Releases: opencontrol/compliance-masonry
Schema Update and Refactor
This update contains both a schema change and a refactor.
Schema change
In v0.1, component yamls are stored as:

    components/
        system/
            component.yaml
In v0.2, component and system data are stored in YAML format under a folder whose name serves as the key for that component or system. Additionally, artifacts are placed inside the specific component folder and can be referenced from the documentation.

    components/
        system_key/
            system.yaml
            component_key/
                component.yaml
                image.png
                table.md
Refactor
The refactor replaces the single Python script with a core set of base classes that can be overridden and overloaded in order to speed up development of new renderers.
Creating new renderers in Python
New renderers can be built quickly in Python by inheriting from the Certification class:

    class NewRenderer(Certification):
        ...

The Certification class contains methods for importing the certification yaml and loading standards, controls, systems, and components data into objects, which can be overridden and overloaded to create new export methods.
Additionally, Compliance Masonry reads and writes standard schemas, so non-Python users can implement their own renderers without depending on the core classes.
First Release
Documentation Format
Documentation Structure
    components/
        system/
            component.yaml
            component_artifact.png
Components Documentation
Component documentation contains information about individual system components and the standards they satisfy.
    name: Amazon Elastic Compute Cloud # Name of the component
    documentation_complete: false # Manual check if the documentation is complete (for gap analysis)
    references:
      - name: Reference # Name of the reference, i.e. EC2 website
        url: Reference URL # URL of the reference
        type: URL # Type of reference (will affect how it's rendered in the documentation)
    verifications:
      EC2_Verification_1: # ID of verification
        name: EC2 Verification 1 # Name of verification
        url: Verification 1 URL # URL of the verification
        type: URL # Type of reference (will affect how it's rendered in the documentation)
      EC2_Verification_2:
        name: EC2 Governor 2
        url: Verification 2 URL
        type: Image
    satisfies:
      NIST-800-53:
        CM-2:
          narrative: Justification in narrative form # Justification text
          implementation_status: partial # Manual status of implementation (for gap analysis)
          references:
            - verification: EC2_Verification_1 # The specific verification ID that the reference links to; no component or system is needed for internal references
            - system: CloudFoundry # System name of the verification (can link to other systems / components)
              component: UAA # Component name of the verification (can link to other systems / components)
              verification: UAA_Verification_1 # The specific verification ID that the reference links to
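The manual gap-analysis flags in this schema (documentation_complete, implementation_status) only help if the evidence references behind a control actually resolve. The following is an added example, not Compliance Masonry's own code: it walks the parsed form of a component.yaml, flags internal references whose verification ID is not defined in the component, and builds a small gap report. The sample component is constructed, and treating any implementation_status other than "complete" as a gap is an assumption.

```python
# Constructed sample in the shape yaml.safe_load() gives for the component.yaml above (dict literal so no PyYAML is needed)
COMPONENT = {
    "name": "Amazon Elastic Compute Cloud",
    "documentation_complete": False,
    "verifications": {
        "EC2_Verification_1": {"name": "EC2 Verification 1", "url": "https://example.invalid/ec2", "type": "URL"},
        "EC2_Verification_2": {"name": "EC2 Governor 2", "url": "image.png", "type": "Image"},
    },
    "satisfies": {
        "NIST-800-53": {
            "CM-2": {
                "narrative": "Instances are launched from a baseline image.",
                "implementation_status": "partial",
                "references": [
                    {"verification": "EC2_Verification_1"},
                    {"system": "CloudFoundry", "component": "UAA", "verification": "UAA_Verification_1"},
                    {"verification": "EC2_Verification_9"},  # constructed dangling ID
                ],
            },
            "CM-6": {"narrative": "Settings follow the hardening baseline.", "implementation_status": "complete", "references": []},
        }
    },
}


def dangling_references(component):
    """Internal references (no system/component keys) must name an ID in this component's own `verifications` map."""
    known = set(component.get("verifications", {}))
    missing = []
    for standard, controls in component.get("satisfies", {}).items():
        for control, detail in controls.items():
            for ref in detail.get("references", []):
                if "system" in ref or "component" in ref:
                    continue  # cross-component link; resolved once that component is loaded
                if ref.get("verification") not in known:
                    missing.append((standard, control, ref.get("verification")))
    return missing


def gap_report(component):
    """Gap analysis from the manual flags: controls not marked 'complete' (assumed value) and controls without resolvable evidence."""
    broken = {(s, c) for s, c, _ in dangling_references(component)}
    report = {"documentation_complete": component.get("documentation_complete", False), "not_implemented": [], "no_evidence": []}
    for standard, controls in component.get("satisfies", {}).items():
        for control, detail in controls.items():
            key = f"{standard}/{control}"
            if detail.get("implementation_status") != "complete":
                report["not_implemented"].append(key)
            if not detail.get("references") or (standard, control) in broken:
                report["no_evidence"].append(key)
    return report
```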
Standards Documentation
Contains information about security standards.

    # nist-800-53.yaml
    standards:
      C-2:
        name: User Access
        description: There is an affordance for managing access by...

    # PCI.yaml
    standards:
      Regulation-6:
        name: User Access PCI
        description: There is an affordance for managing access by...
Certifications
Empty YAML for creating certification documentation; serves as a template for combining controls and standards yamls.

    # Fisma.yaml
    standards:
      nist-800-53:
        C-2:
        C-3:
      PCI:
        6: