new feature: create OSCAL json report from compliance operator evidence #50

degenaro · 2021-01-29T18:06:42Z

Tick to sign-off your agreement to the Developer Certificate of Origin (DCO) 1.1

What

Transform Kubernetes compliance operator evidence from cluster_resource fetcher into a NIST OSCAL Assessment Results collection of Observations in JSON format.

Why

Rationale: standardized version of evidence for multi-cloud and to facilitate creation of NIST OSCAL Assessment Results.

How

Write a harvest report compliance_oscal_observations that consumes cluster_resource.json evidence and optional oscal-metadata.yaml to produce compliance_oscal_observations.json.

Test

Ensure check results summary filename property is set.
Ensure proper handling of no cluster_resource content.
Ensure proper report creation.
Ensure proper report creation with oscal metadata.
Test no 'resources' found.
Test no 'kind' found.
Test no 'ConfigMap' found.
Test no 'data' found.
Test no 'results' found.
Test no 'metadata' found.
Test no 'name' found.

Context

49

alfinkel

There's over 1000 lines of content here. This should really be pared down to a series of smaller PRs and/or see about making your test fixtures a bit less verbose. Our general guideline is to keep PRs under 500 lines of overall content.

Your commits also need to be signed.

Improved doc string, comprising report --details. spit & polish. spit & polish. Support optional config parameters --start and --end copyright remove test fixtures README reduce LOCs README original README report README merge 0.11.0

degenaro · 2021-02-17T21:46:11Z

Content pretty close to 500 lines now. Commits signed.

alfinkel · 2021-03-03T17:35:44Z

CHANGES.md

@@ -1,3 +1,7 @@
+# [0.11.0](https://github.com/ComplianceAsCode/auditree-arboretum/releases/tag/v0.11.0)
+
+- [ADDED] Kubernetes resources report added.


Suggested change

- [ADDED] Kubernetes resources report added.

- [ADDED] Kubernetes Compliance OSCAL Observations harvest report added.

Updated as suggested.

alfinkel · 2021-03-03T17:39:44Z

arboretum/kubernetes/README.md

+   ```
+
+[compliance-oscal-observations]: https://github.com/ComplianceAsCode/auditree-arboretum/blob/main/arboretum/kubernetes/reports/compliance_oscal_observations.py
+[fetch-cluster-resource]: https://github.ibm.com/auditree/auditree-central/blob/master/auditree_central/provider/iks/fetchers/fetch_cluster_resource.py


broken link

Two broken links fixed.

alfinkel · 2021-03-03T17:45:23Z

arboretum/kubernetes/README.md

+    * A report is generated comprising a collection of observations, one for each [XCCDF][xccdf] rule/result pair discovered in the `cluster_resource.json` files with respect to the optional date range. Each observation may be enhanced in accordance with an optional `oscal_metadata.yaml` file.
+* Data files required:
+    * `raw/kubernetes/cluster_resource.json`, created by the kubernetes provider [ClusterResourceFetcher][fetch-cluster-resource].
+* Data files optional:
+    * `raw/kubernetes/oscal_metadata.json`, planted by the kubernetes provider account administrator.


Is the oscal_metadata.yaml different from the raw/kubernetes/oscal_metadata.json?

Does whichever file that is going to be planted in the locker need to be treated as evidence? Planting it in the locker implies that it is auditable and will be treated as evidence with a time to live setting.

There are the 2 files: cluster_resource.json and oscal_metadata.json. They go hand-in-hand. The latter is metadata about the former. If the inventory (e.g. name: ssg-ocp4-ds-cis-10.221.139.105-pod) of the former former adds/deletes/modifies a name, then the latter should change accordingly.

alfinkel · 2021-03-03T18:19:28Z