Add parameters to produced ocp4.csv #18

Open
wants to merge 2 commits into
base: develop
90 changes: 84 additions & 6 deletions scripts/README.ocp4_cis_profile_to_csv.md
@@ -1,15 +1,93 @@
# command

#### ocp4_cis_profile_to_csv.py
# Procedure to create ocp4.csv

##### Purpose:

create ocp4.csv file from CIS Benchmarks profile(s) + OSCAL catalog(s)
create ocp4.csv file from:

- CIS Benchmarks profile(s)
- OSCAL catalog(s)
- OCP4 extracted parameters

##### Requirements:

- trestle
- download of ComplianceAsCode ocp-oscal-cd (this repo)
- download of ComplianceAsCode content

##### 1. install trestle

```
degenaro:~$ python -m venv venv.ocp4
degenaro:~$ source venv.ocp4/bin/activate
(venv.ocp4) degenaro:~$ pip install pip install compliance-trestle
```

##### 2. download repos

```
(venv.ocp4) degenaro:~$ cd /tmp
(venv.ocp4) degenaro:tmp$ mkdir cac
(venv.ocp4) degenaro:tmp$ cd cac
(venv.ocp4) degenaro:cac$ git clone https://github.com/ComplianceAsCode/ocp-oscal-cd.git
(venv.ocp4) degenaro:cac$ git clone https://github.com/ComplianceAsCode/content.git
```

##### 3. build ComplianceAsCodeContent for ocp4

```
(venv.ocp4) degenaro:cac$ cd content
(venv.ocp4) degenaro:content$ ./build_product -d ocp4
```

##### 4. extract ocp4 parameter info

```
(venv.ocp4) degenaro:content$ cd ../ocp-oscal-cd
degenaro:ocp-oscal-cd$ python scripts/ocp4_extract_rule_params.py -i ../content/build/ssg-ocp4-ds-1.2.xml -o data

```

Note: a warning is given for those parameters not linked to any rule

<details>
<summary>console</summary>

03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_hypershift_cluster
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_ocp_version_api_path
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_ocp_version_yaml_path
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_apiserver_audit_log_maxsize
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_apiserver_encryption_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_apiserver_encryption_path
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_apiserver_config
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_apiserver_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_apiserver_namespace
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_kube_apiserver_config
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_kube_apiserver_config_data_name
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_openshift_kube_apiserver_namespace
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_config_data_name
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_config_filepath
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_port_zero_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_rotate_kubelet_server_certs_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_secure_port_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_service_account_ca_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_service_account_private_key_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_controller_manager_use_service_account_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_etcd_argument_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_etcd_filepath
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_kube_authorization_mode
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_sccs_with_allowed_capabilities_regex
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_scheduler_argument_filter
03/10/2023 10:24:06 W no rule found for parameter xccdf_org.ssgproject.content_value_var_scheduler_filepath

</details>

##### 6. create ocp4.csv

```
(venv.ocp4) degenaro:ocp-oscal-cd$ cp -p ../content/products/ocp4/profiles/cis.profile data/cis-benchmarks/
(venv.ocp4) degenaro:ocp-oscal-cd$ cp -p ../content/products/ocp4/profiles/cis-node.profile data/cis-benchmarks/
(venv.ocp4) degenaro:ocp-oscal-cd$ python scripts/ocp4_cis_profile_to_csv.py --input data/cis-benchmarks/cis-node.profile profiles/OCP4_CIS_NODE/profile.json "OCP4 CIS Node Profile" --input data/cis-benchmarks/cis.profile profiles/OCP4_CIS/profile.json "OCP4 CIS Profile" --check-prefix xccdf_org.ssgproject.content_rule_ --catalog catalogs/ocp4-cis/catalog.json --rule-to-parameters-map data/rule2var.json --output data/
```

##### Sample invocation:
Note: file data/ocp4.csv is created

python scripts/ocp4_cis_profile_to_csv.py --input data/cis-benchmarks/cis-node.profile profiles/OCP4_CIS_NODE/profile.json "OCP4 CIS Node Profile" --input data/cis-benchmarks/cis.profile profiles/OCP4_CIS/profile.json "OCP4 CIS Profile" --check-prefix xccdf_org.ssgproject.content_rule_ --catalog catalogs/ocp4-cis/catalog.json --rule-to-parameters-map data/rule2var.json --output data/
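Review bot: step 1's install command in this hunk reads `pip install pip install compliance-trestle`; the duplicated `pip install` should be dropped so it reads `pip install compliance-trestle`. The step headings also jump from `##### 4. extract ocp4 parameter info` to `##### 6. create ocp4.csv`, so either a step 5 was lost or the last step needs renumbering; the two `cp -p` commands at the top of step 6 read naturally as their own step 5 (copy the CIS profiles into `data/cis-benchmarks/`). The `Sample invocation:` section at the end repeats the exact command line from step 6 outside a code fence and adds nothing beyond the note that `data/ocp4.csv` is created; either drop it or keep only that note under step 6. Minor: the `ocp4_extract_rule_params.py` command lacks the `(venv.ocp4)` prompt prefix every other command carries, and the step 4 fence has a stray empty line before it closes.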
37 changes: 19 additions & 18 deletions scripts/ocp4_cis_profile_to_csv.py
Expand Up @@ -49,21 +49,21 @@
]

column_descriptions = [
'A human readable name for the component.',
'A description of the component including information about its function.',
'A category describing the purpose of the component. ALLOWED VALUES interconnection:software:hardware:service:physical:process-procedure:plan:guidance:standard:validation',
'A textual label that uniquely identifies a policy (desired state) that can be used to reference it elsewhere in this or other documents.',
'A description of the policy (desired state) including information about its purpose and scope.',
'A textual label that uniquely identifies the parameter associated with that policy (desired state) or controls implemented by the policy (desired state).',
'A description of the parameter including the purpose and use of the parameter.',
'ONLY for the policy (desired state) parameters: A value or set of values the parameter can take. The catalog parameters values are defined in the catalog. ',
'A value recommended by Compliance Team in this profile for the parameter of the control or policy (desired state). If a CIS-benchmark exists, the default default could be the CIS-benchmark recommended value.',
'A URL reference to the source catalog or profile for which this component is implementing controls for. A profile designates a selection and configuration of controls from one or more catalogs.',
'A description of the profile.',
'A list of textual labels that uniquely identify the controls or statements that the component implements.',
'A textual label that uniquely identifies a check of the policy (desired state) that can be used to reference it elsewhere in this or other documents.',
'A description of the check of the policy (desired state) including the method (interview or examine or test) and procedure details.',
'A namespace qualifying the property name. This allows different organizations to associate distinct semantics with the same name. Used in conjunction with "class" as the ontology concept. ',
'A human readable name for the component.', # noqa: E501
'A description of the component including information about its function.', # noqa: E501
'A category describing the purpose of the component. ALLOWED VALUES interconnection:software:hardware:service:physical:process-procedure:plan:guidance:standard:validation', # noqa: E501
'A textual label that uniquely identifies a policy (desired state) that can be used to reference it elsewhere in this or other documents.', # noqa: E501
'A description of the policy (desired state) including information about its purpose and scope.', # noqa: E501
'A textual label that uniquely identifies the parameter associated with that policy (desired state) or controls implemented by the policy (desired state).', # noqa: E501
'A description of the parameter including the purpose and use of the parameter.', # noqa: E501
'ONLY for the policy (desired state) parameters: A value or set of values the parameter can take. The catalog parameters values are defined in the catalog. ', # noqa: E501
'A value recommended by Compliance Team in this profile for the parameter of the control or policy (desired state). If a CIS-benchmark exists, the default default could be the CIS-benchmark recommended value.', # noqa: E501
'A URL reference to the source catalog or profile for which this component is implementing controls for. A profile designates a selection and configuration of controls from one or more catalogs.', # noqa: E501
'A description of the profile.', # noqa: E501
'A list of textual labels that uniquely identify the controls or statements that the component implements.', # noqa: E501
'A textual label that uniquely identifies a check of the policy (desired state) that can be used to reference it elsewhere in this or other documents.', # noqa: E501
'A description of the check of the policy (desired state) including the method (interview or examine or test) and procedure details.', # noqa: E501
'A namespace qualifying the property name. This allows different organizations to associate distinct semantics with the same name. Used in conjunction with "class" as the ontology concept. ', # noqa: E501
]

service_component_title = 'OCP4'
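Review bot: adding `# noqa: E501` to all fifteen entries of `column_descriptions` suppresses the line-length check one line at a time, and every future entry will have to copy it; if long description strings are wanted here, a single `per-file-ignores` entry for this file (or a higher `max-line-length`) in the flake8 config achieves the same with no per-line noise. Since these lines are being rewritten anyway, the ninth entry's `the default default could be` should read `the default could be`, and the trailing spaces inside the eighth and last strings (`...defined in the catalog. '` and `...ontology concept. '`) will be written verbatim into the produced CSV, so they should be trimmed.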
Expand All @@ -78,7 +78,7 @@
check_prefix_help = 'None'

default_namespace = 'http://ibm.github.io/compliance-trestle/schemas/oscal/cd'
#default_namespace = 'http://ibm.github.io/compliance-trestle/schemas/oscal/cd/pvp/ocp'
pvp_ocp_namespace = 'http://ibm.github.io/compliance-trestle/schemas/oscal/cd/pvp/ocp'
default_rule2parameter_map = 'None'


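Review bot: replacing the commented-out alternate `default_namespace` with the named constant `pvp_ocp_namespace` is the right move, but no use of the new name appears anywhere in this diff; if it is consumed in `_run` or elsewhere, that hunk belongs in this PR, otherwise the constant is dead code. Adjacent and pre-existing: `default_rule2parameter_map = 'None'` (like `check_prefix_help = 'None'` above it) is the string `'None'`, not `None`, so any truthiness test on it always passes; worth confirming the code compares against the literal string on purpose.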
Expand Down Expand Up @@ -200,10 +200,11 @@ def _get_set_parameter(self, rule: str) -> tuple:
for key in self._rule_to_parm_map.keys():
if key == rule:
value = self._rule_to_parm_map[key]
remarks = value['description']
id_ = value['id']
description = value['description']
options = value['options']
default_value = options['default']
set_parameter = (f'var_{rule}', remarks, default_value, options)
set_parameter = (f'{id_}', description, default_value, options)
return set_parameter

def _run(self) -> None:
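Review bot: `set_parameter = (f'{id_}', description, default_value, options)` wraps a value that is already a string in an f-string; `id_` alone is enough. The lookup above it, `for key in self._rule_to_parm_map.keys(): if key == rule:`, is a linear scan of a dict for an exact key and can become `value = self._rule_to_parm_map.get(rule)` with the body under `if value is not None:`. Because the tuple's first element changes from the derived `f'var_{rule}'` to `value['id']`, every entry in the `--rule-to-parameters-map` JSON must now carry `id`, `description` and `options['default']`; a missing key raises a bare `KeyError` that does not say which rule was being processed, so validate the entry and log the rule name before unpacking. The README in this PR should document that expected JSON shape, since `ocp4_extract_rule_params.py` is what produces it. If `set_parameter` is not initialised before the loop (not visible in this hunk), a rule with no mapping raises `UnboundLocalError` at `return set_parameter`.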