regscale-cli 6.27.2.0__py3-none-any.whl → 6.28.0.0__py3-none-any.whl

regscale/integrations/public/csam/csam_controls.py

@@ -0,0 +1,432 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Integrates CSAM into RegScale"""
+
+# standard python imports
+import logging
+from typing import List, Optional, Tuple, Any, Dict
+from rich.progress import track
+from rich.console import Console
+from regscale.core.app.application import Application
+from regscale.models.regscale_models import (
+    Catalog,
+    ControlImplementation,
+    InheritedControl,
+    Inheritance,
+    SecurityControl,
+    SecurityPlan,
+)
+from regscale.integrations.control_matcher import ControlMatcher
+from regscale.models.regscale_models.form_field_value import FormFieldValue
+from regscale.integrations.public.csam.csam_common import (
+    retrieve_from_csam,
+    retrieve_ssps_custom_form_map,
+    CSAM_FIELD_NAME,
+    SSP_BASIC_TAB,
+)
+
+FULLY_IMPLEMENTED = "Fully Implemented"
+
+logger = logging.getLogger("regscale")
+console = Console()
+
+####################################################################################################
+#
+# IMPORT SSP / POAM FROM DoJ's CSAM GRC
+# CSAM API Docs: https://csam.dhs.gov/CSAM/api/docs/index.html (required PIV)
+#
+####################################################################################################
+
+
+def import_csam_controls(import_ids: Optional[List[int]] = None):
+    """
+    Import Controls from CSAM
+
+    :param list import_ids: Filtered list of SSPs
+    :return: None
+    """
+
+    # Get existing ssps by CSAM Id
+    custom_fields_basic_map = FormFieldValue.check_custom_fields([CSAM_FIELD_NAME], "securityplans", SSP_BASIC_TAB)
+    ssp_map = retrieve_ssps_custom_form_map(
+        tab_name=SSP_BASIC_TAB, field_form_id=custom_fields_basic_map[CSAM_FIELD_NAME]
+    )
+
+    plans = import_ids if import_ids else list(ssp_map.keys())
+
+    # Find the Catalogs
+    rev5_catalog_id, rev4_catalog_id = get_catalogs()
+
+    # Get the list of controls for each catalog
+    rev5_controls = SecurityControl.get_list_by_catalog(catalog_id=rev5_catalog_id)
+    rev4_controls = SecurityControl.get_list_by_catalog(catalog_id=rev4_catalog_id)
+
+    control_implementations = []
+    for regscale_ssp_id in plans:
+        results = []
+        system_id = ssp_map.get(regscale_ssp_id)
+
+        # Get the Implementation for AC-1
+        # Check the controlSet
+        # Match the catalog
+        imp = retrieve_from_csam(
+            csam_endpoint=f"/CSAM/api/v1/systems/{system_id}/controls/AC-1",
+        )
+
+        # Get the controls
+        if imp[0].get("controlSet") in ["NIST 800-53 Rev4", "NIST 800-53 Rev5"]:
+            results = retrieve_controls(
+                csam_id=system_id,
+                controls=rev4_controls if imp[0].get("controlSet") == "NIST 800-53 Rev4" else rev5_controls,
+                regscale_id=regscale_ssp_id,
+            )
+        else:
+            logger.warning(
+                f"System framework {imp.get('controlSet')} \
+                           for system {system_id} is not supported"
+            )
+            continue
+
+        if not results:
+            logger.warning(f"No controls found for system id: {system_id}")
+            continue
+
+        # Build the controls
+        control_implementations = build_implementations(results=results, regscale_id=regscale_ssp_id)
+
+        # Save the control implementations
+        for index in track(
+            range(len(control_implementations)),
+            description=f"Saving {len(control_implementations)} control implementations...",
+        ):
+            control_implementation = control_implementations[index]
+            control_implementation.create() if control_implementation.id == 0 else control_implementation.save()
+
+
+def build_implementations(results: list, regscale_id: int) -> list:
+    """
+    Build out the control implementations
+    from the results returned from CSAM
+
+    :param list results: records from CSAM
+    :param int regscale_id: RegScale SSP Id
+    :return: list of ControlImplementation objects
+    :return_type: list
+    """
+    matcher = ControlMatcher()
+    control_implementations = []
+
+    # Loop through the results and create or update the controls
+    for index in track(
+        range(len(results)),
+        description=f"Importing {len(results)} controls for system id: {regscale_id}...",
+    ):
+        result = results[index]
+
+        # Skip if not implemented
+        if not result["statedImplementationStatus"]:
+            continue
+
+        # Match existing controlImplementation
+        implementation = matcher.find_control_implementation(
+            control_id=result["controlId"], parent_id=regscale_id, parent_module="securityplans"
+        )
+
+        # Set values
+        status_lst = [FULLY_IMPLEMENTED if result["statedImplementationStatus"] == "Implemented" else "Not Implemented"]
+
+        status = FULLY_IMPLEMENTED if result["statedImplementationStatus"] == "Implemented" else "Not Implemented"
+
+        responsibility = (
+            result["applicability"]
