Merge pull request #76 from usnistgov/develop

Merge develop into main

.github/workflows/generate_leveraged.yaml

@@ -9,21 +9,26 @@ on:
   pull_request: {}
 jobs:
   partial_ssp:
+
     runs-on: ubuntu-20.04
     defaults:
       run:
         working-directory: .
     steps:
+
       - name: Check out repository code.
         uses: actions/checkout@v3
+
       - uses: actions/setup-python@v4
         with:
           python-version: '3.10' 
+
       - name: Check environment.
         run: |
           ls -ltra
           python --version
           pip --version
+
       - name: Install dependencies.
         run: |
           pip install -r requirements.txt
@@ -33,6 +38,7 @@ jobs:
       - name: Execute script.
         run: |
           python oscal_leveraged.py
+
       - name: Save SSP.
         uses: actions/upload-artifact@v3
         with:

.github/workflows/generate_ssp.yaml

@@ -7,37 +7,48 @@ on:
       - develop
       - main
   pull_request: {}
+
 jobs:
+
   partial_ssp:
     runs-on: ubuntu-20.04
+
     defaults:
       run:
         working-directory: .
+
     steps:
-      - name: Check out repository code.
+      - name: Check-Out Repository Code into Virtual Environment.
         uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+
+      - name: Perform Python SetUp in the Virtual Environment.   
+        uses: actions/setup-python@v4
         with:
-          python-version: '3.10' 
-      - name: Check environment.
+          python-version: '3.11' 
+
+      - name: Post-SetUp Virtual Environment Checkup.
         run: |
           ls -ltra
           python --version
           pip --version
+
       - name: Install dependencies.
         run: |
           pip install -r requirements.txt
       # - name: Run tests.
       #   run: |
       #     pytest
+
       - name: Execute script.
         run: |
           python oscal.py
+
       - name: Save SSP.
         uses: actions/upload-artifact@v3
         with:
           name: artifact-ssp
           path: SSP.output.yaml
+
   validate_oscal:
     runs-on: ubuntu-20.04
     if: ${{ github.ref_name == 'main' || github.ref_name == 'develop' || github.ref_name == 'feature-doc-templates' }}
@@ -47,20 +58,24 @@ jobs:
       - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
         id: checkout
+
       - name: Setup Java
         uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c
         with:
           distribution: adopt
           java-version: 11
+
       - name: Download SSP.
         uses: actions/download-artifact@v3
         with:
           name: artifact-ssp
+
       - name: Run oscal-cli Validation.
         uses: oscal-club/[email protected]
         id: validation
         with:
           args: ssp validate SSP.output.yaml
+
       - name: Validation Result
         shell: bash
         run: |

.gitignore

@@ -1,5 +1,11 @@
 .DS_Store
+.vscode/*
 *.pyc
 __pycache__/
 draft-*
-*.output.*
+*.output.*
+# Ignore virtual environments
+.venv*
+.pyenv*
+.env*
+oscal-cli.txt

README.md

@@ -1,2 +1,15 @@
 # blossom-oscal
 OSCAL content that supports the BloSS@M project.
+
+
+## Using local git-actions with NEKTOS/ACT
+- BASH is preferred by ACT as zsh has some known issues
+- Specify DOCKER_HOST location for Rancher or other alternative containerization tool. It informs Nektos/ACT to use current DOCKER_HOST in non-Docker configuration on MacOS. Alternative OS Guidance can be found [here](https://nektosact.com/usage/custom_engine.html)
+```
+export DOCKER_HOST=$(docker context inspect --format '{{.Endpoints.docker.Host}}') 
+```
+
+- To list actions available:
+  ```
+  act -l
+  ```

requirements.txt → build/py/requirements.txt

@@ -1,3 +1,5 @@
+ipykernel
+
 chevron
 pydantic
 PyYAML

system-security-plan/aws-leveraged-authorization-ssp.oscal.json → build/py/system-security-plan/aws-leveraged-authorization-ssp.json

@@ -159,7 +159,7 @@
           ],
           "telephone-numbers": [
             {
-              "number": "202-303-1000"
+              "number": "2023031000"
             }
           ],
           "remarks": "Org1-description"
@@ -180,7 +180,7 @@
           ],
           "telephone-numbers": [
             {
-              "number": "202-303-2000"
+              "number": "2023032000"
             }
           ],
           "remarks": "Org2-description"
@@ -201,7 +201,7 @@
           ],
           "telephone-numbers": [
             {
-              "number": "202-303-3000"
+              "number": "2023033000"
             }
           ],
           "remarks": "Org3-description"
@@ -218,7 +218,7 @@
           ],
           "telephone-numbers": [
             {
-              "number": "202-303-1001"
+              "number": "2023031001"
             }
           ],
           "email-addresses": [
@@ -241,7 +241,7 @@
           ],
           "telephone-numbers": [
             {
-              "number": "202-303-2001"
+              "number": "2023032001"
             }
           ],
           "email-addresses": [
@@ -310,17 +310,17 @@
         {
           "name": "identity-assurance-level",
           "ns": "https://fedramp.gov/ns/oscal",
-          "value": "IAL2"
+          "value": "2"
         },
         {
           "name": "authenticator-assurance-level",
           "ns": "https://fedramp.gov/ns/oscal",
-          "value": "AAL2"
+          "value": "2"
         },
         {
           "name": "federation-assurance-level",
           "ns": "https://fedramp.gov/ns/oscal",
-          "value": "FAL2"
+          "value": "2"
         },
         {
           "name": "cloud-service-model",
@@ -625,6 +625,7 @@
                     "responsibilities": [
                       {
                         "uuid": "ec432c5d-5506-4335-aa07-0026e8f955ca",
+                        "provided-uuid": "9678dd9d-6125-45b7-ba22-9fa41f03f72e",
                         "description": "The customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on EC2 instances and the customer's applications."
                       }
                     ],

