Epic
Resolution: Done
Blocker
cis-profile-automation
To Do
0% To Do, 0% In Progress, 100% Done
Approved
OCP/Telco Definition of Done
Epic Goal
The goal of this epic is to develop tools in the ComplianceAsCode/content repository that read benchmarks and generate OpenSCAP profiles from them.
Why is this important?
Currently, we maintain profiles manually, which includes copy/pasting content from benchmarks in PDF format. This process doesn't scale when we need to update profiles, or add support for new profiles.
CIS Workbench allows partners (Red Hat is one, through IBM's CIS partnership) to download CIS benchmarks in XLSX format. This is a better option than PDFs because XLSX is at least machine-readable, so we can build tooling on it for creating and maintaining profiles.
Automation should make it easier for us to maintain existing profiles when CIS updates them. It should also make it easier to support additional profiles offered by CIS.
Depending on the input format we decide to target (XLSX or OSCAL), we may be able to re-use this tooling for other profiles, like NIST 800-53.
Scenarios
- As an engineer, I want to pass an OpenShift or Kubernetes CIS benchmark to a tool that generates the YAML from which an OpenSCAP profile is built.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- The tool must generate an OpenSCAP profile from a machine-readable format (e.g., XLSX or OSCAL)
- The tool must be idempotent: running it multiple times with the same input must produce the same result
- The tool must have documentation written for engineers that explains how to use it
- The tool must leave room for engineers to map generated controls to pre-existing rules
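The scenario and acceptance criteria above describe a converter that is deterministic and that keeps the control-to-rule mapping under the engineer's control. The following is an added example sketching that shape; it is not the tool the epic tracks or any code from ComplianceAsCode/content. Assumptions: the benchmark export has the columns "Recommendation #", "Title", "Profile" and "Assessment Status" (a constructed stand-in for the CIS Workbench XLSX export, read here from CSV so it runs without openpyxl; the row titles are illustrative), and the output is a simplified form of a controls file (controls: with id, title, levels, status, rules per entry). Controls are sorted by recommendation id so the output does not depend on row order, and rules already assigned in a previous output are carried over, so regeneration after a benchmark update does not discard manual matches.

```python
"""Turn a CIS benchmark export into a simplified controls file, deterministically,
while preserving hand-made rule matches. Added example, not the project's tool."""
import csv
import io
import json
import re

# Constructed sample rows standing in for a CIS Workbench XLSX export (read as CSV
# here to avoid an openpyxl dependency). Titles are illustrative, not benchmark text.
SAMPLE_EXPORT = """Recommendation #,Title,Profile,Assessment Status
1.1.1,Ensure that the API server pod specification file permissions are set to 644 or more restrictive,Level 1,Automated
1.1.2,Ensure that the API server pod specification file ownership is set to root:root,Level 1,Automated
1.2.1,Ensure that the --anonymous-auth argument is set to false,Level 1,Manual
1.1.10,Ensure that the Container Network Interface file permissions are set to 644 or more restrictive,Level 2,Manual
"""


def parse_export(text):
    """Read the export rows into dicts keyed by column header (assumed column names)."""
    return list(csv.DictReader(io.StringIO(text)))


def natural_key(control_id):
    """Sort '1.1.10' after '1.1.2'; ids are assumed to be dotted integers."""
    return tuple(int(part) for part in control_id.split("."))


def build_controls(rows):
    """Map export rows to control entries with an empty rules list for manual matching."""
    controls = []
    for row in rows:
        levels = ["level_" + n for n in re.findall(r"Level\s*(\d)", row["Profile"])]
        controls.append({
            "id": row["Recommendation #"].strip(),
            "title": row["Title"].strip(),
            "levels": levels,
            "status": row["Assessment Status"].strip().lower(),  # automated / manual
            "rules": [],
        })
    # Sorting by id makes the output independent of the row order in the export.
    return sorted(controls, key=lambda c: natural_key(c["id"]))


def extract_rules(controls_yaml):
    """Recover id -> rules from a file written by render_yaml (that subset of YAML only)."""
    rules, current = {}, None
    for line in controls_yaml.splitlines():
        id_match = re.match(r'^\s*- id: "([^"]+)"$', line)
        if id_match:
            current = id_match.group(1)
            rules[current] = []
            continue
        rule_match = re.match(r"^\s{6}- (\S+)$", line)  # only rule entries use this indent
        if rule_match and current is not None:
            rules[current].append(rule_match.group(1))
    return rules


def merge_rules(controls, previous_yaml):
    """Carry rules assigned in a previous output onto the freshly generated controls.
    Controls that no longer exist in the benchmark are dropped along with their rules."""
    previous = extract_rules(previous_yaml) if previous_yaml else {}
    for control in controls:
        control["rules"] = previous.get(control["id"], [])
    return controls


def render_yaml(controls):
    """Emit the controls file; titles are JSON-quoted, which is valid YAML."""
    out = ["controls:"]
    for c in controls:
        out.append(f'  - id: "{c["id"]}"')
        out.append(f"    title: {json.dumps(c['title'])}")
        out.append(f"    levels: [{', '.join(c['levels'])}]")
        out.append(f"    status: {c['status']}")
        if c["rules"]:
            out.append("    rules:")
            out.extend(f"      - {rule}" for rule in c["rules"])
        else:
            out.append("    rules: []")
    return "\n".join(out) + "\n"


def generate(export_text, previous_yaml=None):
    """Export -> controls -> merge previous matches -> controls YAML."""
    controls = merge_rules(build_controls(parse_export(export_text)), previous_yaml)
    return render_yaml(controls)


if __name__ == "__main__":
    print(generate(SAMPLE_EXPORT))
```

Running `generate` twice on the same export yields byte-identical output, and feeding the previous output back as `previous_yaml` is what lets an engineer fill in `rules:` by hand and then re-run the tool when CIS publishes a benchmark revision.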
Dependencies (internal and external)
- We depend on CIS Workbench: we must be able to obtain the benchmarks in a machine-readable format
Previous Work (Optional):
- …
Open questions:
- How should we maintain CIS profiles moving forward?
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>