framework-mcp 1.3.1 → 1.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/backups/README.md +31 -0
- package/backups/safeguard-manager-5-safeguards.ts +343 -0
- package/dist/core/safeguard-manager.backup.d.ts +15 -0
- package/dist/core/safeguard-manager.backup.d.ts.map +1 -0
- package/dist/core/safeguard-manager.backup.js +318 -0
- package/dist/core/safeguard-manager.backup.js.map +1 -0
- package/dist/core/safeguard-manager.d.ts +17 -0
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +5321 -44
- package/dist/core/safeguard-manager.js.map +1 -1
- package/migration/README.md +66 -0
- package/migration/integration-ready-safeguards.ts +5457 -0
- package/package.json +1 -1
- package/scripts/analyze-data-structure.cjs +74 -0
- package/scripts/clean-safeguards-data.cjs +60 -0
- package/scripts/comprehensive-validation.cjs +176 -0
- package/scripts/count-safeguards.cjs +89 -0
- package/scripts/format-safeguards-proper.cjs +44 -0
- package/scripts/validate-formatted-data.cjs +88 -0
- package/src/core/safeguard-manager.backup.ts +343 -0
- package/src/core/safeguard-manager.ts +5510 -216
- package/src/core/safeguard-manager.ts.backup-20250821_085347 +343 -0
|
@@ -0,0 +1,343 @@
|
|
|
1
|
+
import { SafeguardElement, CacheEntry } from '../shared/types.js';
|
|
2
|
+
|
|
3
|
+
export class SafeguardManager {
|
|
4
|
+
private cache: Map<string, CacheEntry<any>>;
|
|
5
|
+
private safeguards: Record<string, SafeguardElement> = {};
|
|
6
|
+
|
|
7
|
+
constructor() {
|
|
8
|
+
this.cache = new Map();
|
|
9
|
+
this.initializeSafeguards();
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
public getSafeguardDetails(safeguardId: string, includeExamples: boolean = false): SafeguardElement | null {
|
|
13
|
+
// Check cache first
|
|
14
|
+
const cacheKey = `${safeguardId}_${includeExamples}`;
|
|
15
|
+
const cached = this.getCachedSafeguardDetails(cacheKey);
|
|
16
|
+
if (cached) {
|
|
17
|
+
return cached;
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
const safeguard = this.safeguards[safeguardId];
|
|
21
|
+
if (!safeguard) {
|
|
22
|
+
return null;
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
// Add examples if requested
|
|
26
|
+
let result = { ...safeguard };
|
|
27
|
+
if (includeExamples) {
|
|
28
|
+
result = this.addImplementationExamples(result);
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
// Cache the result
|
|
32
|
+
this.cache.set(cacheKey, {
|
|
33
|
+
data: result,
|
|
34
|
+
timestamp: Date.now()
|
|
35
|
+
});
|
|
36
|
+
|
|
37
|
+
return result;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
public listAvailableSafeguards(): string[] {
|
|
41
|
+
// Check cache first
|
|
42
|
+
const cached = this.cache.get('safeguard_list');
|
|
43
|
+
if (cached && (Date.now() - cached.timestamp < 10 * 60 * 1000)) { // 10 minute cache
|
|
44
|
+
return cached.data;
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
const safeguardList = Object.keys(this.safeguards).sort((a, b) => {
|
|
48
|
+
const [aMajor, aMinor] = a.split('.').map(Number);
|
|
49
|
+
const [bMajor, bMinor] = b.split('.').map(Number);
|
|
50
|
+
return aMajor - bMajor || aMinor - bMinor;
|
|
51
|
+
});
|
|
52
|
+
|
|
53
|
+
// Cache the result
|
|
54
|
+
this.cache.set('safeguard_list', {
|
|
55
|
+
data: safeguardList,
|
|
56
|
+
timestamp: Date.now()
|
|
57
|
+
});
|
|
58
|
+
|
|
59
|
+
return safeguardList;
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
public getAllSafeguards(): Record<string, SafeguardElement> {
|
|
63
|
+
return { ...this.safeguards };
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
public validateSafeguardId(safeguardId: string): void {
|
|
67
|
+
if (!safeguardId || typeof safeguardId !== 'string') {
|
|
68
|
+
throw new Error('Safeguard ID is required and must be a string');
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
