Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inventory - Authenticated Scan Constraints #1032

Open
17 tasks
Rene2mt opened this issue Dec 24, 2024 · 0 comments
Open
17 tasks

Inventory - Authenticated Scan Constraints #1032

Rene2mt opened this issue Dec 24, 2024 · 0 comments

Comments

@Rene2mt
Copy link
Member

Rene2mt commented Dec 24, 2024

Constraint Task

Consistent with issue #813, this work focuses on determining if the component/inventory item asset supports authenticated scanning.

Intended Outcome

  • There must be at least one "allow-authenticated-scan" prop in the inventory
  • Internal "service" component must have "allows-authenticated-scan"
  • Allowed values for "allow-authenticated-scans" prop are "yes" or "no" and not other values are allowed

Syntax Type

This is optional core OSCAL syntax.

Allowed Values

NIST-allowed values must be extended with FedRAMP allowed values.

Metapath(s) to Content

FIRST CONSTRAINT

context="//inventory-item"

target=". | //component[@uuid=./implemented-component/@component-uuid]"

count(./prop[@name='allows-authenticated-scan']) >=1

---
SECOND CONSTRAINT

context="//component[@type='service' and ./prop[@name='implementation-point' and @value='internal']]"

target="."

count(./prop[@name='allows-authenticated-scan']) =1

---
THIRD CONSTRAINT

context = "//(component | inventory-item)/prop[@name='allows-authenticated-scan']"

target = "./@value"

allowed-values (allow-others='no'): 'yes', 'no'

Purpose of the OSCAL Content

FedRAMP requires authenticated scans of inventory items wherever possible. These constraints help quickly identify inventory items that do not comply with the authenticated scan requirements.

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate
    • sample content is present and accurate
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

No response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: 🔖 Ready
Development

No branches or pull requests

1 participant