Merge develop into main to prepare OSCAL Content v1.3.0 release

.github/workflows/content-artifacts.yml

@@ -34,7 +34,7 @@ jobs:
       - name: Install xmllint
         run: sudo apt-get install -y libxml2-utils          
       - name: Cache generated content for OSCAL build artifacts
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
         with:
           path: |
             build/oscal/build/node_modules
@@ -51,7 +51,7 @@ jobs:
         run: |
           zip ${{ runner.temp }}/generated-content.zip -r README.md examples/ nist.gov/
         working-directory: ${{ github.workspace }}
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         if: always()
         with:
           name: generated-content

.gitignore

@@ -3,3 +3,5 @@ generated/
 # Downloaded utilities for content transformation
 yq
 jq
+.DS_Store
+build/oscal-cli/

build/Makefile

@@ -17,7 +17,7 @@ all: artifacts checks ## Run all steps for content preparation
 artifacts: copy-readmes copy-xml-content resolve-xml-profiles convert-min-json-content reformat-json-content convert-yaml-content ## Generate all artifacts
 
 .PHONY: checks
-checks: validate-xml-content validate-json-content validate-yaml-content ## Check all content with schema and other validation methods
+checks: validate-xml-content validate-json-content validate-yaml-content validate-xml-by-cli ## Check all content with schema and other validation methods
 
 .PHONY: clean
 clean: clean-core-artifacts clean-readmes clean-json-content clean-xml-content clean-yaml-content ## Clean all generated content
@@ -26,6 +26,10 @@ clean: clean-core-artifacts clean-readmes clean-json-content clean-xml-content c
 # Dependencies
 #
 
+
+
+
+
 CURL_INSTALL_OPTS:=--silent --location
 
 # Used to automatically install certain executables
@@ -62,8 +66,25 @@ NPM_PKGS_DIR:=node_modules
 $(NPM_PKGS_DIR):
 	$(MAKE) -C $(OSCAL_CORE_DIR) dependencies
 
+OSCAL_CLI_VERSION=`curl -s https://api.github.com/repos/usnistgov/oscal-cli/releases/latest | jq -r '.name[1:]'`
+OSCAL_CLI_BIN:=oscal-cli
+OSCAL_CLI_INSTALL_URL:=https://repo1.maven.org/maven2/gov/nist/secauto/oscal/tools/oscal-cli/cli-core/$(OSCAL_CLI_VERSION)/cli-core-$(OSCAL_CLI_VERSION)-oscal-cli.zip
+OSCAL_CLI_INSTALL_PATH := $(shell which oscal-cli 2>/dev/null)
+ifeq ($(OSCAL_CLI_INSTALL_PATH),)
+OSCAL_CLI_INSTALL_PATH := ./oscal-cli/
+$(OSCAL_CLI_INSTALL_PATH):	
+	@echo "Downloading OSCAL CLI version $(OSCAL_CLI_VERSION)..."; \
+	mkdir -p $(OSCAL_CLI_INSTALL_PATH); \
+	curl $(CURL_INSTALL_OPTS) -o $(OSCAL_CLI_INSTALL_PATH)/oscal-cli.zip $(OSCAL_CLI_INSTALL_URL); \
+	unzip -o $(OSCAL_CLI_INSTALL_PATH)/oscal-cli.zip -d $(OSCAL_CLI_INSTALL_PATH); \
+	chmod +x $(OSCAL_CLI_INSTALL_PATH)/bin/$(OSCAL_CLI_BIN)
+else
+OSCAL_CLI_INSTALL_PATH := $(shell dirname $$(dirname $$(which oscal-cli)))
+endif
+
+
 .PHONY: dependencies
-dependencies: $(JQ_PATH) $(XMLLINT_PATH) $(YQ_PATH) $(NPM_PKGS_DIR) ## Install needed jq and yq binaries, and download needed downstream dependencies
+dependencies: $(JQ_PATH) $(XMLLINT_PATH) $(YQ_PATH) $(NPM_PKGS_DIR) $(OSCAL_CLI_INSTALL_PATH) ## Install needed jq and yq binaries, and download needed downstream dependencies
 