docs/python-schema-tools.md

@@ -0,0 +1,16 @@
+## XSD/JSONSchema Tooling Packages for Python
+
+1. XSD->Python [info source 1](https://stackoverflow.com/questions/1072853/how-to-convert-xsd-to-python-class)
+   1. Pip-installable [xmlschema](https://xmlschema.readthedocs.io/en/latest/usage.html)
+       - The project has support of EU project MaX ([**Ma**terials design at the e**X**ascale](http://www.max-centre.eu/)). MaX project is on official [EU Registry](https://cordis.europa.eu/project/id/824143) and one can learn about it in the [video](http://www.max-centre.eu/).
+       - 
+   2. [generateDS](https://www.davekuhlman.org/generateDS.html) project is in two repositories [gitlab](https://gitlab.com/cdehealth/generateds/-/tree/main) 
+       - Written and supported predominantly by a single developer - [Dave Kuhlman](http://www.davekuhlman.org/)
+       - [+] Has a one-page [usage guide](https://www.davekuhlman.org/generateDS.html)
+       - [+] Has an accompanying CLI tool to generate XSD mapping to Python classes
+   3. PyXB - originally was intended to be JaXB equivalent
+      - Works with very limited XSD versions
+      - Reached the End-of-Life, but still can be used
+      - [GitHub Repo](https://github.com/pabigot/pyxb) is stale since 2018-02-11
+      - Has an [extended fork PyXB-X](https://github.com/renalreg/PyXB-X) for projects with dependent pipelines and if pip-deployable
+

oscal-content/json/profile/blossom_moderate_profile.json

@@ -0,0 +1,138 @@
+{
+  "profile": {
+    "uuid": "384f9e3b-ae28-4ac2-b945-f18071f0ee15",
+    "metadata": {
+      "title": "NIST BloSS@M Tailored Moderate Baseline",
+      "last-modified": "2024-03-20T16:16:00Z",
+      "version": "0.0.1",
+      "oscal-version": "1.1.2",
+      "roles": [
+        {
+          "id": "creator",
+          "title": "Document Creator"
+        },
+        {
+          "id": "contact",
+          "title": "Contact"
+        }
+      ],
+      "parties": [
+        {
+          "uuid": "1741c4fb-3b8b-41f2-af60-7c5565c916a4",
+          "type": "organization",
+          "name": "BloSS@M",
+          "email-addresses": [
+            "[email protected]"
+          ],
+          "addresses": [
+            {
+              "addr-lines": [
+                "National Institute of Standards and Technology",
+                "Attn: Computer Security Division",
+                "Information Technology Laboratory",
+                "100 Bureau Drive (Mail Stop 8930)"
+              ],
+              "city": "Gaithersburg",
+              "state": "MD",
+              "postal-code": "20899-8930"
+            }
+          ]
+        }
+      ],
+      "responsible-parties": [
+        {
+          "role-id": "creator",
+          "party-uuids": [
+            "1741c4fb-3b8b-41f2-af60-7c5565c916a4"
+          ]
+        },
+        {
+          "role-id": "contact",
+          "party-uuids": [
+            "1741c4fb-3b8b-41f2-af60-7c5565c916a4"
+          ]
+        }
+      ]
+    },
+    "imports": [
+      {
+        "href": "#f4faee53-d96f-4fdb-b491-4a1a79066b9b",
+        "include-controls": [
+          {
+            "with-ids": [
+              "ac-2",
+              "ac-2.1",
+              "ac-2.2",
+              "ac-2.3",
+              "ac-2.4",
+              "ac-2.5",
+              "ac-2.13",
+              "ac-3",
+              "ac-6",
+              "ac-6.1",
+              "ac-6.2",
+              "ac-6.5",
+              "ac-6.7",
+              "ac-6.9",
+              "ac-6.10",
+              "ac-7",
+              "ac-8",
+              "ac-17",
+              "ac-17.1",
+              "ac-17.2",
+              "ac-17.3",
+              "ac-17.4",
+              "au-2",
+              "au-3",
+              "au-3.1",
+              "au-12",
+              "ia-2",
+              "ia-2.1",
+              "ia-2.2",
+              "ia-2.8",
+              "ia-2.12",
+              "ra-5",
+              "ra-5.2",
+              "ra-5.5",
+              "ra-5.11",
+              "sa-11",
+              "sc-2",
+              "sc-5",
+              "sc-7",
+              "sc-7.3",
+              "sc-7.4",
+              "sc-7.5",
+              "sc-7.7",
+              "sc-7.8"
+            ]
+          }
+        ]
+      }
+    ],
+    "merge": {
+      "as-is": true
+    },
+    "back-matter": {
+      "resources": [
+        {
+          "uuid": "f4faee53-d96f-4fdb-b491-4a1a79066b9b",
+          "description": "NIST OSCAL SP 800-53 Rev5 Moderate Baseline",
+          "rlinks": [
+            {
+              "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml",
+              "media-type": "application/oscal.profile+xml"
+            },
+            {
+              "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json",
+              "media-type": "application/oscal.catalog+json"
+            },
+            {
+              "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml",
+              "media-type": "application/oscal.catalog+yaml"
+            }
+          ]
+        }
+      ]
+    }
+  }
+}