kube-oscal-catalog

Kube OSCAL catalog

overview

This repo comprises the CIS Kubernetes Benchmark v1.7.0 as an OSCAL catalog.

This repo is managed using the open source project compliance-trestle. The initial catalog in OSCAL json format was created using the trestle task ocp4-cis-profile-to-oscal-catalog command. Transformations between the markdown documents and the corresponding OSCAL catalog.json are managed by the trestle automation scripts, which employ trestle core commands.

The catalog.

Example markdown.
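To see what the catalog.json holds, here is an added example (not code from this repo or from trestle) that walks an OSCAL catalog's nested groups and controls, flattens them into rows, and checks that control ids are unique after a markdown-to-catalog round trip. The sample catalog embedded below is constructed to mimic the CIS section layout; its ids and titles are illustrative, not the real benchmark's.

```python
import json
from typing import Iterator

# Constructed sample in OSCAL catalog shape: groups nest groups, groups
# hold controls, and a control may hold child controls.
SAMPLE_CATALOG = json.dumps({"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000000",
    "metadata": {"title": "Sample CIS-style catalog", "version": "1.7.0"},
    "groups": [
        {"id": "cis-1", "title": "Control Plane Components", "groups": [
            {"id": "cis-1.1", "title": "Configuration Files", "controls": [
                {"id": "cis-1.1.1", "title": "Sample control A",
                 "props": [{"name": "profile", "value": "Level 1"}]},
                {"id": "cis-1.1.2", "title": "Sample control B"}]}]},
        {"id": "cis-4", "title": "Worker Nodes", "controls": [
            {"id": "cis-4.1", "title": "Sample control C",
             "controls": [{"id": "cis-4.1.1", "title": "Sample child D"}]}]}]}})


def iter_controls(node: dict, path: tuple = ()) -> Iterator[tuple[tuple, dict]]:
    """Yield (group_path, control) for every control under a catalog or
    group node, descending into nested groups and child controls."""
    for group in node.get("groups", []):
        yield from iter_controls(group, path + (group["id"],))
    for control in node.get("controls", []):
        yield path, control
        # child controls keep the enclosing group's path
        yield from iter_controls({"controls": control.get("controls", [])}, path)


def flatten_catalog(doc: str) -> list[dict]:
    """Return one row per control: id, title, slash-joined group path, props."""
    catalog = json.loads(doc)["catalog"]
    rows = []
    for group_path, ctl in iter_controls(catalog):
        props = {p["name"]: p["value"] for p in ctl.get("props", [])}
        rows.append({"id": ctl["id"], "title": ctl.get("title", ""),
                     "group": "/".join(group_path), "props": props})
    return rows


def duplicate_ids(rows: list[dict]) -> list[str]:
    """Control ids must be unique in an OSCAL catalog; report any repeats."""
    seen, dups = set(), []
    for row in rows:
        if row["id"] in seen and row["id"] not in dups:
            dups.append(row["id"])
        seen.add(row["id"])
    return dups
```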

agile authoring

markdown

The trestle Agile Authoring process facilitates management of the OSCAL json via the GIT managed lifecycle of markdown documents. The process employs GIT with trestle automation scripts as follows:

  1. check-out a markdown document, representing one part of the OSCAL catalog
  2. modify the markdown
  3. check-in the markdown document, and create a pull request for review
  4. once reviewed and approved, the markdown is employed to render a revised OSCAL catalog via the automation scripts in the repo

initial OSCAL catalog.json and markdown (one time setup)

initialize

Before agile authoring can occur, the following steps were used to create the initial OSCAL catalog and markdown in this repo:

  1. Clone the kubernetes catalog repo
  2. Install compliance-trestle into a virtual environment
  3. Download CIS_Kubernetes_Benchmark_v1.7.0.xlsx into kubernetes catalog data folder: visit cisecurity.org
  4. Run: trestle task cis-xlsx-to-oscal-catalog -c data/cis-xlsx-ocp-to-oscal-catalog.config
  5. Push the catalog.json into the repo
  6. The trestle automation creates the markdown

initial repo setup and population (one time setup)

template

Before the initial OSCAL catalog.json and markdown can be created, the following steps were used to set up the repo:

  1. Create a repo
  2. Configure the repo by including a GIT_TOKEN (see repo customization below) and setting up teams and people if desired
  3. Download a template repo (for example this one)
  4. Update the automation scripts (see automation scripts customizations below)
  5. Populate the repo

repo customization

Settings -> Secrets and variables -> Actions

  • Add the repository secret GIT_TOKEN with your personal token created here
  • Be sure the token has the workflow scope checked

automation scripts customizations

The following scripts in the scripts automation folder were customized as follows.

check_and_update_all.sh
  • trestle task cis-xlsx-to-oscal-catalog -c data/cis-xlsx-ocp-to-oscal-catalog.config
  • remote=https://$GIT_TOKEN@github.com/ComplianceAsCode/kube-oscal-catalog
update_profile.sh
  • export COMMIT_BODY="Sync catalogs with kube-oscal-catalog repo"
  • cd kube-oscal-profile
  • remote=https://$GIT_TOKEN@github.com/ComplianceAsCode/kube-oscal-profile