# HBOM Compliance and Governance Rules
# Category: hbom-compliance
# Evaluates hardware inventory completeness, redaction posture, and governance-ready evidence.

# HBC-001: Linux hosts whose board-class components carry none of the
# provenance properties listed in the condition. Gated on platform only —
# there is no `type = 'device'` guard here, unlike HBC-002 through HBC-007.
- id: HBC-001
  name: "HBOM inventory lacks firmware or board provenance"
  description: "Incomplete firmware or board provenance weakens auditability for hardware refresh, attestation, and patch-governance workflows."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
    cis-controls-v8:
      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
  # Fires when zero `board` components have any of the five provenance
  # properties. A BOM with no `board` components at all also yields a count of
  # 0 and therefore fires; `boardComponentCount` in the evidence below tells
  # the two cases apart. Inside the predicate `$` is the metadata component
  # and `$$` the whole document.
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'board'
          and (
            $hasProp($, 'cdx:hbom:boardVendor')
            or $hasProp($, 'cdx:hbom:boardName')
            or $hasProp($, 'cdx:hbom:biosVendor')
            or $hasProp($, 'cdx:hbom:biosVersion')
            or $hasProp($, 'cdx:hbom:firmwareDate')
          )
        ]
      ) = 0
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' lacks board or firmware provenance fields needed for governance review"
  mitigation: "Enable richer firmware/board collection on supported Linux hosts, validate SMBIOS access, and ensure the inventory captures board vendor, board name, BIOS vendor, BIOS version, and firmware date where available."
  # `bom` is presumably the engine's binding for the document root (the `$$`
  # used in the condition) and `$` the matched component again — confirm
  # against the rule runner.
  evidence: |
    {
      "platform": $prop($, 'cdx:hbom:platform'),
      "architecture": $prop($, 'cdx:hbom:architecture'),
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
    }

# HBC-002: device components that cannot be reconciled to a fleet record
# because platform, architecture, or every durable identifier is absent.
- id: HBC-002
  name: "Managed asset identity is incomplete"
  description: "HBOMs used for fleet governance should capture stable host identity fields such as model, platform, and serial or asset identifiers."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
    cis-controls-v8:
      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
    iso-27001:
      - "A.5.9 Inventory of information and other associated assets"
  # Fires when platform OR architecture is missing, OR when none of the three
  # identifiers (serial, platform UUID, asset tag) is present. One identifier
  # is enough to satisfy the identity part of the check. The test is on
  # property presence only; an empty value still counts as present.
  condition: |
    metadata.component[
      type = 'device'
      and (
        $hasProp($, 'cdx:hbom:platform') = false
        or $hasProp($, 'cdx:hbom:architecture') = false
        or (
          $hasProp($, 'cdx:hbom:serialNumber') = false
          and $hasProp($, 'cdx:hbom:platformUuid') = false
          and $hasProp($, 'cdx:hbom:assetTag') = false
        )
      )
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM metadata for '{{ name }}' is missing stable asset identity fields required for governance workflows"
  mitigation: "Capture platform, architecture, and at least one durable host identifier (serial, platform UUID, or asset tag) so the device can be reconciled with CMDB and lifecycle systems."
  # Echoes whichever identifiers are present. When the collector ran with a
  # non-redacted identifier policy (see HBC-005) these are raw host identity
  # values — NOTE(review): confirm the findings output is protected at least
  # as well as the BOM itself.
  evidence: |
    {
      "platform": $prop($, 'cdx:hbom:platform'),
      "architecture": $prop($, 'cdx:hbom:architecture'),
      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
      "platformUuid": $prop($, 'cdx:hbom:platformUuid'),
      "assetTag": $prop($, 'cdx:hbom:assetTag')
    }

# HBC-003: the BOM carries no collector command evidence at the document
# level. Unlike HBC-001/002 this rule has no `standards` mapping.
- id: HBC-003
  name: "HBOM collector evidence is incomplete"
  description: "Governance review is weaker when the BOM omits the collector command evidence used to derive the hardware inventory."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  # The evidence properties are read from the document root (`$$`), not from
  # the device component. `$firstNonEmpty(..., '0')` makes an absent or empty
  # commandCount read as 0; what `$number` does with a non-numeric string is
  # not visible here — confirm it does not abort evaluation of the rule.
  condition: |
    metadata.component[
      type = 'device'
      and (
        $hasProp($$, 'cdx:hbom:evidence:commandCount') = false
        or $number($firstNonEmpty($prop($$, 'cdx:hbom:evidence:commandCount'), '0')) = 0
        or $hasProp($$, 'cdx:hbom:evidence:command') = false
      )
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' is missing collector command evidence needed for reproducible review"
  mitigation: "Retain command-evidence metadata in the distributed BOM, or attach equivalent collection provenance so reviewers can understand how the hardware inventory was derived."
  # Reads the same root-level properties as the condition, but via `bom`
  # rather than `$$` — presumably both name the document root; confirm.
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "commandCount": $prop(bom, 'cdx:hbom:evidence:commandCount'),
      "commandEvidence": $prop(bom, 'cdx:hbom:evidence:command')
    }

