Compliance Standards Integration

Overview

opnDossier integrates industry-standard security compliance frameworks to provide comprehensive blue team audit reports. The system supports STIG (Security Technical Implementation Guide), SANS Firewall Checklist, and CIS-inspired Firewall Security Controls standards for firewall security assessment.

Status

Audit mode CLI integration is deferred to v2.1. Track progress in #174.

Supported Standards

STIG (Security Technical Implementation Guide)

STIGs are cybersecurity methodologies for standardizing security configuration within networks, servers, computers, and logical designs to enhance overall security. opnDossier implements the DISA Firewall Security Requirements Guide which includes:

Key STIG Controls

Control ID	Title	Severity	Category
V-206694	Firewall must deny network communications traffic by default	High	Default Deny Policy
V-206701	Firewall must employ filters that prevent DoS attacks	High	DoS Protection
V-206674	Firewall must use packet headers and attributes for filtering	High	Packet Filtering
V-206690	Firewall must disable unnecessary network services	Medium	Service Hardening
V-206682	Firewall must generate comprehensive traffic logs	Medium	Logging
V-206680	Firewall must log network location information	Medium	Logging
V-206679	Firewall must log event timestamps	Medium	Logging
V-206678	Firewall must log event types	Medium	Logging
V-206681	Firewall must log source information	Low	Logging
V-206711	Firewall must alert on DoS incidents	Low	Alerting

SANS Firewall Checklist

The SANS Firewall Checklist provides practical security controls for firewall configuration and management:

Key SANS Controls

Control ID	Category	Title	Severity
SANS-FW-001	Access Control	Default Deny Policy	High
SANS-FW-002	Rule Management	Explicit Rule Configuration	Medium
SANS-FW-003	Network Segmentation	Network Zone Separation	High
SANS-FW-004	Logging and Monitoring	Comprehensive Logging	Medium
SANS-FW-005	Service Hardening	Unnecessary Services Disabled	Medium
SANS-FW-006	Authentication	Strong Authentication	High
SANS-FW-007	Encryption	Encrypted Management	High
SANS-FW-008	Backup and Recovery	Configuration Backup	Medium
SANS-FW-009	Vulnerability Management	Regular Updates	High
SANS-FW-010	Incident Response	Alert Configuration	Medium

CIS-Inspired Firewall Security Controls

Our CIS-inspired firewall security controls provide comprehensive security guidance designed for OPNsense firewalls, based on general industry best practices for network firewall security:

Key Firewall Security Controls

Control ID	Category	Title	Severity	Description
FIREWALL-001	System Configuration	SSH Warning Banner	High	Configure SSH warning banner
FIREWALL-002	System Configuration	Auto Configuration Backup	Medium	Enable automatic configuration backup
FIREWALL-003	System Configuration	Message of the Day	Medium	Set appropriate MOTD message
FIREWALL-004	System Configuration	Hostname Configuration	Low	Set device hostname
FIREWALL-005	Network Configuration	DNS Server Configuration	Medium	Configure DNS servers
FIREWALL-006	Network Configuration	IPv6 Disablement	Medium	Disable IPv6 if not used
FIREWALL-007	Network Configuration	DNS Rebind Check	Medium	Disable DNS rebind check
FIREWALL-008	Management Access	HTTPS Web Management	High	Use HTTPS for web management
FIREWALL-009	High Availability	HA Configuration	Medium	Configure synchronized HA peer
FIREWALL-010	User Management	Session Timeout	High	Set session timeout to ≤10 minutes
FIREWALL-011	Authentication	Central Authentication	High	Configure LDAP/RADIUS authentication
FIREWALL-012	Access Control	Console Menu Protection	Medium	Password protect console menu
FIREWALL-013	User Management	Default Account Management	High	Secure default accounts
FIREWALL-014	User Management	Local Account Status	Medium	Disable local accounts except admin
FIREWALL-015	Security Policy	Login Protection Threshold	High	Set threshold to ≤30
FIREWALL-016	Security Policy	Access Block Time	High	Set block time to ≥300 seconds
FIREWALL-017	Security Policy	Default Password Change	High	Change default admin password
FIREWALL-018	Firewall Rules	Destination Restrictions	High	No "Any" in destination field
FIREWALL-019	Firewall Rules	Source Restrictions	High	No "Any" in source field
FIREWALL-020	Firewall Rules	Service Restrictions	High	No "Any" in service field