+            if result["applicability"] in ["Hybrid", "Inherited"]
+            else "Provider (System Specific)"
+        )
+
+        impl = result["implementationStatement"]
+
+        if implementation:
+            # Update it
+            implementation.status_lst = status_lst
+            implementation.status = status
+            implementation.responsibility = responsibility
+            implementation.controlSource = "Baseline"
+            implementation.implementation = impl
+        else:
+            # Build it from the catalog
+            implementation = ControlImplementation(
+                status_lst=status_lst,
+                status=status,
+                parentId=regscale_id,
+                parentModule="securityplans",
+                controlID=result["controlID"],
+                responsibility=responsibility,
+                controlSource="Baseline",
+                implementation=impl,
+            )
+
+        control_implementations.append(implementation)
+
+    return control_implementations
+
+
+def retrieve_controls(csam_id: int, controls: list, regscale_id: int) -> list:
+    """
+    Takes a system id and list of controls
+    returns a list of implmentations for
+    that system id and framework
+
+    :param int system_id: CSAM system id
+    :param str framework: Framework name
+    :param list controls: list of possible controls
+    :param int regscale_id: RegScale SSP Id
+    :return: list of control implementations
+    :return_type: list
+    """
+    imps = []
+    # Loop through the controls and get the implementations
+    for index in track(
+        range(len(controls)),
+        description=f"Retrieving implementations for system id: {csam_id}...",
+    ):
+        control = controls[index]
+        implementations = retrieve_from_csam(
+            csam_endpoint=f"/CSAM/api/v1/systems/{csam_id}/controls/{control.controlId}",
+        )
+
+        if len(implementations) == 0:
+            logger.debug(f"No implementations found for control {control.controlId} in system id: {csam_id}")
+            continue
+
+        # Add the RegScale SSP Id and controlID to the implementation
+        for impl in implementations:
+            if "NotApplicable" in impl["applicability"]:
+                continue
+
+            impl["securityPlanId"] = regscale_id
+            impl["controlID"] = control.id
+            imps.append(impl)
+    return imps
+
+
+def set_inheritable(regscale_id: int):
+    """
+    Given a RegScale SSP Id
+    Sets the inheritable flag on all control implementations
+
+    :param int regscale_id: id of Security Plan
+    :return: None
+    """
+
+    # Get list of existing controlimplementations
+    implementations = ControlImplementation.get_list_by_parent(regscale_id=regscale_id, regscale_module="securityplans")
+
+    for index in track(
+        range(len(implementations)),
+        description="Setting controls Inheritable...",
+    ):
+        implementation = implementations[index]
+        imp = ControlImplementation.get_object(object_id=implementation["id"])
+        if imp.status in [FULLY_IMPLEMENTED, "Partially Implemented", "In Remediation"]:
+            imp.inheritable = True
+            imp.save()
+
+
+def trim_inheritances(inheritances=List[Dict]) -> List[Dict]:
+    # Trim out the records that aren't inherited
+    # Trim down to one record per Control (vice "deterineifs")
+
+    unique_controls = []
+    new_list = []
+
+    for inheritance in inheritances:
+        if inheritance.get("isInherited") is False:
+            continue
+
+        if inheritance.get("controlId") in unique_controls:
+            continue
+
+        unique_controls.append(inheritance.get("controlId"))
+        new_list.append(inheritance)
+
+    return new_list
+
+
+def process_inheritances(
+    inheritances: List[Dict[str, Any]],
+    ssp: SecurityPlan,
+    ssp_map: Dict[str, int],
+    imp_map: Dict[str, int],
+    linked_ssps: List[SecurityPlan],
+):
+
+    matcher = ControlMatcher()
+    for inheritance in inheritances:
+        # If not inherited, skip
+        if inheritance.get("isInherited") is False:
+            continue
+
+        # Check if the control exists in plan
+        control_id = matcher.find_control_implementation(
+            control_id=inheritance.get("controlId"), parent_id=ssp.id, parent_module="securityplans"
+        )
+        if control_id not in imp_map:
+            logger.debug(f"Control {control_id} not found in RegScale for SSP {ssp.systemName} (ID: {ssp.id})")
+            continue
+
+        # Find the baseControl in RegScale
+        # Find the SSP
+        base_ssp = ssp_map.get(inheritance.get("offeringSystemName"))
+        if not base_ssp:
+            logger.debug(f"Base SSP {inheritance.get('offeringSystemName')} not found in RegScale, skipping")
+            continue
+
+        # Find the source control
+        base_control_id = matcher.find_control_implementation(
+            control_id=inheritance.get("controlId"), parent_id=base_ssp, parent_module="securityplans"
+        )
+
+        if not base_control_id:
+            logger.debug(f"Control not found in Base SSP: {inheritance.get('offeringSystemName')}, skipping")
