TTS Dockerized Compliance Trestle

This repository contains the source code for the ghcr.io/gsa-tts/trestle Docker image and OSCAL models to be used by that image.

Image Use:

General workflow:

  1. Download trestle image and run CLI
  2. Create the files for a given SSPP
  3. Do in a loop:
    1. Edit control statements within markdown files
    2. Assemble markdown contents into a provisional OSCAL SSP
    3. Edit other sections of the SSPP within the smaller json files
  4. Assemble everything into a final OSCAL SSP (TODO: within a CI workflow)

Pull down the trestle image and initialize a compliance trestle project

Prerequisite: a $(pwd)/compliance directory exists; it is where all compliance artifacts will be stored.

docker pull ghcr.io/gsa-tts/trestle
docker run -it --rm -v $(pwd)/compliance:/app/docs ghcr.io/gsa-tts/trestle bash

All other usage commands assume you are operating within the docker container.

Create Control Statement Markdown Files

If you are using a profile that isn't shipped with the image, you must import it first.

If you are utilizing Component Definitions, you must import and/or create them first.

generate-ssp-markdown -p PROFILE_NAME [-c COMP_DEF_NAMES]

Assemble SSP JSON from Markdown

assemble-ssp-json -n SYSTEM_NAME [-c COMP_DEF_NAMES]

This step will create system-security-plans/SYSTEM_NAME/system-security-plan.json as well as smaller JSON files within system-security-plans/SYSTEM_NAME/system-security-plan/ for editing.

This script should be given the same list of Component Definitions that were passed to generate-ssp-markdown.

Final SSP Assembly

trestle assemble -n SYSTEM_NAME system-security-plan

Import profile into working space:

If you are using a PROFILE_NAME that does not ship with this docker container then you must first manually import it using:

trestle import -f PROFILE_URL -o PROFILE_NAME

Once that is done you can go back to the generate-ssp-markdown step.

Import Component Definition into working space:

To import a component that ships with this docker container: copy-component -n COMPONENT_NAME

To import a component that is available from a URL: copy-component -n COMPONENT_NAME -u COMPONENT_URL

Create Component Definition

create-component -n COMPONENT_NAME

And then edit the created files to contain the component definition.

Split SSP into manageable files

This step is automatically handled by the assemble-ssp-json script as long as that script is run from the trestle root.

split-ssp system-security-plans/SYSTEM_NAME/system-security-plan.json
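To make concrete what "smaller JSON files" means, here is an added illustration (not trestle's own split/assemble code, and not the exact file layout trestle produces) that breaks the top-level sections of an OSCAL SSP out into one file each and merges them back. The sample SSP, the file layout under the output directory, and the section list are assumptions made for the example.

```python
"""Split an OSCAL SSP into per-section JSON files and reassemble it.

Added example; not trestle's own split/assemble code. The layout
(one <section>.json per top-level key plus a trimmed root document)
is an assumption, not trestle's format."""
import json
import os
import tempfile

# Constructed minimal SSP; real documents carry many more fields.
SAMPLE_SSP = {
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # constructed
        "metadata": {"title": "Example SSP", "oscal-version": "1.0.4"},
        "import-profile": {"href": "profiles/lato/profile.json"},
        "system-characteristics": {"system-name": "example-system"},
        "system-implementation": {"users": [], "components": []},
        "control-implementation": {"implemented-requirements": []},
    }
}

# Sections that get their own file; anything else stays in the root document.
SPLIT_SECTIONS = (
    "metadata",
    "import-profile",
    "system-characteristics",
    "system-implementation",
    "control-implementation",
    "back-matter",
)


def split_ssp(ssp_doc, out_dir):
    """Write each section to out_dir/<section>.json and the remainder to
    out_dir/system-security-plan.json. Returns the list of files written."""
    os.makedirs(out_dir, exist_ok=True)
    root = dict(ssp_doc["system-security-plan"])  # shallow copy; pop() below
    written = []
    for section in SPLIT_SECTIONS:
        if section not in root:
            continue
        path = os.path.join(out_dir, f"{section}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({section: root.pop(section)}, fh, indent=2)
        written.append(path)
    root_path = os.path.join(out_dir, "system-security-plan.json")
    with open(root_path, "w", encoding="utf-8") as fh:
        json.dump({"system-security-plan": root}, fh, indent=2)
    written.append(root_path)
    return written


def assemble_ssp(split_dir):
    """Inverse of split_ssp: merge the section files back into one SSP dict."""
    root_path = os.path.join(split_dir, "system-security-plan.json")
    with open(root_path, encoding="utf-8") as fh:
        root = json.load(fh)["system-security-plan"]
    for section in SPLIT_SECTIONS:
        path = os.path.join(split_dir, f"{section}.json")
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                root[section] = json.load(fh)[section]
    return {"system-security-plan": root}


def round_trip(ssp_doc):
    """Split into a temporary directory and reassemble.
    Returns (lossless, number_of_files_written)."""
    with tempfile.TemporaryDirectory() as work_dir:
        files = split_ssp(ssp_doc, work_dir)
        return assemble_ssp(work_dir) == ssp_doc, len(files)


if __name__ == "__main__":
    ok, count = round_trip(SAMPLE_SSP)
    print(f"round trip lossless: {ok}, files written: {count}")
```

The round trip is the property worth checking whenever a split layout changes: every section file plus the trimmed root must reassemble to a document equal to the original, or edits made in the small files will silently drop out of the final SSP.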

Templates:

The following templates are included in the Docker image:

profiles/lato

A profile representing the set of controls covered by a GSA LATO SSPP.

component-definitions/cloud_gov

A Component Definition representing the Cloud.gov CRM.

component-definitions/devtools_cloud_gov

A set of testable best practices for running applications on cloud.gov. This component integrates with Auditree and c2p to generate compliance results.

catalogs/nist800-53r5

A copy of the full NIST 800-53 revision 5 catalog.

catalogs/lato

A resolved catalog of just the NIST 800-53r5 controls that are used by the LATO profile.

Development

Updating templates:

Run the trestle image locally through Docker Compose:

docker compose run cli bash

Use compliance-trestle commands within the /app/templates directory to make the required changes.

The /app/docs directory can be used as a scratch area for any temporary trestle tests.

Updating the Docker image:

  1. Make required changes to the Dockerfile
  2. Push to GitHub and create a PR
  3. On merging to main, a new Docker image will be built, tagged, and pushed to the GitHub container registry.

Each published image will be tagged with:

  1. latest
  2. The publication date: YYYYMMDD
  3. The branch it was created on: main
  4. The short git sha: sha-c9f60e2

docker-trestle's Issues

Security Policy violation Branch Protection

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch main
Signed commits required, but not enabled for branch: main

Issue created by GSA-TTS Allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Automate releases

As a developer, I would like a new release tagged, built, and published on each merge to main so that I don't forget to release exciting new features.

Exceptions:

  • changes that only update README.md do not require a release.

AC:

  • Merge to main builds the new docker image, tags it with the date, and pushes it to ghcr.io/gsa-tts/trestle

follow on work:

Deduplicate generate/assemble options

Shared options between generate-ssp-markdown and assemble-ssp-json must be given identically.

As a developer, I want to specify these options in a config file
So that I can keep them correct and consistent.

All markdown files can be included into the OSCAL SSP model as appropriate

Existing tooling does not break non-control content out into markdown files.

As a developer, I want to have tooling to write all descriptions in markdown files, so that I can avoid doing any JSON editing when putting together my SSPP.

Acceptance criteria:

  • A markdown folder and document structure can be created to put content into
  • That markdown can be automatically pulled back into the OSCAL SSP model in the appropriate fields.

Simplify component definition use and tooling

Figure out how to best import leveraged SSPs and/or components (moving to level 2 of the ATO-as-code maturity model).

As a developer, I want to easily import inherited controls from my providers, so I can cleanly represent who is responsible for what in my SSPP

Notes:

  • In previous use of trestle, you could just add ### Cloud.gov to the control markdown to document what cloud.gov was responsible for. That was nice in that it kept the markdown clean, but also terrible because it required a lot of copy/paste. Now, doing that without specifying an actual Component Definition results in an error about the missing CD.
  • Open question: is a "Leveraged SSP" actually the model we should be using here?

Acceptance Criteria:

  • A basic component definition exists for cloud.gov that speaks at least to the LATO controls
  • A new SSPP can utilize that CD easily

Security Policy violation SECURITY.md

This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/GSA-TTS/docker-trestle/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.


Simple gap analysis script

As a devsecops user, I want a simple cli interface to see what controls have been implemented and which still need to be addressed, so I know where to focus my efforts next.
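One way the gap analysis asked for in this issue could be implemented, as an added example that is not part of the issue or of the project's tooling: it reads the control ids a profile selects (assumed to be listed under imports[].include-controls[].with-ids) and compares them with the implemented-requirements in an SSP, counting a requirement as addressed only when some by-component description under it is non-blank. The profile, SSP and uuids below are constructed sample data.

```python
"""Gap analysis over OSCAL JSON: which profile-selected controls does the
SSP address, which are empty placeholders, and which are absent?

Added example; not the project's own script. Assumes the profile lists its
controls via imports[].include-controls[].with-ids and that implementation
text lives in by-components[].description (directly on the requirement or
inside its statements)."""
import json
import sys

# Constructed sample profile: five controls selected from the 800-53 catalog.
SAMPLE_PROFILE = {
    "profile": {
        "imports": [
            {
                "href": "catalogs/nist800-53r5/catalog.json",
                "include-controls": [
                    {"with-ids": ["ac-1", "ac-2", "ac-2.1", "au-2", "ir-4"]}
                ],
            }
        ]
    }
}

COMPONENT_UUID = "00000000-0000-4000-8000-0000000000aa"  # constructed

# Constructed sample SSP: ac-1 is described at the requirement level, ac-2 at
# the statement level, au-2 is an empty placeholder, and sc-7 is not selected
# by the profile at all.
SAMPLE_SSP = {
    "system-security-plan": {
        "control-implementation": {
            "implemented-requirements": [
                {
                    "control-id": "ac-1",
                    "by-components": [
                        {"component-uuid": COMPONENT_UUID,
                         "description": "Policy reviewed annually."}
                    ],
                },
                {
                    "control-id": "ac-2",
                    "statements": [
                        {
                            "statement-id": "ac-2_smt.a",
                            "by-components": [
                                {"component-uuid": COMPONENT_UUID,
                                 "description": "Accounts are managed in the IdP."}
                            ],
                        }
                    ],
                },
                {
                    "control-id": "au-2",
                    "statements": [
                        {
                            "statement-id": "au-2_smt.a",
                            "by-components": [
                                {"component-uuid": COMPONENT_UUID, "description": "   "}
                            ],
                        }
                    ],
                },
                {
                    "control-id": "sc-7",
                    "by-components": [
                        {"component-uuid": COMPONENT_UUID,
                         "description": "Boundary enforced by the platform."}
                    ],
                },
            ]
        }
    }
}


def profile_control_ids(profile_doc):
    """Set of control ids selected by every import in the profile."""
    ids = set()
    for imp in profile_doc["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.update(inc.get("with-ids", []))
    return ids


def _has_text(req):
    """True when any by-component under the requirement has a non-blank description."""
    holders = [req] + req.get("statements", [])
    return any(
        bc.get("description", "").strip()
        for holder in holders
        for bc in holder.get("by-components", [])
    )


def gap_report(profile_doc, ssp_doc):
    """Bucket the profile's controls by how the SSP handles them."""
    selected = profile_control_ids(profile_doc)
    reqs = (ssp_doc["system-security-plan"]
            .get("control-implementation", {})
            .get("implemented-requirements", []))
    present = {r["control-id"] for r in reqs}
    addressed = {r["control-id"] for r in reqs if _has_text(r)}
    return {
        "implemented": sorted(selected & addressed),
        "empty": sorted((selected & present) - addressed),
        "missing": sorted(selected - present),
        "extra": sorted(present - selected),
    }


def main(argv):
    if len(argv) != 3:
        print("usage: gap.py PROFILE.json SSP.json", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        profile_doc = json.load(fh)
    with open(argv[2], encoding="utf-8") as fh:
        ssp_doc = json.load(fh)
    report = gap_report(profile_doc, ssp_doc)
    for bucket, ids in report.items():
        print(f"{bucket} ({len(ids)}): {', '.join(ids) or '-'}")
    # Non-zero exit when work remains, so the check can gate a CI step.
    return 0 if not (report["missing"] or report["empty"]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gap.py profiles/lato/profile.json system-security-plans/SYSTEM_NAME/system-security-plan.json` from the trestle root; the "extra" bucket is worth reviewing too, since controls implemented but not selected by the profile usually mean the wrong profile was used when generating the markdown.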

Bundle OSCAL viewer into image

Look into what it would take to bundle the Easy Dynamics OSCAL viewer into the image for a slightly nicer viewing experience.
