Compliance Masonry allows users to construct certification documentation, which is required for approval of government IT systems and applications.
Alpha Note: Compliance Masonry is an emerging project. We recognize that in its current state, Compliance Masonry's user experience still needs to mature. Nevertheless, we are "eating our own dog food" and working to make continuous improvements.
Only tested on Python 3+.
$ git clone https://github.com/opencontrol/compliance-masonry.git
$ cd compliance-masonry
$ python setup.py install
masonry init
    Creates a new data directory called data, containing certifications, standards, and components folders.
masonry new component system_name component_name
    Creates a new component template at data/components/system_name/component_name.yaml.
masonry certs
    Creates certification yamls in exports/certifications.
masonry docs gitbook FedRAMP-low
    Generates the markdown files for a gitbook covering the FedRAMP-low certification.
masonry inventory FedRAMP-low
    Generates a yaml inventory listing the certification controls and component documentation that are still missing for FedRAMP-low.
import masonry

# Build the certification yamls from a data directory (what `masonry certs` does).
masonry.build_certifications(
    data_dir="data_directory", output_dir="output_directory"
)

# Render one certification as gitbook markdown (what `masonry docs gitbook` does).
masonry.build_gitbook(
    certification="certification_name",
    certification_dir="location of certification's directory",
    output_dir="location to output gitbook"
)
Component yamls describe individual system components and, for each standard, the controls they satisfy and how. A component is a reusable unit: the narrative under each control is what ends up in the generated certification documentation.
name: User Account and Authentication (UAA) Server
system: CloudFoundry
documentation_complete: true
references:
  - name: User Account and Authentication (UAA) Server
    url: http://docs.pivotal.io/pivotalcf/concepts/architecture/uaa.html
  - name: Creating and Managing Users with the UAA CLI (UAAC)
    url: http://docs.pivotal.io/pivotalcf/adminguide/uaa-user-management.html
governors:
  - name: Cloud Foundry Roles
    url: https://cf-p1-docs-prod.cfapps.io/pivotalcf/concepts/roles.html
  - name: Cloud Foundry Org Access
    url: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/spec/unit/access/organization_access_spec.rb
  - name: Cloud Foundry Space Access
    url: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/spec/unit/access/space_access_spec.rb
satisfies:
  NIST-800-53:
    AC-2: Cloud Foundry accounts are managed through the User Account and Authentication
      (UAA) Server.
    IA-2: The UAA is the identity management service for Cloud Foundry. Its primary
      role is as an OAuth2 provider, issuing tokens for client applications to use when
      they act on behalf of Cloud Foundry users.
    SC-13: All traffic from the public internet to the Cloud Controller and UAA happens
      over HTTPS, and operators configure encryption of the identity store in the UAA.
    SC-28 (1): Operators configure encryption of the identity store in the UAA. When
      users register an account with the Cloud Foundry platform, the UAA acts as the
      user store and stores user passwords in the UAA database using bcrypt. Bcrypt
      is a password-hashing function built on the Blowfish cipher, which lets Cloud
      Foundry store a salted, slow-to-compute hash of each user's password rather
      than the password itself.
Standards yamls contain information about security standards. Each file holds one standard, and the keys under standards are the control IDs that component and certification yamls refer to.
# nist-800-53.yaml
standards:
  C-2:
    name: User Access
    description: There is an affordance for managing access by...
# PCI.yaml
standards:
  Regulation-6:
    name: User Access PCI
    description: There is an affordance for managing access by...
Certification yamls are near-empty yamls that list, per standard, the controls a certification requires. They serve as the template for combining the component and standards yamls into certification documentation, so each key must match a control ID defined in the corresponding standards yaml.
# Fisma.yaml
standards:
  nist-800-53:
    C-2:
    C-3:
  PCI:
    Regulation-6:
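The three kinds of yaml are joined by key: a component's satisfies entries must name controls that a standards yaml defines, and a certification lists the controls it needs from each standard, which is what lets `masonry inventory` report required controls that no component documents yet. The following script is an added example written for this page, not compliance-masonry's own code. The dicts are the form PyYAML's yaml.safe_load would return for yamls like the ones described above, constructed inline so the example runs without PyYAML or a data directory; the Cloud Controller component, the AU-2 control, the NIST control titles and the function names are constructed for the example, and the standard name is spelled NIST-800-53 throughout.

```python
"""Cross-check component, standard and certification data the way
`masonry inventory` does, reporting controls that no component documents.
Added example for this page, not compliance-masonry's own code."""
import json
import sys
from collections import defaultdict

REQUIRED_COMPONENT_KEYS = ("name", "system", "documentation_complete", "satisfies")

# Constructed: the parsed form of data/standards/*.yaml, keyed by standard
# name and then control ID (names are the NIST 800-53 control titles).
STANDARDS = {
    "NIST-800-53": {
        "AC-2": {"name": "Account Management"},
        "IA-2": {"name": "Identification and Authentication"},
        "SC-13": {"name": "Cryptographic Protection"},
        "SC-28 (1)": {"name": "Protection of Information at Rest"},
        "AU-2": {"name": "Audit Events"},
    },
    "PCI": {"Regulation-6": {"name": "User Access PCI"}},
}

# Constructed: the parsed form of a certification yaml; the keys under each
# standard are the required control IDs (empty values in the yaml load as None).
CERTIFICATION = {
    "standards": {
        "NIST-800-53": {"AC-2": None, "IA-2": None, "SC-13": None,
                        "SC-28 (1)": None, "AU-2": None},
        "PCI": {"Regulation-6": None},
    }
}

# Constructed: two component yamls. The first abridges the UAA component on
# this page; the second is an unfinished component with a mistyped control.
COMPONENTS = [
    {
        "name": "User Account and Authentication (UAA) Server",
        "system": "CloudFoundry",
        "documentation_complete": True,
        "satisfies": {"NIST-800-53": {
            "AC-2": "Cloud Foundry accounts are managed through the UAA.",
            "IA-2": "The UAA is the identity management service for Cloud Foundry.",
            "SC-13": "Public traffic to the Cloud Controller and UAA uses HTTPS.",
            "SC-28 (1)": "User passwords are stored in the UAA database using bcrypt.",
        }},
    },
    {
        "name": "Cloud Controller",
        "system": "CloudFoundry",
        "documentation_complete": False,
        "satisfies": {
            "NIST-800-53": {"AC-2": "Org and space roles gate API access.",
                            "AC-99": "No such control; a typo to be caught."},
            "PCI": {"Regulation-6": "Org and space roles gate API access."},
        },
    },
]


def validate_component(component, standards=STANDARDS):
    """Return the problems in one component: missing keys, references to
    standards or control IDs that no standards yaml defines, empty narratives."""
    problems = [f"missing key: {key}" for key in REQUIRED_COMPONENT_KEYS
                if key not in component]
    name = component.get("name", "<unnamed>")
    for standard, controls in (component.get("satisfies") or {}).items():
        if standard not in standards:
            problems.append(f"{name}: unknown standard {standard}")
            continue
        for control_id, narrative in controls.items():
            if control_id not in standards[standard]:
                problems.append(f"{name}: unknown control {standard} {control_id}")
            elif not str(narrative or "").strip():
                problems.append(f"{name}: empty narrative for {standard} {control_id}")
    return problems


def inventory(certification, components, standards=STANDARDS):
    """Build the gap report: required controls with no documenting component,
    unfinished components, bad references, and who covers each control."""
    coverage = defaultdict(lambda: defaultdict(list))
    for component in components:
        for standard, controls in (component.get("satisfies") or {}).items():
            for control_id in controls:
                coverage[standard][control_id].append(component["name"])
    missing = {}
    for standard, controls in certification["standards"].items():
        gaps = sorted(c for c in controls if c not in coverage.get(standard, {}))
        if gaps:
            missing[standard] = gaps
    return {
        "missing_controls": missing,
        "incomplete_components": sorted(
            c["name"] for c in components if not c.get("documentation_complete")),
        "problems": [p for c in components for p in validate_component(c, standards)],
        "coverage": {s: {c: sorted(names) for c, names in controls.items()}
                     for s, controls in coverage.items()},
    }


if __name__ == "__main__":
    report = inventory(CERTIFICATION, COMPONENTS)
    print(json.dumps(report, indent=2))  # a yaml dump would carry the same structure
    # Exit nonzero when the certification is not fully documented, for use as a CI gate.
    sys.exit(1 if report["missing_controls"] or report["problems"] else 0)
```

On the sample data the report says AU-2 is required by the certification but documented by no component, the Cloud Controller component is still marked incomplete, and its AC-99 entry matches nothing in the standard. Exiting nonzero on either gap lets the check run against the data directory in CI, so a broken key or an undocumented control is caught when it is committed rather than during the certification review.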
Modern applications are built on existing systems such as S3, EC2, and Cloud Foundry. Documentation of how these underlying systems fulfill NIST controls or the PCI SSC Data Security Standard is a prerequisite for receiving an authorization to operate (ATO). Unlike most System Security Plan documentation, Compliance Masonry documentation is organized by component, which makes it easier for engineers and security teams to collaborate: the team that runs a component documents the controls it satisfies once, and every certification that depends on that component reuses that documentation.
Compliance Masonry simplifies the production of certification documentation by providing:
- a data store for certifications (ex. FISMA), standards (ex. NIST-800-53), and the individual system components (ex. AWS-EC2);
- a way for government projects to edit existing files and add new control files for their applications and organizations;
- a pipeline for generating clean and standardized certification documentation.