Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(oscal): begin integration of composed oscal with validations #496

Merged
merged 86 commits into from
Jul 19, 2024

Conversation

brandtkeller
Copy link
Member

@brandtkeller brandtkeller commented Jun 19, 2024

Description

This change proposes the integration of Lula with uds-core for the purposes of compliance assessment on Pull-Request. This Proposal includes:

  • all proposed future changes meet the minimum threshold for compliance
  • framework established for iterating control body-of-evidence
  • process for consuming uds-core compliance for downstream utilization

How does it work?

Each component that comprises uds-core contains an OSCAL file in the form of the component-definition model. This captures 1 -> N controls for 1 -> N standards (control implementations) that pertain to a specific component.

When controls are identified as implemented by a component, we can create or update a component-definition artifact through:

lula generate component -c <catalog-source> -r <controls-comma-delimited> --component "component name>

Validation

Lula operates on a model where controls are marked as satisfied when presented with programmatic and repeatable processes to to produce evidence that the control is satisfied.

These are often developed on a control-by-control basis and then composed into a single OSCAL component-definition in a schema-compliant addition in the back-matter. Reducing required network connectivity and making the compliance information portable.

One control may require evidence from many validations. One validation is the collection of data from some source and the measurement of that data for required adherence.

The lula validate operation is an objective assessment - determining control satisfied/not-satisfied state and writing the results to the assessment-results artifact.

Evaluation

The last step for determining greater, equal, or lesser compliance than the previous state is to execute a lula evaluate. This consumes the latest result in the assessment-results artifact and compares it against the threshold result.

The threshold result is identified as the result containing the following prop:

- name: threshold
   ns: https://docs.lula.dev/ns
   value: "true"

If the compliance of this latest result is worse than the threshold - the execution fails with a non-zero exit code - allowing for pipeline operations to fail.

If the compliance is equal - the command passes without any modification required.

If the compliance is greater - Lula will automatically move the threshold identifier to the applicable result item. (this would mean that the updated assessment-results artifact should be downloaded and submitted for update to the repository).

Naming

All files are titled with "oscal-" prepended to the OSCAL model type:

  • oscal-component.yaml -> component definition
  • oscal-assessment-results.yaml -> assessment results

This is primarily to allow for identification for linting workflows to target oscal files for Lula to Lint.

Metrics

The following are derived from the FedRAMP Moderate baseline:

24 controls of *329 total* mapped in OSCAL from Istio (7.29%)
24 controls of *161 total Technical* mapped in OSCAL from Istio (14.90%)
75 Unique controls captured in OSCAL of *329 total* (22.79%)
10 controls marked satisfied in OSCAL of *329 total* (3.03%)
75 Unique controls captured in OSCAL of *161 technical* (46.58%)
10 controls marked satisfied in OSCAL of *161 technical* (6.21%)

Note

DISA has recently published a new revision to the Cloud Computing Security Requirements Guide which may result in future iterations to a small subset of controls when reconciled.

DISA link

Review

The Lula team is actively working to make the review process better. Composed OSCAL has it's benefits for portability but that comes with the drawbacks of review.

To assist with the review process:

  • Ensure the pipeline additions are sound
  • Review the src/istio/oscal-component.yaml file. This will map controls to the current state of validations.
  • Understand the connection of compliance/oscal-component.yaml to the individual components under src/

Troubleshooting

If the pipeline should begin failing in the future - notify the @defenseunicorns/lula-dev team.

It should be expected that any major revisions to applications could break known assumptions about configuration required for compliance. The Lula team can help navigate failures.

Related Issue

Resolves #458

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

brandtkeller and others added 30 commits June 19, 2024 04:28
@brandtkeller brandtkeller marked this pull request as ready for review July 12, 2024 19:45
Copy link
Contributor

github-actions bot commented Jul 12, 2024

Compliance unicorn Evaluation: success

CC: @defenseunicorns/lula-dev

mjnagel
mjnagel previously approved these changes Jul 16, 2024
Copy link
Contributor

@mjnagel mjnagel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two small comments but this LGTM! Thanks for all the hard work here @defenseunicorns/lula-dev

.github/actions/notify-lula/action.yaml Show resolved Hide resolved
mjnagel
mjnagel previously approved these changes Jul 16, 2024
tasks.yaml Outdated Show resolved Hide resolved
Copy link
Contributor

@rjferguson21 rjferguson21 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mjnagel mjnagel merged commit 047fd30 into main Jul 19, 2024
20 checks passed
@mjnagel mjnagel deleted the 458_lula-integration-istio branch July 19, 2024 18:43
mjnagel pushed a commit that referenced this pull request Jul 22, 2024
🤖 I have created a release *beep* *boop*
---


##
[0.24.1](v0.24.0...v0.24.1)
(2024-07-22)


### Bug Fixes

* **ci:** snapshot release publish, passthrough test on upgrade
([#575](#575))
([d4afe00](d4afe00))
* **ci:** workflow permissions
([cacf1b5](cacf1b5))
* only allow istio gateways to set x509 client certificate header
([#572](#572))
([5c62279](5c62279))
* **sso:** delete orphaned SSO secrets
([#578](#578))
([5a6b9ef](5a6b9ef))
* unicorn flavor proxy image reference
([#590](#590))
([db081fa](db081fa))
* update monitor mutation to not overwrite explicitly defined scrape
class ([#582](#582))
([7e550d3](7e550d3))


### Miscellaneous

* **deps:** update grafana chart + sidecar image
([#567](#567))
([85b6de4](85b6de4))
* **deps:** update pepr to v0.32.7
([#556](#556))
([e594f13](e594f13))
* **deps:** update uds-identity-config to v0.5.1
([#591](#591))
([b9c5bd3](b9c5bd3))
* **deps:** update uds-k3d to v0.8.0
([#581](#581))
([fab8919](fab8919))
* **loki:** default query settings, config as secret
([#579](#579))
([5fa889c](5fa889c))
* **oscal:** begin integration of composed oscal with validations
([#496](#496))
([047fd30](047fd30))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Lula Integration in CI
4 participants