diff --git a/.github/workflows/generate_leveraged.yaml b/.github/workflows/generate_leveraged.yaml new file mode 100644 index 0000000..b439be8 --- /dev/null +++ b/.github/workflows/generate_leveraged.yaml @@ -0,0 +1,67 @@ +name: Leveraged Content Handler +on: + push: + branches: + - feature-* + - Feature-* + - develop + - main + pull_request: {} +jobs: + partial_ssp: + runs-on: ubuntu-20.04 + defaults: + run: + working-directory: . + steps: + - name: Check out repository code. + uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: '3.10' + - name: Check environment. + run: | + ls -ltra + python --version + pip --version + - name: Install dependencies. + run: | + pip install -r requirements.txt + # - name: Run tests. + # run: | + # pytest + - name: Execute script. + run: | + python oscal_leveraged.py + - name: Save SSP. + uses: actions/upload-artifact@v3 + with: + name: artifact-leveraged-ssp + path: SSP.LEVERAGED.output.yaml + validate_oscal: + runs-on: ubuntu-20.04 + if: ${{ github.ref_name == 'main' || github.ref_name == 'develop' || github.ref_name == 'feature-doc-templates' }} + needs: + - partial_ssp + steps: + - name: Checkout + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + id: checkout + - name: Setup Java + uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c + with: + distribution: adopt + java-version: 11 + - name: Download SSP. + uses: actions/download-artifact@v3 + with: + name: artifact-leveraged-ssp + - name: Run oscal-cli Validation. + uses: oscal-club/oscal-cli-action@v1.0.0 + id: validation + with: + args: ssp validate SSP.LEVERAGED.output.yaml + - name: Validation Result + shell: bash + run: | + exit $oscalcli_exit_code \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/generate_ssp.yaml similarity index 100% rename from .github/workflows/ci.yaml rename to .github/workflows/generate_ssp.yaml 
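Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope although every step only needs to read the checkout; add a top-level `permissions:` with `contents: read` so a compromised step or action cannot push or open issues with the token. Action pinning is also inconsistent within the same file: `validate_oscal` pins `actions/checkout` and `actions/setup-java` to full commit SHAs, while `partial_ssp` uses mutable tags (`actions/checkout@v3`, `actions/setup-python@v4`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`) and the third-party `oscal-club/oscal-cli-action@v1.0.0` is a tag as well — pin all of them to SHAs, the third-party one first. The `if:` on `validate_oscal` compares `github.ref_name` against branch names, but on `pull_request` runs `ref_name` is the merge ref (e.g. `123/merge`), so the validation job appears never to run for the PRs this workflow is triggered on; consider `github.event_name == 'pull_request' || ...` if that is not intended. The final `exit $oscalcli_exit_code` relies on a variable no visible step sets; if the oscal-cli action exports it, a comment naming that source would help, otherwise the step exits 0 on a missing variable and masks failures.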
diff --git a/oscal_leveraged.py b/oscal_leveraged.py new file mode 100644 index 0000000..0496e96 --- /dev/null +++ b/oscal_leveraged.py 
@@ -0,0 +1,107 @@ +#%% Install Libraries (You can uncomment below and execute to install.) +# import sys +# !{sys.executable} -m pip install chevron +# !{sys.executable} -m pip install pydantic +# !{sys.executable} -m pip install PyYAML +# !{sys.executable} -m pip install diagrams + +# Note: You may need to install this: https://www.graphviz.org/ + +#%% Import Libraries +import os, sys +import chevron +import json +import datetime +from pathlib import Path +from yaml import safe_load,YAMLError,dump + +from oscalic.system_security_plan import SystemSecurityPlan as SSP +from oscalic.control import ControlAssembly as Control +from oscalic import Template, Helper, Validation + +error_condition = None + +#%% Setup +today = datetime.datetime.now() +today_format = '%Y-%m-%dT00:00:00.0000-04:00' +today = today.strftime(today_format) +control_list = list() + +#%% Paths +partial_path = 'system-security-plan/partials_CSP' + +#%% Read Partials +partials = os.listdir(partial_path) +this_system_component_uuid = Helper.get_uuid() +ssp_controls=list() +print(len(partials)) + +#%% Start SSP +ssp_template = os.path.join(os.getcwd(), partial_path, 'template.ssp.yaml') +ssp_data = { + 'uuid:document': Helper.get_uuid(), + 'uuid:statement': Helper.get_uuid(), + 'uuid:component': this_system_component_uuid, + 'uuid:user': Helper.get_uuid(), + 'uuid:party': Helper.get_uuid(), + 'uuid:by-component': Helper.get_uuid(), + 'uuid:information-type':Helper.get_uuid(), + 'version': '0.0.1', + 'modified_date': f"{today}", +} +ssp_content = Template.apply(ssp_template, ssp_data) +ssp = Helper.from_yaml(SSP, ssp_content) + +#%% Start Profile +profile_template = os.path.join(os.getcwd(), partial_path, 'template.profile.yaml') +profile_data = { + 'uuid:document': Helper.get_uuid(), + 'uuid:statement': Helper.get_uuid(), + 'uuid:component-uuid': this_system_component_uuid, + 'uuid:by-component': Helper.get_uuid(), + 'version': '0.0.1', + 'modified_date': f"{today}" +} + + +#%% Interpret Partials +for 
partial in partials: + if partial.startswith('template.'): + continue + + partial_file = os.path.join(os.getcwd(), partial_path, partial) + + uuid_content = { + 'uuid:control': Helper.get_uuid(), + 'uuid:statement': Helper.get_uuid(), + 'uuid:component-uuid': this_system_component_uuid, + 'uuid:by-component': Helper.get_uuid(), + } + + partial_content = Template.apply(partial_file, uuid_content) + + try: + control = Helper.from_yaml(Control, partial_content) + ssp.system_security_plan.control_implementation.implemented_requirements.append(control) + print(f"SUCCESS: {partial_file}") + except Validation.OSCALValidationError as e: + print(f"{partial_file}:\nVALIDATION ERROR: {e.json()}\n") + error_condition = 1 + + +#%% Run above here for partial validation. +################################################################################################### +## Prepare Document + +#%% Save Profile +profile_content = Template.apply(profile_template, profile_data) +Path('Profile.LEVERAGED.output.yaml').write_text(profile_content) + +#%% Save SSP +Path('SSP.LEVERAGED.output.yaml').write_text(Helper.to_yaml(ssp)) + +# %% +if error_condition: + exit(error_condition) + +#%% \ No newline at end of file diff --git a/system-security-plan/partials_CSP/template.profile.yaml b/system-security-plan/partials_CSP/template.profile.yaml new file mode 100644 index 0000000..305993a --- /dev/null +++ b/system-security-plan/partials_CSP/template.profile.yaml 
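Review bot: `profile_data` does not supply the keys the profile template reads — `uuid:party`, `uuid:party-1`, `uuid:party-2` and `content:controls_list` are absent, and `control_list = list()` is created but never filled or passed — so if `Template.apply` is a plain mustache render those placeholders come out empty and `Profile.LEVERAGED.output.yaml` has blank party UUIDs and no included controls; the profile output is also never validated by the workflow. `partials = os.listdir(partial_path)` returns entries in filesystem order, so `implemented-requirements` ordering varies between machines; `partials = sorted(os.listdir(partial_path))` makes the generated SSP reproducible. The timestamp hard-codes a `-04:00` offset onto a naive `datetime.now()`, which is wrong whenever the runner is not in EDT; `datetime.datetime.now(datetime.timezone.utc)` with `'%Y-%m-%dT00:00:00.0000+00:00'` avoids that. The final `exit(error_condition)` is the site-module helper and can be absent under `python -S`; `sys` is already imported, so use `sys.exit(error_condition)`.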
@@ -0,0 +1,41 @@ +profile: + uuid: 51a969c1-af30-4eb7-99a2-0d3ddbd8cacb + metadata: + title: Leveraged Bloss@m Minimal Baseline for Demonstration + last-modified: 2022-11-22T00:00:00.000000-04:00 + version: 0.0.1-alpha + oscal-version: 1.0.4 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: {{ uuid:party }} + type: organization + name: CSD Development + email-addresses: + - blossom@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - "Attn: Computer Security Division" + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - {{ uuid:party-1 }} + - role-id: contact + party-uuids: + - {{ uuid:party-2 }} + imports: + - href: https://raw.githubusercontent.com/usnistgov/oscal-content/ba2efa4c90155650b0fd536f3bffd13042ac6dc7/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml + include-controls: + - with-ids: + {{ content:controls_list }} + merge: + as-is: true \ No newline at end of file diff --git a/system-security-plan/partials_CSP/template.ssp.yaml b/system-security-plan/partials_CSP/template.ssp.yaml new file mode 100644 index 0000000..9c5b9ce --- /dev/null +++ b/system-security-plan/partials_CSP/template.ssp.yaml 
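Review bot: The document `uuid: 51a969c1-af30-4eb7-99a2-0d3ddbd8cacb` is a literal although the generating script passes `uuid:document` in `profile_data`, so every generated profile shares one UUID; change it to `uuid: {{ uuid:document }}`. The `responsible-parties` entries reference `{{ uuid:party-1 }}` and `{{ uuid:party-2 }}`, but the only party declared is `{{ uuid:party }}`, so even when supplied these `party-uuids` would not resolve to a declared party; both entries should reference `{{ uuid:party }}` (or a second party should be declared). `last-modified` is likewise hard-coded to `2022-11-22` while the script supplies `modified_date`; `last-modified: {{ modified_date }}` keeps it honest. Pinning the `imports` href to an oscal-content commit SHA is good — keep that pattern.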
@@ -0,0 +1,73 @@ +system-security-plan: + uuid: {{ uuid:document }} + + metadata: + title: Leveraged BloSS@M Experimental System Security Plan + last-modified: '2022-12-21T00:00:00.0000-04:00' + version: {{ version }} + oscal-version: 1.0.4 + roles: + - id: admin + title: Administrator + parties: + - uuid: {{ uuid:party }} + type: person + + import-profile: + href: ./profile.yaml + + system-characteristics: + system-ids: + - id: saas_system_iaas_customer + system-name: Leveraging SaaS System + description: > + NO CONTENT HERE FOR NOW + security-sensitivity-level: low + system-information: + information-types: + - uuid: {{ uuid:information-type }} + title: System Assessment + description: This system handles development information pertaining to audit and assessment events to demonstrate the OSCAL workflow. + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.3.5.1 + confidentiality-impact: + base: fips-199-low + integrity-impact: + base: fips-199-low + availability-impact: + base: fips-199-low + security-impact-level: + security-objective-confidentiality: fips-199-low + security-objective-integrity: fips-199-low + security-objective-availability: fips-199-low + status: + state: operational + authorization-boundary: + description: This system is for demonstration purposes only. + + system-implementation: + users: + - uuid: {{ uuid:user }} + role-ids: + - admin + authorized-privileges: + - title: Developer + functions-performed: + - Manages the content and components within the system. + components: + - uuid: {{ uuid:component }} + type: this-system + title: OSCAL Testing Workflow Application + description: This is an application to demonstrate minimal OSCAL content, and automation to execute tests against the application. + props: + - name: implementation-point + value: internal + status: + state: under-development + + + control-implementation: + description: "List of Controls" + implemented-requirements: []
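Review bot: `import-profile: href: ./profile.yaml` points at a file that nothing in this change produces — the script writes `Profile.LEVERAGED.output.yaml` — so a profile resolver run against the generated SSP will fail to find the baseline; align the href with the generated filename. `last-modified: '2022-12-21T00:00:00.0000-04:00'` is a literal even though `version` is templated and the script passes `modified_date`; use `last-modified: {{ modified_date }}` so the SSP reflects its actual generation time. The `this-system` component is `under-development` while `system-characteristics.status` is `operational`; if that is deliberate for the demo, a short comment saying so would stop reviewers flagging it.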