complyctl - Man Page

Use the info command functionality to explore information about controls, rules, and parameters within a framework.

$ complyctl info anssi_bp28_minimal
# List the controls in the framework

$ complyctl info anssi_bp28_minimal --control <control-id>
# List details about a control and rules used by that control

$ complyctl info anssi_bp28_minimal --rule <rule-id>
# List the parameters used be a specific rule

$ complyctl info anssi_bp28_minimal --parameter <parameter-id>
# See the current set value and valid alternatives for a parameter

The plan command is used for scoping an OSCAL Assessment Plan. Default scope can be changed via a configuration file generated by the --dry-run option. The fields of the config.yml can be updated to scope controls, rules, and parameters.

$ complyctl plan anssi_bp28_minimal --dry-run --out config.yml 
# Populate framework-id defaults in config.yml

$ complyctl plan anssi_bp28_minimal --scope-config config.yml  
# Configure plan based on updates made in config.yml

Excluding components of the assessment plan works the same way for both controls and rules. To exclude a control from the assessment plan, delete the entire group of YAML keys associated with that controlId. Activities associated with that controlId will be marked as “skipped” if there are no other controls in scope of the activity.

All rules associated with a controlId are included by default and indicated by the “*” global wildcard. To exclude a rule specific to a controlId, use the excludeRules YAML key. To exclude a rule across all controls, use the globalExcludeRules YAML key. The globalExcludeRules YAML key takes priority over includeRules globally.

Parameters of the assessment-plan are grouped by remarks value. To configure the selectParameters field, update the second-level YAML key value with a valid alternative for the selected parameter. Selecting parameter values in the selectParameters field will allow you to update the initial set value for a parameter. If the update to the parameter value is not a valid parameter alternative, the assessment-plan.json will not be written and an error will be produced, listing the valid alternatives.

Below is an example config.yml. The example excludes the controlId r30 and uses the excludeRules YAML key to exclude accounts_password_set_max_life_root. The globalExcludeRules YAML key is used to exclude all rules for all controlIds in the config.yml. The controlId r31 has a valid parameter update to var_password_pam_ucredit from “1” to “365.”

frameworkId: anssi_bp28_minimal
includeControls:
#- controlId: r30 # Delete all fields associated with r30
#  controlTitle: Removal Of Unused User Accounts
#  includeRules:
#  - "*"
#  selectParameters:
#  - name: N/A
#    value: N/A
- controlId: r31
  controlTitle: User Password Strength
  includeRules:
  - "*"
  excludeRules: # Use to exclude a rule specific to the controlId
  - "accounts_password_set_max_life_root"
  waiveRules: # Use to waive a rule specific to the controlId
  - "accounts_password_pam_minlen"
  selectParameters:
  - name: var_password_pam_ucredit # Initial value = "1"
    value: "365" # Update parameter value to a valid alternative ("365")
  - name: var_password_pam_unix_rounds
    value: "11" # Initial value = "11"
globalExcludeRules:
- "*" # This will exclude all rules for all controlIds
globalWaiveRules:
- "*" # This will waive all rules for all controlIds

When excluding a controlId from the config.yml, all rules associated with the controlId will be skipped and not assessed in the assessment plan. If a rule is associated with multiple controls, they should be explicitly excluded for all related controls or via globalExcludeRules. Otherwise the rule will still be executed by the scanner if any control includes it.

The activities of the assessment plan will be indicated as “skipped” for rules that are globally excluded. Therefore, all parameters associated with a globally excluded rule will not be used in the generated assessment-plan.json.

When waiving a rule, the values of includeRules will first be checked to ensure the rule was not skipped. If the rule is not skipped, it will be marked as “waived” in the Assessment Plan. Waived rules are expected to fail due to any known exception related to the environment being scanned. Waiving rules with waiveRules has the same functionality of globalWaiveRules. All rules marked as “waived” will be propogated across controlIds.

The output in assessment-results.md will reflect the Waived Rules within the Failed Rules section. In the case of a rule passing, it will be included in the Passed Rules section.

The activities of the assessment plan will be indicated as “waived” for rules that are globally waived. Therefore, all parameters associated with a globally waived rule will not be altered in the generated assessment-plan.json.

After configuring the assessment-plan.json the activities of the assessment plan and their selected parameter values will be updated.

The complyctl generate command will generate the plugin-specific policy from the OSCAL Assessment Plan, more specifically it processes the validation component from the assessment-plan.json.

The scan command will scan the environment with the OSCAL Assessment Plan using the generated policy. Observations will be returned to complyctl to be carried out and produced as an assessment-results.json.

Assessment Results will be generated in the assessment-results.json file and can be viewed as Markdown by passing the --with-md flag.