 # By default we install xmllint with operating system package manager, so
 # to be sensible, we will not uninstall or delete it even with the package
@@ -157,6 +178,25 @@ validate-xml-content: $(GEN_XML_FILES) ## Validate XML files
 	$(MAKE) -C $(OSCAL_CORE_DIR) $(subst $(OSCAL_CORE_DIR)/,,$(OSCAL_COMPLETE_XML_SCHEMA))
 	$(XMLLINT_PATH) --schema $(OSCAL_COMPLETE_XML_SCHEMA) --noout $(GEN_XML_FILES)
 
+
+#
+# Validate XML with oscal-cli
+#
+.PHONY: validate-xml-by-cli
+validate-xml-by-cli: $(OSCAL_CLI_INSTALL_PATH) ## Validate XML files by directory using OSCAL CLI Tool
+	@echo "Validating XML files by directory using OSCAL CLI Tool"
+	@$(OSCAL_CLI_INSTALL_PATH)/bin/$(OSCAL_CLI_BIN) --version
+	@echo "latest oscal-cli version is $(OSCAL_CLI_VERSION)"
+	@echo "Validating OSCAL content with $(OSCAL_CLI_INSTALL_PATH)/bin/oscal-cli version $(OSCAL_CLI_VERSION)"
+	@find $(SRC_DIR)/examples -mindepth 1 -maxdepth 1 -type d | while read example_dir; do \
+		example_type=$$(basename "$$example_dir"); \
+		echo "Processing example type: $$example_type"; \
+		find "$$example_dir" -name '*.xml' | while read xml_file; do \
+			echo "Validating $$xml_file with OSCAL CLI as $$example_type"; \
+			$(OSCAL_CLI_INSTALL_PATH)/bin/oscal-cli "$$example_type" validate "$$xml_file"; \
+		done \
+	done
+
 .PHONY: clean-xml-content
 clean-xml-content: ## Clean generated XML content
 	@echo Cleaning XML content

