From 9721932d4bf5c264fda307671566d72bd5b0347b Mon Sep 17 00:00:00 2001 From: Takumi Yanagawa Date: Tue, 4 Jun 2024 22:48:41 +0900 Subject: [PATCH] add example usage of heterogeneous PVPs Signed-off-by: Takumi Yanagawa --- .secrets.baseline | 9 + c2p/tools/viewer/template.py | 4 +- c2p/tools/viewer/viewer.py | 17 +- docs/public/heterogeneous.md | 47 ++ docs/public/heterogeneous.result.md | 760 ++++++++++++++++++ .../tests/data/heterogeneous/auditree.json | 34 + .../heterogeneous/component-definition.csv | 16 + .../heterogeneous/component-definition.json | 644 +++++++++++++++ .../data/heterogeneous/csv-to-oscal-cd.config | 7 + .../heterogeneous/compliance_to_policy.py | 45 ++ .../heterogeneous/compliance_to_policy.sh | 32 + .../heterogeneous/result_to_compliance.py | 118 +++ .../kyverno/compliance_to_policy.py | 10 +- .../kyverno/result_to_compliance.py | 10 +- samples_public/ocm/compliance_to_policy.py | 10 +- samples_public/ocm/result_to_compliance.py | 10 +- 16 files changed, 1763 insertions(+), 10 deletions(-) create mode 100644 docs/public/heterogeneous.md create mode 100644 docs/public/heterogeneous.result.md create mode 100644 plugins_public/tests/data/heterogeneous/auditree.json create mode 100644 plugins_public/tests/data/heterogeneous/component-definition.csv create mode 100644 plugins_public/tests/data/heterogeneous/component-definition.json create mode 100644 plugins_public/tests/data/heterogeneous/csv-to-oscal-cd.config create mode 100644 samples_public/heterogeneous/compliance_to_policy.py create mode 100755 samples_public/heterogeneous/compliance_to_policy.sh create mode 100644 samples_public/heterogeneous/result_to_compliance.py diff --git a/.secrets.baseline b/.secrets.baseline index fb09706..228fd5f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -172,6 +172,15 @@ "type": "Hex High Entropy String", "verified_result": null } + ], + "plugins_public/tests/data/heterogeneous/auditree.json": [ + { + "hashed_secret": "1e5c2f367f02e47a8c160cda1cd9d91decbac441", + "is_verified": false, + "line_number": 12, + "type": "Secret Keyword", + "verified_result": null + } ] }, "version": "0.13.1+ibm.61.dss", diff --git a/c2p/tools/viewer/template.py b/c2p/tools/viewer/template.py index 8939e45..52047e3 100644 --- a/c2p/tools/viewer/template.py +++ b/c2p/tools/viewer/template.py @@ -23,7 +23,9 @@ {% for rule_result in control_result.rule_results %} {% if rule_result.subjects|length > 0 %} -Rule {{ rule_result.id}}: {{ rule_result.description}} +Rule `{{ rule_result.id}}`: +- {{ rule_result.description}} +
Details {% for subject in rule_result.subjects %} diff --git a/c2p/tools/viewer/viewer.py b/c2p/tools/viewer/viewer.py index 746cd46..cba5bb6 100644 --- a/c2p/tools/viewer/viewer.py +++ b/c2p/tools/viewer/viewer.py @@ -14,7 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -from typing import List, Optional +from typing import Dict, List, Optional from jinja2 import Template from pydantic import BaseModel @@ -73,15 +73,22 @@ def get_pass_fail_icon(result): def render(assessment_results: AssessmentResults, component_definition: ComponentDefinition) -> str: - rule_sets = [] + rule_sets_map: Dict[str, List[Dict[str, str]]] = {} for component in component_definition.components: if is_component_type_validation(component.type): - rule_sets = rule_sets + group_props_by_remarks(component) + rule_sets_map[component.title] = group_props_by_remarks(component) components: List[DefinedComponent] = list( filter(lambda x: not is_component_type_validation(x.type), component_definition.components) ) + def get_pvp_rule_pair(rule_id): + for pvp, rule_sets in rule_sets_map.items(): + for rule in rule_sets: + if rule['Rule_Id'] == rule_id: + return (pvp, rule) + return None, None + render_components = [] for component in components: rendered_component = RenderedComponent(title=component.title) @@ -91,9 +98,9 @@ def render(assessment_results: AssessmentResults, component_definition: Componen control_result = ControlResult(id=control_id) for prop in filter(lambda x: x.name == 'Rule_Id', imple_req.props): rule_id = prop.value - rule_set = next(filter(lambda x: x['Rule_Id'] == rule_id, rule_sets), None) + pvp, rule_set = get_pvp_rule_pair(rule_id) if rule_set != None: - rule_result = RuleResult(id=rule_id, description=rule_set['Check_Description']) + rule_result = RuleResult(id=f'{rule_id} ({pvp})', description=rule_set['Check_Description']) o = find_observation(assessment_results.results[0].observations, rule_set['Check_Id']) if o != None: for subject in o.subjects: diff --git a/docs/public/heterogeneous.md b/docs/public/heterogeneous.md new file mode 100644 index 0000000..408b61c --- /dev/null +++ b/docs/public/heterogeneous.md @@ -0,0 +1,47 @@ +## Work on heterogeneous PVPs + +Usecase of security checks against system (Github and Managed Kubernetes clusters) by multiple PVPs (Auditree, Kyverno, and OCM Policy). + +![heterogeneous](https://github.com/oscal-compass/compliance-to-policy/assets/113283236/bb64f81a-986c-41fa-83c6-4e7e9165af76) + +#### Steps +1. (Optional) Create OSCAL Component Defintion including multiple PVPs as validation components + - [component-definition.csv](/plugins_public/tests/data/heterogeneous/component-definition.csv) +1. Generate PVP policies from the OSCAL Component Definition + ``` + python samples_public/heterogeneous/compliance_to_policy.py \ + -c ./plugins_public/tests/data/heterogeneous/component-definition.json \ + -o ./policies + ``` + 1. Policies for each PVP are generated + ``` + $ tree -L 2 policies + policies + ├── auditree + │ └── auditree.json + ├── kyverno + │ ├── allowed-base-images + │ └── disallow-capabilities + └── ocm + ├── kustomization.yaml + ├── parameters.yaml + ├── policy-deployment + ├── policy-disallowed-roles + ├── policy-generator.yaml + └── policy-high-scan + ``` +1. (Optional) Collect policy validation results from system + - Example all PVP results are located in [/plugins_public/tests/data](/plugins_public/tests/data). +1. Generate OSCAL Assessment Results from PVP results + ``` + python samples_public/heterogeneous/result_to_compliance.py \ + -c ./plugins_public/tests/data/heterogeneous/component-definition.json \ + -r ./plugins_public/tests/data > assessment-results.json + ``` +1. OSCAL Assessment Results is not human readable format. You can see the merged report in markdown by a quick viewer. + ``` + c2p tools viewer \ + -cdef ./plugins_public/tests/data/heterogeneous/component-definition.json \ + -ar assessment-results.json + ``` + e.g. [result.md](/docs/public/heterogeneous.result.md) \ No newline at end of file diff --git a/docs/public/heterogeneous.result.md b/docs/public/heterogeneous.result.md new file mode 100644 index 0000000..7a8e302 --- /dev/null +++ b/docs/public/heterogeneous.result.md @@ -0,0 +1,760 @@ + + +## Component: GitHub + + +#### Result of control cm-2: + + +--- + +#### Result of control ac-2: + + + +Rule `demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty (Auditree)`: +- Check whether the GitHub org is not empty. + +