+            continue
+
+        # Create or update the inheritance record
+        # Add the parent if not already linked
+        if base_ssp not in linked_ssps:
+            linked_ssps.append(base_ssp)
+
+        # Create the records
+        create_inheritance(
+            parent_id=ssp.id,
+            parent_module="securityplans",
+            hybrid=inheritance.get("isHybrid", True),
+            base_id=base_ssp,
+            control_id=imp_map[control_id],
+            base_control_id=base_control_id,
+        )
+
+    # Create the Inheritance Record(s)
+    for inheritance_ssp in linked_ssps:
+        create_inheritance_linage(
+            parent_id=ssp.id,
+            parent_module="securityplans",
+            base_id=inheritance_ssp,
+        )
+
+
+def create_inheritance(
+    parent_id: int, parent_module: str, base_id: int, hybrid: bool, control_id: int, base_control_id: int
+):
+    """
+    Creates the records for inheritance
+
+    :param int parent_id: Id of inheriting record
+    :param str parent_module: Module of inheriting record
+    :param int base_id: Id of inherited record
+    :param bool hybrid: Is the control hybrid
+    :param int control_id: Id of inheriting control
+    :param int base_control_id: Id of inherited control
+    :return: None
+    """
+
+    # Update the control implementation
+    control_impl = ControlImplementation.get_object(object_id=control_id)
+    if control_impl:
+        control_impl.bInherited = True
+        control_impl.responsibility = "Hybrid" if hybrid else "Inherited"
+        control_impl.inheritedControlId = base_control_id
+        control_impl.inheritedSecurityPlanId = base_id
+        control_impl.save()
+
+    # Check if the Inherited Control already exists
+    existing = InheritedControl.get_all_by_control(control_id=control_id)
+    for exists in existing:
+        if exists["inheritedControlId"] == base_control_id:
+            return
+
+    InheritedControl(
+        parentId=parent_id, parentModule=parent_module, baseControlId=control_id, inheritedControlId=base_control_id
+    ).create()
+
+
+def create_inheritance_linage(parent_id: int, parent_module: str, base_id: int):
+    """
+    Creates a RegScale Inheritance Record
+
+    :param int parent_id: Id of inheriting record
+    :param str parent_module: Module of inheriting record
+    :param int base_control_id: Id of inherited control
+    :return: None
+    """
+    # Check if the Inheritance already exists
+    existing = Inheritance.get_all_by_parent(parent_id=parent_id, parent_module=parent_module)
+    for exists in existing:
+        if exists.planId == base_id:
+            return
+
+    # Update Lineage (no way to update.. only create)
+    Inheritance(recordId=parent_id, recordModule=parent_module, planId=base_id).create()
+
+
+def import_csam_inheritance(import_ids: Optional[List[int]] = None):
+    """
+    Import control inheritance from CSAM
+
+    :param list import_ids: List of SSPs to import
+    :return: None
+    """
+
+    # Get list of existing SSPs in RegScale
+    existing_ssps = SecurityPlan.get_ssp_list()
+    ssp_map = {ssp["title"]: ssp["id"] for ssp in existing_ssps}
+
+    if not import_ids:
+        import_ids = [ssp["id"] for ssp in existing_ssps]
+
+    # Get Inheritance data from CSAM
+    for index in track(
+        range(len(import_ids)),
+        description=f"Importing inheritance for {len(import_ids)} Systems...",
+    ):
+        ssp = SecurityPlan.get_object(object_id=import_ids[index])
+        linked_ssps = []
+        # Get the inheritance data from CSAM
+
+        inheritances = retrieve_from_csam(
+            csam_endpoint=f"/CSAM/api/v1/systems/{ssp.otherIdentifier}/inheritedcontrols",
+        )
+        if not inheritances:
+            logger.debug(f"No inheritance data found for SSP {ssp.systemName} (ID: {ssp.id})")
+            continue
+        # Process each inheritance record
+        imp_map = ControlImplementation.get_control_label_map_by_plan(plan_id=ssp.id)
+
+        inheritances = trim_inheritances(inheritances=inheritances)
+
+        process_inheritances(
+            inheritances=inheritances, ssp=ssp, ssp_map=ssp_map, imp_map=imp_map, linked_ssps=linked_ssps
+        )
+
+
+def get_catalogs() -> Tuple[Optional[int], Optional[int]]:
+    """
+    Get the catalog ids for NIST SP 800-53 Rev 5 and Rev 4
+
+    :return: tuple of catalog ids
+    :return_type: Tuple[Optional[int], Optional[int]]
+    """
+    # Find the Catalogs
+    # Use the init.yaml values, otherwise search for the catalogs by guid
+    app = Application()
+    catalogs = app.config.get("csamFrameworkCatalog")
+    rev5_catalog = Catalog.find_by_guid("b0c40faa-fda4-4ed3-83df-368908d9e9b2")  # NIST SP 800-53 Rev 5
+    rev4_catalog = Catalog.find_by_guid("02158108-e491-49de-b9a8-3cb1cb8197dd")  # NIST SP 800-53 Rev 4
+
+    if catalogs:
+        rev5_catalog_id = catalogs.get("800-53r5")
+        rev4_catalog_id = catalogs.get("800-53r4")
+    elif rev5_catalog and rev4_catalog:
+        rev5_catalog_id = rev5_catalog.id
+        rev4_catalog_id = rev4_catalog.id
+
+    return rev5_catalog_id, rev4_catalog_id

