oscal-compass/e2e-demo

End-to-end Demo - CNCF OSCAL Compass

Overview

This end-to-end demo shows the use of CNCF OSCAL Compass compliance-trestle and agile-authoring for (continuous) compliance standardization and automation.

Reference: compliance-to-policy-go

Catalog

repo

  • Shown is NIST 800-53, which is already available in OSCAL format.
  • The present repo is used as the "source" for dependent repos needing this catalog.

Note: In some cases, the OSCAL format of a catalog is not available. In such circumstances, the Catalog repo itself can be used to do the transformation from the original source format into OSCAL using compliance-trestle and agile-authoring tools.

Profile

repo

  • Shown are selected controls from the NIST 800-53 catalog.
  • Use markdown editing to add guidance and assemble a revised OSCAL profile.

Component Definition

repo

  • Comprises 2 parts:
    • Ubuntu software component definition
    • OSCO validation component definition

System Security Plan

repo

  • Shown is a selected SSP comprising the Ubuntu component definition.
  • Use markdown editing to add guidance and assemble a revised OSCAL SSP.

Mapping

repo

  • Shown is a future mapping model for re-using NIST 800-53 results to derive posture for other compliance programs, such as HIPAA, GDPR, FedRAMP, SOC 2, ...

Compliance posture

repo

  • Repo comprises the compliance posture for the Ubuntu system.

XCCDF Results for Ubuntu (e.g. evidence locker)

repo

  • Repo comprises the XCCDF results for the Ubuntu system.


Videos CNCF OSCAL Compass

  • CNCF OSCAL Compass Introduction (44 mins)
  • CNCF OSCAL Compass End-to-End Demo (15 mins)


Demo CNCF OSCAL Compass

Demo Part 1 - CNCF OSCAL Compass: Agile Authoring

Why agile authoring?

image

Terminology

| Artifact | What it means |
| --- | --- |
| Catalog | Externally published list of control specifications |
| Profile | Add, modify, delete controls from a catalog. Two or more catalogs can also be combined in a profile |
| Component definition | Describes how hardware, software, services, policies, processes, or procedures can support or provide implementations of specific controls, acting as a modular and reusable model for capturing control information |
| SSP | Represents a description of the control implementation of an information system |

Agile Authoring Key Points

image

How do I leverage the demo?

The agile authoring demo leverages native git features such as git repositories, pull requests, branches and GitHub Actions to build a git-based pipeline that transforms and builds a domino chain of compliance artifacts. There are a couple of ways you can leverage agile authoring:

  1. Clone the repositories in the oscal-compass organization.
  2. The repositories can be added to your organization.
  3. You will need to add a secret to the GitHub workflow that has write access to all the repositories. The secret variable name should be PUSH_TOKEN.
  4. You can then modify/add/delete compliance artifacts and see the cascading updates according to the agile authoring workflow.
  5. The cascade will be in the form of git branches and PRs according to the agile authoring workflows.

Demo Part 2 - CNCF OSCAL Compass: automated compliance posture

This demo shows how OSCAL Compass can be used for compliance posture automation. The compliance posture for a subject VM is computed and displayed.

In preparation, the prerequisite OSCAL documents were created. Starting in the Compliance-As-Code domain:

  • the NIST 800-53 catalog comprising all controls for that program is kept locally in a Git repo, managed by OSCAL Compass agile authoring
  • a selection of controls is specified in the profile Git repo, managed by OSCAL Compass agile authoring
  • a selection of rules and checks is specified in the component definition Git repo, managed by OSCAL Compass agile authoring
    • the rules are specified in the software component definition
    • the checks are specified in the validation component definition

Moving to the Policy-As-Code domain, this comprises the demo:

  • an Ubuntu VM is provisioned and started
  • OSCAL Compass C2P is employed to push a tailored oscap profile to the Ubuntu VM
    • the oscap profile is constructed from the validation OSCAL Component Definition
  • OSCAL Compass C2P is employed to pull oscap xccdf results from the Ubuntu VM
  • OSCAL Compass trestle is employed to convert the oscap xccdf results into OSCAL Assessment Results
  • OSCAL Compass trestle is employed to produce compliance posture from OSCAL Component Definitions and Assessment Results
  • the compliance posture for the Ubuntu VM is displayed in the default browser
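
The roll-up step described above (oscap XCCDF rule results mapped through the validation component definition's rule-to-control mapping to obtain per-control posture), as an added Python example; this is not the demo's or compliance-trestle's own code, and the XCCDF fragment, rule ids and control mapping are constructed placeholders. It also surfaces rules that have no control mapping, which would otherwise drop silently out of the posture.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, minimal XCCDF 1.2 TestResult (not real oscap output); placeholder rule ids.
XCCDF_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_demo_benchmark">
  <TestResult id="xccdf_demo_testresult_1">
    <rule-result idref="xccdf_demo_rule_sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_demo_rule_sshd_set_idle_timeout"><result>fail</result></rule-result>
    <rule-result idref="xccdf_demo_rule_accounts_password_minlen"><result>pass</result></rule-result>
    <rule-result idref="xccdf_demo_rule_audit_login_events"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_demo_rule_unmapped_check"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

# Constructed stand-in for the rule-to-control mapping held by the validation component definition.
RULE_TO_CONTROLS = {
    "xccdf_demo_rule_sshd_disable_root_login": ["ac-6", "ia-2"],
    "xccdf_demo_rule_sshd_set_idle_timeout": ["ac-12"],
    "xccdf_demo_rule_accounts_password_minlen": ["ia-5"],
    "xccdf_demo_rule_audit_login_events": ["au-2"],
}

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}


def parse_rule_results(xml_text):
    """Return {rule_id: result} for every rule-result under the TestResult."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext("x:result", "unknown", NS)
            for rr in root.iterfind(".//x:TestResult/x:rule-result", NS)}


def compliance_posture(rule_results, rule_to_controls):
    """Roll rule outcomes up to controls: any fail/error fails the control, otherwise one
    pass passes it, otherwise not-applicable. Unmapped rules are returned separately."""
    per_control, unmapped = defaultdict(list), []
    for rule_id, result in rule_results.items():
        controls = rule_to_controls.get(rule_id)
        if not controls:
            unmapped.append(rule_id)
        for control in controls or []:
            per_control[control].append(result)
    posture = {}
    for control, results in per_control.items():
        if any(r in ("fail", "error") for r in results):
            posture[control] = "fail"
        elif "pass" in results:
            posture[control] = "pass"
        else:
            posture[control] = "not-applicable"
    return posture, unmapped
```

Real oscap output is much larger and would be loaded from the pulled results file instead of the inline string.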

Prerequisites

Fetch the compliance-posture repo and launch:

```shell
cd /tmp
git clone https://github.com/oscal-compass/e2e-demo-compliance-posture.git
cd e2e-demo-compliance-posture/
make demo
```

The first time make demo is run, an Ubuntu VM is created and started. Then OSCAL Compass is used to:

  • push the oscap profile to the VM
  • pull the oscap xccdf results from the VM
  • convert the oscap xccdf results into OSCAL Assessment Results
  • use the OSCAL Assessment Results and Component Definitions to calculate the compliance posture
  • display the VM compliance posture in the browser

Subsequent invocations of make demo will utilize the already running VM.

```shell
make clean-up
```

Run make clean-up when finished to shut down the VM.

Notes

  1. If the results don't pop up in a browser window, then manually open file:///tmp/e2e-demo-compliance-posture/README.md with your browser.

  2. If the results don't preview in your Chrome browser, consider installing Markdown Viewer Extension. You may have to enable the extension to access files.

enable extension screen shot


Example configuration employing C2P (from Git repo)
Example 1


Example configuration employing Git repo as a substitute for the VM
Example 2
