Sync CAC Content

This tutorial shows how to use complyscribe sync-cac-content to transform CaC content into OSCAL models. The command has three sub-commands: catalog, profile and component-definition.

WARNING: The transformations must be run in sequence: first Catalog, then Profile, and finally Component Definition, because Profile depends on Catalog and Component Definition depends on Profile.

Catalog

This command generates an OSCAL Catalog from the CaC content policy.

1. Prerequisites

2. Run The CLI Sync-cac-content Catalog

As a real-world example, to transform cis_rhel8 into an OSCAL Catalog, run the command below. cac-policy-id is the control file ID, and oscal-catalog is the OSCAL Catalog directory name to use when generating the OSCAL Catalog.

poetry run complyscribe sync-cac-content catalog \
--dry-run \
--repo-path $complyscribe_workspace_root_dir \
--committer-email tester@redhat.com \
--committer-name tester \
--branch main \
--cac-policy-id cis_rhel8 \
--oscal-catalog cis_rhel8 \
--cac-content-root $cac_content_root_dir

After the above command runs successfully, it generates catalogs/cis_rhel8/catalog.json.

For more details about these options and additional flags, use the --help flag:

poetry run complyscribe sync-cac-content catalog --help

This displays a full list of available options and their descriptions.

After running the CLI with the right options, you will have an OSCAL Catalog under $complyscribe_workspace_root_dir/catalogs.

Profile

This command generates an OSCAL Profile according to the content policy.

1. Prerequisites

2. Run The CLI Sync-cac-content Profile

As a real-world example, to transform the rhel8 product, which uses the cis_rhel8 control file, into an OSCAL Profile, run the command below. product is the product name, oscal-catalog is the OSCAL Catalog directory name, and cac-policy-id is the control file ID.

poetry run complyscribe sync-cac-content profile \
--dry-run \
--repo-path $complyscribe_workspace_root_dir \
--committer-email tester@redhat.com \
--committer-name tester \
--branch main \
--cac-content-root $cac_content_root_dir \
--product rhel8 \
--oscal-catalog cis_rhel8 \
--cac-policy-id cis_rhel8

After the above command runs successfully, it generates four OSCAL Profiles (rhel8-cis_rhel8-l1_server, rhel8-cis_rhel8-l2_server, rhel8-cis_rhel8-l1_workstation, rhel8-cis_rhel8-l2_workstation); every level has its own Profile.

For more details about these options and additional flags, use the --help flag:

poetry run complyscribe sync-cac-content profile --help

This displays a full list of available options and their descriptions.

After running the CLI with the right options, you will have an OSCAL Profile under $complyscribe_workspace_root_dir/profiles/$product_$cac-policy-id_$level.

Component-definition

This command creates OSCAL Component Definitions by transforming CaC content control files.

The CLI performs the following transformations:

  • Populate CaC product information to OSCAL component title and description
  • Ensure OSCAL component control mappings are populated with rule and rule parameter data from CaC control files
  • Create a validation component from SSG rules to check mappings
  • Ensure OSCAL Component Definition implemented requirements are populated from control notes in the control file
  • Ensure the implementation status of an implemented requirement in OSCAL Component Definitions is populated with the status from CaC control files

1. Prerequisites

2. Run The CLI Sync-cac-content Component-definition

As a real-world example, to transform cis_server_l1.profile into an OSCAL Component Definition, run the command below. product is the product name, cac-profile is the name of the CaC content profile file to transform, oscal-profile is the OSCAL Profile directory name corresponding to the CaC content profile, and component-definition-type is a category describing the purpose of the component.

poetry run complyscribe sync-cac-content component-definition \
--dry-run \
--repo-path $complyscribe_workspace_root_dir \
--committer-email tester@redhat.com \
--committer-name tester \
--branch main \
--cac-content-root $cac_content_root_dir \
--product rhel8 \
--component-definition-type software \
--oscal-profile rhel8-cis_rhel8-l1_server \
--cac-profile cis_server_l1

After the above command runs successfully, it generates an OSCAL Component Definition.

For more details about these options and additional flags, use the --help flag:

poetry run complyscribe sync-cac-content component-definition --help

This displays a full list of available options and their descriptions.

After running the CLI with the right options, you will have an OSCAL Component Definition under $complyscribe_workspace_root_dir/component-definitions/$product_name/$OSCAL-profile-name.
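
The ordering rule from the warning at the top of this page, written as a preflight check to run before each sub-command. This is an added example, not part of complyscribe or the original tutorial. The function name sync_preflight is hypothetical, the catalog path is the one given above, and the layout profiles/<oscal-profile>/ as a directory is an assumption.

```shell
# Added example, not part of complyscribe. sync_preflight is a hypothetical helper.
# Usage: sync_preflight WORKSPACE STAGE [NAME]
#   STAGE is the sub-command about to run: catalog, profile or component-definition.
#   NAME  is the --oscal-catalog value (profile) or the --oscal-profile value
#         (component-definition).
# Returns 0 if the earlier stage's output exists, 1 if it is missing, 2 on bad input.
sync_preflight() {
    ws=$1 stage=$2 name=$3
    # Catalog is the first stage and depends on nothing.
    if [ "$stage" = catalog ]; then
        return 0
    fi
    # NAME becomes a path component: refuse empty values and anything that
    # could point outside the workspace.
    case "$name" in
        ''|.|..|*/*)
            echo "invalid name: '$name'" >&2
            return 2 ;;
    esac
    case "$stage" in
        profile)
            # Path taken from this page: catalogs/<oscal-catalog>/catalog.json
            dep="$ws/catalogs/$name/catalog.json"
            if [ ! -s "$dep" ]; then
                echo "no catalog at $dep: run 'sync-cac-content catalog' first" >&2
                return 1
            fi ;;
        component-definition)
            # Assumption: each profile is a directory profiles/<oscal-profile>.
            dep="$ws/profiles/$name"
            if [ ! -d "$dep" ] || [ -z "$(ls -A "$dep")" ]; then
                echo "no profile in $dep: run 'sync-cac-content profile' first" >&2
                return 1
            fi ;;
        *)
            echo "unknown stage: '$stage'" >&2
            return 2 ;;
    esac
    return 0
}
```

For example, `sync_preflight "$complyscribe_workspace_root_dir" profile cis_rhel8 && poetry run complyscribe sync-cac-content profile ...` stops before the profile step when the catalog has not been generated yet.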