fix: Correct OSCAL output to desired design point for osco-to-oscal.
* Several small-ish fix-ups to produced OSCAL.

* Fix comparison data for utils tests.

Co-authored-by: Chris Butler <chris@thebutlers.me>
degenaro and butler54 authored Mar 15, 2021
1 parent e0c1651 commit 5530eb4
Showing 11 changed files with 10,324 additions and 4,417 deletions.
69 changes: 41 additions & 28 deletions docs/cli.md
Expand Up @@ -366,6 +366,9 @@ Example input OSCO scan result file contents (snippet):

*ssg-ocp4-ds-cis-111.222.333.444-pod.yaml*

<details>
<summary>display sample</summary>

```
apiVersion: v1
data:
Expand Down Expand Up @@ -423,19 +426,25 @@ metadata:
resourceVersion: "22693328"
selfLink: /api/v1/namespaces/openshift-compliance/configmaps/ssg-ocp4-ds-cis-111.222.333.444-pod
uid: 1da3ea81-0a25-4512-ad86-7ac360246b5d
```
</details>
<br>

<span style="color:green">
Example input OSCAL metadata file contents:
</span>

*oscal-metadata.yaml*

```
<details>
<summary>display sample</summary>

```
ssg-ocp4-ds-cis-111.222.333.444-pod:
locker: https://github.mycorp.com/degenaro/evidence-locker
namespace: xccdf
benchmark: CIS Kubernetes Benchmark
subject-references:
component:
uuid-ref: 56666738-0f9a-4e38-9aac-c0fad00a5821
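Review bot: check the fence pairing at the top of the *oscal-metadata.yaml* sample in this hunk: it shows a bare ``` line, then `<details>` / `<summary>display sample</summary>`, then a second ``` immediately before `ssg-ocp4-ds-cis-111.222.333.444-pod:`. That only renders correctly if the first ``` is the line being removed; if it survives, the `<details>` block lands inside a code fence and every later fence on the page is shifted by one. Two smaller points in the same hunk: the `<br>` after `</details>` is redundant once a blank line separates it from the following `<span>`, and GitHub's sanitizer strips `style="color:green"` from inline HTML, so that heading renders as plain text regardless; a normal bold line, like the **metadata format** heading further down, would be consistent and survive rendering.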
Expand All @@ -447,13 +456,15 @@ ssg-ocp4-ds-cis-111.222.333.444-pod:
title: Pod
properties:
target: kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp
target-ip: 111.222.333.444
cluster-name: ROKS-OpenSCAP-1
cluster-type: openshift
cluster-region: us-south
ssg-rhel7-ds-cis-111.222.333.444-pod:
locker: https://github.mycorp.com/degenaro/evidence-locker
namespace: xccdf
benchmark: CIS Kubernetes Benchmark
subject-references:
component:
uuid-ref: 89cfe7a7-ce6b-4699-aa7b-2f5739c72001
Expand All @@ -465,10 +476,12 @@ ssg-rhel7-ds-cis-111.222.333.444-pod:
title: VM
properties:
target: kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp
target-ip: 111.222.333.444
cluster-name: ROKS-OpenSCAP-1
cluster-type: openshift
cluster-region: us-south
```
</details>

**metadata format**

Expand All @@ -482,7 +495,9 @@ OSCAL.

```
<name>:
locker: <locker>
namespace: <namespace>
benchmark: <benchmark>
subject-references:
component:
uuid-ref: <uuid-ref-component>
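Review bot: the template now lists `benchmark: <benchmark>`, but the **metadata format** text does not say whether the key is required or optional, nor what the converter does when it is absent. Since the sample output shows `benchmark` surfacing as a prop with `"class": "source"` on the observation, add one sentence here stating that mapping and whether a missing key drops the prop or fails the task, so users editing their own metadata file know which behaviour to expect.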
Expand Down Expand Up @@ -518,6 +533,8 @@ Example output OSCAL Observations file contents (snippet):
</span>

*ssg-ocp4-ds-cis-111.222.333.444-pod.json*
<details>
<summary>display sample</summary>

```
{
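Review bot: the YAML sample above has a blank line between the *oscal-metadata.yaml* filename and `<details>`, but here `<details>` follows *ssg-ocp4-ds-cis-111.222.333.444-pod.json* directly. Insert the blank line so both samples render the same way and the italic filename is not absorbed into the HTML block by the markdown renderer.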
Expand All @@ -526,6 +543,14 @@ Example output OSCAL Observations file contents (snippet):
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"title": "xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd",
"description": "xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd",
"props": [
{
"name": "benchmark",
"ns": "dns://osco",
"class": "source",
"value": "CIS Kubernetes Benchmark"
}
],
"methods": [
"TEST-AUTOMATED"
],
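Review bot: the observation at the top of this hunk carries `"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"`, which is the same value the metadata file uses as the component `uuid-ref` and that the `subjects` entry further down references. OSCAL requires every `uuid` to be unique within a document, and an observation is a distinct object from the component it observes, so while this sample is being regenerated give the observation its own UUID; otherwise readers copy a document that fails uniqueness validation. The new `benchmark` prop with `"class": "source"` otherwise matches the metadata key being added in the same commit.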
Expand All @@ -542,18 +567,32 @@ Example output OSCAL Observations file contents (snippet):
"props": [
{
"name": "target",
"ns": "dns://osco",
"class": "inventory-item",
"value": "kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp"
},
{
"name": "target-ip",
"ns": "dns://osco",
"class": "inventory-item",
"value": "111.222.333.444"
},
{
"name": "cluster-name",
"ns": "dns://osco",
"class": "inventory-item",
"value": "ROKS-OpenSCAP-1"
},
{
"name": "cluster-type",
"ns": "dns://osco",
"class": "inventory-item",
"value": "openshift"
},
{
"name": "cluster-region",
"ns": "dns://osco",
"class": "inventory-item",
"value": "us-south"
}
]
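Review bot: `"ns": "dns://osco"` is used as the namespace for all five new inventory-item props. OSCAL types `ns` as a URI, and `dns:` is a registered scheme (RFC 4501) with its own syntax for naming DNS resources, so `dns://osco` is syntactically an absolute URI but claims a namespace the project does not own. An `https://` URI under a domain the project controls, which is the usual OSCAL convention for third-party prop namespaces, avoids collisions with another producer's `target` or `cluster-name` props and gives consumers something they can look up. The same applies to `dns://xccdf` in the following hunk.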
Expand Down Expand Up @@ -581,40 +620,14 @@ Example output OSCAL Observations file contents (snippet):
"ns": "dns://xccdf",
"class": "result",
"value": "notselected"
},
{
"name": "target",
"ns": "dns://xccdf",
"class": "target",
"value": "kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp"
}
]
}
]
},
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"title": "xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens",
"description": "xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens",
"methods": [
"TEST-AUTOMATED"
],
"subjects": [
{
"uuid-ref": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"type": "component",
"title": "Red Hat OpenShift Kubernetes"
},
...
]
},
...
{
...
}
]
}
```
</details>

## `trestle task tanium-to-oscal`

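Review bot: the second observation removed here (`content_rule_accounts_restrict_service_account_tokens`) repeated `"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"` from the first observation, so dropping it also removes a uniqueness violation from the sample. The `target` prop under `"ns": "dns://xccdf"` / `"class": "target"` is removed as well, leaving `target` only among the `dns://osco` inventory-item props; that is a silent change in output shape for anyone already consuming the old documents and should be stated in the text above the sample. Finally, the `...` placeholders mean the snippet cannot be checked with a JSON parser, so verify by eye that the `}` / `]` sequence left after the deletion still balances.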
4 changes: 4 additions & 0 deletions tests/data/tasks/osco/input/oscal-metadata.yaml
Expand Up @@ -2,6 +2,7 @@
ssg-ocp4-ds-cis-111.222.333.444-pod:
locker: https://github.mycorp.com/degenaro/evidence-locker
namespace: xccdf
benchmark: CIS Kubernetes Benchmark
subject-references:
component:
uuid-ref: 56666738-0f9a-4e38-9aac-c0fad00a5821
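Review bot: both fixture entries gain `benchmark`, so the tests only exercise the path where the key is present. Add a third entry (or a second fixture file) that omits `benchmark` and `target-ip` to pin down whether a missing key drops the corresponding prop or raises; that is also the behaviour the **metadata format** section of docs/cli.md needs to document.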
Expand All @@ -13,13 +14,15 @@ ssg-ocp4-ds-cis-111.222.333.444-pod:
title: Pod
properties:
target: kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp
target-ip: 111.222.333.444
cluster-name: ROKS-OpenSCAP-1
cluster-type: openshift
cluster-region: us-south

ssg-rhel7-ds-cis-111.222.333.444-pod:
locker: https://github.mycorp.com/degenaro/evidence-locker
namespace: xccdf
benchmark: CIS Kubernetes Benchmark
subject-references:
component:
uuid-ref: 89cfe7a7-ce6b-4699-aa7b-2f5739c72001
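Review bot: `target-ip: 111.222.333.444` is not a syntactically valid IPv4 address (two octets exceed 255). That is a sensible choice for fixture data, since it can never point at a real host, but if the converter or a later validation step ever checks the value as an IP address this fixture will fail for an unrelated reason; a comment beside the entry noting that the address is intentionally invalid would spare a future reader the puzzle.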
Expand All @@ -31,6 +34,7 @@ ssg-rhel7-ds-cis-111.222.333.444-pod:
title: VM
properties:
target: kube-br7qsa3d0vceu2so1a90-roksopensca-default-0000026b.iks.mycorp
target-ip: 111.222.333.444
cluster-name: ROKS-OpenSCAP-1
cluster-type: openshift
cluster-region: us-south