if (!/^[0-9]+\.[0-9]+$/.test(safeguardId)) {
|
|
72
|
+
throw new Error('Safeguard ID must be in format "X.Y" (e.g., "1.1", "5.1")');
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
if (!this.safeguards[safeguardId]) {
|
|
76
|
+
const availableSafeguards = this.listAvailableSafeguards();
|
|
77
|
+
throw new Error(`Safeguard ${safeguardId} not found. Available safeguards: ${availableSafeguards.join(', ')}`);
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
private getCachedSafeguardDetails(cacheKey: string): SafeguardElement | null {
|
|
82
|
+
const cached = this.cache.get(cacheKey);
|
|
83
|
+
|
|
84
|
+
if (cached && (Date.now() - cached.timestamp < 5 * 60 * 1000)) { // 5 minute cache
|
|
85
|
+
return cached.data;
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
return null;
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
private addImplementationExamples(safeguard: SafeguardElement): SafeguardElement {
|
|
92
|
+
// Add implementation examples based on safeguard type
|
|
93
|
+
const examples = this.getImplementationExamples(safeguard.id);
|
|
94
|
+
|
|
95
|
+
return {
|
|
96
|
+
...safeguard,
|
|
97
|
+
implementationSuggestions: [
|
|
98
|
+
...safeguard.implementationSuggestions,
|
|
99
|
+
...examples
|
|
100
|
+
]
|
|
101
|
+
};
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
private getImplementationExamples(safeguardId: string): string[] {
|
|
105
|
+
const exampleMap: Record<string, string[]> = {
|
|
106
|
+
"1.1": [
|
|
107
|
+
"Example: Use Lansweeper for automated asset discovery",
|
|
108
|
+
"Example: Implement ServiceNow CMDB for centralized tracking",
|
|
109
|
+
"Example: Deploy Microsoft SCCM for Windows asset management"
|
|
110
|
+
],
|
|
111
|
+
"5.1": [
|
|
112
|
+
"Example: Use Azure AD for centralized account management",
|
|
113
|
+
"Example: Implement Okta for identity lifecycle management",
|
|
114
|
+
"Example: Deploy JumpCloud for directory services"
|
|
115
|
+
],
|
|
116
|
+
"6.3": [
|
|
117
|
+
"Example: Enable Azure MFA for all external applications",
|
|
118
|
+
"Example: Implement Duo Security for multi-factor authentication",
|
|
119
|
+
"Example: Use Google Workspace SSO with MFA enforcement"
|
|
120
|
+
],
|
|
121
|
+
"7.1": [
|
|
122
|
+
"Example: Establish Nessus vulnerability scanning schedule",
|
|
123
|
+
"Example: Implement Qualys VMDR for continuous monitoring",
|
|
124
|
+
"Example: Use Rapid7 InsightVM for vulnerability management"
|
|
125
|
+
]
|
|
126
|
+
};
|
|
127
|
+
|
|
128
|
+
return exampleMap[safeguardId] || [];
|
|
129
|
+
}
|
|
130
|
+
|
|
131
|
+
private initializeSafeguards(): void {
|
|
132
|
+
// Initialize the complete CIS Controls Framework data
|
|
133
|
+
// TODO: Replace with complete 153 safeguards dataset - currently using temporary placeholder
|
|
134
|
+
// The complete dataset will be loaded from the original implementation
|
|
135
|
+
console.warn('⚠️ KNOWN BUG: SafeguardManager only loads 5 sample safeguards instead of complete 153 CIS Controls v8.1 dataset');
|
|
136
|
+
|
|
137
|
+
this.safeguards = {
|
|
138
|
+
"1.1": {
|
|
139
|
+
id: "1.1",
|
|
140
|
+
title: "Establish and Maintain a Detailed Enterprise Asset Inventory",
|
|
141
|
+
description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data",
|
|
142
|
+
implementationGroup: "IG1",
|
|
143
|
+
assetType: ["end-user devices", "network devices", "IoT devices", "servers"],
|
|
144
|
+
securityFunction: ["Identify"],
|
|
145
|
+
governanceElements: [
|
|
146
|
+
"establish inventory process",
|
|
147
|
+
"maintain inventory process",
|
|
148
|
+
"documented process",
|
|
149
|
+
"review and update bi-annually",
|
|
150
|
+
"enterprise asset management policy"
|
|
151
|
+
],
|
|
152
|
+
coreRequirements: [
|
|
153
|
+
"accurate inventory",
|
|
154
|
+
"detailed inventory",
|
|
155
|
+
"up-to-date inventory",
|
|
156
|
+