# HBC-004: storage volumes are inventoried but none declares an encryption
# posture property.
- id: HBC-004
  name: "Storage inventory lacks encryption posture evidence"
  description: "Storage volumes without explicit encryption posture make it difficult to prove compliance with device and media protection requirements."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-28 Protection of Information at Rest"
      - "CM-8 System Component Inventory"
  # Requires at least one `storage-volume` component (so hosts with no
  # inventoried volumes do not fire) and then zero volumes carrying either
  # `isEncrypted` or `fileVault`. Only presence is tested: a volume that
  # records `isEncrypted` as false still counts as having posture evidence,
  # which matches the rule's intent (evidence present, not encryption on).
  condition: |
    metadata.component[
      type = 'device'
      and $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']) > 0
      and $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
          and (
            $hasProp($, 'cdx:hbom:isEncrypted')
            or $hasProp($, 'cdx:hbom:fileVault')
          )
        ]
      ) = 0
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' includes storage volumes but no explicit encryption posture evidence"
  mitigation: "Enable volume-level enrichment on supported platforms or pair the HBOM with equivalent host controls evidence so encryption compliance can be verified."
  evidence: |
    {
      "storageVolumeCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']),
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "platform": $prop($, 'cdx:hbom:platform')
    }

# HBC-005: the device declares an identifier policy that is not a redacted
# one. Redaction posture is the only thing this rule checks; it has no
# `standards` mapping.
- id: HBC-005
  name: "HBOM uses non-redacted identifier policy"
  description: "HBOMs intended for broad distribution should avoid a non-redacted identifier policy unless raw identifiers are explicitly required by the receiving workflow."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  # Fires only when `identifierPolicy` is present and its lowercased value
  # does not start with 'redacted'. A BOM that declares no identifier policy
  # at all is therefore NOT flagged by this rule, even though it may carry
  # raw identifiers — a gap to keep in mind when relying on HBC-005 alone.
  condition: |
    metadata.component[
      type = 'device'
      and $hasProp($, 'cdx:hbom:identifierPolicy')
      and $not($startsWith($lowercase($safeStr($prop($, 'cdx:hbom:identifierPolicy'))), 'redacted'))
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  # The message interpolates the BOM-supplied policy string verbatim.
  # NOTE(review): confirm the reporter escapes interpolated values for the
  # output format it renders into (HTML, Markdown, terminal).
  message: "HBOM for '{{ name }}' uses identifier policy '{{ $prop($, 'cdx:hbom:identifierPolicy') }}' instead of a redacted posture"
  mitigation: "Default distributed HBOMs to redacted identifiers and keep raw hardware identity values confined to internal asset-governance workflows with a documented need-to-know."
  # Evidence copies the serial number and platform UUID into the finding. On a
  # BOM that fires this rule those are, by definition, non-redacted values —
  # the very data the mitigation says to confine. NOTE(review): confirm the
  # findings output is subject to the same need-to-know handling as the BOM.
  evidence: |
    {
      "identifierPolicy": $prop($, 'cdx:hbom:identifierPolicy'),
      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
      "platformUuid": $prop($, 'cdx:hbom:platformUuid')
    }

# HBC-006: the collector recorded one or more native enrichment commands as
# missing on the host. No `standards` mapping on this rule.
- id: HBC-006
  name: "HBOM collector is missing optional enrichment commands"
  description: "Missing native utilities reduce the hardware evidence available to governance, assurance, and troubleshooting workflows."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  # Reads the root-level analysis counter; an absent or empty value reads as
  # 0 via `$firstNonEmpty(..., '0')`, so only a positive count fires.
  condition: |
    metadata.component[
      type = 'device'
      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:missingCommandCount'), '0')) > 0
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' reported missing native enrichment commands"
  mitigation: "Install the reported utilities on the target host and rerun the HBOM collection so the inventory includes the richer structured hardware evidence those commands provide."
  # `$propList` presumably expands a list-valued property — confirm its
  # behaviour when the property is absent.
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "missingCommandCount": $prop(bom, 'cdx:hbom:analysis:missingCommandCount'),
      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
      "diagnosticIssues": $propList(bom, 'cdx:hbom:analysis:diagnosticIssues')
    }