regscale/integrations/public/csam/csam_poam.py

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Integrates CSAM into RegScale"""
+
+# standard python imports
+import logging
+from typing import List
+from rich.progress import track
+from rich.console import Console
+from regscale.core.app.api import Api
+from regscale.core.app.application import Application
+from regscale.core.utils.date import format_to_regscale_iso, date_obj
+from regscale.core.app.utils.app_utils import error_and_exit, filter_list
+from regscale.core.app.utils.parser_utils import safe_date_str
+from regscale.models.regscale_models import (
+    Issue,
+    SecurityControl,
+    SecurityPlan,
+    User,
+)
+from regscale.models.regscale_models.regscale_model import RegScaleModel
+from regscale.integrations.control_matcher import ControlMatcher
+from regscale.models.regscale_models.form_field_value import FormFieldValue
+from regscale.integrations.public.csam.csam_common import (
+    retrieve_ssps_custom_form_map,
+    retrieve_from_csam,
+    FISMA_FIELD_NAME,
+    CSAM_FIELD_NAME,
+    SSP_BASIC_TAB,
+    SYSTEM_ID,
+)
+
+POAM_ID = "POAM Id"
+
+logger = logging.getLogger("regscale")
+console = Console()
+
+####################################################################################################
+#
+# IMPORT SSP / POAM FROM DoJ's CSAM GRC
+# CSAM API Docs: https://csam.dhs.gov/CSAM/api/docs/index.html (required PIV)
+#
+####################################################################################################
+
+
+def import_csam_poams():
+    # Check Custom Fields
+    custom_fields_basic_map = FormFieldValue.check_custom_fields(
+        fields_list=[FISMA_FIELD_NAME, CSAM_FIELD_NAME], module_name="securityplans", tab_name=SSP_BASIC_TAB
+    )
+
+    # Get the SSPs
+    ssp_map = retrieve_ssps_custom_form_map(
+        tab_name=SSP_BASIC_TAB, field_form_id=custom_fields_basic_map[CSAM_FIELD_NAME]
+    )
+
+    # Get a list of users and create a map to id
+    users = User.get_all()
+    user_map = {user.userName: user.id for user in users}
+
+    # Grab the data from CSAM
+    results = retrieve_from_csam(csam_endpoint="/CSAM/api/v1/reports/POAM_Details_Report_CBP")
+
+    # Parse the results
+    poam_list = []
+    for index in track(
+        range(len(results)),
+        description=f"Importing {len(results)} POA&Ms...",
+    ):
+        result = results[index]
+
+        # Get the existing SSP:
+        ssp_id = ssp_map.get(str(result[SYSTEM_ID]))
+        if not ssp_id:
+            logger.error(
+                f"A RegScale Security Plan does not exist for CSAM id: {result[SYSTEM_ID]}\
+             create or import the Security Plan prior to importing POA&Ms"
+            )
+            continue
+
+        # Check if the POAM exists:
+        existing_issue = Issue.find_by_other_identifier(result[POAM_ID])
+        if existing_issue:
+            new_issue = existing_issue
+        else:
+            new_issue = Issue()
+
+        # Update the issue
+        new_issue.isPoam = True
+        new_issue.parentId = ssp_id
+        new_issue.parentModule = "securityplans"
+        new_issue.otherIdentifier = result[POAM_ID]
+        new_issue.title = result["POAM Title"]
+        new_issue.affectedControls = result["Controls"]
+        new_issue.securityPlanId = ssp_id
+        new_issue.identification = "Vulnerability Assessment"
+        new_issue.description = result["Detailed Weakness Description"]
+        new_issue.poamComments = f"{result['Weakness Comments']}\n \
+            {result['POA&M Delayed Comments']}\n \
+            {result['POA&M Comments']}"
+        new_issue.dateFirstDetected = safe_date_str(result["Create Date"])
+        new_issue.dueDate = safe_date_str(result["Planned Finish Date"])
+        # Need to convert cost to a int
+        # new_issue.costEstimate = result['Cost']
+        new_issue.issueOwnerId = (
+            user_map.get(result["Email"]) if user_map.get(result["Email"]) else RegScaleModel.get_user_id()
+        )
+        # Update with IssueSeverity String
+        new_issue.severityLevel = result["Severity"]
+        # Update with IssueStatus String
+        new_issue.status = result["Status"]
+
+        poam_list.append(new_issue)
+
+    for index in track(
+        range(len(poam_list)),
+        description=f"Updating RegScale with {len(poam_list)} POA&Ms...",
+    ):
+        poam = poam_list[index]
+        if poam.id == 0:
+            poam.create()
+        else:
+            poam.save()
+    logger.info(f"Added or updated {len(poam_list)} POA&Ms in RegScale")