"all enterprise assets",
|
|
157
|
+
"potential to store or process data"
|
|
158
|
+
],
|
|
159
|
+
subTaxonomicalElements: [
|
|
160
|
+
"network address (if static)",
|
|
161
|
+
"hardware address",
|
|
162
|
+
"machine name",
|
|
163
|
+
"enterprise asset owner",
|
|
164
|
+
"department for each asset",
|
|
165
|
+
"approved to connect to network",
|
|
166
|
+
"end-user devices (portable and mobile)",
|
|
167
|
+
"network devices",
|
|
168
|
+
"non-computing/IoT devices",
|
|
169
|
+
"servers",
|
|
170
|
+
"physical connection",
|
|
171
|
+
"virtual connection",
|
|
172
|
+
"remote connection",
|
|
173
|
+
"cloud environments",
|
|
174
|
+
"regularly connected devices not under enterprise control"
|
|
175
|
+
],
|
|
176
|
+
implementationSuggestions: [
|
|
177
|
+
"MDM type tools for mobile devices",
|
|
178
|
+
"enterprise and software asset management tool",
|
|
179
|
+
"asset discovery tools",
|
|
180
|
+
"DHCP logging",
|
|
181
|
+
"passive discovery tools"
|
|
182
|
+
],
|
|
183
|
+
relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"],
|
|
184
|
+
keywords: ["asset", "inventory", "device", "network", "mobile", "IoT", "server", "detailed", "accurate", "up-to-date"]
|
|
185
|
+
},
|
|
186
|
+
"1.2": {
|
|
187
|
+
id: "1.2",
|
|
188
|
+
title: "Address Unauthorized Assets",
|
|
189
|
+
description: "Ensure that a process exists to address unauthorized assets on a weekly basis",
|
|
190
|
+
implementationGroup: "IG1",
|
|
191
|
+
assetType: ["devices"],
|
|
192
|
+
securityFunction: ["Respond"],
|
|
193
|
+
governanceElements: [
|
|
194
|
+
"ensure process exists",
|
|
195
|
+
"weekly basis requirement",
|
|
196
|
+
"unauthorized asset handling policy"
|
|
197
|
+
],
|
|
198
|
+
coreRequirements: [
|
|
199
|
+
"address unauthorized assets",
|
|
200
|
+
"process to handle unauthorized devices",
|
|
201
|
+
"weekly execution"
|
|
202
|
+
],
|
|
203
|
+
subTaxonomicalElements: [
|
|
204
|
+
"unauthorized asset detection",
|
|
205
|
+
"asset classification",
|
|
206
|
+
"response timeline",
|
|
207
|
+
"documentation requirements",
|
|
208
|
+
"quarantine procedures",
|
|
209
|
+
"removal procedures"
|
|
210
|
+
],
|
|
211
|
+
implementationSuggestions: [
|
|
212
|
+
"network access control (NAC) solutions",
|
|
213
|
+
"automated asset discovery tools",
|
|
214
|
+
"network monitoring systems",
|
|
215
|
+
"SIEM integration"
|
|
216
|
+
],
|
|
217
|
+
relatedSafeguards: ["1.1", "1.3", "12.1", "13.1"],
|
|
218
|
+
keywords: ["unauthorized", "assets", "weekly", "address", "process", "detection", "quarantine"]
|
|
219
|
+
},
|
|
220
|
+
"5.1": {
|
|
221
|
+
id: "5.1",
|
|
222
|
+
title: "Establish and Maintain an Inventory of Accounts",
|
|
223
|
+
description: "Establish and maintain an inventory of all accounts managed in the enterprise",
|
|
224
|
+
implementationGroup: "IG1",
|
|
225
|
+
assetType: ["users"],
|
|
226
|
+
securityFunction: ["Identify"],
|
|
227
|
+
governanceElements: [
|
|
228
|
+
"establish inventory process",
|
|
229
|
+
"maintain inventory process",
|
|
230
|
+
"validate all active accounts are authorized",
|
|
231
|
+
"recurring schedule minimum quarterly",
|
|
232
|
+
"account management policy"
|
|
233
|
+
],
|
|
234
|
+
coreRequirements: [
|
|
235
|
+
"inventory of all accounts",
|
|
236
|
+
"user accounts",
|
|
237
|
+
"administrator accounts",
|
|
238
|
+
"managed in the enterprise"
|
|
239
|
+
],
|
|
240
|
+
subTaxonomicalElements: [
|
|
241
|
+
"person's name",
|
|
242
|
+
"username",
|
|
243
|
+
"start/stop dates",
|
|
244
|
+
"department",
|
|
245
|
+
"account status",
|
|
246
|
+
"account type",
|
|
247
|
+
"access rights",
|
|
248
|
+
"last login date"
|
|
249
|
+
],
|
|
250
|
+
implementationSuggestions: [
|
|
251
|
+
"identity and access management tool",
|
|
252
|
+
"directory services",
|
|
253
|
+
"automated account provisioning",
|
|
254
