Background
In order to support compliance reporting, SIMP modules should map which resources have been configured to support particular compliance requirements, with supporting annotations where needed.e
The Proposed Approach
The CCE is a unique and immutable reference used by compliance-checking solutions such as OpenSCAP. Our approach is to use the abstraction and tooling already provided by Puppet modules to
Our approach within modules will be to:
- Use Puppet Resource tags to refer to CCE ids.
- Provide an optional (and inert) custom type to provide additional annotations for a given CCE(s) as metadata in the catalog
- Use the catalog compiled for a given system to compile the relevant security compliance document.
To take advantage of these features:
- SIMP will provide a tool (TBD) that uses this information to generate compliance reports from Puppet catalogs
- The tool will PuppetDB (or local catalogs) can be queried to generate point-in-time compliance reports.
Problems
- SIMP supports multiple compliance profiles, which may differ on recommendations for which CCEs to implement, even for the same resources.