
Expected Input

Kyle edited this page Jul 29, 2020 · 4 revisions

Input

Severity

Severity must match the following criteria to be translated into an Impact:

  • Must be a Float or a String
  • Float must be between 0.0 and 1.0
  • String must pass this RegEx

Mapping File for CSV and XLSX

A generic mapping file (mapping.yml) is generated with the generate_map sub-command. This mapping will probably not work for any XLSX or CSV out of the box. The point of generate_map is to just get some boilerplate out of the way. Below is the output from generate_map with some comments explaining the fields:

# Skip the header of the file. Typically the first row of the XLSX or CSV is a header. Your CSV will not work if
# it has more than 1 row of header information.
skip_csv_header: true
width: 80

# The control identifier column. For example, a column containing STIG's V-#s would be the control.id
control.id: 1
control.title: 2
# The control description (desc).
control.desc: 5
# Contains a list of additional tags (i.e. metadata) that the control will be tagged with.
control.tags:
  # In each case, the format is tag_name: column_containing_value
  cis_controls: 11
  check: 8
  fix: 7
  ref: 13
  rationale: 6

Mapping file special keywords for XLSX (These will be generated automatically; do not include these in the mapping):

  • control.tags.cis_level: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format.
  • control.tags.severity: This is based on the sheet of the provided XLSX file and is based on a very specific CIS XLSX format: If the control was found on sheet 1, it is a medium severity. If the control was found on sheet 2 it is a high severity.
  • control.impact: This number is based on the value of control.tags.severity.
  • control.tags.cis_rid: This is based on the data in the user provided control.id column.
  • control.tags.nist: This is based on the data extracted from the user provided control.tags.cis_controls column and is generated based on a mapping of CIS to NIST

Mapping file special keywords for CSV (These will be generated automatically; do not include these in the mapping):

  • control.tags.nist: This is based off user provided control.tags.cci and generated using the CCI to NIST mapping.
  • control.impact: This is based off the value in the user provided control.tags.severity column.

Important notes about the mapping file:

  • Your XLSX or CSV file will not convert if there are multiple header rows
  • Your XLSX or CSV file will not convert if control information spans multiple rows within the file
  • NIST tags (i.e. control.tags.nist) are derived from Common Control Indicator (CCI) numbers (i.e. control.tags.cci) or CIS Control numbers (i.e. control.tags.cis_controls)
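The constraints above can be checked before a conversion is attempted. The following pre-flight check for a CSV and its mapping is an added example, not code from this project: `preflight`, the constants and the sample data are hypothetical names and constructed values, and it assumes that column numbers in the mapping are 0-based and that a numeric-looking severity cell is handled as a Float.

```ruby
require 'csv'
require 'yaml'

# Keys the page lists as generated automatically for CSV input.
GENERATED_TOP  = %w[control.impact].freeze
GENERATED_TAGS = %w[nist].freeze
NUMERIC        = /\A-?\d+(\.\d+)?\z/

# Returns a list of problems; an empty list means nothing was flagged.
# Assumption: column numbers in the mapping are 0-based indexes into a row.
def preflight(mapping_yaml, csv_text)
  map  = YAML.safe_load(mapping_yaml)
  tags = map['control.tags'] || {}
  problems = (GENERATED_TOP & map.keys).map { |k| "mapping sets generated key #{k}" }
  problems += (GENERATED_TAGS & tags.keys).map { |k| "mapping sets generated key control.tags.#{k}" }
  return problems << 'mapping has no integer control.id' unless map['control.id'].is_a?(Integer)

  columns = map.select { |k, v| k.start_with?('control.') && v.is_a?(Integer) }
  tags.each { |name, col| columns["control.tags.#{name}"] = col if col.is_a?(Integer) }
  offset = map['skip_csv_header'] ? 2 : 1
  CSV.parse(csv_text).drop(offset - 1).each_with_index do |row, i|
    n = i + offset # 1-based row number, counting the header row
    columns.each { |key, col| problems << "row #{n}: #{key} column #{col} is past the row end" if col >= row.length }
    # An empty id usually means an extra header row or a control split across rows.
    problems << "row #{n}: empty control.id" if row[map['control.id']].to_s.strip.empty?
    # Assumption: a numeric-looking severity cell is handled as a Float.
    sev = row[tags['severity']].to_s.strip if tags['severity'].is_a?(Integer)
    problems << "row #{n}: severity #{sev} outside 0.0..1.0" if sev =~ NUMERIC && !(0.0..1.0).cover?(sev.to_f)
  end
  problems
end

# Constructed sample inputs (not from the page).
SAMPLE_MAPPING = <<~MAP
  skip_csv_header: true
  control.id: 0
  control.impact: 3
  control.tags:
    severity: 3
    cci: 4
MAP
SAMPLE_CSV = <<~ROWS
  id,title,description,severity,cci
  V-0001,Example title,Example text,0.7,CCI-000000
  ,text continued from the row above,,,
  V-0002,Another title,Another text,1.5,CCI-000000
ROWS

puts preflight(SAMPLE_MAPPING, SAMPLE_CSV) if $PROGRAM_NAME == __FILE__
```

String severities are passed through unchecked here because the RegEx they must match is not reproduced on this page.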