...
Use Puppet Resource tags to refer to CCE ids.(Trevor doesn't like tags because they are mutable under some circumstances)- Provide an inert custom type to track CCE->resource mappings as metadata in the catalog.
- It will accept:
- The CCE ID
- A collection of mapped resources (as a list or individually)
- Additional (optional) annotations for a given CCE(s)
Hypothetical example:
cce{ 'cce_indentifier':resources => [Package['foo'], Service['foo']. File['/etc/foo.bar']] comments => 'An optional annotation about this particular mapping'
}
- It will accept:
- Use the catalog compiled for a given system to compil relevant security-compliance documentation.
The Benefits: Advanced Compliance Tooling
To take advantage of these features:
- SIMP will provide a tool (TBD) that uses this information to generate compliance reports from Puppet catalogs
- PuppetDB (or local catalogs) can be queried to generate point-in-time compliance reports, with resources mapped to each CCE.
NOTE: Mapping is not Validation
It is important to note that the mapping of resources necessary to satisfy a CCE is not a validation that the CCE's requirements have been enforced.
- OpenSCAP already validates CCEs CCE compliance and this is not an attempt to re-implement it.
- The presence of a CCE->resource mapping in the Puppet catalog is not proof that it has been implemented correctly.
...