Expected Input

Kyle edited this page Jul 29, 2020 · 4 revisions

Input

Severity

Severity must match the following criteria to be translated into an Impact:

  • Must be a Float or a String
  • Float must be between 0.0 and 1.0
  • String must pass this RegEx

Mapping File for CSV and XLSX

A generic mapping file (mapping.yml) is generated with the generate_map sub-command. This mapping will probably not work for any XLSX or CSV out of the box. The point of generate_map is to just get some boilerplate out of the way. Below is the output from generate_map with some comments explaining the fields:

# Skip the header of the file; typically the first row of the XLSX or CSV will have a header. Your CSV will not work if
# it has more than 1 row of header information.
skip_csv_header: true
width: 80

# The control identifier column. For example, a column containing STIG's V-#s would be the control.id
control.id: 1
control.title: 2
# The control description (desc).
control.desc: 5
# Contains a list of additional tags (i.e. metadata) that the control will be tagged with.
control.tags:
  # In each case, the format is tag_name: column_containing_value
  cis_controls: 11
  check: 8
  fix: 7
  ref: 13
  rationale: 6

The following is a list of top level keywords (i.e. control.<keyword>) that are parsed and included in the output:

  • control.id
  • control.title
  • control.desc
  • control.ref (XLSX only)

The following is a list of tag-level keywords (i.e. control.tags.<keyword>) that are parsed:

  • control.tags.rationale
  • control.tags.severity
  • control.tags.cis_controls (XLSX only)
  • control.tags.cci (CSV only)
  • control.tags.check
  • control.tags.fix

Besides the exceptions below, values within control.tags can be anything as long as data is present at that row and column within the XLSX or CSV.

Mapping file special keywords for XLSX (These will be generated automatically; do not include these in the mapping):

  • control.tags.cis_level: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format.
  • control.tags.severity: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format: If the control was found on sheet 1, it is a medium severity. If the control was found on sheet 2 it is a high severity.
  • control.impact: This number is based on the value of control.tags.severity.
  • control.tags.cis_rid: This is based on the data in the user provided control.id column.
  • control.tags.nist: This is based on the data extracted from the user provided control.tags.cis_controls column and is generated based on a mapping of CIS to NIST
  • control.tags.ref is based off user provided control.ref and will copy the information into a tag.

Mapping file special keywords for CSV (These will be generated automatically; do not include these in the mapping):

  • control.tags.nist: This is based off user provided control.tags.cci and generated using the CCI to NIST mapping.
  • control.impact: This is based off the value in the user provided control.tags.severity column.

Important notes about the mapping file:

  • Your XLSX or CSV file will not convert if there are multiple header rows
  • Your XLSX or CSV file will not convert if control information spans multiple rows within the file
  • NIST tags (i.e. control.tags.nist) are derived from Common Control Indicator (CCI) numbers (i.e. control.tags.cci) or CIS Control numbers (i.e. control.tags.cis_controls)
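
A pre-flight check for a CSV and its mapping.yml, as an added example (not part of the tool or this wiki): it flags generated keywords left in the mapping, mapped cells with no data (which also catches control information spilling onto extra rows), and numeric severities outside 0.0 to 1.0. The names preflight and mapped_columns, the sample data, and the zero-based column numbering are assumptions.

```ruby
require 'yaml'
require 'csv'

# Keywords the page lists as generated automatically for CSV input.
GENERATED_CSV_KEYS = %w[control.impact control.tags.nist].freeze

# Constructed sample mapping and CSV (not taken from a real benchmark).
SAMPLE_MAPPING = <<~YAML
  skip_csv_header: true
  control.id: 0
  control.title: 1
  control.desc: 2
  control.tags:
    severity: 3
    cci: 4
    nist: 5
YAML
SAMPLE_CSV = <<~CSV
  id,title,desc,severity,cci,nist
  V-0001,Title one,"Desc, with comma",medium,CCI-EXAMPLE-1,
  V-0002,Title two,Desc two,1.5,CCI-EXAMPLE-2,
  ,,description continued on a second row,,,
CSV

# Flatten the mapping into { "control.id" => 0, "control.tags.cci" => 4, ... }.
def mapped_columns(mapping)
  cols = mapping.select { |k, v| k.to_s.start_with?('control.') && v.is_a?(Integer) }
  (mapping['control.tags'] || {}).each { |tag, col| cols["control.tags.#{tag}"] = col }
  cols
end

# Returns a list of problems; an empty list means nothing was flagged.
# Assumption: column numbers are zero-based indexes into each parsed row.
def preflight(mapping_yaml, csv_text)
  mapping = YAML.safe_load(mapping_yaml)
  cols = mapped_columns(mapping)
  generated = cols.keys & GENERATED_CSV_KEYS
  problems = generated.map { |k| "#{k} is generated automatically; remove it from the mapping" }
  rows = CSV.parse(csv_text)
  rows.shift if mapping['skip_csv_header']
  rows.each_with_index do |row, i|
    cols.each do |key, col|
      next if generated.include?(key)
      cell = row[col].to_s.strip
      if cell.empty?
        problems << "data row #{i + 1}: no data in column #{col} (#{key})"
      elsif key == 'control.tags.severity' && (f = Float(cell, exception: false)) && !f.between?(0.0, 1.0)
        problems << "data row #{i + 1}: numeric severity #{cell} is outside 0.0..1.0"
      end
    end
  end
  problems
end
```

Non-numeric severity strings are passed through unchecked, since the RegEx they must match is not reproduced on this page.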