Introduction
This document provides information useful for ComplianceAsCode/content project contributors. We will guide you through the structure of the project, explaining the directory layout, the formats used and the build system.
Overview
See our README for a thorough introduction.
ComplianceAsCode/content aims to provide security and compliance content for various distributions and products.
The project contains three major parts:
Compliance benchmark content in a format-agnostic layout that is easy to read and modify:
Rules: checks and remediations for specific items, for example, ensuring that /var/log has the desired permissions. This includes automation both for auditing compliance with the rule and for remediating it if the desired state is not met.
Profiles and Controls: ways of grouping rules (in both product-specific and product-agnostic settings) to achieve compliance with a specific benchmark or policy (such as PCI-DSS, STIG, CIS, etc.).
A build system and utilities for transforming this content into standard-compliant, scanner-agnostic content.
A test harness for validating this content by executing it on the target platform.
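To make the rule concept concrete, here is an added shell example that is not part of the ComplianceAsCode/content project: a minimal audit function that reports whether a directory has the expected permission mode, paired with a remediation function that applies the mode only when the audit fails. It assumes GNU coreutils (stat -c) on Linux and runs on a constructed scratch directory rather than the real /var/log; the function names and the 755 target are assumptions for illustration only.

```shell
#!/bin/sh
# Added illustration of a rule's two halves (audit and remediation);
# not the project's own check or remediation code.
# Assumes GNU coreutils: `stat -c '%a'` prints the octal mode without a leading zero.

# current_mode PATH -> prints the octal permission mode of PATH
current_mode() {
    stat -c '%a' "$1"
}

# audit_mode PATH EXPECTED_OCTAL
# Returns 0 when PATH already has the expected mode, 1 otherwise
# (the audit never changes anything, so it is safe to run in check-only scans).
audit_mode() {
    path=$1
    expected=$2
    actual=$(current_mode "$path") || return 1
    [ "$actual" = "$expected" ]
}

# remediate_mode PATH EXPECTED_OCTAL
# Applies the expected mode only if the audit fails, then re-audits so the
# caller learns whether the desired state was actually reached.
remediate_mode() {
    path=$1
    expected=$2
    if audit_mode "$path" "$expected"; then
        return 0
    fi
    chmod "$expected" "$path" || return 1
    audit_mode "$path" "$expected"
}

# demo: exercise both halves on a constructed scratch directory
demo() {
    tmp=$(mktemp -d)
    chmod 777 "$tmp"          # deliberately wrong mode, constructed for the demo
    if audit_mode "$tmp" 755; then
        echo "audit: pass"
    else
        echo "audit: fail (mode is $(current_mode "$tmp"))"
    fi
    remediate_mode "$tmp" 755 && echo "remediation: mode is now $(current_mode "$tmp")"
    rmdir "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh rule_demo.sh demo` to see the audit fail on the over-permissive directory and then pass after remediation. Keeping the audit side-effect free and the remediation idempotent is what lets the same rule serve both a compliance scan and a fix-up run.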
Contributing
We welcome contributions big and small! Feel free to open an issue or a pull request; see our CONTRIBUTING.md file for more information.
Communication Channels
We have various means of communication for anyone interested in learning more or reaching out to existing members:
Mailing List
Join the mailing list at scap-security-guide.
Gitter
We now have a room (Compliance-As-Code-The/content) on Gitter.im!
Libera.chat
We lurk on #openscap on the libera.chat network.