src/examples/ap/xml/ifa_assessment-plan-example.xml

@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<assessment-plan
+    uuid="60077e84-e62f-4375-8c6c-b0e0d4560c5f"
+    xmlns="http://csrc.nist.gov/ns/oscal/1.0">
+    <metadata>
+        <title>IFA GoodRead Assessment Plan</title>
+        <last-modified>2024-02-01T13:57:28.355446-04:00</last-modified>
+        <version>1.0</version>
+        <oscal-version>1.1.2</oscal-version>
+        <role id="assessor">
+            <title>IFA Security Control Assessor</title>
+        </role>
+        <party uuid="e7730080-71ce-4b20-bec4-84f33136fd58" type="person">
+            <name>Amy Assessor</name>
+            <member-of-organization>3a675986-b4ff-4030-b178-e953c2e55d64</member-of-organization>
+        </party>
+        <party uuid="3a675986-b4ff-4030-b178-e953c2e55d64" type="organization">
+            <name>Important Federal Agency</name>
+            <short-name>IFA</short-name>
+            <link href="https://www.ifa.gov" rel="website" />
+        </party>
+        <responsible-party role-id="assessor">
+            <party-uuid>e7730080-71ce-4b20-bec4-84f33136fd58</party-uuid>
+        </responsible-party>
+    </metadata>
+    <import-ssp href="../3-implementation/ssp.oscal.xml" />
+    <local-definitions>
+        <activity uuid="52277182-1ba3-4cb6-8d96-b1b97aaf9d6b">
+            <title>Examine System Elements for Least Privilege Design and Implementation</title>
+            <description>
+                <p>The activity and it steps will be performed by the assessor and facilitated by
+                    owner, ISSO, and product team for the IFA GoodRead system with necessary
+                    information and access about least privilege design and implementation of the
+                    system's elements: the application, web framework, server, and cloud account
+                    infrastructure.</p>
+            </description>
+            <prop name="method" value="EXAMINE" />
+            <step uuid="733e3cbf-e398-46b6-9c02-a2cb534c341e">
+                <title>Obtain Network Access via VPN to IFA GoodRead Environment</title>
+                <description>
+                    <p>The assessor will obtain network access with appropriately configured VPN
+                        account to see admin frontend to the application for PAO staff, which is
+                        only accessible via VPN with an appropriately configured role for PAO staff
+                        accounts.</p>
+                </description>
+            </step>
+            <step uuid="4ce7e0b4-d69e-4b80-a700-8600b4d4d933">
+                <title>Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System</title>
+                <description>
+                    <p>The assessor will obtain access to the GoodRead Product Team's AwesomeCloud
+                        account with their single sign-on credentials to a read-only assessor role.</p>
+                </description>
+            </step>
+            <step uuid="3d0297de-e47b-4360-b9c3-cf5c425f86cd">
+                <title>Obtain Applcation Access Provided by Product Team</title>
+                <description>
+                    <p>The assessor will obtain non-privileged account credentials with the PAO
+                        staff role to test this role in the application does not permit excessive
+                        administrative operations.</p>
+                </description>
+            </step>
+            <step uuid="64ca1ef6-3ad4-4747-97c6-40890222463f">
+                <title>Confirm Load Balancer Blocks Access to Admin Frontend from Internet</title>
+                <description>
+                    <p>The assessor will confirm that the load balancer for public access does not
+                        allow access to Admin Frontend of the application from the Internet.</p>
+                </description>
+            </step>
+            <step uuid="715f0592-166f-44f6-bb66-d99623e035dc">
+                <title>Confirm GoodRead's PAO Role Cannot Manage Users</title>
+                <description>
+                    <p>The assessor will confirm that user's logged into the GoodRead Application
+                        with the PAO staff role cannot add, modify, or disable users from the
+                        system.</p>
+                </description>
+            </step>
+            <step uuid="4641957b-a0fa-4c61-af1a-d3e9101efe40">
+                <title>Confirm Django Admin Panel Not Available</title>
+                <description>
+                    <p>The assessor will confirm with web-based interface and API methods users with
+                        the PAO Staff role cannot access the Django admin panel functions and
+                        interactively change application's database records.</p>
+                </description>
+            </step>
+            <related-controls>
+                <control-selection>
+                    <include-control control-id="ac-6.1" />
+                </control-selection>
+            </related-controls>
+            <responsible-role role-id="assessor">
+                <party-uuid>e7730080-71ce-4b20-bec4-84f33136fd58</party-uuid>
+            </responsible-role>
+        </activity>
+    </local-definitions>
+    <reviewed-controls>
+        <control-selection>
+            <include-control control-id="ac-6.1" />
+        </control-selection>
+        <control-objective-selection>
+            <include-all />
+        </control-objective-selection>
+    </reviewed-controls>
+    <assessment-subject type="component">
+        <description>
+            <p>The assessor for the IFA GoodRead Project, including the application and
+                infrastructure for this information system, are within scope of this assessment.</p>
+        </description>
+        <include-all />
+    </assessment-subject>
+    <task uuid="b3504d22-0e75-4dd7-9247-618661beba4e" type="action">
+        <title>Examine Least Privilege Design and Implementation</title>
+        <associated-activity activity-uuid="0d243b23-a889-478f-9716-6d4870e56209">
+            <subject type="component">
+                <include-all />
+            </subject>
+        </associated-activity>
+        <responsible-role role-id="assessor" />
+        <remarks>
+            <p>Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner,
+                information system security officer, and product team for the IFA GoodRead project,
+                will examine least privilege design and implementation with the following:</p>
+            <ul>
+                <li>list of security functions (deployed in hardware, software, and firmware) and
+                    security-relevant information for which access must be explicitly authorized;</li>
+                <li>system configuration settings and associated documentation;</li>
+            </ul>
+        </remarks>
+    </task>
+</assessment-plan>