Merge branch '32-oscal-package-validation' into 'main'

updated oscal-component with lula validations

Closes #32

See merge request !97

CHANGELOG.md

@@ -3,6 +3,16 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [6.16.2-bb.4] - 2024-08-30
+
+### Changed
+
+- Updating Promtail `oscal-component.yaml` to include Lula validations for automated assessment
+
+### Added
+
+- Added `oscal-assessment-results.yaml` as a threshold for automated governance
+
 ## [6.16.2-bb.3] - 2024-08-20
 
 ### Changed

README.md

 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # promtail
 
-![Version: 6.16.2-bb.3](https://img.shields.io/badge/Version-6.16.2--bb.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square)
+![Version: 6.16.2-bb.4](https://img.shields.io/badge/Version-6.16.2--bb.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square)
 
 Promtail is an agent which ships the contents of local logs to a Loki instance
 

chart/Chart.yaml

@@ -3,7 +3,7 @@ name: promtail
 description: Promtail is an agent which ships the contents of local logs to a Loki instance
 type: application
 appVersion: 3.0.0
-version: 6.16.2-bb.3
+version: 6.16.2-bb.4
 home: https://grafana.com/loki
 sources:
   - https://github.com/grafana/loki

oscal-assessment-results.yaml

+assessment-results:
+  import-ap:
+    href: ""
+  metadata:
+    last-modified: 2024-09-03T15:00:59.632950054Z
+    oscal-version: 1.1.2
+    published: 2024-09-03T15:00:59.632950054Z
+    remarks: Assessment Results generated from Lula
+    title: '[System Name] Security Assessment Results (SAR)'
+    version: 0.0.1
+  results:
+    - description: Assessment results for performing Validations with Lula version v0.5.1
+      findings:
+        - description: "Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7491f812-2997-4c93-bda4-6cfbe4981c9b\n# Control Implementation \nPromtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls.\nThis control is partially implemented by this tool. \"Partial\" implementation due to the fact that promtail does not actively identify what \"priviledged functions\" would be - it simply scapes all logs from the targets it is instrumented to tail.\n"
+          related-observations:
+            - observation-uuid: 4cc48544-d29b-4547-9cc4-92220cbdfb88
+            - observation-uuid: 2fc47c03-f121-4c92-93b2-3c3ac7e0ddc5
+            - observation-uuid: 94e8f8d8-132e-4e69-9ff7-973fab1dadbc
+            - observation-uuid: b65581bc-1dd4-4e70-9906-ab9b80ea2cd8
+          target:
+            status:
+              state: not-satisfied
+            target-id: ac-6.9
+            type: objective-id
+          title: 'Validation Result - Control: ac-6.9'
+          uuid: b678aa0f-2a5e-4054-804e-245578d96a4e
+        - description: |
+            Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0194ded5-1ee9-420c-b0f7-ce39ed4918c2
+            # Control Implementation
+              a. Identify the types of events that the system is capable of logging in support of the audit function for organization-defined event types that the system is capable of logging;
+              b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+              c. Specify the following event types for logging within the system organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type;
+              d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
+              e. Review and update the event types selected for logging on an organization-defined frequency.
+
+              Logging daemons are present on each node that BigBang is installed on.  Out of the box, the following events are captured:
+              * all containers emitting to STDOUT or STDERR (captured  by container runtime translating container logs to /var/log/containers).
+              * all kubernetes api server requests.
+              * all events emitted by the kubelet.
+
+              This control is fully implemented by this tool.
+          related-observations:
+            - observation-uuid: 4cc48544-d29b-4547-9cc4-92220cbdfb88
+            - observation-uuid: 94e8f8d8-132e-4e69-9ff7-973fab1dadbc
+            - observation-uuid: 2fc47c03-f121-4c92-93b2-3c3ac7e0ddc5
+            - observation-uuid: b65581bc-1dd4-4e70-9906-ab9b80ea2cd8
+          target:
+            status:
+              state: not-satisfied
+            target-id: au-2
+            type: objective-id
+          title: 'Validation Result - Control: au-2'
+          uuid: 904fc7fd-e560-44c5-98d9-b9f5cd860ae4
