Open drsm79 opened 4 years ago
1) In terms of the steps above under the assessment plan I think step 2.1 would be validate the assessment plan.
Assessment plan validation in this context would be non-trivial - in that you may want to validate the underlying integrity of the associated SSP / component definition** / profile and potentially underlying catalogs.
I think this will be important for a number of reasons.
If this is the case the validation may make sense to sit in an external tool (perhaps running in conjunction with plant).
If the above statement is a given - I think it would make sense to run the validation as an external tool.
The principle challenge in use of OSCAL is the (despite OSCAL's complexity) relatively simple structure which is supported by the parameters and/or property values: Only string values
At a first pass this seems extreme, however, OSCAL provides, with each value, 3 scoping / constraining elemenents: ns
, class
and name
With these constrains I believe we could configure most current scenarios for auditree. name
none of the above elements are required to be unique so lists could occur through group by style operation.
In terms of config vs OSCAL:
** in the case where a full SSP exists a component definition is unlikely to be needed to generated / used by Auditree
re. validation - yeah, I think a check (or set of checks) would make sense. Could do a few different things:
I think before we worry about flags etc (I think there are clear ways to add the functionality) the question of whether we should be configuring a run or more of the whole system from OSCAL (e.g. tekton run frequency). That might point to 'built into framework' or 'separate tool' a bit more clearly.
FWIW I think the OSCAL could replace the controls.json
, and be provided as an alternate switch to that, possibly allowing multiple (depending on which model is used - e.g. run my SOC2 assessment plan, and my ISO assessment plan, and my PCI assessment plan...). But, that's presupposing the interaction a bit.
I'll add more detail when i'm thinking clearly: The biggest issue I see here is operational / governance segregation. I'm wondering whether OSCAL should configure the objectives of auditree (aka the checks) and the associated fetchers; credentials should be delegated as an implementation detail for auditree.
Appreciate your thoughts - will reply my day time.
Definitely think creds should be held elsewhere:
Credential management will be a thing, especially in the more complete integration. Obviously creds should not be placed in the OSCAL files, but maybe names/references to them could be (to then be retrieved from Vault or sealed secrets).
Agree there's a scope/ease question around other parameters. Should OSCAL be used just to configure which fetchers/checks are run, with the config repo holding the actual configuration (which is a bit weird) or should it configure the fetchers/checks fully? If the latter, does that make updates awkward?
So the concern I would have is that i'm not sure how often an organisation will want to mess with the upstream OSCAL object.
For example if we assume for a second the profile
is storing the configuration of parameters - I would expect that this could become a velocity issues as I would imagine profile changes may need quite rigorous review. (i.e. I think everything in OSCAL could get very awkward).
An in-between might be that from OSCAL you may refer to specific URI's for configuration information for a fetch - which might allow you to keep the content bundled with a profile - or let it default to standard auditree locations. This is getting even messier thought.
Right, so some kind of reference ("my configuration is in git://foo/bar/config.git") and version?
I think so. To me that makes sense. In the end at some point you move from 'Governance' land to 'ops' land. I think this is that method. It also allows us to hide 'non-compliance relevant' configuration to keep the OSCAL cleaner.
Overview
NISTs OSCAL is a public standard used for describing controls, implmentations, systems and their assessment. We have done IBM internal POC work to confirgure Auditree from OSCAL files. This is about how to bring that into the open source project.
Requirements
You could image a tool that goes the other way (from an Auditree configuration to an OSCAL file). That's interesting, and might help with adoption of OSCAL, but out of scope here.
Approach
We have a few potential approaches, depending on how & where in the life cycle we want to introduce OSCAL. There may be more than one approach used, depending on circumstance. This issue is to discuss & form a plan to go forward.
Component definition
Our current POC uses a component definition to turn on/off fetchers/checks. It does this by scanning the file for
control-implementations
wheretype
ismonitoring
, and then scanning the properties of the implementation for aauditree_{fetcher,check}_path
. This is then "grafted" onto the configuration repository to produce a full config.To facilitate this, running auditree becomes a three step process:
controls.json
from the component defintionThis has some useful properties:
However, it doesn't help much with configuring the broader Auditree system, for example is says nothing about how often Auditree itself should run (though could if Auditree was defined as a component) nor which Harvest reports are required.
SSP
I think this would look a lot like the component defintion, with the potential further constraint of a specified inventory.
Assessment plan
An assessment plan would allow for "bigger" configuration - for example configuring the frequency at which Auditree is run, or schedule Harvest reports as additional
assets
/assessment-activities
.I think the workflow would look like:
An assessment plan seems more idiomatic, too.
Considerations & open questions
Security and Privacy
Provide the impact on security and privacy as it relates to the completion of this issue. This level of detail may not be available at the time of issue creation and can be completed at a later time. N/A if not applicable.
Credential management will be a thing, especially in the more complete integration. Obviously creds should not be placed in the OSCAL files, but maybe names/references to them could be (to then be retrieved from Vault or sealed secrets).
Test Plan
Provide the test process that will be followed to adequately verify that the approach above satisfies the requirements provided. This level of detail may not be available at the time of issue creation and can be completed at a later time.