From 9eb7963437d9a74a1023f34bb0e587745a747fe3 Mon Sep 17 00:00:00 2001 From: Wendell Piez Date: Wed, 15 Nov 2017 15:08:36 -0500 Subject: [PATCH] Adjustments in view of #64 --- OSCAL-dev.xpr | 213 ++++++++++-------- docs/schema/oscal-oscal.xml | 11 + docs/schema/oscal-tag-library.html | 195 +++++++++------- docs/schema/oscal-tag-library.md | 7 + .../SP800-53/SP800-53-oscal-declarations.xml | 14 +- schema/xml/RNC/oscal-core.rnc | 19 +- schema/xml/Schematron/oscal-as-declared.sch | 41 ++-- schema/xml/XSD/oscal-core-interim.xsd | 71 +++--- schema/xml/XSD/xml.xsd | 2 +- schema/xml/oscal-core.xsd | 85 ++++--- working/COBIT5/cobit5-auto-declarations.xml | 105 +++++---- working/COBIT5/cobit5-tuned-declarations.xml | 6 +- working/ISO-27002/ISO-27002-OSCAL-refined.xml | 4 +- .../SP800-53/rev4/SP800-53-OSCAL-refined.xml | 1 + .../SP800-53/rev4/SP800-53-declarations.xml | 14 +- 15 files changed, 429 insertions(+), 359 deletions(-) diff --git a/OSCAL-dev.xpr b/OSCAL-dev.xpr index 9676206520..380b5a306b 100644 --- a/OSCAL-dev.xpr +++ b/OSCAL-dev.xpr @@ -8,6 +8,36 @@ scenario.associations + + + docs/schema/oscal-oscal.xml + + + + Run schema production pipeline + + + + + XPROC + + + + + + examples/mini-testing/mini-testing-catalog.xml + + + + Profile: resolve and render (saving HTML) + + + + + XPROC + + + examples/mini-testing/01a_param-only-profile.xml @@ -218,21 +248,6 @@ - - - docs/schema/oscal-oscal.xml - - - - Run schema production pipeline - - - - - XPROC - - - working/FedRAMP/FedRAMP-HIGH-working.xml @@ -383,21 +398,6 @@ - - - examples/mini-testing/mini-testing-catalog.xml - - - - Profile: resolve and render (saving HTML) - - - - - XPROC - - - examples/mini-testing/99includeRAx3-profile.xml 
@@ -2977,75 +2977,118 @@ - examples/FedRAMP/FedRAMP-MODERATE-working.xml + working/SP800-53/rev4/SP800-53-OSCAL-refined.xml - OSCAL profile (XSD) - OSCAL profile links (standalone) - OSCAL profile against its source(s) + OSCAL core RNC (standalone) + OSCAL against its declarations Validation_scenario Validation_scenario - Validation_scenario - examples/FedRAMP/FedRAMP-LOW-working.xml + docs/schema/oscal-oscal.xml - OSCAL profile (XSD) - OSCAL profile links (standalone) - OSCAL profile against its source(s) + OSCAL core RNC (standalone) + OSCAL against its declarations Validation_scenario Validation_scenario + + + + + + working/ISO-27002/ISO-27002-OSCAL-refined.xml + + + + OSCAL core RNC (standalone) + OSCAL against its declarations + + + + + Validation_scenario Validation_scenario - examples/FedRAMP/FedRAMP-HIGH-working.xml + working/COBIT5/cobit5-selection-oscal.xml - OSCAL profile (XSD) - OSCAL profile links (standalone) - OSCAL profile against its source(s) + OSCAL core RNC (standalone) + OSCAL against its declarations Validation_scenario Validation_scenario + + + + + + examples/SP800-53/SP800-53-oscal-declarations.xml + + + + OSCAL core RNC (standalone) + + + + Validation_scenario - working/FedRAMP/FedRAMP-LOW-working.xml + working/SP800-53/rev4/SP800-53-declarations.xml - OSCAL profile (XSD) - OSCAL profile links (standalone) - OSCAL profile against its source(s) + OSCAL core RNC (standalone) Validation_scenario + + + + + + examples/mini-testing/mini-testing-catalog.xml + + + + OSCAL against XSD + OSCAL links + OSCAL strict + OSCAL core RNC (standalone) + + + + + Validation_scenario + Validation_scenario Validation_scenario Validation_scenario @@ -3053,7 +3096,7 @@ - working/FedRAMP/FedRAMP-MODERATE-working.xml + examples/FedRAMP/FedRAMP-HIGH-working.xml @@ -3091,7 +3134,7 @@ - working/FedRAMP/profile-HIGH-edited.xml + examples/FedRAMP/FedRAMP-MODERATE-working.xml 
@@ -3110,14 +3153,13 @@ - examples/SP800-53/SP800-53-rev4-catalog.xml + examples/FedRAMP/FedRAMP-LOW-working.xml - OSCAL against its declarations - OSCAL links - OSCAL strict - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) @@ -3125,13 +3167,12 @@ Validation_scenario Validation_scenario Validation_scenario - Validation_scenario - working/FedRAMP/fedramp-high-edited.xml + working/FedRAMP/FedRAMP-LOW-working.xml @@ -3150,24 +3191,26 @@ - working/FedRAMP/profile-HIGH-rough.xml + working/FedRAMP/FedRAMP-MODERATE-working.xml OSCAL profile (XSD) OSCAL profile links (standalone) + OSCAL profile against its source(s) Validation_scenario Validation_scenario + Validation_scenario - working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml + working/FedRAMP/profile-HIGH-edited.xml @@ -3186,13 +3229,14 @@ - working/FedRAMP/worksheet-HIGH-oscal.xml + examples/SP800-53/SP800-53-rev4-catalog.xml - OSCAL against XSD + OSCAL against its declarations OSCAL links OSCAL strict + OSCAL core RNC (standalone) @@ -3200,19 +3244,19 @@ Validation_scenario Validation_scenario Validation_scenario + Validation_scenario - examples/mini-testing/mini-testing-catalog.xml + working/FedRAMP/fedramp-high-edited.xml - OSCAL against XSD - OSCAL links - OSCAL strict - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) 
@@ -3220,55 +3264,53 @@ Validation_scenario Validation_scenario Validation_scenario - Validation_scenario - examples/SP800-53/SP800-53-rev4-oscal.xml + working/FedRAMP/profile-HIGH-rough.xml - OSCAL against its declarations - OSCAL links - OSCAL strict - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile links (standalone) Validation_scenario Validation_scenario - Validation_scenario - Validation_scenario - working/SP800-53/rev5/SP800-53rev5-OSCAL.xml + working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) Validation_scenario + Validation_scenario + Validation_scenario - working/SP800-53/rev4/SP800-53-OSCAL-refined.xml + working/FedRAMP/worksheet-HIGH-oscal.xml OSCAL against XSD - OSCAL core RNC (standalone) - OSCAL against its declarations + OSCAL links OSCAL strict @@ -3277,20 +3319,19 @@ Validation_scenario Validation_scenario Validation_scenario - Validation_scenario - working/ISO-27002/ISO-27002-OSCAL-refined.xml + examples/SP800-53/SP800-53-rev4-oscal.xml - OSCAL against XSD - OSCAL core RNC (standalone) OSCAL against its declarations + OSCAL links OSCAL strict + OSCAL core RNC (standalone) @@ -3304,22 +3345,16 @@ - working/COBIT5/cobit5-selection-oscal.xml + working/SP800-53/rev5/SP800-53rev5-OSCAL.xml - OSCAL against XSD OSCAL core RNC (standalone) - OSCAL against its declarations - OSCAL strict Validation_scenario - Validation_scenario - Validation_scenario - Validation_scenario diff --git a/docs/schema/oscal-oscal.xml b/docs/schema/oscal-oscal.xml index d38ce9ad81..138aa93994 100644 --- a/docs/schema/oscal-oscal.xml +++ b/docs/schema/oscal-oscal.xml @@ -461,6 +461,17 @@ their values will override any values assigned lower down the stack.

+ + calc + Calculated value constraint + +

Indicates a permissible value for a parameter or property, calculated dynamically

+
+ +

Similar to value except that its contents are expanded to produce the + permitted value, instead of being given as a literal.

+
+
autonum Autonumbered (generated) value diff --git a/docs/schema/oscal-tag-library.html b/docs/schema/oscal-tag-library.html index c85de0a1c0..933503ade0 100644 --- a/docs/schema/oscal-tag-library.html +++ b/docs/schema/oscal-tag-library.html @@ -214,255 +214,261 @@ + @@ -531,7 +537,7 @@

Controls, components and their contents

The foundations of OSCAL are in control objects, such as controls and subcontrols, and the structured information (loosely objects, represented as valid XML elements). These contents will include both structured contents (using element types as described here) and - relatively uncontrolled or free-form contents (described elsewhere as prose).

+ relatively uncontrolled or free-form contents (described elsewhere as prose).

catalog @@ -1005,6 +1011,21 @@

+

+ calc + Calculated value constraint +

+ + +
+

Indicates a permissible value for a parameter or property, calculated dynamically

+
+
+

Similar to value except that its contents are expanded to produce the + permitted value, instead of being given as a literal.

+
+
+

autonum Autonumbered (generated) value @@ -1028,7 +1049,7 @@

-
+

inherit Inherited value @@ -1060,7 +1081,7 @@

-
+

desc Parameter description @@ -1073,10 +1094,10 @@

-
+

Structural elements

-
+

section Section @@ -1091,7 +1112,7 @@

of controls (group).

-
+

group Group @@ -1112,7 +1133,7 @@

-
+

title Title @@ -1124,7 +1145,7 @@

-
+

references References @@ -1136,7 +1157,7 @@

-
+

ref Reference @@ -1149,7 +1170,7 @@

-
+

std Standard @@ -1163,7 +1184,7 @@

Echoes the NISO JATS (and NISO STS) std element

-
+

citation Citation @@ -1179,7 +1200,7 @@

-
+

Prose

Prose may ordinarily appear anywhere in a control, subcontrol, or part, or at a higher level. @@ -1194,7 +1215,7 @@

Prose

part organization will be used to assign prose to specific known sections or enhancements of a control (modeled as part or subcontrol).

-
+

p Paragraph @@ -1210,7 +1231,7 @@

set off on its own line.

-
+

pre Preformatted text @@ -1224,7 +1245,7 @@

Echoes HTML pre.

-
+

ol Ordered List @@ -1242,7 +1263,7 @@

documents in scope for analysis.

-
+

ul Unordered list @@ -1265,7 +1286,7 @@

application that wants it.

-
+

li List item @@ -1276,7 +1297,7 @@

An item demarcated with a bullet or numerator

-
+

em Emphasis @@ -1293,7 +1314,7 @@

retrieval) may be provided via @class.

-
+

i Italics @@ -1308,7 +1329,7 @@

surrounding text is already italic.

-
+

b Bold @@ -1327,7 +1348,7 @@

marked with classes when possible.

-
+

a Anchor @@ -1349,7 +1370,7 @@

control).

-
+

q Quoted text @@ -1364,7 +1385,7 @@

to provide quotation marks in display.

-
+

code Code @@ -1379,7 +1400,7 @@

it may be enhanced using its class.

-
+

sup Superscript @@ -1390,7 +1411,7 @@

Superscripted text

-
+

sub Subscript @@ -1401,7 +1422,7 @@

Subscripted text

-
+

span Span @@ -1418,7 +1439,7 @@

-
+

Profiling

By means of its profiling functionality, OSCAL provides ways of specifying and documenting @@ -1428,7 +1449,7 @@

Profiling

Roughly speaking, a profile document is a specification of a selection of controls and subcontrols from a catalog, along with a series of operations over those controls and their use.

-
+

profile Profile @@ -1440,7 +1461,7 @@

and configuration of controls, maintained separately

-
+

invoke Authority invocation @@ -1451,7 +1472,7 @@

For invocation of controls and subcontrols from a catalog or other authority

-
+

include Include controls @@ -1470,7 +1491,7 @@

instruction calls controls specifically.

-
+

exclude Exclude controls @@ -1489,7 +1510,7 @@

(explicitly, by ID) and excluded.

-
+

all Include all @@ -1526,7 +1547,7 @@

yes.)

-
+

call Call (control or subcontrol) @@ -1548,7 +1569,7 @@

them.

-
+

set-param Parameter setting @@ -1568,7 +1589,7 @@

one (when profiles are expected to provide baselines, for example).

-
+

alter Alteration @@ -1588,7 +1609,7 @@

confusion.

-
+

remove Removal @@ -1606,7 +1627,7 @@

augment to add it back again with changes.

-
+

augment Augmentation @@ -1618,14 +1639,14 @@

-
+

Constraints outside the core schema

Over and above what can be validated with a grammar (in the schema at the core level, but also distinct from OSCAL-flavor-specific validations, is a small set of constraints governing usage of @class assignments and element occurrence. Validations enforcing them can be implemented via Schematron or another process capable of static analysis of the data.

-
+

Order of items inside controls

@@ -1648,7 +1669,7 @@

Order of items inside controls

declarations model. (Such a functionality could be discussed.)

-
+

Interdicted @class assignments

@@ -1665,7 +1686,7 @@

Interdicted @class assignments

-
+

Developer notes and rationales

@@ -1701,7 +1722,7 @@

Developer notes and rationales

  • Standing something up quickly and changing names as we go gives us a chance to try things on, not just debate principles.
  • -
    +

    Controls, not (only) the documents that describe them

    OSCAL is a domain-specific language for the description and specification of collections of @@ -1720,7 +1741,7 @@

    Controls, not (only) the documents that describe them

    frameworks written in reference to controls catalogs, are all capabilities we aim to offer and support.

    -
    +

    Validation

    In order to enable catalog and profile-specific validation, we have developed an alternative validation model. It is intended to be (third) complementary to the (two) @@ -1742,7 +1763,7 @@

    Validation

    detected). Thus developers and users have the capability to define OSCAL control types without having to write any schema code.

    -
    +

    Relationship to other document formats

    OSCAL captures chunks of transcribed natural/literate/technical language, i.e. "prose", but diff --git a/docs/schema/oscal-tag-library.md b/docs/schema/oscal-tag-library.md index daa2955d7a..d71c5bf469 100644 --- a/docs/schema/oscal-tag-library.md +++ b/docs/schema/oscal-tag-library.md @@ -29,6 +29,7 @@ > * [<identifier> Identifier constraint](#identifier-identifier-constraint) > * [<regex> Regular expression constraint](#regex-regular-expression-constraint) > * [<value> Value constraint](#value-value-constraint) +> * [<calc> Calculated value constraint](#calc-calculated-value-constraint) > * [<autonum> Autonumbered (generated) value](#autonum-autonumbered-(generated)-value) > * [<inherit> Inherited value](#inherit-inherited-value) > * [<desc> Parameter description](#desc-parameter-description) @@ -280,6 +281,12 @@ In a declaration, value will commonly be given in groups, indicating a set of en In a parameter, a value represents a value assignment to the parameter, overriding any value given at the point of insertion. When parameters are provided in OSCAL profiles, their values will override any values assigned "lower down the stack". +#### <calc> Calculated value constraint + +Indicates a permissible value for a parameter or property, calculated dynamically + +Similar to value except that its contents are expanded to produce the permitted value, instead of being given as a literal. + #### <autonum> Autonumbered (generated) value Generates a formatted numeric value based on the position of a control object among its siblings, the text contents providing a template for the numbering format (arabic, alphabetic, roman, etc.) diff --git a/examples/SP800-53/SP800-53-oscal-declarations.xml b/examples/SP800-53/SP800-53-oscal-declarations.xml index beef5c7085..3599d054f8 100644 --- a/examples/SP800-53/SP800-53-oscal-declarations.xml +++ b/examples/SP800-53/SP800-53-oscal-declarations.xml @@ -1,7 +1,5 @@ - - - + @@ -38,7 +36,7 @@ - (1) + (1) LOW 
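Review bot: The comment above `start` in oscal-core.rnc still names only a catalog, declarations or a framework, so the new `worksheet` alternative in `start = (catalog | declarations | framework | worksheet)` is undocumented. Extend the comment, for example `# ... or we can have a framework or a worksheet (both 'catalog mockup' formats)`, adjusting the wording to what a worksheet actually is. None of the hunks shown for this file defines a `worksheet` pattern, so presumably it already exists elsewhere in the grammar. That is worth confirming, since a reference to an undefined pattern stops the schema from compiling and every validation scenario that relies on it would fail.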
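Review bot: In `property_decl`, the new content model `( regex | calc* | value* )` is a choice between a run of `calc` and a run of `value`, so a single `declare-prop` cannot list literal and calculated permitted values together. If mixing is meant to be allowed, the model would be `( regex | (calc | value)* )`. If the exclusion is deliberate, a comment such as `# calc and value are alternatives: a declaration uses one kind or the other` would record the intent. The XSD and Schematron counterparts in this patch are not readable on this page, so it is worth checking that they enforce the same rule as the RNC; otherwise a document could pass one validator and fail another.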
@@ -72,12 +70,12 @@ - a. - (a) + a. + (a) - 1. - (1) + 1. + (1) diff --git a/schema/xml/RNC/oscal-core.rnc b/schema/xml/RNC/oscal-core.rnc index 10ab649ade..016db8f5f9 100644 --- a/schema/xml/RNC/oscal-core.rnc +++ b/schema/xml/RNC/oscal-core.rnc @@ -2,7 +2,7 @@ default namespace = "http://csrc.nist.gov/ns/oscal/1.0" # We can have a catalog, or we can have only declarations for catalogs, or we can have a framework # (which is kind of a 'catalog mockup' format) -start = (catalog | declarations | framework) +start = (catalog | declarations | framework | worksheet) catalog-contents = (title, declarations?, (section | group | control)*, references?) @@ -55,7 +55,7 @@ parameter_decl = empty property_decl = element declare-prop { requiredClass, contextAttr, singleton?, required?, element identifier { empty }?, - (regex | value* ) + ( regex | calc* | value* ) } # part declaration @@ -79,8 +79,15 @@ required = element required { empty } # element limit { requiredClass, text } w/ @type= upper-bound-inclusive, lower-bound-exclusive, (w/ inclusive/exclusive etc.) regex = element regex { text } -value = element value { attribute xml:space { 'preserve' }?, ( \inherit | autonum | text )* } -\inherit = element inherit { attribute from { text }?, text } + +value = element value { text } + +calc = element calc { attribute xml:space { 'preserve' }?, ( \inherit | autonum | text )* } + +# empty element because it represents a value to be calculated +\inherit = element inherit { attribute from { text }? } + +# this time the text content gives the format of the calculated number autonum = element autonum { text } # done with declarations - controls, subcontrols and groups are not declared @@ -142,9 +149,7 @@ link = element link { relAttr, hrefAttr, mix } desc = element desc { mix } -param = element param { idAttr?, optionalClass, desc, paramValue } - -paramValue = element value { text } +param = element param { idAttr?, optionalClass, desc, value } prop = element prop { 
diff --git a/schema/xml/Schematron/oscal-as-declared.sch b/schema/xml/Schematron/oscal-as-declared.sch index 2fd66a5adc..c8c4c38be0 100644 --- a/schema/xml/Schematron/oscal-as-declared.sch +++ b/schema/xml/Schematron/oscal-as-declared.sch @@ -84,7 +84,7 @@ - + ) is expected to be unique to this property (instance) within the document. + - - + + Value of property is expected to be + + + + + + + - - Value of property is expected to be - - - - + + Value of property is expected to be + + @@ -173,20 +179,21 @@ + - - - - - + + + + + - + + then parent::oscal:calc/parent::oscal:declare-prop/oscal:classes(.) else $named-classes"/> [RESOLUTIONFAIL] - + diff --git a/schema/xml/XSD/oscal-core-interim.xsd b/schema/xml/XSD/oscal-core-interim.xsd index bdc13cb639..e0a35a1a34 100644 --- a/schema/xml/XSD/oscal-core-interim.xsd +++ b/schema/xml/XSD/oscal-core-interim.xsd @@ -47,7 +47,7 @@ - + @@ -57,7 +57,7 @@ - + @@ -83,7 +83,7 @@ - + @@ -102,7 +102,7 @@ - + @@ -155,7 +155,8 @@ - + + @@ -212,24 +213,23 @@ element limit { requiredClass, text } w/ @type= upper-bound-inclusive, lower-bound-exclusive, (w/ inclusive/exclusive etc.) --> - - - - - - - - - - - - - - + + + + + + + + + + + + + @@ -464,7 +459,7 @@ - + @@ -474,7 +469,7 @@ - + @@ -491,7 +486,7 @@ - + @@ -634,12 +629,12 @@ --> - + - + - + + NIST SP800-53 diff --git a/working/SP800-53/rev4/SP800-53-declarations.xml b/working/SP800-53/rev4/SP800-53-declarations.xml index beef5c7085..3599d054f8 100644 --- a/working/SP800-53/rev4/SP800-53-declarations.xml +++ b/working/SP800-53/rev4/SP800-53-declarations.xml @@ -1,7 +1,5 @@ - - - + @@ -38,7 +36,7 @@ - (1) + (1) LOW @@ -72,12 +70,12 @@ - a. - (a) + a. + (a) - 1. - (1) + 1. + (1)