NIST Controls Assessment SKILL (plus rule to variable mapping)#14824
ggbecker wants to merge 2 commits into
Adds extract_rule_variable_mapping.py which scans per-rule OVAL XML files in build/<product>/checks/oval/ and checks_from_templates/oval/ to produce build/<product>/rule_variable_mapping.json — a mapping of each rule ID to the XCCDF external variables it depends on. The script is wired into the CMake build via ssg_extract_rule_variable_mapping() and runs as part of every product build after OVAL compilation. Adds test_profile_variables.py which validates that every profile selects all variables required by the rules it includes, warning when a rule's variable dependency would silently fall back to the .var file default.
@ggbecker: The following test failed, say
Description:

- `assess-nist-control` Claude Code skill: OSCAL enrichment, CIS reverse lookup, automatability classification, rule selection, variable resolution, and YAML write-back for pending NIST 800-53 Rev 5 controls — base control and enhancements as a single unit.
- `resolve-rule-variables` sub-skill: looks up XCCDF variable dependencies from `build/<product>/rule_variable_mapping.json`, reads `.var` files, and collects `var_name=key` selections interactively. Called by `assess-nist-control`; also usable standalone.
- `build-scripts/extract_rule_variable_mapping.py` and CMake wiring to generate `rule_variable_mapping.json` at build time, mapping each rule ID to the XCCDF external variables it depends on.

Rationale:

`resolve-rule-variables`) keeps the concern isolated: the key-vs-value distinction, `.var` file lookup, deduplication across rules sharing a variable, and the planned future migration to a per-product variables file are all handled in one place.

Review Hints:

`/assess-nist-control ia-5 --product rhel9`: this will trigger an assessment of the control, which also contains the variable selections invocation.
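The two pieces the PR describes, extracting a rule-to-variable mapping from per-rule OVAL and checking that a profile sets every variable its selected rules need, as an added example that is not the PR's own scripts. The OVAL id conventions, the sample rule and variable names, and the profile selections are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Assumed id conventions: oval:ssg-<rule>:def:N for a rule's definition and
# oval:ssg-<variable>:var:N for the XCCDF external variables it references.
DEF_ID = re.compile(r"^oval:ssg-(.+):def:\d+$")
VAR_ID = re.compile(r"^oval:ssg-(.+):var:\d+$")

def _oval(rule, variables):
    """Build a minimal per-rule OVAL document (constructed sample input)."""
    var_xml = "".join(
        f'<external_variable id="oval:ssg-{v}:var:1" datatype="string" version="1"/>'
        for v in variables)
    return (f'<oval_definitions xmlns="{OVAL_NS}"><definitions>'
            f'<definition id="oval:ssg-{rule}:def:1" class="compliance" version="1"/>'
            f'</definitions><variables>{var_xml}</variables></oval_definitions>')

# Constructed stand-ins for the files found under build/<product>/checks/oval/
SAMPLE_OVAL = [
    _oval("accounts_password_minlen_login_defs", ["var_accounts_password_minlen_login_defs"]),
    _oval("sshd_set_idle_timeout", ["var_sshd_idle_timeout_value"]),
    _oval("package_telnet_removed", []),  # rule with no variable dependency
]

def extract_rule_variable_mapping(oval_docs):
    """Map each rule id to the sorted external variables its OVAL declares."""
    mapping = {}
    for doc in oval_docs:
        root = ET.fromstring(doc)
        rules = [m.group(1) for el in root.iter(f"{{{OVAL_NS}}}definition")
                 if (m := DEF_ID.match(el.get("id", "")))]
        variables = sorted({m.group(1) for el in root.iter(f"{{{OVAL_NS}}}external_variable")
                            if (m := VAR_ID.match(el.get("id", "")))})
        for rule in rules:
            mapping[rule] = variables
    return mapping

def find_unselected_variables(mapping, selections):
    """Return {rule: [variables]} a profile's rules need but the profile never
    sets, i.e. variables that would silently fall back to the .var file default."""
    selected_vars = {s.split("=", 1)[0] for s in selections if "=" in s}
    missing = {}
    for rule in (s for s in selections if "=" not in s):
        gaps = [v for v in mapping.get(rule, []) if v not in selected_vars]
        if gaps:
            missing[rule] = gaps
    return missing
```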