📃 describe types of indicators for risk factors (#1257)

This is added to the proto as a reference for the currently supported risk factors. Every category of risk factory may have multiple specific implementations. Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
mondoohq · Apr 17, 2024 · 8327b62 · 8327b62
1 parent fe3964a
commit 8327b62
Showing 1 changed file with 59 additions and 0 deletions.
diff --git a/policy/cnspec_policy.proto b/policy/cnspec_policy.proto
@@ -194,6 +194,65 @@ message RiskFactor {
  bool is_absolute = 72;
  repeated SoftwareSelector software = 73;
  repeated ResourceSelector resources = 74;
+ // Risk Factor indicators are freely configurable. Currently we support:
+ //
+ // 1. Contextual risks
+ //
+ // - Internet-facing asset [internet-facing]
+ // Any assets that are facing the internet may be at risk of being breached
+ //
+ // - Asset or service in use [asset-in-use]
+ // Assets or services that are currently being used. If vulnerabilities
+ // are found on an asset in use, their priority is increased. However,
+ // vulnerabilities on an asset not in use may be reduced in priority.
+ //
+ // - Exploitable vulnerabilities [exploitable]
+ // Exploitable vulnerabilities are detected on the asset. These are more
+ // likely to lead to a breach.
+ //
+ // - Code Execution risks [code-execution]
+ // Vulnerabilities are detected which contain (remote) code executions.
+ // These can cause serious damage to other resources on the asset.
+ //
+ // - End of life [eol]
+ // The asset or some of its resources have reach their end of life and
+ // no longer receive security updates. Vulnerability analysis is
+ // unreliable and may not be actionable.
+ //
+ // - Defensive countermeasures [defensive]
+ // Defensive countermeasures have been detected on the asset. These may
+ // contain security modules, firewalls, or other mitigations.
+ //
+ // 2. Downstream exposure
+ //
+ // - DB access [db-access]
+ // Databases are downstream exposures that may hold valuable customer data
+ //
+ // - User risks [user-risk]
+ // Users, often with elevated privileges, that are at risk
+ //
+ // - Sensitive data [sensitive-data]
+ // The asset contains sensitivie data, which an attacker may access if
+ // they manage to breach it.
+ //
+ // - Credential risks [credentials]
+ // Credentials are found on the asset that attackers may use to elevate
+ // their privileges or breach other systems.
+ //
+ // - Containers or Kubernetes [containers]
+ // Containers or Kuberenetes environments are found ont he asset. Attackers
+ // may expand their attacks to these virtual systems.
+ //
+ // 3. Misc
+ //
+ // - Tagged assets [tagged]
+ // Tagged assets may be increased or decreased in priority, depending on
+ // a users' needs. For example: Critical production infrastructure may
+ // increase the risk of findings.
+ //
+ // - Other risks [uncategorized]
+ // This captures any other type of risk factor, that doesn't fit the above
+ // risk categories.
  string indicator = 75;
 }