|
+
"account lifecycle management",
|
|
255
|
+
"role-based access control system"
|
|
256
|
+
],
|
|
257
|
+
relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2"],
|
|
258
|
+
keywords: ["accounts", "inventory", "user", "administrator", "name", "username", "dates", "department", "quarterly"]
|
|
259
|
+
},
|
|
260
|
+
"6.3": {
|
|
261
|
+
id: "6.3",
|
|
262
|
+
title: "Require MFA for Externally-Exposed Applications",
|
|
263
|
+
description: "Require all externally-exposed enterprise or third-party applications to enforce MFA",
|
|
264
|
+
implementationGroup: "IG1",
|
|
265
|
+
assetType: ["users"],
|
|
266
|
+
securityFunction: ["Protect"],
|
|
267
|
+
governanceElements: [
|
|
268
|
+
"require MFA enforcement",
|
|
269
|
+
"policy for externally-exposed applications",
|
|
270
|
+
"MFA compliance verification"
|
|
271
|
+
],
|
|
272
|
+
coreRequirements: [
|
|
273
|
+
"multi-factor authentication",
|
|
274
|
+
"all externally-exposed applications",
|
|
275
|
+
"enterprise applications",
|
|
276
|
+
"third-party applications",
|
|
277
|
+
"enforce MFA where supported"
|
|
278
|
+
],
|
|
279
|
+
subTaxonomicalElements: [
|
|
280
|
+
"authentication factors",
|
|
281
|
+
"something you know (password)",
|
|
282
|
+
"something you have (token)",
|
|
283
|
+
"something you are (biometric)",
|
|
284
|
+
"external access points",
|
|
285
|
+
"application inventory",
|
|
286
|
+
"exposure assessment"
|
|
287
|
+
],
|
|
288
|
+
implementationSuggestions: [
|
|
289
|
+
"directory service enforcement",
|
|
290
|
+
"SSO provider enforcement",
|
|
291
|
+
"multi-factor authentication tools",
|
|
292
|
+
"SAML integration",
|
|
293
|
+
"OAuth implementation",
|
|
294
|
+
"conditional access policies"
|
|
295
|
+
],
|
|
296
|
+
relatedSafeguards: ["2.1", "4.1", "5.1", "6.1", "6.2"],
|
|
297
|
+
keywords: ["MFA", "multi-factor", "authentication", "externally-exposed", "applications", "third-party", "SSO", "directory"]
|
|
298
|
+
},
|
|
299
|
+
"7.1": {
|
|
300
|
+
id: "7.1",
|
|
301
|
+
title: "Establish and Maintain a Vulnerability Management Process",
|
|
302
|
+
description: "Establish and maintain a documented vulnerability management process for enterprise assets",
|
|
303
|
+
implementationGroup: "IG1",
|
|
304
|
+
assetType: ["documentation"],
|
|
305
|
+
securityFunction: ["Govern"],
|
|
306
|
+
governanceElements: [
|
|
307
|
+
"establish documented process",
|
|
308
|
+
"maintain vulnerability management process",
|
|
309
|
+
"review and update documentation annually",
|
|
310
|
+
"update when significant enterprise changes occur",
|
|
311
|
+
"vulnerability management policy"
|
|
312
|
+
],
|
|
313
|
+
coreRequirements: [
|
|
314
|
+
"vulnerability management process",
|
|
315
|
+
"enterprise assets scope",
|
|
316
|
+
"documented procedures",
|
|
317
|
+
"vulnerability identification",
|
|
318
|
+
"vulnerability assessment"
|
|
319
|
+
],
|
|
320
|
+
subTaxonomicalElements: [
|
|
321
|
+
"vulnerability scanning procedures",
|
|
322
|
+
"risk assessment criteria",
|
|
323
|
+
"remediation prioritization",
|
|
324
|
+
"patch management integration",
|
|
325
|
+
"vulnerability tracking",
|
|
326
|
+
"reporting requirements",
|
|
327
|
+
"roles and responsibilities",
|
|
328
|
+
"escalation procedures"
|
|
329
|
+
],
|
|
330
|
+
implementationSuggestions: [
|
|
331
|
+
"vulnerability scanning tools",
|
|
332
|
+
"patch management systems",
|
|
333
|
+
"vulnerability databases",
|
|
334
|
+
"CVSS scoring",
|
|
335
|
+
"automated scanning",
|
|
336
|
+
"vulnerability management platforms"
|
|
337
|
+
],
|
|
338
|
+
relatedSafeguards: ["1.1", "2.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.7"],
|
|
339
|
+
keywords: ["vulnerability", "management", "process", "documented", "annual", "review", "enterprise", "assets"]
|
|
340
|
+
}
|
|
341
|
+
};
|
|
342
|
+
}
|
|
343
|
+
}
|