Skip to content

Latest commit

 

History

History
153 lines (138 loc) · 6.59 KB

auditree.md

File metadata and controls

153 lines (138 loc) · 6.59 KB
Raw

Plugin for Auditree

Example usage of C2P w/ mock data

  1. Generate auditree.json (C2P Compliance to Policy) 
    $ python ./samples_public/auditree/compliance_to_policy.py -h
usage: compliance_to_policy.py [-h] [-i INPUT] [-c COMPONENT_DEFINITION] [-o OUT]

options:
-h, --help            show this help message and exit
-i INPUT, --input INPUT
                        Path to auditree.json template (default: plugins_public/tests/data/auditree/auditree.template.json)
-c COMPONENT_DEFINITION, --component_definition COMPONENT_DEFINITION
                        Path to component-definition.json (default: plugins_public/tests/data/auditree/component-
                        definition.json
-o OUT, --out OUT     Path to generated auditree.json (default: system temporary directory)
    e.g. 
    $ python ./samples_public/auditree/compliance_to_policy.py -o auditree.json
$ cat auditree.json 
{
    "locker": {
        "default_branch": "main",
        "repo_url": "https://github.com/MY_ORG/MY_EVIDENCE_REPO"
},...
  2. Generate Assessment Result (C2P Result to Compliance) 
    $ python ./samples_public/auditree/result_to_compliance.py -h
usage: result_to_compliance.py [-h] [-i INPUT] [-c COMPONENT_DEFINITION]

options:
-h, --help            show this help message and exit
-i INPUT, --input INPUT
                        Path to check_results.json (default: plugins_public/tests/data/auditree/check_results.json)
-c COMPONENT_DEFINITION, --component_definition COMPONENT_DEFINITION
                        Path to component-definition.json (default: plugins_public/tests/data/auditree/component-
                        definition.json
    e.g. 
    $ python ./samples_public/auditree/result_to_compliance.py
...
    "results": [
    {
        "uuid": "853eeb24-6970-4f73-8fcc-fc274be669ec",
        "title": "Auditree Assessment Results",
        "description": "OSCAL Assessment Results from Auditree",
        "start": "2024-06-02T08:42:22+00:00",
        "reviewed-controls": {
        "control-selections": [
            {
            "include-controls": [
                {
                "control-id": "cm-2",
                "statement-ids": []
                },
                {
                "control-id": "ac-2",
                "statement-ids": []
                }
            ]
            }
        ]
        },
        "observations": [
        {
            "uuid": "3ea6d5dd-7a69-4f18-828c-a0e578594c63",
            "title": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty",
            "description": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty",
            "props": [
            {
                "name": "assessment-rule-id",
                "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty"
            }
            ],
            "methods": [
            "AUTOMATED"
            ],
            "subjects": [
            {
                "subject-uuid": "e3789a4f-f32a-4d59-b777-44df643631e6",
                "type": "inventory-item",
                "title": "Auditree Check: demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty_0_nasa",
                "props": [
                {
                    "name": "resource-id",
                    "value": "demo_examples.checks.test_github.GitHubOrgs.test_members_is_not_empty_0_nasa"
                },
                {
                    "name": "result",
                    "value": "pass"
        ...

Example usage of C2P w/ Auditree

Prerequisite:

  1. Clone auditree-framework and go to demo directory (See also https://complianceascode.github.io/auditree-framework/quick-start.html)

    git clone https://github.com/ComplianceAsCode/auditree-framework.git
cd auditree-framework/demo

  2. Clone c2p

    git clone https://github.com/oscal-compass/compliance-to-policy.git

  3. Generate auditree.json (C2P Compliance to Policy)

    1. Create OSCAL component-definition.json

      sed 's/nasa/oscal-compass/g' ./compliance-to-policy/plugins_public/tests/data/auditree/component-definition.json > ./component-definition.json

      1. (Optional) You can edit it in Spreadsheet component-definition.csv and then convert it to OSCAL JSON format through Trestle. To convert it, C2P also provides an utility (internally using Trestle)

        c2p tools csv-to-oscal-cd --title "Sample Component Definition using Auditree as PVP" --csv ./compliance-to-policy/plugins_public/tests/data/auditree/component-definition.csv --out <path to output directory>

    2. Generate auditree.json

      python ./compliance-to-policy/samples_public/auditree/compliance_to_policy.py -i ./auditree_demo.json -c ./component-definition.json -o auditree.json

  4. Run policy validation (Auditree fetchers and checks)

    compliance --fetch --evidence local -C auditree.json -v

    compliance --check demo.arboretum.accred,demo.custom.accred --evidence local -C auditree.json -v

    You'll see the path to the local evidence locker directory in the log.

    e.g.

    $ compliance --check demo.arboretum.accred,demo.custom.accred --evidence local -C auditree.json -v

INFO: Using locker found in /var/folders/yx/1mv5rdh53xd93bphsc459ht00000gn/T/compliance...
...

  5. Generate Assessment Result (C2P Result to Compliance)

    python ./compliance-to-policy/samples_public/auditree/result_to_compliance.py -i <PATH/TO/EVIDENCE_LOCKER/check_results.json> -c ./component-definition.json > assessment-results.json

    e.g.

    $ python ./compliance-to-policy/samples_public/auditree/result_to_compliance.py -i /var/folders/yx/1mv5rdh53xd93bphsc459ht00000gn/T/compliance/check_results.json -c ./component-definition.json > assessment_results.json

  6. OSCAL Assessment Results is not human readable format. You can see the merged report in markdown by a quick viewer.

    c2p tools viewer -ar assessment_results.json -cdef ./component-definition.json

    assessment-results-md.auditree.jpg