Implementation Details

Audit Engine

The compliance analysis is performed by the internal/audit/engine.go module, which:

1. Analyzes OPNsense configurations against defined security controls
2. Maps findings to compliance standards with specific control references
3. Generates compliance reports with detailed remediation guidance
4. Provides risk assessment based on control compliance status

Data Structures

// AuditFinding represents a finding with compliance mappings
type AuditFinding struct {
    processor.Finding
    STIGReferences []string `json:"stigReferences,omitempty"`
    SANSReferences []string `json:"sansReferences,omitempty"`
    FirewallReferences []string `json:"firewallReferences,omitempty"`
    ComplianceTags []string `json:"complianceTags,omitempty"`
}

// AuditResult contains the complete audit results
type AuditResult struct {
    Findings       []AuditFinding `json:"findings"`
    STIGCompliance map[string]bool `json:"stigCompliance"`
    SANSCompliance map[string]bool `json:"sansCompliance"`
    FirewallCompliance map[string]bool `json:"firewallCompliance"`
    Summary        AuditSummary   `json:"summary"`
}

Compliance Checks

The audit engine performs the following types of checks:

STIG Compliance Checks

1. Default Deny Policy (V-206694)

2. Verifies firewall implements deny-by-default approach

3. Checks for explicit allow rules only

4. DoS Protection (V-206701)

5. Validates DoS protection mechanisms

6. Checks flood protection and rate limiting

7. Packet Filtering (V-206674)

8. Analyzes rule specificity

9. Identifies overly permissive rules

10. Service Hardening (V-206690)

11. Checks for unnecessary services

12. Validates service configuration

13. Logging Configuration (V-206682, V-206680, V-206679, V-206678, V-206681)

14. Verifies comprehensive logging

15. Checks log content and format

SANS Compliance Checks

1. Access Control (SANS-FW-001)

2. Validates default deny implementation

3. Checks explicit allow rules

4. Rule Management (SANS-FW-002)

5. Analyzes rule documentation

6. Checks rule specificity

7. Network Segmentation (SANS-FW-003)

8. Validates zone separation

9. Checks access controls between zones

10. Logging and Monitoring (SANS-FW-004)

11. Verifies comprehensive logging

12. Checks monitoring configuration

Firewall Security Compliance Checks

1. System Configuration (FIREWALL-001, FIREWALL-002, FIREWALL-003, FIREWALL-004)

2. Validates SSH warning banner configuration

3. Checks auto configuration backup settings
4. Verifies MOTD customization

5. Validates hostname configuration

6. Network Configuration (FIREWALL-005, FIREWALL-006, FIREWALL-007)

7. Verifies DNS server configuration

8. Checks IPv6 disablement settings

9. Validates DNS rebind check configuration

10. Management Access (FIREWALL-008)

11. Verifies HTTPS web management configuration

12. Checks management access encryption

13. High Availability (FIREWALL-009)

14. Validates HA peer configuration

15. Checks synchronization settings

16. User Management (FIREWALL-010, FIREWALL-013, FIREWALL-014)

17. Verifies session timeout configuration

18. Checks default account management

19. Validates local account status

20. Authentication (FIREWALL-011)

21. Validates central authentication configuration

22. Checks LDAP/RADIUS setup

23. Access Control (FIREWALL-012)

24. Verifies console menu protection

25. Checks access control settings

26. Security Policy (FIREWALL-015, FIREWALL-016, FIREWALL-017)

27. Validates login protection threshold

28. Checks access block time configuration

29. Verifies default password change

30. Firewall Rules (FIREWALL-018, FIREWALL-019, FIREWALL-020)

31. Validates destination field restrictions

32. Checks source field restrictions
33. Verifies service field restrictions

Enhanced Blue Team Reports

Planned for v2.1 alongside audit mode CLI integration.

