OSCAL Exchange Protocol enables integration of various assessment tools with a cloud provider’s security and compliance engine (Complaince Automation Center) in a standardized manner.
Check Python version
It should be 3.9 or greater.
$ python -V
Python 3.9.9
Clone the project
$ cd
$ mkdir sandbox
$ cd sandbox
$ git clone https://github.com/degenaro/oscal-exchange-protocol.git
$ cd oscal-exchange-protocol
Install prereqs and launch webserver
$ make run
Visit website
Enter URL in browser http://127.0.0.1:8000/docs
Post OSCAL Profile using Lifecycle endpoint and get list of OSCAL Profiles using Validation endpoint
tutorial: using command line
0. Setup to issue curl commands
In new terminal window:
$ cd sandbox
$ cd oscal-exchange-protocol
1. Obtain bearer token
$ curl -X 'POST' 'http://localhost:8000/token' -H 'accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=&username=oxp-user&password=123&scope=&client_id=&client_secret='
result
{"access_token":"fc54ac91-f674-46b9-bb1d-4da2a169218d","token_type":"bearer"}degenaro:oscal-exchange-protocol
Use the access_token
value (e.g. fc54ac91-f674-46b9-bb1d-4da2a169218d) for authorization below.
2. Post OSCAL Profile (Lifecycle)
$ curl -X 'POST' 'http://localhost:8000/profiles' -H 'accept: application/json' -H 'Authorization: Bearer fc54ac91-f674-46b9-bb1d-4da2a169218d' -H 'Content-Type: multipart/form-data' -F 'profile=@trestle.workspace/profiles/osco.0.1.39.checks.0.1.58/profile.json;type=application/json'
Note: use the bearer token obtained in Step 1 above.
result
"f342c103-5fb0-4a6e-9bbb-fafb593f9036"
The uuid of the created Profile.
3. Fetch OSCAL Profile (Validation)
curl -X 'POST' 'http://localhost:8000/profile/component/pvp-component-id?pvp_component_id=roks-cis-node' -H 'accept: application/json' -H 'Content-Type: multipart/form-data' -F 'system_security_plan='
result
[
{
"profile": {
"uuid": "31182b1c-32b3-422d-a366-62b39272058c",
"metadata": {
"title": "Tailored Profile",
"last-modified": "2021-08-06T13:25:50.741+00:00",
"version": "1.0",
"oscal-version": "1.0.0",
"props": [
{
"name": "profile_mnemonic",
"ns": "https://my.github.io/compliance-trestle/schemas/oscal/my-cloud",
"value": "roks-cis-node",
"class": "scc_profile_mnemonic"
},
{
"name": "base_profile_mnemonic",
"ns": "https://my.github.io/compliance-trestle/schemas/oscal/my-cloud",
"value": "ocp4-cis-node",
"class": "scc_base_profile_mnemonic"
},
{
"name": "osco_version",
"value": "0.1.39"
}
]
},
"imports": [
{
"href": "https://github.com/ComplianceAsCode/content/blob/master/products/ocp4/profiles/cis-node.profile",
"exclude-controls": [
{
"with-ids": [
"xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver",
"xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver",
"xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager"
]
}
]
}
],
"modify": {
"set-parameters": [
{
"param-id": "kubelet_eviction_thresholds_set_soft_memory_available",
"values": [
"500Mi"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_soft_nodefs_available",
"values": [
"10%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_soft_nodefs_inodesfree",
"values": [
"5%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_soft_imagefs_available",
"values": [
"15%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_soft_imagefs_inodesfree",
"values": [
"10%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_hard_memory_available",
"values": [
"200Mi"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_hard_nodefs_available",
"values": [
"5%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_hard_nodefs_inodesfree",
"values": [
"4%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_hard_imagefs_available",
"values": [
"10%"
]
},
{
"param-id": "kubelet_eviction_thresholds_set_hard_imagefs_inodesfree",
"values": [
"5%"
]
}
]
}
}
}
]
The list of profiles corresponding to the specified pvp_component_id
.
tutorial: using browser
1. Obtain bearer token
1.1 Select Authorize
.
1.2 Enter user name and password. Select 'Authorize
. Select Close
.
2. Post OSCAL Profile (Lifecycle)
2.1 Select Add Profile
.
2.2 Select Try it out
.
2.3 Select Choose file
. Navigate to oscal-exchange-protocol.public/trestle.workspace/profiles/osco.0.1.39.checks.0.1.58/profile.json
. Select Open
. Select Execute
.
2.4 Note Code 200 and response body UUID (e.g. "31182b1c-32b3-422d-a366-62b39272058c").
3. Fetch OSCAL Profile (Validation)
3.1 Select Policy Validation Point Driven: Get Profiles By Checks
.
3.2 Select Try it out
.
3.2 Enter roks-cis-node
. Select Execute
.
3.4 Note Code 200 and response body.