Details + + + - Subject UUID: ae5c2bac-47be-4734-b847-beaad450a76e + - Title: Auditree Check: demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty_0_nasa + - Result: pass :white_check_mark: + - Reason: + ``` + {} + ``` + + + - Subject UUID: adc99d7c-b9fd-4d31-961f-c076635f2d53 + - Title: Auditree Check: demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty_1_esa + - Result: pass :white_check_mark: + - Reason: + ``` + {} + ``` + +
+ + +--- + + +## Component: Managed Kubernetes + + +#### Result of control cm-2: + + + +Rule `allowed-base-images (Kyverno)`: +- Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list. + +
Details + + + - Subject UUID: 70057a02-062f-4fb7-9dff-6407e633e4a1 + - Title: v1/Pod kube-scheduler-kind-control-plane kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 03b044ca-6739-41cb-9c9e-038db3e48b9f + - Title: v1/Pod coredns-5d78c9869d-gc25q kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: b393c6ea-dce4-496c-bc65-52ae123564a5 + - Title: v1/Pod kindnet-pbb9l kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 3d51ff83-c708-484c-8bdb-858ca48d14d3 + - Title: v1/Pod etcd-kind-control-plane kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 499afc36-5aa5-4d3b-8cac-b7a58043e14a + - Title: v1/Pod kube-apiserver-kind-control-plane kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: f770e021-b3a7-4699-bca7-58cf6c70bb14 + - Title: v1/Pod kube-proxy-zbddb kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 321d5475-59c1-4b77-98fc-624f23b0deba + - Title: v1/Pod coredns-5d78c9869d-2rbnq kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 037a870a-6256-4b0f-8d2b-70e3bb877c6c + - Title: v1/Pod kube-controller-manager-kind-control-plane kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 79f831d8-7b72-47a1-8f44-9fe9835caea9 + - Title: apps/v1/DaemonSet kindnet kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 906d7d99-2eae-461e-9def-5557e4c488ca + - Title: apps/v1/DaemonSet kube-proxy kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: ab72cc56-7c1f-42aa-9d96-3cafd843b464 + - Title: apps/v1/ReplicaSet coredns-5d78c9869d kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 6672c835-890d-4c68-a271-321ec432d26f + - Title: apps/v1/Deployment coredns kube-system + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: cbc28d59-713f-4b25-9dc3-d6cedd0eb8cf + - Title: v1/Pod kyverno-admission-controller-7cd788c8dd-gdnhp kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: be053523-a394-4fef-956f-c4fdbe5b841e + - Title: v1/Pod kyverno-reports-controller-7f94855747-tmnhr kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: a753ba1d-df9e-4c4a-b0a9-6e435da74b9d + - Title: v1/Pod kyverno-cleanup-admission-reports-28551310-cc4k7 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: d696fc41-1f67-4dd7-a1b4-1df455a2c607 + - Title: v1/Pod kyverno-cleanup-cluster-admission-reports-28551310-m4ld4 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 2ca0e393-5de6-49b4-bcb0-c0a98f89bace + - Title: v1/Pod kyverno-cleanup-controller-ddf458755-9bnlb kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: e02c3cb0-69b9-4947-b4cb-5b9447194bf0 + - Title: v1/Pod kyverno-background-controller-74599787cf-s6nm2 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 3eac92cd-05b3-4340-9d2d-ac06509b6aba + - Title: apps/v1/Deployment kyverno-cleanup-controller kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 32965aa3-0813-4d49-8b52-d6623764c16e + - Title: batch/v1/Job kyverno-cleanup-cluster-admission-reports-28551310 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: b009839e-1f23-44b1-bae1-61e2f1177613 + - Title: apps/v1/ReplicaSet kyverno-admission-controller-7cd788c8dd kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 05e47efc-7798-4087-a007-4a0f1b0ee925 + - Title: batch/v1/Job kyverno-cleanup-admission-reports-28551310 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 019c7fa5-e4ac-43a2-93d4-f31be5e894d2 + - Title: apps/v1/Deployment kyverno-background-controller kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: a1853c39-c418-4f76-aa2b-2d19f0705cf4 + - Title: apps/v1/ReplicaSet kyverno-cleanup-controller-ddf458755 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 7dee76f1-87bd-4125-af7f-b16b3940ee07 + - Title: apps/v1/ReplicaSet kyverno-background-controller-74599787cf kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 5dc41d4d-f497-4f9c-8e0a-4514a990e30b + - Title: apps/v1/Deployment kyverno-reports-controller kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 583c7bb1-3b9a-4dc2-a820-e17c525fcfe9 + - Title: apps/v1/ReplicaSet kyverno-reports-controller-7f94855747 kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 09b9733c-fd96-43ba-a32f-fa0374341aa0 + - Title: apps/v1/Deployment kyverno-admission-controller kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: e91e2d61-5d80-4d78-81dd-6295518904a3 + - Title: batch/v1/CronJob kyverno-cleanup-cluster-admission-reports kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: ff4e74e7-952d-4bd2-a9fa-77357c87869a + - Title: batch/v1/CronJob kyverno-cleanup-admission-reports kyverno + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 0441a56f-4a31-43c7-89b5-b40a8072ccf8 + - Title: v1/Pod local-path-provisioner-6bc4bddd6b-vlmww local-path-storage + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 876d0a33-5d16-48f2-a73b-02d458e3e53c + - Title: apps/v1/ReplicaSet local-path-provisioner-6bc4bddd6b local-path-storage + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + + + - Subject UUID: 637ce887-14c0-4773-af38-bf5dd77b7ac1 + - Title: apps/v1/Deployment local-path-provisioner local-path-storage + - Result: failure :x: + - Reason: + ``` + validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. + ``` + +
+ + + +Rule `policy-deployment (OCM)`: +- Ensure NGINX is deployed and running with given minimum instances + +