The enhanced blue team report provides:

• Executive Summary with compliance metrics
• Findings by Severity with control references
• STIG Compliance Details with status matrix
• SANS Compliance Details with status matrix
• Firewall Security Compliance Details with status matrix
• Security Recommendations mapped to controls
• Compliance Roadmap for remediation
• Risk Assessment based on findings

Report Sections

Executive Summary

• Total findings count
• Severity breakdown
• Compliance status summary across all standards

Critical/High Findings

• Detailed findings with control references
• Specific remediation guidance
• STIG/SANS/Firewall control mappings

Compliance Details

• Control-by-control status for each standard
• Compliance matrices
• Risk assessments

Recommendations

• Prioritized action items
• Control-specific guidance
• Implementation roadmap

Compliance Mapping

Finding to Control Mapping

Each audit finding is mapped to relevant controls:

finding := AuditFinding{
    Finding: processor.Finding{
        Type:        "compliance",
        Title:       "Missing Default Deny Policy",
        Description: "Firewall does not implement a default deny policy",
        Recommendation: "Configure firewall to deny all traffic by default",
        Component:   "firewall-rules",
        Reference:   "FIREWALL-003, STIG V-206694",
    },
    STIGReferences: []string{"V-206694"},
    SANSReferences: []string{"SANS-FW-001"},
    FirewallReferences: []string{"FIREWALL-018"},
    ComplianceTags: []string{"default-deny", "firewall-rules", "security-posture"},
}

Baseline Processor Compliance Checks

The ExampleProcessor includes baseline compliance checks that run when compliance analysis is enabled. These checks are intended to flag common configuration gaps before advanced audit mappings are applied:

• Password Policy Enforcement (component: users): Critical severity when no enabled administrative users are configured; high severity when users are missing password configuration; medium severity when administrative accounts are disabled.
• Audit Logging Configuration (component: syslog): High severity when syslog is disabled; medium severity when critical categories (system, auth, filter) are missing; low severity when no remote syslog server is configured.

These findings use the compliance type and include remediation guidance aligned with OPNsense best practices.

Control Status Tracking

The system tracks compliance status for each control:

result.STIGCompliance["V-206694"] = false   // Non-compliant
result.SANSCompliance["SANS-FW-001"] = false // Non-compliant
result.FirewallCompliance["FIREWALL-018"] = false // Non-compliant

Benefits

For Blue Teams

1. Standardized Assessment: Use industry-recognized security controls
2. Compliance Reporting: Generate reports for regulatory requirements
3. Risk Prioritization: Focus on high-impact security issues
4. Remediation Guidance: Get specific action items for each finding
5. Framework Alignment: Align with STIG, SANS, and industry best practices

For Organizations

1. Regulatory Compliance: Meet STIG, SANS, and industry security requirements
2. Security Posture: Understand current security state
3. Improvement Roadmap: Plan security enhancements
4. Audit Readiness: Prepare for security assessments
5. Industry Standards: Follow recognized best practices

Future Enhancements

Planned Features

1. Additional Standards: NIST Cybersecurity Framework, ISO 27001
2. Custom Controls: Organization-specific security requirements
3. Automated Remediation: Generate configuration fixes
4. Compliance Monitoring: Track compliance over time
5. Integration: SIEM and ticketing system integration

Control Expansion

1. More STIG Controls: Additional DISA security requirements
2. Industry-Specific: Healthcare, finance, government controls
3. Regional Standards: EU, APAC, and other regional requirements
4. Framework Mapping: Cross-reference between standards
5. Additional Controls: Expand firewall security control coverage

References

• DISA STIG Library
• SANS Firewall Checklist
• CIS-Inspired Firewall Security Controls Reference
• STIG Viewer
• NIST Cybersecurity Framework

Support

For questions about compliance standards integration:

1. Documentation: Review this guide and API documentation
2. Issues: Report bugs or feature requests via GitHub
3. Contributions: Submit improvements to compliance mappings
4. Standards: Suggest additional security frameworks to support