Merge pull request #43 from shawndwells/tailoring

Properly build CXO/PMO directories, fix typos

Makefile

@@ -18,12 +18,46 @@ K := $(foreach exec,$(EXECUTABLES),\
 
 default: rhel7 openshiftv3
 
-clean:
+clean-all: clean
 	- cd RHEL7 && make clean
 	- cd OpenShift-v3 && make clean
 
-rhel7: clean
-	- cd RHEL7 && make
+clean:
+	- rm -rf exports/ opencontrols/
+
+rhel7-clean:
+	- cd RHEL7 && clean
+
+rhel7: rhel7-clean
+	- cd RHEL7 && make clean
+
+openshiftv3-clean:
+	- cd OpenShift-v3 && make clean
 
-openshiftv3: clean
+openshiftv3: openshiftv3-clean
 	- cd OpenShift-v3 && make
+
+###
+### Sample 'MyApp' targets
+###
+opencontrols: opencontrol.yaml
+	- ${CM} get
+
+exports: opencontrols
+	- ${CM} docs gitbook FedRAMP-low
+
+pdf: exports
+	- cd exports/ && gitbook pdf ./ ./MyApp_Compliance_Guide.pdf
+
+serve: exports
+	- cd exports/ && gitbook serve
+
+fedramp:
+	- ${GOPATH}/bin/fedramp-templater fill opencontrols/ ./FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx exports/FedRAMP-Filled-v2.1.docx
+
+fedramp-diff:
+	- ${GOPATH}/bin/fedramp-templater diff opencontrols/ ./FedRAMP_Template/FedRAMP-System-Security-Plan-Template-v2.1.docx
+
+checks:
+	- yamllint customer_cxo_controls/policies/
+	- yamllint customer_pmo_controls/policies/

OpenShift-v3/opencontrol.yaml

@@ -1,5 +1,5 @@
 schema_version: "1.0.0"
-name: OpenShift-v3.fd
+name: OpenShift v3
 metadata:
   description: Red Hat OpenShift v3
   maintainers:

OpenShift-v3/policies/AC-Access_Control/component.yaml

@@ -4,59 +4,67 @@ name: Access Control
 schema_version: 3.0.0
 satisfies:
 
+#
+# AC-2(2) NOTES:
+#       The customer will be responsible for automatically removing or
+#       disabling emergency and temporary accounts within the required
+#       timeframe. A successful control response will need to address
+#       all of the procedures and mechanisms involved in disabling these
+#       accounts.
+#
 - control_key: AC-2 (2)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: Not applicable
+  implementation_status: Not applicable
   narrative:
     - text: |
-        '//*
-        The customer will be responsible for automatically removing or
-        disabling emergency and temporary accounts within the required
-        timeframe. A successful control response will need to address
-        all of the procedures and mechanisms involved in disabling these
-        accounts.
-
-        3rd party software must be used to fully support management of
-        temporary and emergency accounts. OpenShift does not have the capability
-        to automatically disable accounts after a configured period of time. To
-        meet this requirement, an authentication provider (such as Active
-        Directory) must be used. Integration between OpenShift and Active
-        Directory can be accomplished through the use of Kerberos cross-realm
-        trusts. Refer to the LDAP Authentication section of the OpenShift
-        Administrators guide:
-
-        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth
-        */'
-
+        'OpenShift relies upon 3rd party authentication providers, such as
+        Microsoft Active Directory, Red Hat IdM, or LDAP. By relying on 3rd
+        party authentication providers, OpenShift is not responsible for
+        automatic disablement of temporary and emergency accounts after a
+        configured period of time.
+
+        Refer to the LDAP Authentication section of the OpenShift
+        Administrators Guide for configuration references to 3rd parties, e.g.
+        configuration of Kerberos cross-realm trusts with Active Directory.
+        The guide can be found at:
+
+        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth'
+
+#
+# AC-2(3) NOTES:
+#       The customer will be responsible for automatically disabling user
+#       accounts after the specified period of inactivity. A successful
+#       control response will need to address all automated mechanisms
+#       involved in disabling inactive accounts.
+#       
+# ADMIN NOTE:
+#       AC-2(2) disables temp/emergency accounts after period of time.
+#       AC-2(3) differs by disabling *every other* account type
+#
 - control_key: AC-2 (3)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
-        '//*
-        The customer will be responsible for automatically disabling user
-        accounts after the specified period of inactivity. A successful control
-        response will need to address all automated mechanisms involved in
-        disabling inactive accounts.>
-
-        <3rd party software must be used to fully support automatic disablement
-        of inactive OpenShift accounts. OpenShift does not have the capability
-        to automatically disable accounts after a configured period of time. To
-        meet this requirement, an authentication provider (such as Active
-        Directory) must be used. Integration between OpenShift and Active
-        Directory can be accomplished throguh the use of Kerberos cross-realm
-        trusts. Refer to the LDAP Authentication section of the OpenShift
-        Administrators guide:
-
-        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth
-        */'
+        'OpenShift relies upon 3rd party authentication providers, such as
+        Microsoft Active Directory, Red Hat IdM, or LDAP. By relying on 3rd
+        party authentication providers, OpenShift is not responsible for
+        automatic disablement of inactive accounts after a configured period
+        of time.
+
+        Refer to the LDAP Authentication section of the OpenShift
+        Administrators Guide for configuration references to 3rd parties, e.g.
+        configuration of Kerberos cross-realm trusts with Active Directory.
+        The guide can be found at:
+
+        https://docs.openshift.com/container-platform/3.3/admin_solutions/authentication.html#ldap-auth'
 