Details + + + - Subject UUID: 8d550c54-dcd4-4ba8-9e0a-a6b2d2158120 + - Title: Cluster "cluster1" + - Result: failure :x: + - Reason: + ``` + [c2p.policy-deployment.176f1ddc5591cb1c] NonCompliant; violation - deployments not found: [nginx-deployment] in namespace cluster1 missing; [nginx-deployment] in namespace kube-node-lease missing; [nginx-deployment] in namespace kube-public missing; [nginx-deployment] in namespace local-path-storage missing + ``` + + + - Subject UUID: 9632eb0a-0a37-4aa5-8f51-e738acc95dab + - Title: Cluster "cluster2" + - Result: failure :x: + - Reason: + ``` + [c2p.policy-deployment.176f1dc4e7de17cb] NonCompliant; violation - deployments not found: [nginx-deployment] in namespace cluster2 missing; [nginx-deployment] in namespace default missing; [nginx-deployment] in namespace kube-node-lease missing; [nginx-deployment] in namespace kube-public missing; [nginx-deployment] in namespace local-path-storage missing + ``` + +
+ + +--- + +#### Result of control cm-2.1: + + + +Rule `disallow-capabilities (Kyverno)`: +- Adding capabilities beyond those listed in the policy must be disallowed. + +
Details + + + - Subject UUID: e904838d-6ae5-4e6d-a6af-f23251af41a9 + - Title: v1/Pod kube-scheduler-kind-control-plane kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 9efd1da2-49a2-4c8a-876c-d7ba3903d131 + - Title: v1/Pod coredns-5d78c9869d-gc25q kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 12fcdc21-0bef-4e9a-a6fc-5f0d610dca7c + - Title: v1/Pod kindnet-pbb9l kube-system + - Result: failure :x: + - Reason: + ``` + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) are disallowed. + ``` + + + - Subject UUID: 46f484c3-310c-400d-b827-fd93f71ee2a9 + - Title: v1/Pod etcd-kind-control-plane kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: e51ea171-1445-4ed5-a87b-f2a471aba1d7 + - Title: v1/Pod kube-apiserver-kind-control-plane kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 43561035-6e0d-42c1-9d73-db80d0ef91b8 + - Title: v1/Pod kube-proxy-zbddb kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 98d01ce3-bbb7-424a-90b9-0500444d6410 + - Title: v1/Pod coredns-5d78c9869d-2rbnq kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: b0fe2b9e-0dab-4895-a3f4-999fcf161ac0 + - Title: v1/Pod kube-controller-manager-kind-control-plane kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 09678adf-4299-4c5c-8cd9-dd69c85b4891 + - Title: apps/v1/DaemonSet kindnet kube-system + - Result: failure :x: + - Reason: + ``` + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) are disallowed. + ``` + + + - Subject UUID: e81dac74-cb49-4c70-8d77-6418fcbbe670 + - Title: apps/v1/DaemonSet kube-proxy kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 21c7ca64-e77e-494d-8f12-0f4038abe410 + - Title: apps/v1/ReplicaSet coredns-5d78c9869d kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 85e58cf6-ebe9-4edc-bf35-177864c7b1cd + - Title: apps/v1/Deployment coredns kube-system + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 44942bba-b51d-42a2-9449-df7dd48eacf2 + - Title: v1/Pod kyverno-admission-controller-7cd788c8dd-gdnhp kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 43b02afc-fbbd-474e-82dd-2f63035f6a43 + - Title: v1/Pod kyverno-reports-controller-7f94855747-tmnhr kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 10a62320-3a50-46fa-8228-0b2dbc1c8a85 + - Title: v1/Pod kyverno-cleanup-admission-reports-28551310-cc4k7 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: efc7b716-8c48-4f64-a921-7ce7f18a87bb + - Title: v1/Pod kyverno-cleanup-cluster-admission-reports-28551310-m4ld4 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: cb34f9c9-cb3d-40e4-95f6-4d08b91fc41f + - Title: v1/Pod kyverno-cleanup-controller-ddf458755-9bnlb kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 4ce8797f-7de4-46f4-ba8a-f07dd6e5c825 + - Title: v1/Pod kyverno-background-controller-74599787cf-s6nm2 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: e12d0bf6-d8f8-40e3-bf34-8769be9d2242 + - Title: apps/v1/Deployment kyverno-cleanup-controller kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: f85edce1-7872-4e08-8c15-4b31acc57752 + - Title: batch/v1/Job kyverno-cleanup-cluster-admission-reports-28551310 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 16d35cd5-68a8-4e6b-a7eb-ca1dd5d53484 + - Title: apps/v1/ReplicaSet kyverno-admission-controller-7cd788c8dd kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 970a79f6-7816-4ae3-a2e7-461fcefcd59c + - Title: batch/v1/Job kyverno-cleanup-admission-reports-28551310 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: cc36dd97-e864-4fde-a6ea-9f597a10816e + - Title: apps/v1/Deployment kyverno-background-controller kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 096a66b2-b4f0-4699-8c7a-73a533a39fc9 + - Title: apps/v1/ReplicaSet kyverno-cleanup-controller-ddf458755 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 09265b08-841a-40e4-8905-f5c3a69852d1 + - Title: apps/v1/ReplicaSet kyverno-background-controller-74599787cf kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: a92bb864-4709-435b-99a3-af182b9d99ee + - Title: apps/v1/Deployment kyverno-reports-controller kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 470a4b28-bfdf-4b42-beb4-fdfa633d21cf + - Title: apps/v1/ReplicaSet kyverno-reports-controller-7f94855747 kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: 4fea8c6a-1493-4522-8093-b560a5d6521f + - Title: apps/v1/Deployment kyverno-admission-controller kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: aac1da24-1ef4-4b9f-a6c3-78736dc74d6b + - Title: batch/v1/CronJob kyverno-cleanup-cluster-admission-reports kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-cronjob-adding-capabilities' passed. + ``` + + + - Subject UUID: 71c4745a-55b5-4616-a976-dd17212f720d + - Title: batch/v1/CronJob kyverno-cleanup-admission-reports kyverno + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-cronjob-adding-capabilities' passed. + ``` + + + - Subject UUID: ebf2ea59-6634-4b02-b582-c08a3247d4bd + - Title: v1/Pod local-path-provisioner-6bc4bddd6b-vlmww local-path-storage + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'adding-capabilities' passed. + ``` + + + - Subject UUID: 65eafe6f-9a3a-4e90-9cb9-73f7448d056c + - Title: apps/v1/ReplicaSet local-path-provisioner-6bc4bddd6b local-path-storage + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + + + - Subject UUID: fa06ba30-837c-44da-985c-f0409d1ae14f + - Title: apps/v1/Deployment local-path-provisioner local-path-storage + - Result: pass :white_check_mark: + - Reason: + ``` + validation rule 'autogen-adding-capabilities' passed. + ``` + +
