...
In order to support compliance reporting, SIMP modules should record which resources have been configured to satisfy particular compliance requirements, with supporting annotations where needed.
...
The CCE (Common Configuration Enumeration) id is a unique and immutable reference used by compliance-checking solutions such as OpenSCAP. Our approach is to use the abstraction and tooling already provided by Puppet modules to
Our approach within modules will be to:
- Use Puppet Resource tags to refer to CCE ids.
- Provide an optional (and inert) custom type that attaches additional annotations for a given CCE (or CCEs) to the catalog as metadata.
- Use the catalog compiled for a given system to produce the relevant security compliance document. An additional tool for generating compliance reports from catalogs containing this information will be developed.
To take advantage of these features:
- SIMP will provide a tool (TBD) that uses this information to generate compliance reports from Puppet catalogs
- The tool will query PuppetDB (or local catalogs) to generate point-in-time compliance reports.
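As an added example (not SIMP code and not the TBD tool itself), the Ruby below sketches how such a reporting tool could consume a compiled catalog. It assumes a hypothetical inert type named `compliance_annotation`, placeholder CCE ids of the form CCE-00001-2, and a constructed catalog fragment in the shape returned by `puppet catalog find <certname> --render-as json` (an array of resources, each with `type`, `title`, `tags` and `parameters`). One caveat that matters for the tag-based approach: Puppet lowercases every tag when it is set, so `tag => 'CCE-00001-2'` in a manifest appears as `cce-00001-2` in the catalog, and any lookup has to be case-insensitive.

```ruby
require 'json'

# Constructed sample catalog for this example; the CCE ids are placeholders and
# `Compliance_annotation` is a hypothetical inert type, not a real SIMP type.
# The manifest that would produce resources 1-3 looks roughly like:
#   file { '/etc/login.defs': mode => '0644', tag => 'CCE-00001-2' }
#   sshd_config { 'PermitRootLogin': value => 'no', tag => ['CCE-00002-0', 'CCE-00003-9'] }
#   compliance_annotation { 'CCE-00002-0 sshd': cce => 'CCE-00002-0', note => '...' }
# Note that Puppet has already lowercased the tags in the compiled catalog.
SAMPLE_CATALOG = JSON.parse(<<~'JSON')
{
  "name": "node1.example.com",
  "version": 1,
  "resources": [
    {"type": "File", "title": "/etc/login.defs",
     "tags": ["file", "class", "cce-00001-2", "simp::login_defs"],
     "parameters": {"mode": "0644"}},
    {"type": "Sshd_config", "title": "PermitRootLogin",
     "tags": ["sshd_config", "cce-00002-0", "cce-00003-9", "simp::sshd"],
     "parameters": {"value": "no"}},
    {"type": "Compliance_annotation", "title": "CCE-00002-0 sshd",
     "tags": ["compliance_annotation", "cce-00002-0"],
     "parameters": {"cce": "CCE-00002-0",
                    "note": "Root login disabled per the hardened profile"}},
    {"type": "Package", "title": "vim", "tags": ["package"], "parameters": {}}
  ]
}
JSON

CCE_TAG = /\Acce-\d{5}-\d\z/i          # CCE-NNNNN-N, matched case-insensitively
ANNOTATION_TYPE = 'Compliance_annotation' # hypothetical inert annotation type

# CCE ids carried by one catalog resource, normalised to upper case.
def cce_tags(resource)
  Array(resource['tags']).grep(CCE_TAG).map(&:upcase)
end

# Build { 'CCE-NNNNN-N' => { 'resources' => [...], 'annotations' => [...] } }
# from a catalog hash. Annotation resources are inert: they contribute notes
# only and are never counted as the resource that implements the control.
def compliance_report(catalog, annotation_type: ANNOTATION_TYPE)
  report = Hash.new { |h, k| h[k] = { 'resources' => [], 'annotations' => [] } }
  Array(catalog['resources']).each do |res|
    ids = cce_tags(res)
    next if ids.empty?
    if res['type'].to_s.casecmp?(annotation_type)
      note = res.fetch('parameters', {}).fetch('note', '')
      ids.each { |id| report[id]['annotations'] << note }
    else
      ref = "#{res['type']}[#{res['title']}]"
      ids.each { |id| report[id]['resources'] << ref }
    end
  end
  report.sort.to_h
end

# Point-in-time check: which CCEs a profile expects are not mapped to any
# managed resource in this catalog (an annotation alone does not count).
def unmapped_cces(report, expected)
  expected.map(&:upcase).reject { |id| report.key?(id) && !report[id]['resources'].empty? }
end

if __FILE__ == $PROGRAM_NAME
  catalog = ARGV[0] ? JSON.parse(File.read(ARGV[0])) : SAMPLE_CATALOG
  puts JSON.pretty_generate(compliance_report(catalog))
end
```

Run it with no arguments to see the report for the constructed catalog, or pass a file saved from `puppet catalog find <certname> --render-as json`. If the catalog is pulled from PuppetDB's v4 `catalogs/<certname>` endpoint instead, the resource list is nested one level deeper (`resources.data`), so unwrap it before calling `compliance_report`.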
Problems
- SIMP supports multiple compliance profiles, which may differ on recommendations for which CCEs to implement, even for the same resources.