runCmd = command.NewPluginCommands(
- PluginName,
- Version,
- VersionPostfix,
- GitCommitHash,
- &armory.Armory,
- initializer,
- RequiredVars,
- )
 )
-// initializer is a custom function to run after the config has been read
-// this could be omitted or replaced by something like armory.SetupArmory(c)
-func initializer(c *config.Config) (err error) {
- return
-}
-
 func main() {
 if VersionPostfix != "" {
 Version = fmt.Sprintf("%s-%s", Version, VersionPostfix)
 }
+ // NewVessel may take a payload for all suites to reference
+ pvtrVessel := pluginkit.NewVessel(PluginName, evaluations.LoadData(), RequiredVars)
+
+ // Evaluation Suite may optionally take a payload to selectively override the data specified in NewVessel
+ pvtrVessel.AddEvaluationSuite("FINOS_CCC", nil, evaluations.FINOS_CCC)
+
+ runCmd := command.NewPluginCommands(
+ PluginName,
+ Version,
+ VersionPostfix,
+ GitCommitHash,
+ pvtrVessel,
+ )
+
 err := runCmd.Execute()
 if err != nil {
 os.Exit(1)
 }
-}
+}
\ No newline at end of file
diff --git a/test_output/my-cloud-service1/my-cloud-service1.log b/test_output/my-cloud-service1/my-cloud-service1.log
deleted file mode 100644
index cf97f6c..0000000
--- a/test_output/my-cloud-service1/my-cloud-service1.log
+++ /dev/null
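Review bot: `evaluations.LoadData()` is evaluated as an argument to `pluginkit.NewVessel` before `runCmd.Execute()` has parsed any subcommand, so once `LoadData` performs real collection (API calls, credential use) it will run even for `--help` or a version query; if the SDK offers a lazy payload hook prefer it, otherwise extend the `// NewVessel may take a payload` comment to state that the load is eager. The added `runCmd := command.NewPluginCommands(...)` passes both the already-suffixed `Version` and `VersionPostfix`; whether the SDK appends the postfix a second time is not visible here and is worth confirming. The file also loses its trailing newline (`\ No newline at end of file`), which `gofmt` will restore.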
@@ -1,34 +0,0 @@ -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and 
may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.369-0600 [ERROR] testSet did not return a result, and may still be under development -2024-12-28T12:46:17.371-0600 [INFO] 2024/12/28 12:46:17 tlp_red: 0/33 test sets succeeded diff --git a/test_output/my-cloud-service1/tlp_red.yml b/test_output/my-cloud-service1/tlp_red.yml deleted file mode 100644 index ad0bfc1..0000000 --- a/test_output/my-cloud-service1/tlp_red.yml +++ /dev/null 
@@ -1,501 +0,0 @@ -testsuitename: tlp_red -starttime: 2024-12-28 12:46:17.369081 -0600 CST m=+0.003992876 -endtime: 2024-12-28 12:46:17.369867 -0600 CST m=+0.004778668 -testsetresults: - CCC_C01_TR01: - passed: false - description: When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.2 or higher. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C01 - tests: - CCC_C01_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C01_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C01_TR02: - passed: false - description: When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C01 - tests: - CCC_C01_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C01_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C02_TR01: - passed: false - description: When data is stored at rest, the service MUST be configured to encrypt data at rest using the latest industry-standard encryption methods. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C02 - tests: - CCC_C02_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C02_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR01: - passed: false - description: When an entity attempts to modify the service, the service MUST attempt to verify the client's identity through an authentication process. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR02: - passed: false - description: When an entity attempts to view information presented by the service, service, the service MUST attempt to verify the client's identity through an authentication process. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR03: - passed: false - description: When an entity attempts to view information on the service through a user interface, the authentication process MUST require multiple identifying factors from the user. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR03_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR03_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR04: - passed: false - description: When an entity attempts to modify the service through an API endpoint, the authentication process MUST be limited to a specific allowed network. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR04_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR04_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR05: - passed: false - description: When an entity attempts to view information on the service through an API endpoint, the authentication process MUST be limited to a specific allowed network. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR05_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR05_T01 - value: null - changes: {} - badstatealert: false - CCC_C03_TR06: - passed: false - description: When an entity attempts to modify the service through a user interface, the authentication process MUST require multiple identifying factors from the user. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C03 - tests: - CCC_C03_TR06_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C03_TR06_T01 - value: null - changes: {} - badstatealert: false - CCC_C04_TR01: - passed: false - description: When any access attempt is made to the service, the service MUST log the client identity, time, and result of the attempt. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C04 - tests: - CCC_C04_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C04_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C04_TR02: - passed: false - description: When any change is made to the service configuration, the service MUST log the change, including the client, time, previous state, and the new state following the change. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C04 - tests: - CCC_C04_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C04_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C05_TR01: - passed: false - description: When access to sensitive resources is attempted, the service MUST block requests from untrusted sources, including IP addresses, domains, or networks that are not explicitly included in a pre-approved allowlist. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C05 - tests: - CCC_C05_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C05_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C05_TR02: - passed: false - description: When administrative access is attempted, the service MUST validate that the request originates from an explicitly allowed source as defined in the allowlist. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C05 - tests: - CCC_C05_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C05_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C05_TR03: - passed: false - description: When resources are accessed in a multi-tenant environment, the service MUST enforce isolation by allowing access only to explicitly allowlisted tenants. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C05 - tests: - CCC_C05_TR03_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C05_TR03_T01 - value: null - changes: {} - badstatealert: false - CCC_C05_TR04: - passed: false - description: When an access attempt from an untrusted source is blocked, the service MUST log the event, including the source details, time, and reason for denial. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C05 - tests: - CCC_C05_TR04_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C05_TR04_T01 - value: null - changes: {} - badstatealert: false - CCC_C06_TR01: - passed: false - description: When a deployment request is made, the service MUST validate that the deployment region is not to a restricted or regions or availability zones. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C06 - tests: - CCC_C06_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C06_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C06_TR02: - passed: false - description: When a deployment request is made, the service MUST validate that replication of data, backups, and disaster recovery operations will not occur in restricted regions or availability zones. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C06 - tests: - CCC_C06_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C06_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C07_TR01: - passed: false - description: When suspicious enumeration activities are detected, the service MUST generate real-time alerts to notify security personnel. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C07 - tests: - CCC_C07_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C07_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C07_TR02: - passed: false - description: When suspicious enumeration activities are detected, the service MUST log the event, including the source details, time, and nature of the activity. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C07 - tests: - CCC_C07_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C07_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C08_TR01: - passed: false - description: When data is stored, the service MUST ensure that data is replicated across multiple availability zones or regions. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C08 - tests: - CCC_C08_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C08_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C08_TR02: - passed: false - description: When data is replicated across multiple zones or regions, the service MUST be able to verify the replication state, including the replication locations and data synchronization status. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C08 - tests: - CCC_C08_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C08_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C09_TR01: - passed: false - description: When access logs are stored, the service MUST ensure that access logs cannot be accessed without proper authorization. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C09 - tests: - CCC_C09_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C09_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C09_TR02: - passed: false - description: When access logs are stored, the service MUST ensure that access logs cannot be modified without proper authorization. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C09 - tests: - CCC_C09_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C09_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C09_TR03: - passed: false - description: When access logs are stored, the service MUST ensure that access logs cannot be deleted without proper authorization. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C09 - tests: - CCC_C09_TR03_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C09_TR03_T01 - value: null - changes: {} - badstatealert: false - CCC_C10_TR01: - passed: false - description: When data is replicated, the service MUST ensure that replication is restricted to explicitly trusted destinations. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C10 - tests: - CCC_C10_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C10_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C11_TR01: - passed: false - description: When encryption keys are used, the service MUST verify that all encryption keys use approved cryptographic algorithms as per organizational standards. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C11 - tests: - CCC_C11_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C11_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_C11_TR02: - passed: false - description: When encryption keys are used, the service MUST verify that encryption keys are rotated at a frequency compliant with organizational policies. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C11 - tests: - CCC_C11_TR02_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C11_TR02_T01 - value: null - changes: {} - badstatealert: false - CCC_C11_TR03: - passed: false - description: When encrypting data, the service MUST verify that customer-managed encryption keys (CMEKs) are used. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C11 - tests: - CCC_C11_TR03_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C11_TR03_T01 - value: null - changes: {} - badstatealert: false - CCC_C11_TR04: - passed: false - description: When encryption keys are accessed, the service MUST verify that access to encryption keys is restricted to authorized personnel and services, following the principle of least privilege. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.C11 - tests: - CCC_C11_TR04_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_C11_TR04_T01 - value: null - changes: {} - badstatealert: false - CCC_VPC_C01_TR01: - passed: false - description: When a subscription is created, the subscription MUST NOT contain default network resources. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.VPC.C01 - tests: - CCC_VPC_C01_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_VPC_C01_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_VPC_C02_TR01: - passed: false - description: When a resource is created in a public subnet, that resource MUST NOT be assigned an external IP address by default. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.VPC.C02 - tests: - CCC_VPC_C02_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_VPC_C02_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_VPC_C03_TR01: - passed: false - description: When a VPC peering connection is requested, the service MUST prevent connections from VPCs that are not explicitly allowed. - message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.VPC.C03 - tests: - CCC_VPC_C03_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_VPC_C03_TR01_T01 - value: null - changes: {} - badstatealert: false - CCC_VPC_C04_TR01: - passed: false - description: When any network traffic goes to or from an interface in the VPC, the service MUST capture and log all relevant information. 
- message: testSet did not return a result, and may still be under development - docsurl: "" - controlid: CCC.VPC.C04 - tests: - CCC_VPC_C04_TR01_T01: - passed: false - description: This test is still under construction - message: "" - function: github.com/privateerproj/privateer-plugin-example/armory.CCC_VPC_C04_TR01_T01 - value: null - changes: {} - badstatealert: false -passed: false -badstatealert: false diff --git a/test_output/your-service/your-service.log b/test_output/your-service/your-service.log new file mode 100644 index 0000000..2388289 --- /dev/null +++ b/test_output/your-service/your-service.log @@ -0,0 +1,11 @@ +2025-03-03T15:20:08.589-0600 [INFO] CCC.C01.TR01: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C01.TR02: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C06.TR01: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C06.TR02: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C08.TR01: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C08.TR02: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C09.TR01: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C09.TR02: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C09.TR03: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] CCC.C10.TR01: Your data is here +2025-03-03T15:20:08.589-0600 [INFO] > your-service_FINOS_CCC: 5/5 control evaluations passed diff --git a/test_output/your-service/your-service.yaml b/test_output/your-service/your-service.yaml new file mode 100644 index 0000000..8a2a11b --- /dev/null +++ b/test_output/your-service/your-service.yaml 
@@ -0,0 +1,194 @@ +service_name: your-service +plugin_name: example-plugin +payload: + data: {} +evaluation_suites: + - name: your-service_FINOS_CCC + catalog_id: FINOS_CCC + start_time: 2025-03-03 15:20:08.589133 -0600 CST m=+0.004983793 + end_time: 2025-03-03 15:20:08.589679 -0600 CST m=+0.005529793 + result: Passed + corrupted_state: false + control_evaluations: + - name: "" + control_id: CCC.C01 + result: Passed + message: Your data is here + corrupted_state: false + remediation_guide: "" + assessments: + - requirement_id: CCC.C01.TR01 + applicability: + - tlp_clear + - tlp_green + - tlp_amber + - tlp_red + description: When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.2 or higher. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 12.125µs + value: null + changes: {} + - requirement_id: CCC.C01.TR02 + applicability: + - tlp_clear + - tlp_green + - tlp_amber + - tlp_red + description: When a port is exposed for SSH network traffic, all traffic MUST include a SSH handshake AND be encrypted using SSHv2 or higher. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 291ns + value: null + changes: {} + - name: "" + control_id: CCC.C06 + result: Passed + message: Your data is here + corrupted_state: false + remediation_guide: "" + assessments: + - requirement_id: CCC.C06.TR01 + applicability: + - tlp_clear + - tlp_green + - tlp_amber + - tlp_red + description: When a deployment request is made, the service MUST validate that the deployment region is not to a restricted or regions or availability zones. 
+ result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 417ns + value: null + changes: {} + - requirement_id: CCC.C06.TR02 + applicability: + - tlp_clear + - tlp_green + - tlp_amber + - tlp_red + description: When a deployment request is made, the service MUST validate that replication of data, backups, and disaster recovery operations will not occur in restricted regions or availability zones. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 167ns + value: null + changes: {} + - name: "" + control_id: CCC.C08 + result: Passed + message: Your data is here + corrupted_state: false + remediation_guide: "" + assessments: + - requirement_id: CCC.C08.TR01 + applicability: + - tlp_green + - tlp_amber + - tlp_red + description: When data is stored, the service MUST ensure that data is replicated across multiple availability zones or regions. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 375ns + value: null + changes: {} + - requirement_id: CCC.C08.TR02 + applicability: + - tlp_green + - tlp_amber + - tlp_red + description: When data is replicated across multiple zones or regions, the service MUST be able to verify the replication state, including the replication locations and data synchronization status. 
+ result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 125ns + value: null + changes: {} + - name: "" + control_id: CCC.C09 + result: Passed + message: Your data is here + corrupted_state: false + remediation_guide: "" + assessments: + - requirement_id: CCC.C09.TR01 + applicability: + - tlp_amber + - tlp_red + - tlp_green + - tlp_clear + description: When access logs are stored, the service MUST ensure that access logs cannot be accessed without proper authorization. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 292ns + value: null + changes: {} + - requirement_id: CCC.C09.TR02 + applicability: + - tlp_amber + - tlp_red + - tlp_green + - tlp_clear + description: When access logs are stored, the service MUST ensure that access logs cannot be modified without proper authorization. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 167ns + value: null + changes: {} + - requirement_id: CCC.C09.TR03 + applicability: + - tlp_amber + - tlp_red + - tlp_green + - tlp_clear + description: When access logs are stored, the service MUST ensure that access logs cannot be deleted without proper authorization. + result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 125ns + value: null + changes: {} + - name: "" + control_id: CCC.C10 + result: Passed + message: Your data is here + corrupted_state: false + remediation_guide: "" + assessments: + - requirement_id: CCC.C10.TR01 + applicability: + - tlp_green + - tlp_amber + - tlp_red + description: When data is replicated, the service MUST ensure that replication is restricted to explicitly trusted destinations. 
+ result: Passed + message: Your data is here + steps: + - plugin-example-plugin/evaluations.reusable_step_example + steps_executed: 1 + run_duration: 334ns + value: null + changes: {} From 0b1244a0de68a2e8bb9a912cb4fba0906c203e09 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 3 Mar 2025 16:49:44 -0600 Subject: [PATCH 2/2] updated go.mod Signed-off-by: Eddie Knight --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 44b7e32..e84fe8f 100644 --- a/go.sum +++ b/go.sum @@ -54,6 +54,8 @@ github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/privateerproj/privateer-sdk v1.0.0 h1:yOXxc9lLXCCnJ7m+8aN7Q5Gqk1sV/zGp0WPvlNiP7Vk= +github.com/privateerproj/privateer-sdk v1.0.0/go.mod h1:4y2jCmuKE1q4pHEaQCOgdc2RlxaA36ETcpKEtgCTLFo= github.com/revanite-io/sci v0.1.7 h1:sCBtzcLzPoNtQge3VZNH8N2yZU/+tqZ5qc+OgAihonw= github.com/revanite-io/sci v0.1.7/go.mod h1:KNBMtb28TKYJ0aq6P0jX1XaIBYQdAziTvnI7uU2H+5Q= github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=