Create render-ssp script

.gitignore

@@ -1,3 +1,4 @@
 working_dir/*
 templates/.trestle/cache/
 templates/.trestle/_trash/
+.venv

Dockerfile

@@ -37,9 +37,15 @@ RUN adduser \
 # RUN --mount=type=cache,target=/root/.cache/pip \
 #     --mount=type=bind,source=requirements.txt,target=requirements.txt \
 #     python -m pip install -r requirements.txt
-ARG TRESTLE_VERSION=3.4.0
+# ARG TRESTLE_VERSION=3.4.0
+# RUN --mount=type=cache,target=/root/.cache/pip \
+#     python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+# RUN apt-get update && apt-get install -y pandoc && apt-get clean
+# remove below and uncomment above once more-jinja-tags branch has been merged and released
+RUN apt-get update && apt-get install -y git pandoc && apt-get clean
 RUN --mount=type=cache,target=/root/.cache/pip \
-    python -m pip install "compliance-trestle==${TRESTLE_VERSION}"
+    python -m pip install git+https://github.com/gsa-tts/compliance-trestle.git@77a6d5d0
+RUN apt-get remove -y git
 
 # Switch to the non-privileged user to run the application.
 USER appuser

README.md

@@ -12,7 +12,10 @@ This repository contains the source code for the `ghcr.io/gsa-tts/trestle` Docke
     1. Edit control statements within markdown files
     1. [Assemble markdown contents into a provisional OSCAL SSP](#assemble-ssp-json-from-markdown)
     1. Edit other sections of the SSPP within the smaller json files
+    1. [Check your progress](#check-control-status)
 1. [Assemble everything into a final OSCAL SSP (TODO: within a CI workflow)](#final-ssp-assembly)
+1. [Update non-OSCAL SSP sections](#update-non-oscal-ssp-files)
+1. [Render a human-readable SSPP (TODO: within a CI workflow)](#render-ssp)
 
 ### Pull down the trestle image and initialize a compliance trestle project
 
@@ -42,10 +45,29 @@ This step will create `system-security-plans/SYSTEM_NAME/system-security-plan.js
 
 This script should be given the same list of Component Definitions that were passed to `generate-ssp-markdown`
 
+### Check Control Status
+
+The `control-status` script will output a quick report of all of the `Implementation Status` lines for your controls. For instance, to report on the status of all controls except those marked as `implemented`:
+
+`control-status -i implemented`
+
+
 ### Final SSP Assembly
 
 `trestle assemble -n SYSTEM_NAME system-security-plan`
 
+### Update non-OSCAL SSP files.
+
+Edit the files within `ssp-markdown` to populate data for the rendered SSP that can't yet be pulled from OSCAL.
+
+*Hint:* Use [jinja templates](https://oscal-compass.github.io/compliance-trestle/trestle_author_jinja/#custom-jinja-tags) `md_clean_include` and `mdsection_include` to populate content from other existing documents your team is using.
+
+### Render SSP
+
+Output the SSP as a markdown file and html file, both within `ssp-render`
+
+`render-ssp`
+
 ### Import profile into working space:
 
 If you are using a `PROFILE_NAME` that does not ship with this docker container then you must first manually import it using:

scripts/copy-profile

@@ -1,10 +1,17 @@
 #! /usr/bin/env bash
 
-set -e
-
 if [ "$1" = "" ]; then
     echo "Usage: $0 PROFILE_NAME"
     exit 1
 fi
 
 trestle import -f "/app/templates/profiles/$1/profile.json" -o "$1"
+
+set -e
+
+if [ -d "/app/templates/ssp-rendering/$1" ]; then
+    mkdir ssp-render
+    cp -r "/app/templates/ssp-rendering/$1/templates" ssp-render/
+    cp -r /app/templates/ssp-rendering/img ssp-render/
+    cp -r "/app/templates/ssp-rendering/$1/markdown" ssp-markdown
+fi

