Merge branch 'ComplianceAsCode:master' into bsi-app-4.4

Author: benruland

.github/workflows/gate.yaml

@@ -35,14 +35,14 @@ jobs:
       - name: Update CA certificates
         run: update-ca-certificates
       - name: Zypper add factory repo - to install bats and ShellCheck
-        run: zypper --non-interactive ar  https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP5/standard/openSUSE:Backports:SLE-15-SP5.repo     
+        run: zypper --non-interactive ar  https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15-SP5/standard/openSUSE:Backports:SLE-15-SP5.repo
       - name: Zypper auto import keys
         run: zypper  --gpg-auto-import-keys --non-interactive ref
       - name: Zypper refs
         run: zypper refs
       - name: Zypper refresh
-        run: zypper refresh    
-      - name: Install Deps           
+        run: zypper refresh
+      - name: Install Deps
         run: zypper install -y git cmake make bats openscap-utils python3 python3-rpm python3-pip python3-devel python3-PyYAML python3-Jinja2 python3-setuptools libxslt-tools libxml2-tools ShellCheck
       - name: Upgrade pip python
         run: pip install pip --upgrade
@@ -135,52 +135,6 @@ jobs:
         run: ctest -j2 --output-on-failure -E unique-stigids
         working-directory: ./build
 
-  validate-fedora:
-    name: Build, Test on Fedora Latest (Container)
-    runs-on: ubuntu-latest
-    container:
-      image: fedora:latest
-    steps:
-      - name: Install Deps
-        run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install deps python
-        run: pip install pcre2 -r requirements.txt -r test-requirements.txt
-      - name: Build
-        run: |-
-          ./build_product \
-              alinux2 \
-              alinux3 \
-              anolis23 \
-              anolis8 \
-              chromium \
-              fedora \
-              firefox \
-              rhcos4 \
-              rhel7 \
-              rhel8 \
-              rhel9 \
-              uos20 \
-              ocp4 \
-              eks
-        env:
-          ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
-      - name: Test
-        run: ctest -j2 --output-on-failure -E unique-stigids
-        working-directory: ./build
-      - name: "Set git safe directory, ref: https://github.com/actions/checkout/issues/760"
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Upload coverage to Code Climate  # Requires: git package
-        if: ${{ github.repository == 'ComplianceAsCode/content' }}
-        uses: paambaati/codeclimate-action@v5.0.0
-        env:
-          CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
-        with:
-          coverageLocations: build/tests/coverage.xml:coverage.py
-      - name: Validate gitmailmap
-        run: grep -E "\S" .mailmap | grep -Ev '^#' | git check-mailmap --stdin
-
   validate-fedora-rawhide:
     name: Build, Test on Fedora Rawhide (Container)
     runs-on: ubuntu-latest

.github/workflows/gate_fedora.yml

@@ -0,0 +1,54 @@
+name: Gate
+on:
+  merge_group:
+    branches: [ 'master' ]
+  push:
+    branches: ['*', '!stabilization*', '!stable*', 'master' ]
+  pull_request:
+    branches: [ 'master', 'stabilization*' ]
+jobs:
+    validate-fedora:
+        name: Build, Test on Fedora Latest (Container)
+        runs-on: ubuntu-latest
+        container:
+            image: fedora:latest
+        steps:
+            -   name: Install Deps
+                run: dnf install -y cmake make openscap-utils python3-pyyaml bats ansible python3-pip ShellCheck git gcc gcc-c++ python3-devel
+            -   name: Checkout
+                uses: actions/checkout@v4
+            -   name: Install deps python
+                run: pip install pcre2 -r requirements.txt -r test-requirements.txt
+            -   name: Build
+                run: |-
+                    ./build_product \
+                        alinux2 \
+                        alinux3 \
+                        anolis23 \
+                        anolis8 \
+                        chromium \
+                        fedora \
+                        firefox \
+                        rhcos4 \
+                        rhel7 \
+                        rhel8 \
+                        rhel9 \
+                        uos20 \
+                        ocp4 \
+                        eks
+                env:
+                    ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
+            -   name: Test
+                run: ctest -j2 --output-on-failure -E unique-stigids
+                working-directory: ./build
+            -   name: "Set git safe directory, ref: https://github.com/actions/checkout/issues/760"
+                run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+            -   name: Upload coverage to Code Climate  # Requires: git package
+                if: ${{ github.repository == 'ComplianceAsCode/content' }}
+                uses: paambaati/codeclimate-action@v5.0.0
+                env:
+                    CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
+                with:
+                    coverageLocations: build/tests/coverage.xml:coverage.py
+            -   name: Validate gitmailmap
+                run: grep -E "\S" .mailmap | grep -Ev '^#' | git check-mailmap --stdin

.github/workflows/k8s-content.yaml

@@ -14,7 +14,8 @@ jobs:
     uses: metal-toolbox/container-push/.github/workflows/container-push.yml@main
     with:
       name: k8scontent
-      tag: latest
+      tag: ${GITHUB_SHA}
+      latest: true
       registry_org: complianceascode
       dockerfile_path: ./Dockerfiles/ocp4_content
       licenses: BSD