regscale/integrations/public/fedramp/click.py

@@ -9,8 +9,9 @@ from typing import Literal, Optional
 import click
 from dateutil.relativedelta import relativedelta
 
-from regscale.core.app.utils.regscale_utils import check_module_id
+from regscale.core.app.utils.regscale_utils import check_module_id, error_and_exit
 from regscale.models import regscale_id, regscale_module
+from regscale.models.regscale_models import Asset
 
 logger = logging.getLogger("regscale")
 
@@ -368,7 +369,7 @@ def import_fedramp_inventory(
     type=click.Path(exists=True, dir_okay=False, file_okay=True),
     required=True,
     prompt="Enter the file path containing FedRAMP (.xlsx) POAM workbook to ingest to RegScale.",
-    help="RegScale will process and load the FedRAMP POAMs as RegScale issues.",
+    help="RegScale will process and load the FedRAMP POAMs (including POA&M Items and Configuration Findings) as RegScale issues.",
 )
 @regscale_id()
 @regscale_module()
@@ -392,6 +393,8 @@ def import_fedramp_poam_template(
 ) -> None:
     """
     Import a FedRamp POA&M document to RegScale issues.
+
+    Supports both POA&M Items and Configuration Findings tabs.
     """
     # suppress UserWarnings from openpyxl
     import warnings
@@ -401,7 +404,17 @@ def import_fedramp_poam_template(
     warnings.filterwarnings("ignore", category=UserWarning, module="openpyxl")
 
     if not check_module_id(parent_id=regscale_id, parent_module=regscale_module):
-        raise ValueError(f"RegScale ID {regscale_id} is not a valid member of {regscale_module}.")
+        error_and_exit(f"RegScale ID {regscale_id} is not a valid member of {regscale_module}.")
+
+    # Check if assets exist before importing POAMs
+    existing_assets = Asset.get_all_by_parent(parent_id=regscale_id, parent_module=regscale_module)
+    if not existing_assets:
+        error_msg = (
+            f"No assets found in {regscale_module} #{regscale_id}. "
+            "Please import inventory first using 'regscale fedramp import_fedramp_inventory' "
+            "before importing POAMs."
+        )
+        error_and_exit(error_msg)
 
     # Initialize the FedRAMP integration
     integration = FedrampPoamIntegration(plan_id=regscale_id, file_path=str(file_path))
@@ -456,7 +469,7 @@ def import_drf(file_path: click.Path, regscale_id: int, regscale_module: str) ->
     warnings.filterwarnings("ignore", category=UserWarning, module="openpyxl")
 
     if not check_module_id(parent_id=regscale_id, parent_module=regscale_module):
-        raise ValueError(f"RegScale ID {regscale_id} is not a valid member of {regscale_module}.")
+        error_and_exit(f"RegScale ID {regscale_id} is not a valid member of {regscale_module}.")
     DRF(file_path=file_path, module_id=regscale_id, module=regscale_module)