scripts/render-ssp

@@ -0,0 +1,76 @@
+#! /usr/bin/env bash
+
+usage="
+$0: generate a human-readable SSP document
+
+Usage:
+    $0 -h
+    $0 -t TEMPLATE_FILE [-o OUTPUT] [-n SYSTEM_NAME] [-p PROFILE_NAME]
+
+Options:
+-h: show help and exit
+-t: SSP Template file. Defaults to ssp-render/templates/gsa_template.md.jinja
+-o: Output markdown document. Defaults to ssp-render/SYSTEM_NAME_ssp.md
+-n: System Name. Defaults to 'system-name' value in trestle-config.yaml
+-p: Profile Name. Defaults to 'profile' value in trestle-config.yaml
+
+Notes:
+* Will load defaults from trestle-config.yaml file, if present
+"
+
+set -e
+
+source /app/bin/functions.sh
+system_name=$(yaml_parse_value 'trestle-config.yaml' 'system-name')
+profile=$(yaml_parse_value 'trestle-config.yaml' 'profile')
+template="ssp-render/templates/gsa_template.md.jinja"
+output=""
+
+while getopts "ht:o:n:p:" opt; do
+    case "$opt" in
+        t)
+            template=${OPTARG}
+            ;;
+        o)
+            output=${OPTARG}
+            ;;
+        p)
+            profile=${OPTARG}
+            ;;
+        n)
+            system_name=${OPTARG}
+            ;;
+        h)
+            echo "$usage"
+            exit 0
+            ;;
+    esac
+done
+
+if [ "$template" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$profile" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$system_name" = "" ]; then
+    echo "$usage"
+    exit 1
+fi
+
+if [ "$output" = "" ]; then
+    output="ssp-render/${system_name}_ssp.md"
+fi
+
+if [ ! -f "$template" ]; then
+    echo "The template file: $template could not be found"
+    exit 1
+fi
+
+trestle author jinja -i "$template" -ssp "$system_name" -p "$profile" -o "$output" -lut ssp-markdown/ssp_data.yaml -elp gsa -bf "[.]" -vap "$system_name Assigned:" -vnap "Assignment:"
+
+pandoc "$output" --from markdown -t html -s -o "$output.html" --metadata title="${system_name} SSP"

templates/component-definitions/devtools_cloud_gov/component-definition.json

@@ -1,9 +1,9 @@
 {
   "component-definition": {
-    "uuid": "d8c6b192-f2c1-4434-8307-d8aed1826fe6",
+    "uuid": "6372eeac-753c-4d32-be21-9867a0f3e59a",
     "metadata": {
       "title": "Cloud.gov Best Practices for DevTools-based applications.",
-      "last-modified": "2024-08-15T01:28:29.538446+00:00",
+      "last-modified": "2024-08-28T17:13:07.537368+00:00",
       "version": "0.0.1",
       "oscal-version": "1.1.2"
     },
@@ -73,7 +73,9 @@
             "set-parameters": [
               {
                 "param-id": "gov.cloud.org-name",
-                "values": ["TODO - cloud.gov org name"]
+                "values": [
+                  "TODO - cloud.gov org name"
+                ]
               },
               {
                 "param-id": "gov.cloud.space-names",
@@ -98,7 +100,7 @@
                   {
                     "statement-id": "sc-7_smt.a",
                     "uuid": "7980db8d-2517-4c1d-a1ac-ab28bceefc35",
-                    "description": "SSH access to production spaces: {{ insert: param, gov.cloud.space-names }} within Cloud.gov organization {{ insert: param, gov.cloud.org-name }} has been disabled.",
+                    "description": "SSH access to production spaces has been disabled.",
                     "props": [
                       {
                         "name": "Rule_Id",
@@ -141,7 +143,7 @@
                   {
                     "statement-id": "si-4_smt.b",
                     "uuid": "30e83cb4-8214-491b-85d8-ce85b1a58e9d",
-                    "description": "SSH Access has been disabled to production spaces {{ insert: param, gov.cloud.space-names }} in organization {{ insert: param, gov.cloud.org-name }} to limit potential unauthorized use.",
+                    "description": "SSH Access has been disabled to production spaces to limit potential unauthorized use.",
                     "props": [
                       {
                         "name": "Rule_Id",

templates/profiles/lato/profile.json

@@ -50,6 +50,9 @@
         ]
       }
     ],
+    "merge": {
+      "as-is": true
+    },
     "modify": {
       "set-parameters": [
         {
@@ -974,4 +977,4 @@
       "alters": []
     }
   }
-}
+}

templates/ssp-rendering/lato/markdown/aws.md

@@ -0,0 +1,71 @@
+# 10.10.1 List of AWS Services Used
+<!--
+Instructions: List AWS services used in the system boundary in the table below.
+-->
+
+Table 10-5. AWS Services
+
+| AWS Service Name | Approval Status (FedRAMP and/or OCISO Approved) | Brief Description of Use(s) |
+| ---------------- | ----------------------------------------------- | --------------------------- |
+
+# 10.10.2 Identity and Access Control Management
+<!--
+Instructions: Describe the identity and access control design for AWS platform level access. It should include technology used for authentication and authorization such as federation, single sign-on and/or identity access management (IAM). Describe how MFA is achieved. Provide details on authentication and authorization for API access, how is MFA achieved for interactive API or command line access. Describe how least privilege is being implemented, what methods and tools are being utilized to develop and assign IAM policies to meet least privilege requirements.
+-->
+
+# 10.10.3 Separation of Workloads
+<!--
+Instructions: Describe the AWS account strategy for defining separation of workloads (e.g., Dev, Test, Prod are separate AWS Accounts). Describe the network segregation in place between these environments (e.g., All AWS Accounts are logically separated from each other with no mesh network or connectivity between them.). Describe how new code, features, enhancements, and fixes are promoted from lower environments to production environments.
+-->
+
+# 10.10.4 Cloud Network Design
+<!--
+Instructions: Describe the network's high availability strategy. For example:
+•	Web server fleet is behind elastic load balancers
+•	Utilizing multiple FedRAMP authorized regions
+•	Utilizing multiple availability zones
+•	Public websites are behind CloudFront
+•	Utilizing Web Application Firewalls to mitigate exploits and denial of service attacks
+•	Utilizing public and private subnets
+•	Utilizing private endpoints so traffic does not traverse public internet if it can stay internal to AWS.
+-->
+
+# 10.10.5 Network Security and Microsegmentation
+<!--
+Instructions: Describe the network's security group and network access control list (NACL) strategy. (e.g., wide permissions are not in place and each Security Group only allows the traffic it requires, 0.0.0.0/0 rules are not in place).
+-->
+
+# 10.10.6 Data Encryption in Transit
+<!--
+Instructions: Describe the network's encryption in transit strategy (e.g., Secure Sockets Layer/Transport Layer Security [SSL/TLS] is in use for public web servers, the SSL connections are terminated on the hosts instead of the load balancer to provide true end to end encryption, uses of other application layer encryption technology such as SSH, Secure File Transfer Protocol (SFTP), etc.).
+-->
+
+# 10.10.7 Data Encryption at Rest
+<!--
+Instructions: Describe the encryption at rest strategy. (e.g., all Elastic Block Store (EBS) Drives and Simple Storage Service (S3) Buckets have AES-256 Encryption Enabled, Relational Database Service (RDS) databases have force encryption parameters enabled, Simple Notification Service (SNS) Topics have encryption enabled, data encrypted in field, table, column level to protect sensitive data stored within the database, files and logs with sensitive information are encrypted before placing in buckets and file systems).
+-->
+
+# 10.10.8 S3 Bucket Security
+<!--
+Instructions: Describe the S3 Bucket Security Strategy. (e.g., all S3 Buckets have AES-256 encryption enabled, all S3 Buckets do not have public access enabled or is explicitly blocked from being public, least privilege access in place for each bucket, AWS config rules are monitoring changes to S3 Bucket posture and changes to provide operational assurance, no static websites are in use, Amazon Macie is enabled to monitor for sensitive information stored in S3).
+-->
+
+# 10.10.9 Key Management Service (KMS) Key Monitoring and Governance
+<!--
+Instructions: Describe the KMS and Key Management Strategy. (e.g., all AWS encryptable services that can utilize KMS Keys have KMS Keys in place, IAM policies are in place that only allow specific users to manage keys for such services, IAM policies are applied granularly per KMS Key, KMS Keys are rotated every 60 days, KMS activity is monitored in CloudTrail).
+-->
+
+# 10.10.10 Governance and Management of AWS Accounts
+<!--
+Instructions: Describe the AWS account provisioning and decommissioning strategy for all AWS accounts (e.g., production, test, development). Describe any governance, guardrails, or security inheritance achieved by using centralized AWS account provisioning, or by using AWS services such as AWS organization, Service Control Policies (SCPs), AWS Single Sign-On (SSO).
+-->
+
+# 10.10.11 Uses of Cloud Native Security Services
+<!--
+Instructions: Describe the Cloud Native Security Services utilized and how they are implemented. (e.g., Security Hub is enabled to validate meeting CIS Benchmarks, Guard Duty is enabled with flowlog monitoring, AWS Web Application Firewalls (WAFs) are in front of public Elastic Compute Cloud (EC2) servers, AWS Secret Manager is used for key/secret rotation, AWS Macie is enabled to identify and protect sensitive data in S3).
+-->
+
+# 10.10.12 Continuous Monitoring and Assessment of AWS Security Posture
+<!--
+Instructions: Describe how baseline AWS Security is implemented and monitored. (e.g., AWS Security Hub is enabled and meets CIS Benchmarks, AWS Config is used for continuous checks against best practices and deviation, third-party tools are used for continuous assessment of cloud posture, CloudTrail and CloudWatch logs are configured and shipped to the GSA Enterprise Logging Platform (ELP), automated alerts are in place for sensitive changes, Security Hub is periodically reviewed to validate compliance against CIS).
+-->

