opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

email about the state of Compliance Masonry #1

Closed afeld closed 5 years ago

afeld commented 8 years ago

From the email:

[Company] has clients (or potentially has client) that would like to leverage opencontrol and compliance-masonry to speed up the ATO process. An example implementation might be running CF in AWS, and some apps on top of that. So one thing I'm working on is a HelloWorld-type app that demonstrates a complete SSP built up from various components.

The schema and tooling are great, but there are gaps more than a few areas of confusion. Before I dive in too deep on the schema or the Go code I should probably find out more where y'all are heading so we're not working at cross purposes.

Also of interest is the goal, per @NoahKunin, of "creating data structures that enable us to create continuous monitoring platforms". Some of the BDD examples are interesting, and I'd like to build on that with InSpec profiles that run against nodes or even the entire platform with inspec-aws. I'm also interested in how, potentially, Nessus scans are created and run as part of a pipeline.

So, that's what I'm up to. Are there any sources of information I should be tracking besides the repos and issues for opencontrol/compliance-masonry and opencontrol/schemas? I see that identity-idp has security committed in-place. Are there other examples that you'd recommend where this is happening?

afeld commented 8 years ago

So one thing I'm working on is a HelloWorld-type app that demonstrates a complete SSP built up from various components.

Fantastic! https://github.com/18F/compliance-toolkit/issues/12 is a good place to start.

The schema and tooling are great, but there are gaps more than a few areas of confusion. Before I dive in too deep on the schema or the Go code I should probably find out more where y'all are heading

Heh, yeah, you have every right to be confused. For context, we were building Masonry as a way to supplement cloud.gov, with the hope that it would be applicable more broadly. Masonry hasn't had a dedicated team in a month(?) or so, so the only work has been around getting what we need it to do for the cloud.gov FedRAMP process. This is why the information is a bit disorganized, and why the work has seemed to happen in fits and starts. We haven't really decided how much time 18F can dedicate to it in the near future—will bring that up with the team.

Some of the BDD examples are interesting, and I'd like to build on that

@geramirez @jcscottiii and @mogul can speak to this better than I can, but it seems that the BDD functionality is something we experimented with, but never fully fleshed out. My personal feeling is that we should put a disclaimer on that feature for now—or take it out altogether—while we get the usage for documentation stabilized.

I'm also interested in how, potentially, Nessus scans are created and run as part of a pipeline.

Anyone else have advice here?

Are there any sources of information I should be tracking besides the repos and issues for opencontrol/compliance-masonry and opencontrol/schemas?

I'd subscribe to all of the repositories in OpenControl, but other than that, relevant work is happening in:

I see that identity-idp has security committed in-place

What are you referring to specifically? Have a link?

mogul commented 8 years ago

it seems that the BDD functionality is something we experimented with, but never fully fleshed out. My personal feeling is that we should put a disclaimer on that feature for now—or take it out altogether—while we get the usage for documentation stabilized.

As far as I know the functionality is fine... The problem is that we haven't had time to actually supply specific BDD content for all of the assertions we're making in cg-compliance and the repos it depends on. I view that as tech debt on the part of that compliance material, not any sort of knock on the state of the functionality in compliance-masonry.

I'm also interested in how, potentially, Nessus scans are created and run as part of a pipeline.

Anyone else have advice here?

At 18F, we're treating generation of the compliance-masonry output as part of our continuous deployment pipeline. We expect instead to make that one of many steps in a "compliance toolkit" that constantly runs scans.

However, it could also be handled the inverse way... You can make BDD steps for the appropriate control sections that will run the Nessus scans! Then you basically generate the CM output, running the BDD along the way, and get a full result including note of the fact that the BDD tests passed as of the date the docs were generated. (Personally I prefer that concept, but it's not how compliance toolkit is set up to operate.)

pburkholder commented 8 years ago

Speaking of Nessus -- it looks like generation of nessus scan configs is supposed to be part of example pipeline -- at https://github.com/opencontrol/example-pipelines/blob/master/pws-fedramp.yml#L34

 uri: git@github.com:opencontrol/concourse-nessus-task.git

Is that a real repo and task? If so, how can I see it?

Thanks, Peter

geramirez commented 8 years ago

I'd like to build on that with InSpec profiles that run against nodes or even the entire platform with inspec-aws

Personally, I would love to see an open source integration for using InSpec test/results to update OpenControl documentation.

Before I dive in too deep on the schema or the Go code I should probably find out more where y'all are heading

I entirely agree with @afeld. Also keep in mind that this project is moving in the direction of its users' and contributors' needs. Many of the major changes that have been made to the OpenControl schema or compliance-masonry have been discussed openly, i.e.:

opencontrol/compliance-masonry#85 opencontrol/compliance-masonry#2 opencontrol/compliance-masonry#11
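Both of the ideas raised above, running automated checks as part of generating the compliance output so the document records what passed as of its generation date, and folding InSpec results back into OpenControl documentation, come down to the same small piece of plumbing: take a test report, map each check to the controls it evidences, and emit per-control verification records. The following is an added example, not code from compliance-masonry, cg-compliance or any of the commenters. It assumes a trimmed InSpec JSON-reporter layout (profiles, controls, tags, results) and OpenControl component field names (`satisfies`, `standard_key`, `control_key`, `implementation_status`, `narrative`); the sample report and the "hello-world-baseline" profile name are constructed for the demonstration.

```python
"""Map InSpec-style check results onto per-control OpenControl-style verification records.

Added example; the report layout and the OpenControl field names used here are assumptions
about the respective formats, and the sample data is constructed, not real scan output.
"""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of an InSpec JSON reporter document (trimmed to what we use).
SAMPLE_INSPEC_JSON = json.dumps({
    "profiles": [{
        "name": "hello-world-baseline",
        "controls": [
            {"id": "ssh-no-root", "title": "Root login over SSH is disabled",
             "tags": {"nist": ["AC-6", "IA-2"]},
             "results": [{"status": "passed"}, {"status": "passed"}]},
            {"id": "audit-enabled", "title": "auditd is running",
             "tags": {"nist": ["AU-2"]},
             "results": [{"status": "failed", "message": "expected service to be running"}]},
            {"id": "tls-only", "title": "Plain HTTP listener is absent",
             "tags": {"nist": ["SC-8"]},
             "results": [{"status": "skipped"}]},
        ],
    }]
})

# Higher rank is worse; an unknown status is treated as a failure rather than silently ignored.
STATUS_RANK = {"passed": 0, "skipped": 1, "failed": 2}


def control_outcome(results):
    """Worst result wins: one failed assertion fails the whole check; no results means nothing ran."""
    if not results:
        return "skipped"
    return max((r.get("status", "failed") for r in results),
               key=lambda s: STATUS_RANK.get(s, STATUS_RANK["failed"]))


def summarize_inspec(report_json):
    """Return {nist_control_key: [(inspec_check_id, outcome), ...]} from an InSpec-style report.

    A single check may evidence several NIST controls (via its 'nist' tag), so it is
    recorded under each of them.
    """
    report = json.loads(report_json)
    by_control = {}
    for profile in report.get("profiles", []):
        for check in profile.get("controls", []):
            outcome = control_outcome(check.get("results", []))
            for key in check.get("tags", {}).get("nist", []):
                by_control.setdefault(key, []).append((check["id"], outcome))
    return by_control


def build_verification_records(by_control, generated_at):
    """Emit one OpenControl-style 'satisfies' entry per control, with the check results
    and the generation timestamp written into the narrative so the document itself
    says what was verified and when.

    Status mapping (assumed OpenControl vocabulary): all checks passed -> complete,
    any check failed -> partial, only skipped checks -> planned (nothing verified yet).
    """
    records = []
    for key in sorted(by_control):
        outcomes = [outcome for _, outcome in by_control[key]]
        if all(o == "passed" for o in outcomes):
            status = "complete"
        elif any(o == "failed" for o in outcomes):
            status = "partial"
        else:
            status = "planned"
        evidence = ", ".join("%s=%s" % pair for pair in by_control[key])
        records.append({
            "standard_key": "NIST-800-53",
            "control_key": key,
            "implementation_status": status,
            "narrative": [{"text": "Automated checks as of %s: %s" % (generated_at, evidence)}],
        })
    return records


def generate_component(report_json, component_name, generated_at=None):
    """Build a component-style document from a report; timestamp defaults to now (UTC)."""
    if generated_at is None:
        generated_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "name": component_name,
        "satisfies": build_verification_records(summarize_inspec(report_json), generated_at),
    }


if __name__ == "__main__":
    print(json.dumps(generate_component(SAMPLE_INSPEC_JSON, "hello-world-app"), indent=2))
```

Run inside a pipeline after the scan step, this turns the test report into the per-control evidence that the generated document carries, which is the "BDD ran along the way, and the docs say so" flow described above. The failed `AU-2` check deliberately surfaces as `partial` rather than being dropped, so a regression in the platform shows up in the compliance output instead of disappearing.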

afeld commented 8 years ago

Speaking of Nessus -- it looks like generation of nessus scan configs is supposed to be part of example pipeline... how can I see it?

Let's move to https://github.com/opencontrol/example-pipelines/issues/3.

Just so you know, everything for cloud.gov except the secrets is in public repositories, so if a link is broken, it's only because we forgot to update it / are disorganized 😉

afeld commented 8 years ago

I see that identity-idp has security committed in-place

What are you referring to specifically? Have a link?

Ah, found it!

https://github.com/18F/identity-idp/tree/master/docs/security

This is news to me 😆 Guess I was wrong about not having a use case outside of cloud.gov.

pburkholder commented 8 years ago

@afeld @mogul @geramirez Thanks for all the updates here. This has been really helpful! I'll close this as it seems we've covered the material in my original post. Cheers, Peter

afeld commented 8 years ago

Reopening for easier discoverability.

mogul commented 8 years ago

Reopening for easier discoverability.

(Probably needs a better title if it's expected to be found.)

shawndwells commented 5 years ago

Two year old discussion. Closing for inactivity. Feel free to reopen as appropriate!