The Auditree common fetchers, checks and harvest reports library

Project description

auditree-arboretum

The Auditree common fetchers, checks and harvest reports library.

Introduction

Auditree Arboretum is a Python library of common compliance fetchers, checks & harvest reports built upon the Auditree compliance automation framework.

Repo content

Functionality categorization

Arboretum fetchers, checks, and Harvest reports are organized into functional grouping categories. The following categories have either been contributed to or will be contributed to in the near future. We anticipate that this list will grow as arboretum matures.

Fetchers

Please read the framework documentation for fetcher design principles before contributing a fetcher.

Fetchers must apply no logic to the data they retrieve. They must write the data unadulterated (modulo sorting & de-duplication) into the /raw area of the locker via the framework-provided decorators or context managers.

Fetchers must be atomic - retrieving and creating the data they are responsible for. Fetcher execution order is not guaranteed and so you must not assume that evidence already exists and is current in the locker. Use evidence dependency chaining if a fetcher depends on evidence gathered by another fetcher in order to gather its intended evidence.

Fetchers should be as fast as the API call allows. If a call is long running it should be separated into a dedicated evidence providing tool, which places data where a fetcher can retrieve it easily & quickly.
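
The "unadulterated modulo sorting & de-duplication" rule above matters because raw evidence is versioned in the locker: two fetch runs that receive the same records in a different order should produce byte-identical evidence, otherwise every run looks like a change. The helper below is an added illustration written for this page, not code from auditree-arboretum or auditree-framework; the API responses are constructed sample data and the function name is an assumption.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample: the same two records returned by an API in two different
# orders, with one of them duplicated (e.g. a paginated response overlap).
SAMPLE_RESPONSE_A = [
    {"id": "u1", "role": "admin"},
    {"id": "u2", "role": "dev"},
    {"role": "admin", "id": "u1"},  # same record as the first, different key order
]
SAMPLE_RESPONSE_B = [
    {"id": "u2", "role": "dev"},
    {"id": "u1", "role": "admin"},
]


def normalize_raw_evidence(records: Iterable[Dict[str, Any]]) -> str:
    """Serialize fetched records as deterministic JSON.

    The only operations applied are de-duplication and sorting; no field is
    renamed, filtered or interpreted, which is what a fetcher is allowed to do.
    """
    # A record's identity is its full canonical serialization, so two records
    # are duplicates only if every field matches regardless of key order.
    seen = set()
    unique: List[Dict[str, Any]] = []
    for record in records:
        key = json.dumps(record, sort_keys=True)
        if key not in seen:
            seen.add(key)
            unique.append(record)
    # Sort on the same canonical form so the output does not depend on the
    # order in which the API happened to return the records.
    unique.sort(key=lambda r: json.dumps(r, sort_keys=True))
    return json.dumps(unique, sort_keys=True, indent=2) + "\n"


def evidence_record_count(payload: str) -> int:
    """Number of records in a normalized evidence payload."""
    return len(json.loads(payload))


if __name__ == "__main__":
    a = normalize_raw_evidence(SAMPLE_RESPONSE_A)
    b = normalize_raw_evidence(SAMPLE_RESPONSE_B)
    print("identical evidence from both responses:", a == b)
    print(a)
```

Because the output is stable, a diff of the raw evidence between two fetch runs shows only genuine changes in the upstream data, which is what a check (or a human reviewer of the locker history) needs to trust.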

Checks

Please read the framework documentation for check design principles before contributing a check.

Checks should only use evidence from the evidence locker to perform check operations. Also, checks should not write or change evidence from the evidence locker. That is the job of a fetcher.

Jinja is used to produce reports from checks. As such each check class must have at least one associated report template in order to produce a check report. In keeping with the "DevSecOps" theme, check reports are meant to provide details on violations identified by checks. These violations are in the form of failures and warnings. They aren't meant to be used to format fetched raw evidence into a readable report. Harvest reports should be used to satisfy that need.

Harvest Reports

Harvest reports are hosted with the fetchers/checks that collect the evidence the reports process. Within auditree-arboretum this means the harvest report code lives in reports folders throughout this repository. For more details, check out harvest report development in the harvest README.

Usage

arboretum is available for download from PyPI.

Prerequisites

  • Supported for execution on OSX and LINUX.
  • Supported for execution with Python 3.6 and above.

Integration

Follow these steps to integrate auditree-arboretum fetchers and checks into your project:

  • Add this auditree-arboretum package as a dependency in your Python project.

  • The following steps can be taken to import individual arboretum fetchers and checks.

    • For a fetcher, add a fetch_<category>_common.py module, if one does not already exist, in your project's fetchers path where the <category> is the respective category folder within this repo of that fetcher. Having a separate common "category" module guards against name collisions across categories.
    • For a check, add a test_<category>_common.py module, if one does not already exist, in your project's checks path where the <category> is the respective category folder within this repo of that check. Having a separate common "category" module guards against name collisions across providers and technologies.
    • Import the desired fetcher or check class and the auditree-framework will handle the rest.

    For example, to use the Abandoned Evidence fetcher from the auditree category, add the following to your fetch_auditree_common.py:

    from arboretum.auditree.fetchers.fetch_abandoned_evidence import AbandonedEvidenceFetcher
    
  • auditree-arboretum fetchers and checks are designed to execute as part of a downstream Python project, so you may need to set up your project's configuration in order for the fetchers and checks to execute as desired. Each category folder in this repository includes a README.md that documents each fetcher's and check's configuration.

    • In general auditree-arboretum fetchers and checks expect an org field with content that captures each fetcher's and check's configuration settings.

    For example:

    {
      "org": {
        "auditree": {
          "abandoned_evidence": {
            "threshold": 1234567,
            "exceptions": {
              "raw/path/to-evidence.json": "This is a good reason",
              "raw/path/to-evidence-2.json": "This is also a good reason"
            }
          }
        }
      }
    }
    
  • Finally, for a check, be sure to add the appropriate entry into your project's controls.json file. Doing this allows you to group checks together as a control set which is useful for organizing check notifications and targeted check execution.

    For example, to use the Abandoned Evidence check, add something similar to the following to your project's controls.json:

    {
      "arboretum.auditree.checks.test_abandoned_evidence.AbandonedEvidenceCheck": {
        "auditree_evidence": {
          "auditree_control": ["arboretum.auditree"]
        }
      }
    }
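
The configuration and controls.json fragments above are easy to get subtly wrong in a downstream project (a fetcher path pasted where a check path belongs, an exception with no justification, an empty control set), and such mistakes typically surface only when a check silently never runs. The lint below is an added example written for this page, not part of auditree-arboretum or auditree-framework; the sample config and controls content is constructed from the README fragments, and the rules it applies (check class paths of the form arboretum.<category>.checks.test_<name>.<Class>, positive integer threshold, non-empty exception reasons, exception paths under raw/) are conventions inferred from those fragments, not framework guarantees.

```python
import re
from typing import Any, Dict, List

# Class paths for checks imported from this library follow the layout shown in
# the README: arboretum.<category>.checks.test_<name>.<Class>.
CHECK_PATH = re.compile(
    r"^arboretum\.(?P<category>[a-z0-9_]+)\.checks\.test_[a-z0-9_]+\.[A-Za-z_][A-Za-z0-9_]*$"
)

# Constructed sample config.json content; the second exception deliberately
# has an empty reason so the lint has something to report.
SAMPLE_CONFIG: Dict[str, Any] = {
    "org": {
        "auditree": {
            "abandoned_evidence": {
                "threshold": 1234567,
                "exceptions": {
                    "raw/path/to-evidence.json": "This is a good reason",
                    "raw/path/to-evidence-2.json": "",
                },
            }
        }
    }
}

# Constructed sample controls.json content; the second key names the fetcher
# module instead of the check module, a common copy/paste mistake.
SAMPLE_CONTROLS: Dict[str, Any] = {
    "arboretum.auditree.checks.test_abandoned_evidence.AbandonedEvidenceCheck": {
        "auditree_evidence": {"auditree_control": ["arboretum.auditree"]}
    },
    "arboretum.auditree.fetchers.fetch_abandoned_evidence.AbandonedEvidenceFetcher": {
        "auditree_evidence": {"auditree_control": ["arboretum.auditree"]}
    },
}


def lint_controls(controls: Dict[str, Any]) -> List[str]:
    """Report controls.json entries that do not name an arboretum check or lack a control set."""
    findings: List[str] = []
    for class_path, control_sets in controls.items():
        if not CHECK_PATH.match(class_path):
            findings.append(
                f"{class_path}: not an arboretum check class path "
                "(expected arboretum.<category>.checks.test_<name>.<Class>)"
            )
            continue
        if not isinstance(control_sets, dict) or not control_sets:
            findings.append(f"{class_path}: no control set mapping")
            continue
        for control_set, controls_map in control_sets.items():
            if not isinstance(controls_map, dict) or not controls_map:
                findings.append(f"{class_path}: control set {control_set!r} is empty")
                continue
            for control, grouping in controls_map.items():
                if not isinstance(grouping, list) or not grouping:
                    findings.append(f"{class_path}: control {control!r} has no groupings")
    return findings


def lint_abandoned_evidence_config(config: Dict[str, Any]) -> List[str]:
    """Check the org.auditree.abandoned_evidence settings for shape problems."""
    findings: List[str] = []
    settings = config.get("org", {}).get("auditree", {}).get("abandoned_evidence")
    if settings is None:
        return ["org.auditree.abandoned_evidence: section missing"]
    threshold = settings.get("threshold")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(threshold, int) or isinstance(threshold, bool) or threshold <= 0:
        findings.append("threshold: expected a positive integer")
    exceptions = settings.get("exceptions", {})
    if not isinstance(exceptions, dict):
        return findings + ["exceptions: expected a mapping of evidence path -> reason"]
    for path, reason in exceptions.items():
        if not path.startswith("raw/"):
            findings.append(f"exceptions[{path!r}]: expected a locker path under raw/")
        if not isinstance(reason, str) or not reason.strip():
            findings.append(f"exceptions[{path!r}]: every exception needs a written justification")
    return findings


if __name__ == "__main__":
    for finding in lint_controls(SAMPLE_CONTROLS) + lint_abandoned_evidence_config(SAMPLE_CONFIG):
        print(finding)
```

Running this in a downstream project's CI before the framework executes gives an early, readable failure instead of a check that is never scheduled or an exception that quietly suppresses a finding without anyone recording why.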
    

Download files

Source Distribution

auditree-arboretum-0.17.1.tar.gz (46.1 kB)

Built Distribution

auditree_arboretum-0.17.1-py2.py3-none-any.whl (118.6 kB)

File details

Details for the file auditree-arboretum-0.17.1.tar.gz.

File metadata

  • Download URL: auditree-arboretum-0.17.1.tar.gz
  • Size: 46.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.18

File hashes

Hashes for auditree-arboretum-0.17.1.tar.gz
Algorithm Hash digest
SHA256 662202b30296c55315cb92626c0748668ac7fcb8e037362bd515cbdc05106461
MD5 24f6e7689f93514f3018203da10d3662
BLAKE2b-256 edd81b72f52ecae894fe4613c27dcc6e47adff1a0d4d722f1b02627866313db2

File details

Details for the file auditree_arboretum-0.17.1-py2.py3-none-any.whl.

File hashes

Hashes for auditree_arboretum-0.17.1-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 12d2ecc8b300ab364fc27b4b3f3292ef59df10b0f2fd61e0c5310c0563d84e9c
MD5 5229b379c1014599cfef0fca7411fff5
BLAKE2b-256 39fa654937f708a6f5abf0eefaf3b12cc720bfba0530ef3d3f5b195104b49cf8