.github/workflows/update-oscal.yml

@@ -0,0 +1,62 @@
+name: Update vendored OSCAL content
+
+on:
+    workflow_dispatch:
+    schedule:
+        # Run weekly at 05:00 on Sunday
+        - cron: "0 5 * * 0"
+
+jobs:
+    update-oscal:
+        name: Update content
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            pull-requests: write
+        strategy:
+            matrix:
+                variables:
+                    - catalog-source: "https://raw.githubusercontent.com/usnistgov/oscal-content/690f517daaf3a6cbb4056d3cde6eae2756765620/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json"
+                      profile-source: "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json"
+                      profile-name: "fedramp_rev5_high"
+                      catalog-name: "nist_rev5_800_53"
+                    - catalog-source: "https://raw.githubusercontent.com/usnistgov/oscal-content/690f517daaf3a6cbb4056d3cde6eae2756765620/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json"
+                      profile-source: "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json"
+                      profile-name: "fedramp_rev4_high"
+                      catalog-name: "nist_rev4_800_53"
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+            - name: Install Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: '3.9'
+            - name: Install python deps
+              run: pip3 install requests compliance-trestle==2.4.0
+            - name: Update catalogs
+              run: |
+                  rm -rf "catalogs/${{ matrix.variables.catalog-name }}"
+                  trestle import -f "${{ matrix.variables.catalog-source }}" -o "${{ matrix.variables.catalog-name }}"
+              working-directory: ./shared/references/oscal
+            - name: Update profiles
+              run: |
+                  rm -rf "profiles/${{ matrix.variables.profile-name }}"
+                  trestle import -f "${{ matrix.variables.profile-source }}" -o "${{ matrix.variables.profile-name }}"
+                  trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json"
+              working-directory: ./shared/references/oscal
+            - name: Update content
+              uses: peter-evans/create-pull-request@v5.0.2
+              with:
+                  base: master
+                  branch: "oscal-update-${{ github.run_id }}"
+                  delete-branch: true
+                  commit-message: "Update OSCAL content in shared/references/oscal"
+                  title: "Update upstream OSCAL content from usnistogv and GSA"
+                  body: |
+                      Updates upstream OSCAL content
+                      - usnistgov NIST 800-53 from "${{ matrix.variables.catalog-source }}"
+                      - GSA FedRAMP OSCAL profiles from "${{ matrix.variables.profile-source }}"
+                    
+                      Auto-generated by the [update-oscal](https://github.com/ComplianceAsCode/content/blob/master/.github/workflows/update-oscal.yml) workflow.
+                  add-paths: |
+                      shared/references/oscal/

.gitignore

@@ -79,3 +79,6 @@ ocp4/profiles/test.profile
 # Ignore coverage files
 .coverage
 coverage.xml
+
+# Trestle specfic
+shared/references/oscal/.trestle/cache

CONTRIBUTING.md

@@ -69,11 +69,11 @@ The PR ...
 * ... passes PR gating tests, or failing tests are waived in a comment by the reviewer explaining the reasoning.
 * ... adheres to the [coding style](docs/manual/developer/04_style_guide.md#complianceascode-style-guide).
 * ... has been tested. The following options allow for testing various aspects of the project:
-  * [SSG Test Suite](tests/README.md) for rule tests to ensure that OVAL checks are correct and test the ability of remediations to satisfy those checks.
+  * [Automatus](tests/README.md) for rule tests to ensure that OVAL checks are correct and test the ability of remediations to satisfy those checks.
     Every testable rule that is newly created or that just got modified has to have at least one test scenario.
     If a PR interacts with a testable rule without tests, the author shall supply a test scenario as part of the PR to get it merged.
   * [BATS framework](tests/unit/bash) for bash tests that allows for fast and exhaustive testing of remediations that are parametrized by Jinja2.
-  * [Unit tests](tests/unit) that test components of the build system as well as components of the SSG Test Suite.
+  * [Unit tests](tests/unit) that test components of the build system as well as components of the Automatus.
   * Ad-hoc tests that are integrated into the `ctest` chain directly, i.e. the shellcheck test.
 * ... updates READMEs, man pages or other documentation when changes of described behavior are introduced.
 * ... doesn't contain merge commits - those can be removed by rebasing.

Dockerfiles/test_suite-sle15

@@ -7,7 +7,7 @@ ARG ADDITIONAL_PACKAGES
 
 RUN true \
         && zypper --non-interactive in openssh-clients openssh-server openscap-utils \
-        python3 python3-rpm tar \
+        python3 python3-rpm tar gawk\
         $ADDITIONAL_PACKAGES \
 && true
 

applications/openshift/master/file_groupowner_openvswitch/rule.yml

@@ -20,8 +20,6 @@ severity: medium
 references:
     cis@ocp4: 1.1.10
 
-platform: ocp4-node-on-sdn or ocp4-node-on-ovn
-
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.*", group="root") }}}'
 
 ocil: |-

applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml

@@ -2,6 +2,8 @@ documentation_complete: true
 
 prodtype: ocp4
 
+platform: ocp4-node
+
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
 
 description: |-
@@ -26,8 +28,6 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
-platform: ocp4-node-on-sdn or ocp4-node-on-ovn
-
 ocil_clause: |-
   <code>/etc/openvswitch/conf.db</code> does not have a group owner of
   code>hugetlbfs</code> on architectures other than s390x or <code>openvswitch</code>

applications/openshift/master/file_groupowner_ovs_conf_db/tests/ocp4/e2e.yml

@@ -1,2 +1,2 @@
 ---
-default_result: NOT-APPLICABLE
+default_result: PASS