+ + +--- + +#### Result of control ac-1: + + + +Rule `policy-disallowed-roles (OCM)`: +- Ensure roles are set to only allowed values + +
Details + + + - Subject UUID: 0dc6be0d-a543-4be8-b44e-93807b239f97 + - Title: Cluster "cluster1" + - Result: pass :white_check_mark: + - Reason: + ``` + [c2p.policy-disallowed-roles.176f1dcdc4c8d17e] Compliant; notification - roles in namespace cluster1; in namespace default; in namespace kube-node-lease; in namespace kube-public; in namespace local-path-storage missing as expected, therefore this Object template is compliant + ``` + + + - Subject UUID: abdd951e-9d9b-44e6-9709-a783d5c3ad32 + - Title: Cluster "cluster2" + - Result: pass :white_check_mark: + - Reason: + ``` + [c2p.policy-disallowed-roles.176f1dc36e36b7b2] Compliant; notification - roles in namespace cluster2; in namespace default; in namespace kube-node-lease; in namespace kube-public; in namespace local-path-storage missing as expected, therefore this Object template is compliant + ``` + +
+ + +--- + +#### Result of control cm-6: + + + +Rule `policy-high-scan (OCM)`: +- Ensure scan is enabled with high level + +
Details + + + - Subject UUID: 2558054b-c8f5-477d-91e1-aab3b2d58c04 + - Title: Cluster "cluster1" + - Result: failure :x: + - Reason: + ``` + [c2p.policy-high-scan.176f1ddc441457e5] NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult, please check if you have CRD deployed + ``` + + + - Subject UUID: e50230da-d99d-4a4c-84fd-89e79b733297 + - Title: Cluster "cluster2" + - Result: failure :x: + - Reason: + ``` + [c2p.policy-high-scan.176f1dc4e29e1221] NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult, please check if you have CRD deployed + ``` + +
+ + +--- + + diff --git a/plugins_public/tests/data/heterogeneous/auditree.json b/plugins_public/tests/data/heterogeneous/auditree.json new file mode 100644 index 0000000..687af03 --- /dev/null +++ b/plugins_public/tests/data/heterogeneous/auditree.json @@ -0,0 +1,34 @@ +{ + "locker": { + "default_branch": "main", + "repo_url": "https://github.com/MY_ORG/MY_EVIDENCE_REPO" + }, + "notify": { + "slack": { + "demo.arboretum.accred": [ + "#some-slack-channel", + "#some-other-slack-channel" + ], + "demo.custom.accred": [ + "#some-slack-channel" + ] + }, + "gh_issues": { + "demo.arboretum.accred": { + "repo": [ + "MY_ORG/MY_GH_ISSUES_REPO", + "MY_ORG/MY_OTHER_GH_ISSUES_REPO" + ], + "title": "Check results for demo.arboretum.accred accreditation" + } + } + }, + "org": { + "gh": { + "orgs": [ + "ORG1", + "ORG2" + ] + } + } +} \ No newline at end of file diff --git a/plugins_public/tests/data/heterogeneous/component-definition.csv b/plugins_public/tests/data/heterogeneous/component-definition.csv new file mode 100644 index 0000000..98c8343 --- /dev/null +++ b/plugins_public/tests/data/heterogeneous/component-definition.csv @@ -0,0 +1,16 @@ +$$Component_Title,$$Component_Description,$$Component_Type,$$Control_Id_List,$$Rule_Id,$$Rule_Description,$Parameter_Id,$Parameter_Description,$Parameter_Value_Alternatives,$Parameter_Value_Default,$$Profile_Source,$$Profile_Description,$Check_Id,$Check_Description,$$Namespace +A human readable name for the component.,A description of the component including information about its function.,A category describing the purpose of the component. ALLOWED VALUES interconnection:software:hardware:service:physical:process-procedure:plan:guidance:standard:validation:,A list of textual labels that uniquely identify the controls or statements that the component implements.,A textual label that uniquely identifies a policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the policy (desired state) including information about its purpose and scope.,A textual label that uniquely identifies the parameter associated with that policy (desired state) or controls implemented by the policy (desired state).,A description of the parameter including the purpose and use of the parameter.,ONLY for the policy (desired state) parameters: A value or set of values the parameter can take. The catalog parameters values are defined in the catalog. ,"A value recommended by Compliance Team in this profile for the parameter of the control or policy (desired state). If a CIS-benchmark exists, the default default could be the CIS-benchmark recommanded value.",A URL reference to the source catalog or profile for which this component is implementing controls for. A profile designates a selection and configuration of controls from one or more catalogs,A description of the profile.,A textual label that uniquely identifies a check of the policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the check of the policy (desired state) including the method (interview or examine or test) and procedure details.,"A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Used in conjunction with ""class"" as the ontology concept. " +GitHub,GitHub,Service,cm-2,demo_examples.checks.test_github.GitHubOrgs.test_supported_versions,GitHub API returns any supported version.,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,demo_examples.checks.test_github.GitHubOrgs.test_supported_versions,Check whether there are any supported versions.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +GitHub,GitHub,Service,ac-2,demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty,GitHub org is not empty.,org.gh.orgs,List of organization name,"nasa,esa","nasa,esa",https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty,Check whether the GitHub org is not empty.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Managed Kubernetes,Managed Kubernetes cluster,Service,cm-2,allowed-base-images,"Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.",allowed_baseimages,Allowed baseimages,gcr.io/distroless/static:root,gcr.io/distroless/static:root,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,allowed-base-images,"Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.",http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Managed Kubernetes,Managed Kubernetes cluster,Service,cm-2.1,disallow-capabilities,"Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` and, if found, will mutate the Pod to add an IimagePullSecret called `my-secret`.",,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,disallow-capabilities,Adding capabilities beyond those listed in the policy must be disallowed.