Merge pull request #14685 from ggbecker/nist-800-53-control-split-per-product-infra-only

[Infra Only] Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product)

Author: Mab879

.github/workflows/cis-nist-sync.yml

@@ -0,0 +1,124 @@
+name: CIS-NIST Control File Sync
+
+on:
+  pull_request:
+    branches:
+      - master
+  schedule:
+    # Run every Sunday at 2:00 PM UTC
+    - cron: '0 14 * * 0'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  generate-and-validate:
+    name: Generate CIS-NIST Control File and Profiles
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+
+    steps:
+      - name: Install system dependencies
+        run: |
+          dnf install -y \
+            cmake \
+            make \
+            ninja-build \
+            openscap-utils \
+            python3-pyyaml \
+            python3-jinja2 \
+            python3-pip \
+            git \
+            gcc \
+            gcc-c++ \
+            python3-devel \
+            libxml2-devel \
+            libxslt-devel \
+            python3-setuptools \
+            libxml2 \
+            expat \
+            gh
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Configure git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Install Python dependencies
+        run: |
+          pip install --upgrade pip
+          pip install ruamel.yaml PyPDF2
+
+      - name: Download OSCAL catalog
+        run: |
+          cd utils/nist_sync
+          python3 download_oscal.py
+
+      - name: Run CIS-NIST workflow
+        id: workflow
+        run: |
+          cd utils/nist_sync
+          echo "Running workflow for products: rhel8 rhel9 rhel10"
+          ./generate_cis_nist_workflow.sh --products "rhel8 rhel9 rhel10"
+
+      - name: Verify control files
+        run: ./utils/nist_sync/ci_sync.sh verify
+
+      - name: Render policies and generate HTML tables
+        run: |
+          cd build
+          ninja render-policies
+          cd ..
+          mkdir -p artifacts/tables artifacts/rendered-policies
+          for product in rhel8 rhel9 rhel10; do
+            SRC="build/$product/rendered-policies/nist_800_53.html"
+            DEST="artifacts/rendered-policies/nist_800_53-$product.html"
+            [ -f "$SRC" ] && cp "$SRC" "$DEST"
+          done
+
+      - name: Collect artifacts
+        run: ./utils/nist_sync/ci_sync.sh collect-artifacts
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: cis-nist-artifacts-${{ github.run_number }}
+          path: artifacts/
+          retention-days: 90
+
+      - name: Generate summary report
+        run: ./utils/nist_sync/ci_sync.sh summarize
+
+      - name: Check for changes in CIS reference
+        id: changes
+        run: ./utils/nist_sync/ci_sync.sh check-changes
+
+      - name: Show diff summary
+        if: steps.changes.outputs.has_changes == 'true'
+        run: ./utils/nist_sync/ci_sync.sh show-diff
+
+      - name: Create Pull Request for scheduled runs
+        if: >-
+          (github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch') &&
+          steps.changes.outputs.has_changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GHA_EVENT_NAME: ${{ github.event_name }}
+          GHA_RUN_ID: ${{ github.run_id }}
+          GHA_REPOSITORY: ${{ github.repository }}
+        run: ./utils/nist_sync/ci_sync.sh create-pr
+
+      - name: Workflow Summary
+        if: always()
+        env:
+          GHA_EVENT_NAME: ${{ github.event_name }}
+          GHA_RUN_ID: ${{ github.run_id }}
+          HAS_CHANGES: ${{ steps.changes.outputs.has_changes }}
+        run: ./utils/nist_sync/ci_sync.sh workflow-summary

.github/workflows/gh-pages.yaml

@@ -1,11 +1,11 @@
 name: Github Pages
 on:
   push:
-    branches: [ 'master' ]
+    branches: ['master']
   pull_request:
-    branches: [ 'master',  'oscal-update-*' ]
+    branches: ['master', 'oscal-update-*']
   merge_group:
-    branches: [ 'master' ]
+    branches: ['master']
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
   cancel-in-progress: true
@@ -19,13 +19,17 @@ jobs:
       PAGES_DIR: __pages
     steps:
       - name: Install Deps
-        run: dnf install -y cmake git ninja-build openscap-utils python3-pyyaml python3-jinja2 python3-pytest ansible-lint libxslt python3-pip rsync python3-lxml python3-setuptools
+        run: |
+          dnf install -y \
+            cmake git ninja-build openscap-utils python3-pyyaml \
+            python3-jinja2 python3-pytest ansible-lint libxslt \
+            python3-pip rsync python3-lxml python3-setuptools
       - name: Install deps python
         run: pip3 install json2html prometheus_client
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-            persist-credentials: false
+          persist-credentials: false
       - name: Build
         run: cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Debug
         working-directory: ./build
@@ -38,8 +42,14 @@ jobs:
       - name: Render Policies (Using control files)
         run: ninja render-policies -j$(nproc)
         working-directory: ./build
+      - name: Generate NIST 800-53 Control Viewer
+        run: ninja nist-viewer
+        working-directory: ./build
       - name: Generate Prometheus Metrics
-        run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 -f ./build/policies_metrics
+        run: |
+          utils/controleval_metrics.py prometheus \
+            -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 \
+            -f ./build/policies_metrics
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML pages
@@ -51,8 +61,11 @@ jobs:
         run:
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: Deploy
-        if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' && github.ref == 'refs/heads/master'  }}
-        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
+        if: >-
+          ${{ github.event_name == 'push' &&
+          github.repository == 'ComplianceAsCode/content' &&
+          github.ref == 'refs/heads/master' }}
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f
         with:
           branch: main # The branch the action should deploy to.
           folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.

CMakeLists.txt

@@ -379,6 +379,9 @@ add_custom_target(html-profile-stats)
 
 add_custom_target(render-policies)
 
+# NIST 800-53 Control Viewer with Gap Analysis
+ssg_generate_nist_viewer()
+
 ssg_build_man_page()
 
 if(SSG_PRODUCT_AL2023)

cmake/SSGCommon.cmake

@@ -668,6 +668,26 @@ macro(ssg_render_policies_for_product PRODUCT)
     )
 endmacro()
 
+macro(ssg_generate_nist_viewer)
+    # Generate NIST 800-53 control viewer with gap analysis
+    # This generates for all RHEL products at once
+    set(NIST_PRODUCTS rhel8 rhel9 rhel10)
+    add_custom_command(
+        OUTPUT "${CMAKE_BINARY_DIR}/nist-controls-viewer/nist-controls-viewer.html"
+        COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/nist-controls-viewer"
+        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${Python_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/nist_sync/generate_nist_viewer.py"
+            --products ${NIST_PRODUCTS}
+            --output-dir "${CMAKE_BINARY_DIR}/nist-controls-viewer"
+            --repo-root "${CMAKE_SOURCE_DIR}"
+        COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_BINARY_DIR}/nist-controls-viewer/nist-controls-viewer.html"
+        COMMENT "[nist-viewer] generating NIST 800-53 control viewer with gap analysis"
+    )
+
+    add_custom_target(nist-viewer
+        DEPENDS "${CMAKE_BINARY_DIR}/nist-controls-viewer/nist-controls-viewer.html"
+    )
+endmacro()
+
 macro(ssg_make_all_tables PRODUCT)
     add_custom_command(
         OUTPUT "${CMAKE_BINARY_DIR}/tables/tables-${PRODUCT}-all.html"