...
- SIMP will provide a tool (TBD) that uses this information to generate compliance reports from Puppet catalogs
- The tool will query PuppetDB (or local catalogs) to generate point-in-time compliance reports, with resources mapped to each CCE.
NOTE: Mapping is not Validation
It is important to note that mapping the resources necessary to satisfy a CCE is not a validation that the CCE's requirements have actually been enforced.
- OpenSCAP validates CCEs and this is not an attempt to re-implement it.
- The presence of a CCE->resource mapping in the Puppet catalog is not proof that it has been implemented correctly.
...
- Class parameters may be tweaked (via Hiera, ENC, or due to internal logic such as ::params)
- Different CCEs may prescribe mutually-exclusive requirements for the same resource.
- SIMP must support multiple compliance profiles, which may recommend CCEs that are mutually exclusive with respect to a given resource.
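As an added illustration of such a point-in-time report (not SIMP's own tool, which is TBD), the Ruby snippet below assumes the CCE mapping is expressed as tags on catalog resources (an assumption, not something this document specifies) and reads a constructed catalog in the JSON shape PuppetDB returns. It lists the resources claimed by each CCE and flags resources claimed by more than one CCE so that possible mutually exclusive requirements can be reviewed; it makes no claim that any CCE is satisfied.

```ruby
require 'json'

# Constructed sample catalog in the shape PuppetDB returns (resources with
# type, title, tags, parameters). The CCE ids and values are made up for
# illustration; the "cce-" tag convention is an assumption of this example.
SAMPLE_CATALOG = <<~JSON
{
  "resources": [
    {"type": "File", "title": "/etc/ssh/sshd_config",
     "tags": ["file", "cce-example-a", "ssh"],
     "parameters": {"mode": "0600", "owner": "root"}},
    {"type": "Sshd_config", "title": "PermitRootLogin",
     "tags": ["cce-example-a", "cce-example-b"],
     "parameters": {"value": "no"}},
    {"type": "Service", "title": "auditd",
     "tags": ["cce-example-c"],
     "parameters": {"ensure": "running"}}
  ]
}
JSON

CCE_TAG = /\Acce-/

# Return a hash of CCE id => list of "Type[title]" resource references.
# This is the mapping only: it does not check parameter values.
def cce_map(catalog_json)
  catalog = JSON.parse(catalog_json)
  map = Hash.new { |h, k| h[k] = [] }
  catalog['resources'].each do |r|
    r['tags'].grep(CCE_TAG).each do |cce|
      map[cce] << "#{r['type']}[#{r['title']}]"
    end
  end
  map
end

# Resources referenced by more than one CCE: candidates for mutually
# exclusive requirements that a reviewer should check by hand.
def shared_resources(map)
  by_res = Hash.new { |h, k| h[k] = [] }
  map.each { |cce, refs| refs.each { |ref| by_res[ref] << cce } }
  by_res.select { |_, cces| cces.size > 1 }
end

# Produce the report lines: one per CCE, then one REVIEW line per shared resource.
def report(catalog_json)
  map = cce_map(catalog_json)
  lines = map.sort.map { |cce, refs| "#{cce}: #{refs.join(', ')}" }
  shared_resources(map).each do |ref, cces|
    lines << "REVIEW #{ref} is claimed by #{cces.sort.join(' and ')}"
  end
  lines
end

puts report(SAMPLE_CATALOG) if $PROGRAM_NAME == __FILE__
```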
Advantages
...
The Benefits: Better Compliance Tooling
- Provide a security officer with a detailed mapping of which resources have been prescribed to fite
...