templates/ssp-rendering/lato/markdown/containers.md

@@ -0,0 +1,49 @@
+# 10.9.1 Container Image Build and Management
+<!--
+Instructions: Describe how images for Containers are built, how a Continuous Integration/Continuous Delivery (CI/CD) pipeline is used to build and release container images, describe the steps involved in the CI/CD pipeline, describe security checks and tools used in the pipeline and describe how container images are protected.
+-->
+
+# 10.9.2 Container Image Scanning
+<!--
+Instructions: Describe how container images are scanned for security vulnerabilities. Which tools are used for container vulnerability scanning? How often are scans performed and how are images in the CI/CD pipeline scanned. Describe how vulnerabilities identified in containers are remediated. Note: GSA OCISO requires the use of Prisma Cloud for internal systems at GSA.
+-->
+
+# 10.9.3 Container Image Registry
+<!--
+Instructions: Describe which container registry is used (e.g., Amazon Elastic Container Registry [ECR], Docker Hub.). Describe what functions of the container registry are used. Describe if it is self-hosted or a managed service provided by a CSP. If it is an external provider, is the service FedRAMP compliant or approved by GSA? Describe the access control mechanisms and security control measures in place for the Container Registry.
+-->
+
+# 10.9.4 Dockerfile Usage
+<!--
+Instructions: Describe how Docker images are developed. Are the Docker images built from scratch or are base images from an external source used? If it is from scratch, explain any code quality mechanisms used, such as a linting tool. If images from an external source are used, explain the mechanisms in place to ensure this image can be trusted.
+-->
+
+# 10.9.5 Logs and Log Integration from Containers
+<!--
+Instructions: Describe how logs generated from containers are aggregated in a central log repository. Explain the tooling used to analyze logs and trigger action if needed.
+-->
+
+# 10.9.6 Hardening of Container Infrastructure
+<!--
+Instructions: Describe which Container Infrastructure is used. Is a fully managed or semi-managed container platform from a CSP used? Is the service FedRAMP compliant or approved by GSA? Has the cluster been hardened to security guidelines provided by Center for Internet Security (CIS) benchmarks or other similar benchmarks? Are underlying virtual machines run in the cluster hardened?
+-->
+
+# 10.9.7 Privilege Management in Cluster and Containers
+<!--
+Instructions: Describe how least privileges are applied to users or administrators that need access to a cluster. Is Role-Based Access Control (RBAC) used? Is a non-root user used to run the application with the container? Please explain the approach used to ensure least privilege both for the CSP and containers.
+-->
+
+# 10.9.8 Container Network Security
+<!--
+Instructions: Describe how network security control is implemented for communication between cluster resources. Describe the network topology for the container infrastructure? How is network traffic monitored and restricted between containers? How is network traffic isolated from containers to managed services such as a Database or a Caching cluster? Explain the use of any additional tools for container network security and segmentation in a multi-application multi-tenant/multi-application environment.
+-->
+
+# 10.9.9 Container Orchestration (Elastic Container Service (ECS), Elastic Kubernetes Service (EKS), Fargate, Kubernetes, etc.)
+<!--
+Instructions: Describe the Container Orchestrator used. Is it supported or managed by a vendor? Is it FedRAMP compliant or GSA OCISO approved? Has the Orchestrator been hardened to security guidelines provided by the CIS benchmarks or other similar benchmarks?
+-->
+
+# 10.9.10 Monitoring and Alerting
+<!--
+Instructions: Describe how monitoring on Containerized applications is performed. Does the monitoring provide a holistic view across Containers, Cluster, Host machines, communication, and telemetry between containers? Describe how notifications are received when monitoring finds issues of interest.
+-->