...
Use Puppet Resource tags to refer to CCE ids.(Trevor doesn't like tags because they are mutable under some circumstances)- Provide an inert custom type to track CCE->resource mappings as metadata in the catalog.
- It will accept:
- The CCE ID
- A collection of mapped resources (as a list or individually)
- Additional (optional) annotations for a given CCE(s)
Hypothetical example:
cce{ 'cce_indentifier':resources => [Package['foo'], Service['foo']. File['/etc/foo.bar']] comments => 'An optional annotation about this particular mapping'
}
- It will accept:
- Use the catalog compiled for a given system to compile the compil relevant security-compliance documentdocumentation.
To take advantage of these features:
- SIMP will provide a tool (TBD) that uses this information to generate compliance reports from Puppet catalogs
- The tool will PuppetDB (or local catalogs) can be queried to generate point-in-time compliance reports, .
NOTE: Mapping is not Validation
It is important to note that the mapping of resources necessary to satisfy a CCE is not a validation of the CCE itself.
- OpenSCAP validates CCEs and this is not an attempt to re-implement it.
- The presence of a CCE->resource mapping in the Puppet catalog is not proof that it has been implemented correctly.
Puppet-managed resources may differ from a CCE's requirements under many circumstances:
- Class parameters may be tweaked (via Hiera, ENC, or due to internal logic such as ::params)
- Different CCEs may prescribe mutually-exclusive requirements for the same resource.
- SIMP must support multiple compliance profiles, which may recommend CCEs that are mutually-exclusive wrt a given resource.
It is important to note that the mapping of resources necessary to satisfy a CCE is not a validation of the CCE itself.
...
Advantages
Enables the development of tools:
...