feat: SSP author demo. (#3)
Signed-off-by: Chris Butler <[email protected]>
butler54 authored Jul 30, 2021
1 parent 1432c9a commit d529fa6
Showing 165 changed files with 87,700 additions and 1 deletion.
9 changes: 9 additions & 0 deletions ISM_catalog_profile/README.md
@@ -0,0 +1,9 @@
# Creating Australian Government Information Security Manual as a OSCAL catalog.

## WARNING

This demo is not official and has not been endorsed in any way by the Australian Government. Please read about the [Australian Government Information Security manual here](https://www.cyber.gov.au/acsc/)

## Running this demo

- From the root directory of the repository run `python scripts/ISM/ISM.py`
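Review bot: The heading "Creating Australian Government Information Security Manual as a OSCAL catalog." has two grammar slips ("a OSCAL" should be "an OSCAL", and the manual's name wants a leading "the"); suggest `# Creating the Australian Government Information Security Manual as an OSCAL catalog`. The WARNING paragraph also ends without a full stop after the link. The run step points at `scripts/ISM/ISM.py`, which is not among the files shown in this diff, so a sentence on where that script lives and what it needs (Python version, packages) would make the demo reproducible from this README alone.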
6 changes: 6 additions & 0 deletions README.md
@@ -48,6 +48,12 @@ A CICD pipeline (using github actions) is used for this demonstration. The full

## Creating a CIS controls catalog from an excel spreadsheet.

The Centre for Internet Security (CIS) produce a number of cross industry standards for IT security including their [platform specific benchmarks](https://www.cisecurity.org/cis-benchmarks/) and a suite of [controls](https://www.cisecurity.org/controls/). [This demo](./CIS_controls) converts a spreadsheet of those controls into a a catalog and three profiles.

## Creating an SSP using trestle author.

`trestle author ssp-generate` and `trestle author ssp-author` allow users to generate first a set of markdown documents to allow easy editing of control responses and second to reassemble that information up into an OSCAL ssp document. This is a 'baseline' demonstration with more sophisticated updates expected in the near term.

## License & Authors

If you would like to see the detailed LICENSE click [here](LICENSE).
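Review bot: `trestle author ssp-author` in the new SSP paragraph does not match the assembly command used by the ssp_author_demo README in this same commit, `trestle author ssp-assemble`; assuming the demo README is the correct one, change it to `ssp-assemble` so readers do not copy a subcommand that the rest of the commit never uses. Minor: "reassemble that information up into" reads awkwardly (drop "up"), and the unchanged CIS context line above still carries "into a a catalog".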
2 changes: 1 addition & 1 deletion arc42-author-demo
Submodule arc42-author-demo updated 41 files
+38 −0 .github/workflows/trestle_pr.yml
+11 −0 .pre-commit-config.yaml
+0 −23 .travis.yml
+12 −0 .trestle/author/arc42-multidoc/01_introduction_and_goals.md
+1 −0 .trestle/author/arc42-multidoc/02_architecture_constraints.md
+15 −0 .trestle/author/arc42-multidoc/03_system_scope_and_context.md
+1 −0 .trestle/author/arc42-multidoc/04_solution_strategy.md
+78 −0 .trestle/author/arc42-multidoc/05_building_block_view.md
+16 −0 .trestle/author/arc42-multidoc/06_runtime_view.md
+32 −0 .trestle/author/arc42-multidoc/07_deployment_view.md
+17 −0 .trestle/author/arc42-multidoc/08_concepts.md
+1 −0 .trestle/author/arc42-multidoc/09_design_decisions.md
+5 −0 .trestle/author/arc42-multidoc/10_quality_scenarios.md
+1 −0 .trestle/author/arc42-multidoc/11_technical_risks.md
+6 −0 .trestle/author/arc42-multidoc/12_glossary.md
+ .trestle/author/arc42-multidoc/arc42-logo.png
+ .trestle/author/arc42-multidoc/images/arc42-logo.png
+211 −0 .trestle/author/arc42-single-failure/template.md
+211 −0 .trestle/author/arc42-single/template.md
+27 −0 .trestle/config.ini
+5 −0 CONTRIBUTING.md
+1 −1 MAINTAINERS.md
+35 −0 Makefile
+42 −59 README.md
+14 −0 arc42-multidoc/sample_multidoc_architecture/01_introduction_and_goals.md
+1 −0 arc42-multidoc/sample_multidoc_architecture/02_architecture_constraints.md
+15 −0 arc42-multidoc/sample_multidoc_architecture/03_system_scope_and_context.md
+1 −0 arc42-multidoc/sample_multidoc_architecture/04_solution_strategy.md
+78 −0 arc42-multidoc/sample_multidoc_architecture/05_building_block_view.md
+16 −0 arc42-multidoc/sample_multidoc_architecture/06_runtime_view.md
+32 −0 arc42-multidoc/sample_multidoc_architecture/07_deployment_view.md
+17 −0 arc42-multidoc/sample_multidoc_architecture/08_concepts.md
+1 −0 arc42-multidoc/sample_multidoc_architecture/09_design_decisions.md
+5 −0 arc42-multidoc/sample_multidoc_architecture/10_quality_scenarios.md
+1 −0 arc42-multidoc/sample_multidoc_architecture/11_technical_risks.md
+6 −0 arc42-multidoc/sample_multidoc_architecture/12_glossary.md
+ arc42-multidoc/sample_multidoc_architecture/arc42-logo.png
+ arc42-multidoc/sample_multidoc_architecture/images/arc42-logo.png
+202 −0 arc42-single-failure/arc42-single-failure_000.md
+211 −0 arc42-single/arc42-single_000.md
+198 −0 arc42-single/sample_architecture_partially_completed.md
Empty file added ssp_author_demo/.trestle/.keep
27 changes: 27 additions & 0 deletions ssp_author_demo/.trestle/config.ini
@@ -0,0 +1,27 @@
[catalog]
decomposition_rules = ['catalog.groups.*.controls.*']
create_number_of_groups = 2
create_number_of_controls = 2

[profile]
decomposition_rules = []

[target-definition]
decomposition_rules = ['target-definition.targets.*.target-control-implementations.*']
create_number_of_targets = 2
create_number_of_target_control_implementations = 2

[component-definition]
decomposition_rules = []

[system-security-plan]
decomposition_rules = []

[assessment-plan]
decomposition_rules = []

[assessment-result]
decomposition_rules = []

[plan-of-action-and-milestone]
decomposition_rules = []
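Review bot: None of the sections carry a comment saying what `decomposition_rules` or the `create_number_of_*` keys do, and the demo README in this commit only ever runs `trestle import`, `trestle add` and `trestle author`, so it is unclear which of these values the demo actually depends on. Suggest a short comment at the top of the file (INI `#` or `;` style) explaining where these values come from (for instance whether they are the defaults written by `trestle init`), or trimming the sections the demo does not exercise, so a reader does not assume `create_number_of_groups = 2` has any effect on the imported 800-53 catalog.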
45 changes: 45 additions & 0 deletions ssp_author_demo/README.md
@@ -0,0 +1,45 @@
# ssp_author_demo

This demonstration of \[compliance-trestle\]((https://ibm.github.io/compliance-trestle) is designed to show how `trestle author` can be used to enable version controlled editing of SSP responses.

The trestle project has been setup with a catalog and profile from NIST using 800-53. This was used to generate the markdown directory.

SSP generate is used to generate the markdown files based on the combination of a profile and a single catalog. [Multi-stage profile resolution](https://github.com/IBM/compliance-trestle/issues/648) is a work in progress.

The pro

## Steps to recreate setup

### Initial import

- trestle init was run
- The [OSCAL-content](https://github.com/usnistgov/OSCAL-content) repository was cloned.
- The [NIST 800-53 catalog](https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json) was imported with `trestle import -f {path to catalog} -o 800-53`
- The catalog will be inserted within `./catalogs/800-53/`
- The [NIST 800-53 LOW profile](https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json) was imported with trestle import -f {path to profile} -o 800-53-low\`
- The profiles will be inserted within `./profiles/800-53-low/`
- The profile is updated such that it refers to the catalog by the catalog name (e.g. `800-53.json`) [note see upcoming changes](https://github.com/IBM/compliance-trestle/issues/557)

### Inserting parameters

Profiles from NIST do not insert parameter values by default so the profile needs to be modified.

- `cd ./profiles/800-53-low/`
- Add the missing modify structure`trestle add -f ./profile.json -e 'profile.modify'`
- Create some sample parameters: `trestle add -f ./profile.json -e 'profile.modify.set-parameters'`
- The parameters now need to be set by using the `value` field. For this demo all the parameters for ac-1 have been set.

### Populating response content

- First the response documents must be generated using:
- cd to the project root directory
- `trestle author ssp-generate -p 800-53-low --output test_system -s 'guidance:Control Guidance'`
- `--output` puts the markdown directory tree into `./test_system`
- `-s` maps named parts names to sections in catalog to the markdown document
- Content is edited by end users (in this case ac-1 part a)

### Creating the OSCAL catalog

- Run
- `trestle author ssp-assemble -m test_system -o acme-test-system`
- The ssp will be generated in `./system-security-plans/acme-test-system`
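Review bot: The paragraph that reads just "The pro" is a truncated sentence and should be completed or removed before merge. Three markdown defects in the same file: the opening link is written `\[compliance-trestle\]((https://ibm.github.io/compliance-trestle)` with escaped brackets and a doubled opening parenthesis, so it renders as literal text instead of a link (should be `[compliance-trestle](https://ibm.github.io/compliance-trestle)`); the LOW profile import bullet is missing its opening backtick and keeps a stray trailing one, so `trestle import -f {path to profile} -o 800-53-low` is not rendered as code; and "Add the missing modify structure`trestle add ...`" needs a colon and a space before the backtick, matching the next bullet. The last heading says "Creating the OSCAL catalog" but the step assembles the SSP into `./system-security-plans/acme-test-system`, so "Creating the OSCAL SSP" is the accurate title. Finally, `--output test_system` in the generate step and `-m test_system` in the assemble step must name the same directory; one sentence saying so would prevent an easy mismatch.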
Empty file added ssp_author_demo/catalogs/.keep
76,414 changes: 76,414 additions & 0 deletions ssp_author_demo/catalogs/800-53/catalog.json
Empty file added ssp_author_demo/profiles/.keep
253 changes: 253 additions & 0 deletions ssp_author_demo/profiles/800-53-low/profile.json
@@ -0,0 +1,253 @@
{
"profile": {
"uuid": "8742196d-86ba-4e72-a411-28867dab43bb",
"metadata": {
"title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",
"last-modified": "2021-06-08T17:57:33.975+00:00",
"version": "Final",
"oscal-version": "1.0.0",
"roles": [
{
"id": "creator",
"title": "Document Creator"
},
{
"id": "contact",
"title": "Contact"
}
],
"parties": [
{
"uuid": "984e6c07-b5b6-4ab6-b22b-283609c325e6",
"type": "organization",
"name": "Joint Task Force, Transformation Initiative",
"email-addresses": [
"[email protected]"
],
"addresses": [
{
"addr-lines": [
"National Institute of Standards and Technology",
"Attn: Computer Security Division",
"Information Technology Laboratory",
"100 Bureau Drive (Mail Stop 8930)"
],
"city": "Gaithersburg",
"state": "MD",
"postal-code": "20899-8930"
}
]
}
],
"responsible-parties": [
{
"role-id": "creator",
"party-uuids": [
"984e6c07-b5b6-4ab6-b22b-283609c325e6"
]
},
{
"role-id": "contact",
"party-uuids": [
"984e6c07-b5b6-4ab6-b22b-283609c325e6"
]
}
]
},
"imports": [
{
"href": "800-53.json",
"include-controls": [
{
"with-ids": [
"ac-1",
"ac-2",
"ac-3",
"ac-7",
"ac-8",
"ac-14",
"ac-17",
"ac-18",
"ac-19",
"ac-20",
"ac-22",
"at-1",
"at-2",
"at-2.2",
"at-3",
"at-4",
"au-1",
"au-2",
"au-3",
"au-4",
"au-5",
"au-6",
"au-8",
"au-9",
"au-11",
"au-12",
"ca-1",
"ca-2",
"ca-3",
"ca-5",
"ca-6",
"ca-7",
"ca-7.4",
"ca-9",
"cm-1",
"cm-2",
"cm-4",
"cm-5",
"cm-6",
"cm-7",
"cm-8",
"cm-10",
"cm-11",
"cp-1",
"cp-2",
"cp-3",
"cp-4",
"cp-9",
"cp-10",
"ia-1",
"ia-2",
"ia-2.1",
"ia-2.2",
"ia-2.8",
"ia-2.12",
"ia-4",
"ia-5",
"ia-5.1",
"ia-6",
"ia-7",
"ia-8",
"ia-8.1",
"ia-8.2",
"ia-8.4",
"ia-11",
"ir-1",
"ir-2",
"ir-4",
"ir-5",
"ir-6",
"ir-7",
"ir-8",
"ma-1",
"ma-2",
"ma-4",
"ma-5",
"mp-1",
"mp-2",
"mp-6",
"mp-7",
"pe-1",
"pe-2",
"pe-3",
"pe-6",
"pe-8",
"pe-12",
"pe-13",
"pe-14",
"pe-15",
"pe-16",
"pl-1",
"pl-2",
"pl-4",
"pl-4.1",
"pl-10",
"pl-11",
"ps-1",
"ps-2",
"ps-3",
"ps-4",
"ps-5",
"ps-6",
"ps-7",
"ps-8",
"ps-9",
"ra-1",
"ra-2",
"ra-3",
"ra-3.1",
"ra-5",
"ra-5.2",
"ra-5.11",
"ra-7",
"sa-1",
"sa-2",
"sa-3",
"sa-4",
"sa-4.10",
"sa-5",
"sa-8",
"sa-9",
"sa-22",
"sc-1",
"sc-5",
"sc-7",
"sc-12",
"sc-13",
"sc-15",
"sc-20",
"sc-21",
"sc-22",
"sc-39",
"si-1",
"si-2",
"si-3",
"si-4",
"si-5",
"si-12",
"sr-1",
"sr-2",
"sr-2.1",
"sr-3",
"sr-5",
"sr-8",
"sr-10",
"sr-11",
"sr-11.1",
"sr-11.2",
"sr-12"
]
}
]
}
],
"merge": {
"as-is": true
},
"modify": {
"set-parameters": [
{
"param-id": "ac-1_prm_1",
"values": ["All employees"]
},
{
"param-id": "ac-1_prm_2",
"values": ["Organization-level"]
},
{
"param-id": "ac-1_prm_3",
"values": ["Chief Information Security Officer"]
},
{
"param-id": "ac-1_prm_4",
"values": ["Every year"]
},
{
"param-id": "ac-1_prm_5",
"values": ["Any IT system breach involving inappropriate access management"]
},
{
"param-id": "ac-1_prm_6",
"values": ["every quarter"]
},
{
"param-id": "ac-1_prm_7",
"values": ["any IT system breach or known near miss"]
}
]
}
}
}
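Review bot: The profile has been modified (a `modify.set-parameters` block is added and `imports[0].href` is rewritten to the local `800-53.json`), yet `metadata.last-modified` (2021-06-08T17:57:33.975+00:00), `version` ("Final") and the title still identify it as the unmodified NIST LOW baseline; update `last-modified` and adjust the title or version so the file is not mistaken for the upstream baseline. Second, `include-controls.with-ids` lists 149 control ids (enhancements included) while `set-parameters` only sets `ac-1_prm_1` through `ac-1_prm_7`, which the README says is intentional for the demo; since JSON cannot carry a comment, a line in the README stating that parameters for every other control remain unset would save reviewers checking. Minor: the values mix "Every year" and "every quarter" capitalization.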