 - control_key: AC-2 (4)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: Implemented
+  implementation_status: Implemented
   narrative:
     - text: |
         '//*
@@ -87,7 +95,7 @@ satisfies:
 - control_key: AC-2 (5)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: Implemented
+  implementation_status: Implemented
   narrative:
     - text: |
         '//*
@@ -99,7 +107,7 @@ satisfies:
 - control_key: AC-2 (10)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -114,7 +122,7 @@ satisfies:
 - control_key: AC-3
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -129,7 +137,7 @@ satisfies:
 - control_key: AC-4
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -149,7 +157,7 @@ satisfies:
 - control_key: AC-4 (21)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -163,7 +171,7 @@ satisfies:
 - control_key: AC-6 (2)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -176,7 +184,7 @@ satisfies:
 - control_key: AC-6 (9)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -189,7 +197,7 @@ satisfies:
 - control_key: AC-6 (10)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -203,7 +211,7 @@ satisfies:
 - control_key: AC-7
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - key: a
       text: |
@@ -221,7 +229,7 @@ satisfies:
 - control_key: AC-8
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - key: a
       text: |
@@ -283,7 +291,7 @@ satisfies:
 - control_key: AC-10
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -296,7 +304,7 @@ satisfies:
 - control_key: AC-11
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - key: a
       text: |
@@ -313,7 +321,7 @@ satisfies:
 - control_key: AC-11 (1)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         'Not applicable. When AC-2(5) is implemented, the non-configurable
@@ -323,7 +331,7 @@ satisfies:
 - control_key: AC-12
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -337,7 +345,7 @@ satisfies:
 - control_key: AC-17 (1)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         'All system events, regardless of local or remote, are captured through
@@ -347,7 +355,7 @@ satisfies:
 - control_key: AC-17 (2)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         'OpenShift uses the following cryptographic algorithms and ciphers to
@@ -368,7 +376,7 @@ satisfies:
 - control_key: AC-17 (3)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -383,7 +391,7 @@ satisfies:
 - control_key: AC-17 (9)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*
@@ -409,7 +417,7 @@ satisfies:
 - control_key: AC-18 (1)
   standard_key: NIST-800-53
   covered_by: []
-  implimentation_status: none
+  implementation_status: none
   narrative:
     - text: |
         '//*