OSCAL Exchange Protocol

OSCAL Exchange Protocol enables integration of various assessment tools with a cloud provider’s security and compliance engine (Complaince Automation Center) in a standardized manner.

Live demo

live demo

Install locally

Check Python version

It should be 3.9 or greater.

$ python -V
Python 3.9.9

Clone the project

$ cd
$ mkdir sandbox
$ cd sandbox
$ git clone https://github.com/degenaro/oscal-exchange-protocol.git
$ cd oscal-exchange-protocol

Install prereqs and launch webserver

$ make run

Visit website

Enter URL in browser http://127.0.0.1:8000/docs

Tutorials

Post OSCAL Profile using Lifecycle endpoint and get list of OSCAL Profiles using Validation endpoint

---

tutorial: using command line

0. Setup to issue curl commands

In new terminal window:

$ cd sandbox
$ cd oscal-exchange-protocol

1. Obtain bearer token

$ curl -X 'POST'   'http://localhost:8000/token'   -H 'accept: application/json'   -H 'Content-Type: application/x-www-form-urlencoded'   -d 'grant_type=&username=oxp-user&password=123&scope=&client_id=&client_secret='

result

{"access_token":"fc54ac91-f674-46b9-bb1d-4da2a169218d","token_type":"bearer"}degenaro:oscal-exchange-protocol

Use the access_token value (e.g. fc54ac91-f674-46b9-bb1d-4da2a169218d) for authorization below.

2. Post OSCAL Profile (Lifecycle)

$ curl -X 'POST' 'http://localhost:8000/profiles' -H 'accept: application/json' -H 'Authorization: Bearer fc54ac91-f674-46b9-bb1d-4da2a169218d' -H 'Content-Type: multipart/form-data'  -F 'profile=@trestle.workspace/profiles/osco.0.1.39.checks.0.1.58/profile.json;type=application/json'

Note: use the bearer token obtained in Step 1 above.

result

"f342c103-5fb0-4a6e-9bbb-fafb593f9036"

The uuid of the created Profile.

3. Fetch OSCAL Profile (Validation)

curl -X 'POST' 'http://localhost:8000/profile/component/pvp-component-id?pvp_component_id=roks-cis-node' -H 'accept: application/json' -H 'Content-Type: multipart/form-data' -F 'system_security_plan='

result

[
	{
		"profile": {
			"uuid": "31182b1c-32b3-422d-a366-62b39272058c",
			"metadata": {
				"title": "Tailored Profile",
				"last-modified": "2021-08-06T13:25:50.741+00:00",
				"version": "1.0",
				"oscal-version": "1.0.0",
				"props": [
					{
						"name": "profile_mnemonic",
						"ns": "https://my.github.io/compliance-trestle/schemas/oscal/my-cloud",
						"value": "roks-cis-node",
						"class": "scc_profile_mnemonic"
					},
					{
						"name": "base_profile_mnemonic",
						"ns": "https://my.github.io/compliance-trestle/schemas/oscal/my-cloud",
						"value": "ocp4-cis-node",
						"class": "scc_base_profile_mnemonic"
					},
					{
						"name": "osco_version",
						"value": "0.1.39"
					}
				]
			},
			"imports": [
				{
					"href": "https://github.com/ComplianceAsCode/content/blob/master/products/ocp4/profiles/cis-node.profile",
					"exclude-controls": [
						{
							"with-ids": [
								"xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver",
								"xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver",
								"xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager"
							]
						}
					]
				}
			],
			"modify": {
				"set-parameters": [
					{
						"param-id": "kubelet_eviction_thresholds_set_soft_memory_available",
						"values": [
							"500Mi"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_soft_nodefs_available",
						"values": [
							"10%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_soft_nodefs_inodesfree",
						"values": [
							"5%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_soft_imagefs_available",
						"values": [
							"15%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_soft_imagefs_inodesfree",
						"values": [
							"10%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_hard_memory_available",
						"values": [
							"200Mi"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_hard_nodefs_available",
						"values": [
							"5%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_hard_nodefs_inodesfree",
						"values": [
							"4%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_hard_imagefs_available",
						"values": [
							"10%"
						]
					},
					{
						"param-id": "kubelet_eviction_thresholds_set_hard_imagefs_inodesfree",
						"values": [
							"5%"
						]
					}
				]
			}
		}
	}
]

The list of profiles corresponding to the specified pvp_component_id.

---

tutorial: using browser

1. Obtain bearer token

1.1 Select Authorize.

1.2 Enter user name and password. Select 'Authorize. Select Close.

2. Post OSCAL Profile (Lifecycle)

2.1 Select Add Profile.

2.2 Select Try it out.

2.3 Select Choose file. Navigate to oscal-exchange-protocol.public/trestle.workspace/profiles/osco.0.1.39.checks.0.1.58/profile.json. Select Open. Select Execute.

2.4 Note Code 200 and response body UUID (e.g. "31182b1c-32b3-422d-a366-62b39272058c").

3. Fetch OSCAL Profile (Validation)

3.1 Select Policy Validation Point Driven: Get Profiles By Checks.

3.2 Select Try it out.

3.2 Enter roks-cis-node. Select Execute.

3.4 Note Code 200 and response body.

---