📃 describe types of indicators for risk factors #1257

Merged 1 commit, Apr 17, 2024
59 changes: 59 additions & 0 deletions policy/cnspec_policy.proto
Expand Up @@ -194,6 +194,65 @@ message RiskFactor {
bool is_absolute = 72;
repeated SoftwareSelector software = 73;
repeated ResourceSelector resources = 74;
// Risk Factor indicators are freely configurable. Currently we support:
//
// 1. Contextual risks
//
// - Internet-facing asset [internet-facing]
// Any assets that are facing the internet may be at risk of being breached
//
// - Asset or service in use [asset-in-use]
// Assets or services that are currently being used. If vulnerabilities
// are found on an asset in use, their priority is increased. However,
// vulnerabilities on an asset not in use may be reduced in priority.
//
// - Exploitable vulnerabilities [exploitable]
// Exploitable vulnerabilities are detected on the asset. These are more
// likely to lead to a breach.
//
// - Code Execution risks [code-execution]
// Vulnerabilities are detected which contain (remote) code executions.
// These can cause serious damage to other resources on the asset.
//
// - End of life [eol]
// The asset or some of its resources have reach their end of life and
// no longer receive security updates. Vulnerability analysis is
// unreliable and may not be actionable.
//
// - Defensive countermeasures [defensive]
// Defensive countermeasures have been detected on the asset. These may
// contain security modules, firewalls, or other mitigations.
//
// 2. Downstream exposure
//
// - DB access [db-access]
// Databases are downstream exposures that may hold valuable customer data
//
// - User risks [user-risk]
// Users, often with elevated privileges, that are at risk
//
// - Sensitive data [sensitive-data]
// The asset contains sensitivie data, which an attacker may access if
// they manage to breach it.
//
// - Credential risks [credentials]
// Credentials are found on the asset that attackers may use to elevate
// their privileges or breach other systems.
//
// - Containers or Kubernetes [containers]
// Containers or Kuberenetes environments are found ont he asset. Attackers
// may expand their attacks to these virtual systems.
//
// 3. Misc
//
// - Tagged assets [tagged]
// Tagged assets may be increased or decreased in priority, depending on
// a users' needs. For example: Critical production infrastructure may
// increase the risk of findings.
//
// - Other risks [uncategorized]
// This captures any other type of risk factor, that doesn't fit the above
// risk categories.
string indicator = 75;
}
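Review bot: the comment block above `string indicator = 75;` has several typos that will ship as the field's documentation and should be fixed before merge: `sensitivie data` (sensitive), `Kuberenetes` (Kubernetes), `ont he asset` (on the), `have reach their end of life` (have reached), and `a users' needs` (a user's needs). Separately, the comment enumerates thirteen bracketed slugs (`internet-facing` through `uncategorized`) but `indicator` is a plain `string`, so nothing in the message ties the field to that list; either state in the comment what a consumer should do with a value outside the list (for example, treat it as `uncategorized`) or consider an enum if the set is meant to be closed. The opening line also says indicators are "freely configurable" and then "Currently we support", which reads as contradictory; a sentence clarifying whether arbitrary custom values are accepted would resolve it.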