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Managed Kubernetes,Managed Kubernetes cluster,Service,cm-2,policy-deployment,Ensure deployment configuration is securely set up,minimum_nginx_deployment_replicas,Minimum number of NGINX pod,3,3,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-deployment,Ensure NGINX is deployed and running with given minimum instances,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Managed Kubernetes,Managed Kubernetes cluster,Service,ac-1,policy-disallowed-roles,Ensure roles are set to only allowed values,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-disallowed-roles,Ensure roles are set to only allowed values,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Managed Kubernetes,Managed Kubernetes cluster,Service,cm-6,policy-high-scan,Ensure scan is enabled with high level,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-high-scan,Ensure scan is enabled with high level,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Auditree,Auditree,Validation,na,demo_examples.checks.test_github.GitHubOrgs.test_supported_versions,GitHub API returns any supported version.,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,demo_examples.checks.test_github.GitHubOrgs.test_supported_versions,Check whether there are any supported versions.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Auditree,Auditree,Validation,na,demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty,GitHub org is not empty.,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty,Check whether the GitHub org is not empty.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Kyverno,Kyverno as Policy Validation Point,Validation,na,allowed-base-images,"Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.",,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,allowed-base-images,"Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.",http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +Kyverno,Kyverno as Policy Validation Point,Validation,na,disallow-capabilities,"Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` and, if found, will mutate the Pod to add an IimagePullSecret called `my-secret`.",,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,disallow-capabilities,Adding capabilities beyond those listed in the policy must be disallowed.,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +OCM,OCM as Policy Validation Point,Validation,na,policy-deployment,Ensure NGINX is deployed and running with given minimum instances,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-deployment,Ensure NGINX is deployed and running with given minimum instances,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +OCM,OCM as Policy Validation Point,Validation,na,policy-disallowed-roles,Ensure roles are set to only allowed values,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-disallowed-roles,Ensure roles are set to only allowed values,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud +OCM,OCM as Policy Validation Point,Validation,na,policy-high-scan,Ensure scan is enabled with high level,,,,,https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json,NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE,policy-high-scan,Ensure scan is enabled with high level,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud \ No newline at end of file diff --git a/plugins_public/tests/data/heterogeneous/component-definition.json b/plugins_public/tests/data/heterogeneous/component-definition.json new file mode 100644 index 0000000..40ac380 --- /dev/null +++ b/plugins_public/tests/data/heterogeneous/component-definition.json @@ -0,0 +1,644 @@ +{ + "component-definition": { + "uuid": "2e280330-18b8-4812-80d5-c2e15b0f0948", + "metadata": { + "title": "Component Definition using Heterogeneous PVPs", + "last-modified": "2024-06-04T09:33:06+00:00", + "version": "1.0", + "oscal-version": "1.0.4" + }, + "components": [ + { + "uuid": "23e45641-3c6b-4d9c-a111-ab81df5554a7", + "type": "Service", + "title": "GitHub", + "description": "GitHub", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions", + "remarks": "rule_set_00" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "GitHub API returns any supported version.", + "remarks": "rule_set_00" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions", + "remarks": "rule_set_00" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Check whether there are any supported versions.", + "remarks": "rule_set_00" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty", + "remarks": "rule_set_01" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "GitHub org is not empty.", + "remarks": "rule_set_01" + }, + { + "name": "Parameter_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "org.gh.orgs", + "remarks": "rule_set_01" + }, + { + "name": "Parameter_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "List of organization name", + "remarks": "rule_set_01" + }, + { + "name": "Parameter_Value_Alternatives", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "nasa,esa", + "remarks": "rule_set_01" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty", + "remarks": "rule_set_01" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Check whether the GitHub org is not empty.", + "remarks": "rule_set_01" + } + ], + "control-implementations": [ + { + "uuid": "4e88cbc0-98f0-437c-9583-2b975f5b9c70", + "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json", + "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE", + "set-parameters": [ + { + "param-id": "org.gh.orgs", + "values": [ + "nasa", + "esa" + ] + } + ], + "implemented-requirements": [ + { + "uuid": "5ee157a0-3e0c-4b1b-bb1c-db4630455fe4", + "control-id": "cm-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions" + } + ] + }, + { + "uuid": "7db44b45-20e3-4806-b01b-4182bbd27db6", + "control-id": "ac-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty" + } + ] + } + ] + } + ] + }, + { + "uuid": "f1c9445f-0b76-473c-ae7b-10013f3cb914", + "type": "Service", + "title": "Managed Kubernetes", + "description": "Managed Kubernetes cluster", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images", + "remarks": "rule_set_02" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.", + "remarks": "rule_set_02" + }, + { + "name": "Parameter_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed_baseimages", + "remarks": "rule_set_02" + }, + { + "name": "Parameter_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Allowed