GSA-TTS / docker-trestle

Docker image and supporting scripts and templates for running compliance-trestle

TTS Dockerized Compliance Trestle

This repository contains the source code for the ghcr.io/gsa-tts/trestle Docker image and OSCAL models to be used by that image.

Image Use:

General workflow:

  1. Download trestle image and run CLI
  2. Create the files for a given SSPP
  3. Do in a loop:
    1. Edit control statements within markdown files
    2. Assemble markdown contents into a provisional OSCAL SSP
    3. Edit other sections of the SSPP within the smaller json files
  4. Assemble everything into a final OSCAL SSP (TODO: within a CI workflow)

Pull down the trestle image and initialize a compliance trestle project

Prerequisite: $(pwd)/compliance directory exists and is where you want to store all compliance artifacts

docker pull ghcr.io/gsa-tts/trestle
docker run -it --rm -v $(pwd)/compliance:/app/docs ghcr.io/gsa-tts/trestle bash

All other usage commands assume you are operating within the docker container.

Create Control Statement Markdown Files

If you are using a profile that isn't shipped with the image, you must import it first.

If you are utilizing Component Definitions, you must import and/or create them first.

generate-ssp-markdown -p PROFILE_NAME [-c COMP_DEF_NAMES]

Assemble SSP JSON from Markdown

assemble-ssp-json -n SYSTEM_NAME [-c COMP_DEF_NAMES]

This step will create system-security-plans/SYSTEM_NAME/system-security-plan.json as well as smaller JSON files within system-security-plans/SYSTEM_NAME/system-security-plan/ for editing.

This script should be given the same list of Component Definitions that was passed to generate-ssp-markdown.

Final SSP Assembly

trestle assemble -n SYSTEM_NAME system-security-plan
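As an added post-assembly check (this is not a script shipped in the image or in this repository): compare the control ids that the profile selects against the implemented-requirements in the assembled OSCAL SSP, so that a control whose markdown statement was never filled in shows up before the final assembly is committed. The sample profile and SSP below are constructed in OSCAL JSON shape; the on-disk helper assumes trestle's profiles/PROFILE_NAME/profile.json layout.

```python
import json
from pathlib import Path

# Constructed sample documents in OSCAL JSON shape (not the image's real templates).
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "constructed profile", "version": "1"},
    "imports": [{"href": "trestle://catalogs/nist800-53r5/catalog.json",
                 "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1"]}]}]}})

SSP_JSON = json.dumps({"system-security-plan": {
    "uuid": "22222222-2222-4222-8222-222222222222",
    "control-implementation": {"description": "constructed",
        "implemented-requirements": [
            {"uuid": "33333333-3333-4333-8333-333333333333", "control-id": "ac-1"},
            {"uuid": "44444444-4444-4444-8444-444444444444", "control-id": "ac-2"}]}}})


def load_samples() -> tuple[dict, dict]:
    """Parse the constructed sample profile and SSP."""
    return json.loads(PROFILE_JSON), json.loads(SSP_JSON)


def profile_control_ids(profile_doc: dict) -> set[str]:
    """Collect every control id the profile selects explicitly via with-ids.
    A profile using include-all needs the resolved catalog instead; flag it."""
    ids: set[str] = set()
    for imp in profile_doc["profile"].get("imports", []):
        if "include-all" in imp:
            raise ValueError("profile uses include-all; resolve against the catalog")
        for selector in imp.get("include-controls", []):
            ids.update(selector.get("with-ids", []))
    return ids


def ssp_control_ids(ssp_doc: dict) -> set[str]:
    """Control ids that have an implemented-requirement entry in the SSP."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return {req["control-id"] for req in impl.get("implemented-requirements", [])}


def missing_controls(profile_doc: dict, ssp_doc: dict) -> list[str]:
    """Controls the profile selects but the SSP never implements."""
    return sorted(profile_control_ids(profile_doc) - ssp_control_ids(ssp_doc))


def check_workspace(root: Path, profile_name: str, system_name: str) -> list[str]:
    """Run the check on a trestle root; profile.json path is an assumed layout."""
    profile = json.loads((root / "profiles" / profile_name / "profile.json").read_text())
    ssp_path = root / "system-security-plans" / system_name / "system-security-plan.json"
    return missing_controls(profile, json.loads(ssp_path.read_text()))


if __name__ == "__main__":
    print("missing:", missing_controls(*load_samples()))  # missing: ['ac-2.1']
```

Run it from the trestle root before the final trestle assemble; a non-empty list means at least one selected control has no statement in the assembled SSP.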

Import profile into working space:

If you are using a PROFILE_NAME that does not ship with this docker container then you must first manually import it using:

trestle import -f PROFILE_URL -o PROFILE_NAME

Once that is done you can go back to the generate-ssp-markdown step.

Import Component Definition into working space:

To import a component that ships with this docker container: copy-component -n COMPONENT_NAME

To import a component that is available from a URL: copy-component -n COMPONENT_NAME -u COMPONENT_URL

Create Component Definition

create-component -n COMPONENT_NAME

And then edit the created files to contain the component definition.

Split SSP into manageable files

This step is automatically handled by the assemble-ssp-json script as long as that script is run from the trestle root.

split-ssp system-security-plans/SYSTEM_NAME/system-security-plan.json

Templates:

The following templates are included in the Docker image:

profiles/lato

A profile representing the set of controls covered by a GSA LATO SSPP.

component-definitions/cloud_gov

A Component Definition representing the Cloud.gov CRM.

catalogs/nist800-53r5

A copy of the full NIST 800-53 revision 5 catalog.

catalogs/lato

A resolved catalog of just the NIST 800-53r5 controls that are used by the LATO profile.

Development

Updating templates:

Run the trestle image locally through Docker Compose:

docker compose run cli bash

Use compliance-trestle commands within the /app/templates directory to make the required changes.

The /app/docs directory can be used as a scratch area for any temporary trestle tests.

Updating the Docker image:

  1. Make required changes to the Dockerfile
  2. Build the image: docker build -t ghcr.io/gsa-tts/trestle .
  3. Tag with a datestamp: docker tag ghcr.io/gsa-tts/trestle ghcr.io/gsa-tts/trestle:YYYYMMDD
  4. Push the new tag to Docker Hub: docker push ghcr.io/gsa-tts/trestle:YYYYMMDD
