2022-07-06 13:37:13 +00:00

# Attestations

## Use Cases

As a compliance officer, I want to mark skipped controls as manually passed or failed so that I can manually complete the profile.

As a compliance officer, I want to set an expiration date and a justification for my attestations so that I can control their application.

As a compliance officer, I want flexibility in the file format accepted by the attestations system (XLSX, YAML, CSV, JSON) so that I can use a familiar file format.

When used with Enhanced Outcomes, this becomes the mechanism for handling `Not Reviewed` controls.

## Mechanism

### CLI option desirable

`inspec exec profilename --attestation-file file.???`

The new option is named like `--waiver-file`: singular, with `-file`. You may provide multiple arguments for the option.

The file can be any of the following formats: `YAML`, `XLSX`, `CSV`, or `JSON`.

#### YAML and JSON

The file contains an array of Hashes, one per attestation.

#### XLSX and CSV

For XLSX, the attestations are read from the first sheet in the file.

Both formats assume a header row.

### Fields in the file

#### control_id

_Required_. Matches the control ID of the control.

#### justification

_Required_. Free text field, used as the explanation for the control when displayed.

#### evidence_url

_Optional_. URL to evidence, determined by the user, that supports the justification.

#### expiration_date

_Optional_. If present, the attestation expires at the end of the date given.

#### status

_Optional_. Default `passed`. If the attestation should indicate that the control is a failure, set this to `failed`.

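The following is an added example, not InSpec's own code, showing how a loader could read an attestation file in the YAML, JSON and CSV forms described above and validate the fields just listed: required `control_id` and `justification`, a `status` restricted to `passed`/`failed` with `passed` as the default, and an optional ISO 8601 `expiration_date`. XLSX is omitted because reading it needs a third-party gem; its rules are the same as CSV's (first sheet, header row). The function names and the sample inputs are constructed for this example.

```ruby
# Added example, not InSpec's own code: parse an attestation file supplied as a
# string in YAML, JSON or CSV and normalize each row to the documented fields.
require "yaml"
require "json"
require "csv"
require "date"

REQUIRED_FIELDS = %w[control_id justification].freeze
VALID_STATUSES  = %w[passed failed].freeze

# Returns an array of Hashes with string keys, one per attestation.
# Raises ArgumentError on an unsupported format or a malformed row, so a bad
# file fails the run loudly instead of silently attesting nothing.
def parse_attestations(content, format)
  rows =
    case format.to_s.downcase
    when "yaml", "yml" then YAML.safe_load(content, permitted_classes: [Date]) || []
    when "json"        then JSON.parse(content)
    when "csv"         then CSV.parse(content, headers: true).map(&:to_h)
    else raise ArgumentError, "unsupported attestation file format: #{format}"
    end
  raise ArgumentError, "attestation file must contain an array of hashes" unless rows.is_a?(Array)
  rows.each_with_index.map { |row, i| normalize_attestation(row, i) }
end

def normalize_attestation(row, index)
  raise ArgumentError, "row #{index}: expected a hash, got #{row.class}" unless row.is_a?(Hash)
  att = row.transform_keys(&:to_s)
  REQUIRED_FIELDS.each do |field|
    value = att[field]
    if value.nil? || value.to_s.strip.empty?
      raise ArgumentError, "row #{index}: missing required field #{field}"
    end
  end
  # status defaults to passed; anything other than passed/failed is rejected
  att["status"] = (att["status"] || "passed").to_s.strip.downcase
  unless VALID_STATUSES.include?(att["status"])
    raise ArgumentError, "row #{index}: status must be passed or failed, got #{att["status"].inspect}"
  end
  att["expiration_date"] = parse_expiration(att["expiration_date"], index)
  att
end

# expiration_date may be absent, blank, already a Date (YAML) or a string.
def parse_expiration(value, index)
  return nil if value.nil? || value.to_s.strip.empty?
  return value if value.is_a?(Date)
  Date.iso8601(value.to_s.strip)
rescue ArgumentError
  raise ArgumentError, "row #{index}: expiration_date is not an ISO 8601 date: #{value.inspect}"
end

# Constructed sample inputs (not from the original document).
SAMPLE_YAML = <<~YAML
  - control_id: sshd-01
    justification: Reviewed manually by the ISSO; compensating control documented.
    evidence_url: https://example.invalid/evidence/sshd-01
    expiration_date: 2022-12-31
  - control_id: sshd-02
    justification: Finding accepted; remediation scheduled.
    status: failed
YAML

SAMPLE_CSV = <<~CSV
  control_id,justification,evidence_url,expiration_date,status
  sshd-01,Reviewed manually,https://example.invalid/evidence/sshd-01,2022-12-31,
  sshd-03,Compensating control in place,,,failed
CSV

if $PROGRAM_NAME == __FILE__
  parse_attestations(SAMPLE_YAML, :yaml).each do |a|
    puts "#{a["control_id"]}: #{a["status"]} until #{a["expiration_date"] || "never"}"
  end
end
```

`YAML.safe_load` is used rather than `YAML.load` so that an attestation file cannot instantiate arbitrary Ruby objects; `Date` is the only extra class permitted, because unquoted YAML dates resolve to it.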
### Implementation

When running, at the **RunData** stage, attestations are handled by the following process:

1. Locate matching controls by matching the control ID.
2. Inject an artificial test result into the control, using the attestation justification as the result message.
3. If the attestation is expired, set the new test result to Skip.
4. If the attestation is not expired, set the new test result to the status given in the attestation data (default pass).
5. Record a copy of the attestation data structure in the Control RunData structure.

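The five steps above, carried out as an added example that is not InSpec's own code. The control structure is a hypothetical minimal stand-in for RunData (an `id`, a `results` array and an `attestation_data` slot), and the `attested` and `skip_message` keys on the injected result are assumptions for this example, not fields of the real reporter schema. The example also reports attestations that matched no control, which the steps do not mention but which an operator will want to see.

```ruby
require "date"

# Added example, not InSpec's own code. A hypothetical, minimal stand-in for the
# RunData control structure; the real RunData classes differ.
def build_run_data(control_ids)
  { "controls" => control_ids.map { |id| { "id" => id, "results" => [], "attestation_data" => nil } } }
end

# An attestation expires at the end of its expiration_date, so it is still
# valid on that date and expired from the following day on.
def attestation_expired?(attestation, today)
  exp = attestation["expiration_date"]
  return false if exp.nil?
  exp = Date.iso8601(exp.to_s) unless exp.is_a?(Date)
  today > exp
end

# Steps 1-5 of the process above. Mutates run_data in place and returns a small
# report of which attestations were applied and which matched no control, so a
# mistyped or renamed control ID does not go unnoticed.
def apply_attestations(run_data, attestations, today: Date.today)
  report = { "applied" => [], "unmatched" => [] }
  attestations.each do |att|
    # Step 1: locate the control by its ID.
    control = run_data["controls"].find { |c| c["id"] == att["control_id"] }
    if control.nil?
      report["unmatched"] << att["control_id"]
      next
    end
    # Steps 3 and 4: expired attestations skip; otherwise use the attested status.
    expired = attestation_expired?(att, today)
    status = expired ? "skipped" : (att["status"] || "passed")
    # Step 2: inject an artificial result carrying the justification as its message.
    result = {
      "status" => status,
      "message" => att["justification"],
      "attested" => true, # assumed marker so reporters can tell the result is artificial
    }
    result["skip_message"] = "attestation expired on #{att["expiration_date"]}" if expired
    control["results"] << result
    # Step 5: keep a copy of the attestation data with the control.
    control["attestation_data"] = att.dup
    report["applied"] << [att["control_id"], status]
  end
  report
end

# Constructed sample data (not from the original document).
SAMPLE_ATTESTATIONS = [
  { "control_id" => "sshd-01", "justification" => "Reviewed manually", "expiration_date" => "2022-12-31" },
  { "control_id" => "sshd-02", "justification" => "Finding accepted", "status" => "failed" },
  { "control_id" => "sshd-99", "justification" => "No such control in this profile" },
].freeze

if $PROGRAM_NAME == __FILE__
  run_data = build_run_data(%w[sshd-01 sshd-02 sshd-03])
  report = apply_attestations(run_data, SAMPLE_ATTESTATIONS, today: Date.new(2023, 1, 1))
  puts "applied:   #{report["applied"].inspect}"
  puts "unmatched: #{report["unmatched"].inspect}"
end
```

Run on 2023-01-01, the sample attestation for `sshd-01` has expired and yields a skipped result, `sshd-02` yields the attested `failed` result, and `sshd-99` is reported as unmatched; run on 2022-07-07 the same `sshd-01` attestation yields `passed`.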
### Compatibility

To support backward compatibility with existing MITRE work, support will be added (but not otherwise documented) for the following fields:

* `explanation`: the equivalent of `justification`.
* `updated` (Date) and `frequency` (string enum): together, the equivalent of the expiration date.
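An added example, not InSpec's own code, of mapping the legacy fields above onto the documented ones: `explanation` becomes `justification`, and `updated` plus `frequency` are combined into an `expiration_date`. The page describes `frequency` only as a string enum and does not list its values, so the period vocabulary in `FREQUENCY_PERIODS` is an assumption made for this example; the function names and sample row are constructed as well.

```ruby
require "date"

# Added example, not InSpec's own code: map the legacy MITRE fields onto the
# documented attestation fields.
#
# Assumed frequency vocabulary: the page says "string enum" but lists no values.
FREQUENCY_PERIODS = {
  "daily"     => ->(d) { d + 1 },
  "weekly"    => ->(d) { d + 7 },
  "monthly"   => ->(d) { d >> 1 },  # Date#>> adds months and clamps the day of month
  "quarterly" => ->(d) { d >> 3 },
  "annually"  => ->(d) { d >> 12 },
}.freeze

# updated + frequency -> the date on which the attestation expires.
def expiration_from_frequency(updated, frequency)
  raise ArgumentError, "updated and frequency must both be present" if updated.nil? || frequency.nil?
  updated = Date.iso8601(updated.to_s) unless updated.is_a?(Date)
  period = FREQUENCY_PERIODS[frequency.to_s.strip.downcase]
  if period.nil?
    raise ArgumentError, "unknown frequency #{frequency.inspect}; expected one of #{FREQUENCY_PERIODS.keys.join(", ")}"
  end
  period.call(updated)
end

# Returns a new hash using the documented field names. Explicit new-style
# fields win over legacy ones; legacy keys are removed once consumed, so the
# rest of the pipeline only ever sees the documented fields.
def normalize_legacy_attestation(row)
  att = row.transform_keys(&:to_s)
  if att.key?("explanation")
    explanation = att.delete("explanation")
    att["justification"] ||= explanation
  end
  if att.key?("updated") || att.key?("frequency")
    updated   = att.delete("updated")
    frequency = att.delete("frequency")
    att["expiration_date"] ||= expiration_from_frequency(updated, frequency)
  end
  att
end

# Constructed legacy row (not from the original document).
LEGACY_ROW = {
  "control_id"  => "V-00001",
  "explanation" => "Accepted risk; see ticket",
  "updated"     => "2022-07-01",
  "frequency"   => "annually",
}.freeze

if $PROGRAM_NAME == __FILE__
  puts normalize_legacy_attestation(LEGACY_ROW).inspect
end
```

Because `Date#>>` clamps the day of month, an attestation updated on 2022-01-31 with a monthly frequency expires on 2022-02-28 rather than rolling into March.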