baseimages", + "remarks": "rule_set_02" + }, + { + "name": "Parameter_Value_Alternatives", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "gcr.io/distroless/static:root", + "remarks": "rule_set_02" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images", + "remarks": "rule_set_02" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.", + "remarks": "rule_set_02" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities", + "remarks": "rule_set_03" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` and, if found, will mutate the Pod to add an IimagePullSecret called `my-secret`.", + "remarks": "rule_set_03" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities", + "remarks": "rule_set_03" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Adding capabilities beyond those listed in the policy must be disallowed.", + "remarks": "rule_set_03" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment", + "remarks": "rule_set_04" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure deployment configuration is securely set up", + "remarks": "rule_set_04" + }, + { + "name": "Parameter_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "minimum_nginx_deployment_replicas", + "remarks": "rule_set_04" + }, + { + "name": "Parameter_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Minimum number of NGINX pod", + "remarks": "rule_set_04" + }, + { + "name": "Parameter_Value_Alternatives", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "3", + "remarks": "rule_set_04" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment", + "remarks": "rule_set_04" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure NGINX is deployed and running with given minimum instances", + "remarks": "rule_set_04" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles", + "remarks": "rule_set_05" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure roles are set to only allowed values", + "remarks": "rule_set_05" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles", + "remarks": "rule_set_05" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure roles are set to only allowed values", + "remarks": "rule_set_05" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan", + "remarks": "rule_set_06" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure scan is enabled with high level", + "remarks": "rule_set_06" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan", + "remarks": "rule_set_06" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure scan is enabled with high level", + "remarks": "rule_set_06" + } + ], + "control-implementations": [ + { + "uuid": "5a1fe2cf-b8de-42f2-89c7-6fdba985ef97", + "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json", + "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE", + "set-parameters": [ + { + "param-id": "allowed_baseimages", + "values": [ + "gcr.io/distroless/static:root" + ] + }, + { + "param-id": "minimum_nginx_deployment_replicas", + "values": [ + "3" + ] + } + ], + "implemented-requirements": [ + { + "uuid": "418d830e-ac59-480b-98f2-1c363b17f024", + "control-id": "cm-2", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment" + } + ] + }, + { + "uuid": "f2487b9a-7f6d-4b0c-9ae1-d32b5069e522", + "control-id": "cm-2.1", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities" + } + ] + }, + { + "uuid": "ccb5aef2-d8cd-42d6-871e-9afa0a687dd4", + "control-id": "ac-1", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles" + } + ] + }, + { + "uuid": "e69ada48-7d51-400d-9580-4dec91743056", + "control-id": "cm-6", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan" + } + ] + } + ] + } + ] + }, + { + "uuid": "e3965c22-1ce0-4355-ac97-653f7b6e67a6", + "type": "Validation", + "title": "Auditree", + "description": "Auditree", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions", + "remarks": "rule_set_07" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "GitHub API returns any supported version.", + "remarks": "rule_set_07" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions", + "remarks": "rule_set_07" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Check whether there are any supported versions.", + "remarks": "rule_set_07" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty", + "remarks": "rule_set_08" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "GitHub org is not empty.", + "remarks": "rule_set_08" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty", + "remarks": "rule_set_08" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Check whether the GitHub org is not empty.", + "remarks": "rule_set_08" + } + ], + "control-implementations": [ + { + "uuid": "094cb6b0-15e8-4e37-b8c0-661e59b385c3", + "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json", + "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE", + "implemented-requirements": [ + { + "uuid": "30d9ed6f-14d8-494d-ae2b-ac4034873bfb", + "control-id": "na", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_supported_versions" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty" + } + ] + } + ] + } + ] + }, + { + "uuid": "0b0402f2-4b2a-4814-bb1e-d392e02ab0c0", + "type": "Validation", + "title": "Kyverno", + "description": "Kyverno as Policy Validation Point", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images", + "remarks": "rule_set_09" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.", + "remarks": "rule_set_09" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images", + "remarks": "rule_set_09" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.", + "remarks": "rule_set_09" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities", + "remarks": "rule_set_10" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Images coming from certain registries require authentication in order to pull them, and the kubelet uses this information in the form of an imagePullSecret to pull those images on behalf of your Pod. This policy searches for images coming from a registry called `corp.reg.com` and, if found, will mutate the Pod to add an IimagePullSecret called `my-secret`.", + "remarks": "rule_set_10" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities", + "remarks": "rule_set_10" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Adding capabilities beyond those listed in the policy must