-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(oscal): begin integration of composed oscal with validations #496
Conversation
…oot oscal-component.yaml
…ula-integration-istio
Compliance unicorn Evaluation: success CC: @defenseunicorns/lula-dev |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two small comments but this LGTM! Thanks for all the hard work here @defenseunicorns/lula-dev
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving with intent to track https://github.com/defenseunicorns/compliance-artifacts/issues/51
🤖 I have created a release *beep* *boop* --- ## [0.24.1](v0.24.0...v0.24.1) (2024-07-22) ### Bug Fixes * **ci:** snapshot release publish, passthrough test on upgrade ([#575](#575)) ([d4afe00](d4afe00)) * **ci:** workflow permissions ([cacf1b5](cacf1b5)) * only allow istio gateways to set x509 client certificate header ([#572](#572)) ([5c62279](5c62279)) * **sso:** delete orphaned SSO secrets ([#578](#578)) ([5a6b9ef](5a6b9ef)) * unicorn flavor proxy image reference ([#590](#590)) ([db081fa](db081fa)) * update monitor mutation to not overwrite explicitly defined scrape class ([#582](#582)) ([7e550d3](7e550d3)) ### Miscellaneous * **deps:** update grafana chart + sidecar image ([#567](#567)) ([85b6de4](85b6de4)) * **deps:** update pepr to v0.32.7 ([#556](#556)) ([e594f13](e594f13)) * **deps:** update uds-identity-config to v0.5.1 ([#591](#591)) ([b9c5bd3](b9c5bd3)) * **deps:** update uds-k3d to v0.8.0 ([#581](#581)) ([fab8919](fab8919)) * **loki:** default query settings, config as secret ([#579](#579)) ([5fa889c](5fa889c)) * **oscal:** begin integration of composed oscal with validations ([#496](#496)) ([047fd30](047fd30)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Description
This change proposes the integration of Lula with uds-core for the purposes of compliance assessment on Pull-Request. This Proposal includes:
How does it work?
Each component that comprises
uds-core
contains an OSCAL file in the form of thecomponent-definition
model. This captures 1 -> N controls for 1 -> N standards (control implementations) that pertain to a specific component.When controls are identified as implemented by a component, we can create or update a
component-definition
artifact through:Validation
Lula operates on a model where controls are marked as satisfied when presented with programmatic and repeatable processes to to produce evidence that the control is satisfied.
These are often developed on a control-by-control basis and then composed into a single OSCAL component-definition in a schema-compliant addition in the back-matter. Reducing required network connectivity and making the compliance information portable.
One control may require evidence from many
validations
. Onevalidation
is the collection of data from some source and the measurement of that data for required adherence.The
lula validate
operation is an objective assessment - determining controlsatisfied/not-satisfied
state and writing the results to theassessment-results
artifact.Evaluation
The last step for determining greater, equal, or lesser compliance than the previous state is to execute a
lula evaluate
. This consumes the latestresult
in theassessment-results
artifact and compares it against thethreshold
result.The
threshold
result is identified as theresult
containing the following prop:If the compliance of this latest result is worse than the threshold - the execution fails with a non-zero exit code - allowing for pipeline operations to fail.
If the compliance is equal - the command passes without any modification required.
If the compliance is greater - Lula will automatically move the threshold identifier to the applicable result item. (this would mean that the updated
assessment-results
artifact should be downloaded and submitted for update to the repository).Naming
All files are titled with "oscal-" prepended to the OSCAL model type:
This is primarily to allow for identification for linting workflows to target oscal files for Lula to Lint.
Metrics
The following are derived from the FedRAMP Moderate baseline:
Note
DISA has recently published a new revision to the Cloud Computing Security Requirements Guide which may result in future iterations to a small subset of controls when reconciled.
DISA link
Review
The Lula team is actively working to make the review process better. Composed OSCAL has it's benefits for portability but that comes with the drawbacks of review.
To assist with the review process:
src/istio/oscal-component.yaml
file. This will map controls to the current state of validations.compliance/oscal-component.yaml
to the individual components undersrc/
Troubleshooting
If the pipeline should begin failing in the future - notify the @defenseunicorns/lula-dev team.
It should be expected that any major revisions to applications could break known assumptions about configuration required for compliance. The Lula team can help navigate failures.
Related Issue
Resolves #458
Type of change
Checklist before merging