From 9bd2799abf4034d3f31cccbc42ae2c170524e51e Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Tue, 23 Aug 2022 09:11:32 -0400 Subject: [PATCH] Schema touch-ups and updated example. --- src/metaschema/examples/rules-component.xml | 134 ++++++++++++------ .../oscal_rules-common_metaschema.xml | 55 +++---- 2 files changed, 117 insertions(+), 72 deletions(-) diff --git a/src/metaschema/examples/rules-component.xml b/src/metaschema/examples/rules-component.xml index 45b14ea7e3..1bc5007f26 100644 --- a/src/metaschema/examples/rules-component.xml +++ b/src/metaschema/examples/rules-component.xml @@ -4,82 +4,126 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="3559d200-4849-41ac-a420-28b2ffa22c52"> - Example Component Definition with Rules and Tests Linked to Component - 2022-08-22T00:00:00.000000000-04:00 + Example Component Definition for Openshift Container Platform v4, Rules, and Tests + 2022-08-23T00:00:00.000000000-04:00 0.0.1-alpha 1.2.0 - Important Rule 1 + Disable Anonymous Unauthenticated Access to Components -

is a description of Important Rule 1.

+

Anonymous (i.e. unauthenticated) access to any OCP4 sub-system documented in the components below must prevent anonymous, unauthenticated access.

- Test A for Rule 1 + Disable Anonymous Authentication to the Kubelet - Iac Analysis -

This is Test A, it can be executed to demonstrate a system meets requirements for Rule 1.

+

This test will analyze Infrastructure-as-Code (IaC) written in Ansible to provision OCP4 cluster(s). If the necessary configuration in /etc/kubernetes/kubelet.conf disables anonymous authentication with the appropriate setting (authentication.anonymous.enabled: false), this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.

- Test B for Rule 1 + Disable Anonymous Authentication to the Kubelet - Runtime Analysis with OCP4 Compliance Operator -

This is Test B, it can be executed to demonstrate a system meets requirements for Rule 1.

+

+ This test will analyze running OCP4 cluster(s) with its configured Compliance Operator to perform the necessary configuration management scans. If operator conducts scans of node kubelets and the necessary configuration in /etc/kubernetes/kubelet.conf disables anonymous authentication with the appropriate setting (authentication.anonymous.enabled: false), this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.

+ + + +
- Test C for Rule 1 + Disable Anonymous Authentication to the Kubelet - Runtime Analysis with CSP API for Managed OCP4 Control Plane -

This is Test C, it can be optionally executed to demonstrate a system meets requirements for Rule 1.

+

This test will analyze running OCP4 cluster(s) with a managed service from a cloud service provider (CSP). The CSP has a managed service that provisions OCP4 cluster(s) for customers. A REST API for this managed service can be queried. If the API confirms the setting is appropriately set, this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.

- Test D for Rule 1 + OCP4 Cluster Properly Configured and Deployed with Compliance Operator -

This is Test D, it can be optionally executed to demonstrate a system meets requirements for Rule 1.

+

This is a test that provides automated evaluation to confirm that an OCP4 cluster has the Compliance Operator properly installed and configured.

+ + + +
- - - - - - + + + + + + + - - + + + + + + - - - - + + - - + + - - + + + + + + + + + + + + + + + + + - Example Rule & Test Component 1 - A Sample Component with Rule and Test Integration - - Rule Implementation for Testing Scenario Usage Pattern 1. - - - Rule Implementation for Testing Scenario Usage Pattern 2. - - - Rule Implementation for Testing Scenario Usage Pattern 3. - + RedHit Openshift Container Platform v4 + +

This component documents the usage of RedHat's OpenShift Container Platform v4 (OCP4) in a system.

+

For many OpenShift Container Platform customers, regulatory readiness, or compliance, on some level is required before any systems can be put into production. That regulatory readiness can be imposed by national standards, industry standards, or the organization's corporate governance framework.

+

This component documents a system's use of OCP4 and its regulatory readiness in relation to NIST's Special Publication 800-37 information security and risk management framework. Implemented requirements are documented through security and privacy controls from NIST's Special Publication 800-53 Revision 5 Catalog.

+

Many of the implemented requirements provide supporting evidence of already implemented requirements with OCP4 cluster(s) as-is or recommendations for customers to configure cluster(s) accordingly in their own environment when it is their responsibility, on a control-by-control basis. Where applicable, OSCAL and its rules provide machine-readable instructions for recommended security tools to evaluate security and privacy control requirements are met and provide machine-readable evidence of such requirements.

+
+ + + + +

Control implementations and their documented requirements for OCP4 from the NIST 800-53 Revision 5 Catalog (sourced from NIST ITL CSD's official OSCAL catalog).

+
+ + +

+ OCP4 implements requirements to support NIST 800-53 Revision 5 control CM-6: Configuration Settings. +

+
+ + common secure configurations from official RedHat or community OpenSCAP sources + + + + +

Configuration managers can use the product's functionality to establish and document configuration settings for OCP4 cluster(s) employed within the system. When not using system defaults, configuration managers can use that reflect the most restrictive mode consistent with operational requirements.

+
+
+ + + + +
+
\ No newline at end of file diff --git a/src/metaschema/oscal_rules-common_metaschema.xml b/src/metaschema/oscal_rules-common_metaschema.xml index a948111db6..55a554b9bf 100644 --- a/src/metaschema/oscal_rules-common_metaschema.xml +++ b/src/metaschema/oscal_rules-common_metaschema.xml @@ -31,7 +31,7 @@ - + @@ -65,7 +65,7 @@ - + @@ -100,10 +100,10 @@ - + - + Test Reference TODO - + condition + + + + + + + - - - + - - Testing Scenario Universally Unique Identifier Reference - A testing scenario UUID reference - - + Testing Scenario Universally Unique Identifier A testing scenari UUID reference Testing Scenario Reference A reference to a testing scenario. + + + Testing Scenario Universally Unique Identifier Reference + A testing scenario UUID reference + @@ -194,11 +195,11 @@ Rule Implementation Universally Unique Identifier TODO - - Rule Implementation Description - A summary of the rule implementation. - + + Rule Implementation Description + A summary of the rule implementation. + @@ -206,7 +207,7 @@ - +