be disallowed.", + "remarks": "rule_set_10" + } + ], + "control-implementations": [ + { + "uuid": "5c052888-ac10-4082-b812-296fcd333b39", + "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json", + "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE", + "implemented-requirements": [ + { + "uuid": "87a39e57-339a-4aff-90f6-08d2cec0186c", + "control-id": "na", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "allowed-base-images" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "disallow-capabilities" + } + ] + } + ] + } + ] + }, + { + "uuid": "b305c949-984f-4655-b7a2-8d6618614e2f", + "type": "Validation", + "title": "OCM", + "description": "OCM as Policy Validation Point", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment", + "remarks": "rule_set_11" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure NGINX is deployed and running with given minimum instances", + "remarks": "rule_set_11" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment", + "remarks": "rule_set_11" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure NGINX is deployed and running with given minimum instances", + "remarks": "rule_set_11" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles", + "remarks": "rule_set_12" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure roles are set to only allowed values", + "remarks": "rule_set_12" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles", + "remarks": "rule_set_12" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure roles are set to only allowed values", + "remarks": "rule_set_12" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan", + "remarks": "rule_set_13" + }, + { + "name": "Rule_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure scan is enabled with high level", + "remarks": "rule_set_13" + }, + { + "name": "Check_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan", + "remarks": "rule_set_13" + }, + { + "name": "Check_Description", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "Ensure scan is enabled with high level", + "remarks": "rule_set_13" + } + ], + "control-implementations": [ + { + "uuid": "070f037a-a616-4029-88a8-9ec9af7e9665", + "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json", + "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE", + "implemented-requirements": [ + { + "uuid": "ce032485-52ae-4eb7-9a10-b56fed1d96f8", + "control-id": "na", + "description": "", + "props": [ + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-deployment" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-disallowed-roles" + }, + { + "name": "Rule_Id", + "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud", + "value": "policy-high-scan" + } + ] + } + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/plugins_public/tests/data/heterogeneous/csv-to-oscal-cd.config b/plugins_public/tests/data/heterogeneous/csv-to-oscal-cd.config new file mode 100644 index 0000000..40bc446 --- /dev/null +++ b/plugins_public/tests/data/heterogeneous/csv-to-oscal-cd.config @@ -0,0 +1,7 @@ + +[task.csv-to-oscal-cd] + +title = Component Definition using Heterogeneous PVPs +version = 1.0 +csv-file = plugins_public/tests/data/heterogeneous/component-definition.csv +output-dir = plugins_public/tests/data/heterogeneous diff --git a/samples_public/heterogeneous/compliance_to_policy.py b/samples_public/heterogeneous/compliance_to_policy.py new file mode 100644 index 0000000..bf1655f --- /dev/null +++ b/samples_public/heterogeneous/compliance_to_policy.py @@ -0,0 +1,45 @@ +import argparse +import subprocess +from pathlib import Path + +TEST_DATA_BASE_DIR = 'plugins_public/tests/data' +TEST_DATA_DIR = f'{TEST_DATA_BASE_DIR}/heterogeneous' + +parser = argparse.ArgumentParser() +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) +parser.add_argument( + '-o', + '--out', + type=str, + help=f'Path to output directory', + required=True, +) + +args = parser.parse_args() +out = args.out + + +def run(pvp, *additionals): + command = [ + 'python', + f'samples_public/{pvp}/compliance_to_policy.py', + '-c', + args.component_definition, + ] + command = command + list(additionals) + subprocess.run(command, capture_output=True, text=True) + + +Path(out).mkdir(exist_ok=True) +(Path(out) / 'auditree').mkdir(exist_ok=True) + +run('auditree', '-o', f'{out}/auditree/auditree.json') +run('kyverno', '-o', f'{out}/kyverno') +run('ocm', '-o', f'{out}/ocm') diff --git a/samples_public/heterogeneous/compliance_to_policy.sh b/samples_public/heterogeneous/compliance_to_policy.sh new file mode 100755 index 0000000..ddd8920 --- /dev/null +++ b/samples_public/heterogeneous/compliance_to_policy.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +component_definition=./plugins_public/tests/data/heterogeneous/component-definition.json +out=./plugins_public/tests/data/heterogeneous + +while [[ $# -gt 0 ]]; do + case $1 in + -c|--component_definition) + component_definition="$2" + shift + shift + ;; + -o|--out) + out="$2" + shift + shift + ;; + -*|--*) + echo "Unknown option $1" + exit 1 + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac +done + +mkdir -p $out/auditree +python samples_public/auditree/compliance_to_policy.py -c $component_definition -o $out/auditree/auditree.json +python samples_public/kyverno/compliance_to_policy.py -c $component_definition -o $out/kyverno +python samples_public/ocm/compliance_to_policy.py -c $component_definition -o $out/ocm \ No newline at end of file diff --git a/samples_public/heterogeneous/result_to_compliance.py b/samples_public/heterogeneous/result_to_compliance.py new file mode 100644 index 0000000..8215841 --- /dev/null +++ b/samples_public/heterogeneous/result_to_compliance.py @@ -0,0 +1,118 @@ +import argparse +import subprocess +from typing import Dict, List + +from trestle.oscal.assessment_results import AssessmentResults, ControlSelection +from trestle.oscal.assessment_results import Model as AssessmentResultsRoot +from trestle.oscal.assessment_results import Result, ReviewedControls, SelectControlById +from trestle.oscal.common import Metadata + +from c2p.framework.oscal_utils import get_datetime, uuid + +TEST_DATA_BASE_DIR = 'plugins_public/tests/data' +TEST_DATA_DIR = f'{TEST_DATA_BASE_DIR}/heterogeneous' + +parser = argparse.ArgumentParser() +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) +parser.add_argument( + '-r', + '--result_directory', + type=str, + default=f'{TEST_DATA_BASE_DIR}', + help=f'Path to (default: {TEST_DATA_BASE_DIR}', + required=False, +) + +args = parser.parse_args() + + +def run(pvp, *additionals) -> AssessmentResultsRoot: + command = [ + 'python', + f'samples_public/{pvp}/result_to_compliance.py', + '-c', + args.component_definition, + ] + command = command + list(additionals) + ret = subprocess.run(command, capture_output=True, text=True) + return AssessmentResultsRoot.parse_raw(ret.stdout) + + +ar_auditree = run('auditree', '-i', f'{args.result_directory}/auditree/check_results.json') +ar_kyverno = run( + 'kyverno', + '-polr', + f'{args.result_directory}/kyverno/policyreports.wgpolicyk8s.io.yaml', + '-cpolr', + f'{args.result_directory}/kyverno/clusterpolicyreports.wgpolicyk8s.io.yaml', +) +ar_ocm = run( + 'ocm', + '-p', + f'{args.result_directory}/ocm/policies.policy.open-cluster-management.io.yaml', +) +metadata = Metadata( + title='System Assessment Results (using heterogeneous PVPs', + last_modified=get_datetime(), + oscal_version=ar_auditree.assessment_results.metadata.oscal_version, + version='0.0.1', +) + +include_controls_map: Dict[str, List[str]] = {} + + +def map_to_include_controls(ar: AssessmentResultsRoot) -> List[SelectControlById]: + return [ + control + for selection in ar.assessment_results.results[0].reviewed_controls.control_selections + for control in selection.include_controls + ] + + +include_controls = ( + map_to_include_controls(ar_auditree) + map_to_include_controls(ar_kyverno) + map_to_include_controls(ar_ocm) +) + +for c in include_controls: + if c.control_id in include_controls_map: + include_controls_map[c.control_id] = include_controls_map[c.control_id] + c.statement_ids + else: + include_controls_map[c.control_id] = c.statement_ids +include_controls = [SelectControlById(control_id=x[0], statement_ids=x[1]) for x in include_controls_map.items()] +reviewed_controls = ReviewedControls(control_selections=[ControlSelection(include_controls=include_controls)]) + + +def map_to_subjects(ar: AssessmentResultsRoot) -> List[SelectControlById]: + return [ + control + for selection in ar.assessment_results.results[0].reviewed_controls.control_selections + for control in selection.include_controls + ] + + +observations = ( + ar_auditree.assessment_results.results[0].observations + + ar_kyverno.assessment_results.results[0].observations + + ar_ocm.assessment_results.results[0].observations +) + +result = Result( + uuid=uuid(), + title='System Assessment Results', + description='System Assessment Results', + start=get_datetime(), + reviewed_controls=reviewed_controls, + observations=observations, +) + +ar = AssessmentResults( + uuid=uuid(), metadata=metadata, import_ap=ar_auditree.assessment_results.import_ap, results=[result] +) +print(ar.oscal_serialize_json(pretty=True)) diff --git a/samples_public/kyverno/compliance_to_policy.py b/samples_public/kyverno/compliance_to_policy.py index 4a42e95..90f37cd 100644 --- a/samples_public/kyverno/compliance_to_policy.py +++ b/samples_public/kyverno/compliance_to_policy.py @@ -13,6 +13,14 @@ TEST_DATA_DIR = 'plugins_public/tests/data/kyverno' parser = argparse.ArgumentParser() +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) parser.add_argument( '-o', '--out', type=str, help='Path to output directory (default: system temporary directory)', required=False ) @@ -23,7 +31,7 @@ # Setup c2p_config c2p_config = C2PConfig() c2p_config.compliance = ComplianceOscal() -c2p_config.compliance.component_definition = f'{TEST_DATA_DIR}/component-definition.json' +c2p_config.compliance.component_definition = args.component_definition c2p_config.pvp_name = 'Kyverno' c2p_config.result_title = 'Kyverno Assessment Results' c2p_config.result_description = 'OSCAL Assessment Results from Kyverno' diff --git a/samples_public/kyverno/result_to_compliance.py b/samples_public/kyverno/result_to_compliance.py index 6b145b3..861729b 100644 --- a/samples_public/kyverno/result_to_compliance.py +++ b/samples_public/kyverno/result_to_compliance.py @@ -32,12 +32,20 @@ help='Path to cluster policy report', required=False, ) +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) args = parser.parse_args() # Setup c2p_config c2p_config = C2PConfig() c2p_config.compliance = ComplianceOscal() -c2p_config.compliance.component_definition = f'{TEST_DATA_DIR}/component-definition.json' +c2p_config.compliance.component_definition = args.component_definition c2p_config.pvp_name = 'Kyverno' c2p_config.result_title = 'Kyverno Assessment Results' c2p_config.result_description = 'OSCAL Assessment Results from Kyverno' diff --git a/samples_public/ocm/compliance_to_policy.py b/samples_public/ocm/compliance_to_policy.py index 903fafa..3b5d8bc 100644 --- a/samples_public/ocm/compliance_to_policy.py +++ b/samples_public/ocm/compliance_to_policy.py @@ -13,6 +13,14 @@ TEST_DATA_DIR = 'plugins_public/tests/data/ocm' parser = argparse.ArgumentParser() +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) parser.add_argument( '-o', '--out', type=str, help='Path to output directory (default: system temporary directory)', required=False ) @@ -23,7 +31,7 @@ # Setup c2p_config c2p_config = C2PConfig() c2p_config.compliance = ComplianceOscal() -c2p_config.compliance.component_definition = 'plugins_public/tests/data/ocm/component-definition.json' +c2p_config.compliance.component_definition = args.component_definition c2p_config.pvp_name = 'OCM' # Construct C2P diff --git a/samples_public/ocm/result_to_compliance.py b/samples_public/ocm/result_to_compliance.py index 8b83e27..c7511b8 100644 --- a/samples_public/ocm/result_to_compliance.py +++ b/samples_public/ocm/result_to_compliance.py @@ -23,12 +23,20 @@ help='Path to a yaml file in which policies.policy.open-cluster-management.io resources are dumped.', required=False, ) +parser.add_argument( + '-c', + '--component_definition', + type=str, + default=f'{TEST_DATA_DIR}/component-definition.json', + help=f'Path to component-definition.json (default: {TEST_DATA_DIR}/component-definition.json', + required=False, +) args = parser.parse_args() # Setup c2p_config c2p_config = C2PConfig() c2p_config.compliance = ComplianceOscal() -c2p_config.compliance.component_definition = 'plugins_public/tests/data/ocm/component-definition.json' +c2p_config.compliance.component_definition = args.component_definition c2p_config.pvp_name = 'OCM' c2p_config.result_title = 'OCM Assessment Results' c2p_config.result_description = 'OSCAL Assessment Results from OCM'