# HBC-007: one or more permission-sensitive enrichments were denied during
# collection. Same counter pattern as HBC-006, different root property.
- id: HBC-007
  name: "HBOM collector hit permission-denied enrichments"
  description: "Permission-sensitive enrichments that fail during collection often leave firmware, graphics, or SMBIOS evidence incomplete until the host is rerun with the documented privileged mode."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  # An absent or empty counter reads as 0 via `$firstNonEmpty(..., '0')`;
  # only a positive count fires.
  condition: |
    metadata.component[
      type = 'device'
      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:permissionDeniedCount'), '0')) > 0
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  # The mitigation is gated on "where policy allows": a privileged rerun
  # widens what the collector can read, so it is a governance decision, not an
  # automatic fix.
  message: "HBOM for '{{ name }}' hit permission-denied enrichments that likely require a rerun with --privileged"
  mitigation: "Where policy allows, rerun HBOM collection with --privileged so cdx-hbom can use the documented non-interactive sudo path for permission-sensitive Linux enrichments."
  # `requiresPrivileged` is the collector's own assessment; the condition above
  # does not consult it — the count alone decides whether the rule fires.
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "permissionDeniedCount": $prop(bom, 'cdx:hbom:analysis:permissionDeniedCount'),
      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
      "requiresPrivileged": $prop(bom, 'cdx:hbom:analysis:requiresPrivileged')
    }

# HBC-008: Linux host where the fwupd device query was unavailable to the
# collector. Narrower than HBC-006: it keys on one specific command id.
- id: HBC-008
  name: "HBOM collector is missing firmware-management enrichment"
  description: "Without fwupd-derived metadata, governance teams lose update-protocol, firmware GUID, and device lifecycle context that is useful for firmware assurance and remediation planning."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  # Gated on platform = 'linux' (no `type = 'device'` guard, as in HBC-001).
  # Fires when the root-level missingCommandIds list contains the literal
  # collector command id 'fwupdmgr-devices-json'.
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'fwupdmgr-devices-json')
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' is missing firmware-management enrichment because fwupdmgr was unavailable"
  mitigation: "Install fwupd on the target host and rerun the collection so the BOM can capture protocol, flags, GUIDs, and related firmware-management properties where supported."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
      "installHintCount": $prop(bom, 'cdx:hbom:analysis:installHintCount')
    }

# HBC-009: Linux host where the dmidecode-backed board/BIOS enrichment was
# permission-denied. Narrower than HBC-007: it keys on one specific command id
# and is the likely root cause when HBC-001 also fires on the same host.
- id: HBC-009
  name: "HBOM board and BIOS provenance was blocked by permissions"
  description: "When dmidecode-backed firmware and board enrichment is blocked, the HBOM may miss board-vendor, board-name, BIOS-version, and related governance evidence."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  # Gated on platform = 'linux' (no `type = 'device'` guard). Fires when the
  # root-level permissionDeniedIds list contains the literal collector command
  # id 'dmidecode-firmware-board'.
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'dmidecode-firmware-board')
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' could not capture full board and BIOS provenance because dmidecode enrichment was blocked"
  mitigation: "Where policy allows, rerun with --privileged or equivalent access so the collector can gather firmware vendor, BIOS version, board vendor, and board name data."
  # `boardComponentCount` shows whether any board component was captured
  # despite the denied enrichment; it is not part of the firing condition.
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds'),
      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
    }

# HBC-010: display hardware is inventoried but the richer EDID or DRM
# enrichment did not run. No `standards` mapping on this rule.
- id: HBC-010
  name: "HBOM display and DRM evidence is incomplete"
  description: "Missing EDID decoding or blocked DRM enrichment reduces the fidelity of display, connector, and content-protection metadata used during workstation and kiosk governance reviews."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  # Requires at least one `display-connector` or `display-adapter` component,
  # then fires if 'edid-decode' is in the missing-command list OR
  # 'drm-info-json' is in the permission-denied list. There is no platform or
  # `type = 'device'` gate here, unlike HBC-008/009, although the mitigation
  # text is written for Linux displays — presumably the collector only emits
  # these command ids on Linux; confirm.
  condition: |
    metadata.component[
      $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
        ]
      ) > 0
      and (
        $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'edid-decode')
        or $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'drm-info-json')
      )
    ]
  # Falls back to the document serial number when the component has no bom-ref.
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "HBOM for '{{ name }}' includes display hardware but the richer DRM or EDID evidence is incomplete"
  mitigation: "Install edid-decode where available and, if policy permits, rerun with --privileged so the collector can capture connector, mode, and content-protection metadata for Linux displays."
  # Both id lists are emitted in full so the reviewer can see which of the two
  # branches of the condition matched.
  evidence: |
    {
      "displayComponentCount": $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
        ]
      ),
      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds')
    }
