From 20a41a7915fc1ceba0a5d63ae367c52e4d555a9a Mon Sep 17 00:00:00 2001
From: DimitriZhurkin
Date: Fri, 20 Dec 2024 14:46:01 -0700
Subject: [PATCH 1/3] Add connection-security constraint (issue #961)
---
 features/fedramp_extensions.feature | 3 +++
 .../fedramp-external-allowed-values.xml | 18 ++++++++++++++++++
 .../unit-tests/connection-security-FAIL.yaml | 8 ++++++++
 .../unit-tests/connection-security-PASS.yaml | 8 ++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 src/validations/constraints/unit-tests/connection-security-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/connection-security-PASS.yaml
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 18edb73fb..2d93f2cdc 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -41,6 +41,7 @@ Examples:
 | component-has-provider-responsible-role |
 | component-has-used-by-link |
 | component-type |
+ | connection-security |
 | control-implementation-status |
 | data-center-alternate |
 | data-center-count |
@@ -211,6 +212,8 @@ Examples:
 | component-responsible-role-references-party-PASS.yaml |
 | component-type-FAIL.yaml |
 | component-type-PASS.yaml |
+ | connection-security-FAIL.yaml |
+ | connection-security-PASS.yaml |
 | control-implementation-status-FAIL.yaml |
 | control-implementation-status-PASS.yaml |
 | data-center-alternate-FAIL.yaml |
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 907ed444c..ab4fb8b7e 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -102,6 +102,24 @@ A physical or virtual network.
+
+ Connection Security
+ Identifies connection security value.
+ Internet Protocol Security (IPSec) Internet Key Exchange (IKE) Version 1
+ Internet Protocol Security (IPSec) Internet Key Exchange (IKE) Version 2
+ Internet Protocol Security (IPSec)
+ Secure Shell 1 (SSH-1)
+ Secure Shell 2 (SSH-2)
+ Secure Sockets Layer (SSL) 1.0
+ Secure Sockets Layer (SSL) 2.0
+ Secure Sockets Layer (SSL) 3.0
+ Transport Layer Security (TLS) Version 1.0
+ Transport Layer Security (TLS) Version 1.1
+ Transport Layer Security (TLS) Version 1.2
+ Transport Layer Security (TLS) Version 1.3
+ Virtual Private Network (VPN)
+
+
 Control Implementation Status
 The implementation status of the control.
diff --git a/src/validations/constraints/unit-tests/connection-security-FAIL.yaml b/src/validations/constraints/unit-tests/connection-security-FAIL.yaml
new file mode 100644
index 000000000..05bc28059
--- /dev/null
+++ b/src/validations/constraints/unit-tests/connection-security-FAIL.yaml
@@ -0,0 +1,8 @@
+# Driver for the negative connection-security constraint unit test.
+test-case:
+ name: The negative connection-security constraint unit test.
+ description: This test case suppresses the negative test for the connection-security "allowed-values" constraint because of its @allow-other="yes" attribute value.
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: connection-security
+ fail_count: 0
diff --git a/src/validations/constraints/unit-tests/connection-security-PASS.yaml b/src/validations/constraints/unit-tests/connection-security-PASS.yaml
new file mode 100644
index 000000000..3a0307ff7
--- /dev/null
+++ b/src/validations/constraints/unit-tests/connection-security-PASS.yaml
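Review bot: The new vocabulary places SSL 1.0/2.0/3.0, TLS 1.0/1.1, SSH-1 and IKEv1 next to TLS 1.2/1.3 with nothing in the constraint marking them as withdrawn, so a reader of this file cannot tell a protocol FedRAMP permits from one NIST SP 800-52 Rev. 2 prohibits for federal systems. The sibling FAIL driver states the constraint carries `allow-other="yes"`, which means an SSP declaring `Secure Sockets Layer (SSL) 3.0` passes this check exactly as one declaring TLS 1.3 does; the constraint documents a vocabulary, not a policy, and the description `Identifies connection security value.` should say so. Suggest adding above the enum block a comment like `<!-- Vocabulary only: SSL 1.0-3.0, TLS 1.0/1.1, SSH-1 and IKEv1 are kept so legacy declarations stay machine-readable; flagging them as non-compliant belongs in a separate constraint -->`, or splitting the deprecated entries into a second constraint that actually fails. The element tags and attributes of this hunk are not visible in this rendering, so the allow-other behaviour above is taken from the test driver's description rather than the XML itself.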
@@ -0,0 +1,8 @@
+# Driver for the positive connection-security constraint unit test.
+test-case:
+ name: The positive connection-security constraint unit test.
+ description: Test that the FedRAMP SSP connection-security properties contain FedRAMP-approved values.
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: connection-security
+ result: pass
\ No newline at end of file
From 65622b0a150f08de00c6a3c922071b11a97792ee Mon Sep 17 00:00:00 2001
From: DimitriZhurkin
Date: Thu, 2 Jan 2025 09:00:12 -0700
Subject: [PATCH 2/3] change fedramp ns to http
---
 src/validations/constraints/fedramp-external-allowed-values.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index ab4fb8b7e..3797a45d2 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -102,7 +102,7 @@ A physical or virtual network.
-
+
 Connection Security
 Identifies connection security value.
 Internet Protocol Security (IPSec) Internet Key Exchange (IKE) Version 1
From 68ca660ae9cd9e092dc881e0df34232cb9ff1e5b Mon Sep 17 00:00:00 2001
From: DimitriZhurkin
Date: Thu, 2 Jan 2025 10:01:34 -0700
Subject: [PATCH 3/3] Add help-url
---
 src/validations/constraints/fedramp-external-allowed-values.xml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
index 3797a45d2..592df480c 100644
--- a/src/validations/constraints/fedramp-external-allowed-values.xml
+++ b/src/validations/constraints/fedramp-external-allowed-values.xml
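Review bot: The `description:` line overstates what a green result means: the vocabulary this driver exercises includes SSL and TLS 1.0/1.1, and the sibling FAIL driver says the constraint is `allow-other="yes"`, so any value at all passes and "FedRAMP-approved values" is not what is being asserted. Suggest `description: Test that the connection-security property values in the example SSP are drawn from the FedRAMP connection-security vocabulary (advisory only; the constraint allows other values).` so a reader of the test report does not mistake this for a protocol-compliance check. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike the FAIL driver; add one for consistency.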
@@ -105,6 +105,7 @@ Connection Security
 Identifies connection security value.
+
 Internet Protocol Security (IPSec) Internet Key Exchange (IKE) Version 1
 Internet Protocol Security (IPSec) Internet Key Exchange (IKE) Version 2
 Internet Protocol Security (IPSec)