+        - description: |
+            Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7718d81c-342b-4971-99b5-95c9dd0fa0da
+            # Control Implementation
+              Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes.
+              Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+              https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+          related-observations:
+            - observation-uuid: 4cc48544-d29b-4547-9cc4-92220cbdfb88
+            - observation-uuid: 94e8f8d8-132e-4e69-9ff7-973fab1dadbc
+            - observation-uuid: ff34549a-bc4e-404b-aba0-363bea641cae
+          target:
+            status:
+              state: not-satisfied
+            target-id: au-3
+            type: objective-id
+          title: 'Validation Result - Control: au-3'
+          uuid: 8d6aaca8-fa1d-4e8d-ae47-03f78c2e4dcf
+        - description: "Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 932f46fc-8f02-47df-8e1f-1bbe21d7df69\n# Control Implementation\nRecords captured by the logging daemon are enriched to  ensure the following are always present:\n* time of the event (UTC).\n* source of event (pod, namespace, container id).\nApplications are responsible for providing all other information.\\\nValidating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. \nWe will ensure the promtail.yaml file is at a minimum the target config https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ \n"
+          related-observations:
+            - observation-uuid: 4cc48544-d29b-4547-9cc4-92220cbdfb88
+            - observation-uuid: 94e8f8d8-132e-4e69-9ff7-973fab1dadbc
+            - observation-uuid: ff34549a-bc4e-404b-aba0-363bea641cae
+          target:
+            status:
+              state: not-satisfied
+            target-id: au-8
+            type: objective-id
+          title: 'Validation Result - Control: au-8'
+          uuid: cddaeeb5-396d-46bd-b0db-a134b7c96cc3
+      observations:
+        - collected: 2024-09-03T15:00:59.617598008Z
+          description: |
+            [TEST]: 50237372-d02c-48fa-9b23-12eeb62345e6 - logformat-configuration-valid
+          methods:
+            - TEST
+          relevant-evidence:
+            - description: |
+                Result: not-satisfied
+              remarks: |
+                Error running validation: domain GetResources error: secrets "promtail-promtail" not found
+          uuid: ff34549a-bc4e-404b-aba0-363bea641cae
+        - collected: 2024-09-03T15:00:59.620189002Z
+          description: |
+            [TEST]: 786bc911-6956-450e-92e8-67e0646b1cd7 - promtail-healthcheck
+          methods:
+            - TEST
+          relevant-evidence:
+            - description: |
+                Result: not-satisfied
+              remarks: |
+                OPA validation not performed: No resources to validate
+          uuid: 4cc48544-d29b-4547-9cc4-92220cbdfb88
+        - collected: 2024-09-03T15:00:59.624905458Z
+          description: |
+            [TEST]: 71f6b6d0-c850-44c8-937c-24af940d5f57 - promtail-configured-to-tail-kubernetes-pods
+          methods:
+            - TEST
+          relevant-evidence:
+            - description: |
+                Result: not-satisfied
+              remarks: |
+                Error running validation: domain GetResources error: secrets "promtail-promtail" not found
+          uuid: 2fc47c03-f121-4c92-93b2-3c3ac7e0ddc5
+        - collected: 2024-09-03T15:00:59.62744896Z
+          description: |
+            [TEST]: 420d8ee3-afb5-4d60-8907-e5141bce6995 - check-promtail-configuration-file-used-by-container
+          methods:
+            - TEST
+          relevant-evidence:
+            - description: |
+                Result: not-satisfied
+              remarks: |
+                OPA validation not performed: No resources to validate
+          uuid: 94e8f8d8-132e-4e69-9ff7-973fab1dadbc
+        - collected: 2024-09-03T15:00:59.631769766Z
+          description: |
+            [TEST]: 95babf3a-3858-43eb-b34e-55878ef8b1e8 - promtail-configured-to-tail-system-logs
+          methods:
+            - TEST
+          relevant-evidence:
+            - description: |
+                Result: not-satisfied
+              remarks: |
+                Error running validation: domain GetResources error: secrets "promtail-promtail" not found
+          uuid: b65581bc-1dd4-4e70-9906-ab9b80ea2cd8
+      props:
+        - name: threshold
+          ns: https://docs.lula.dev/oscal/ns
+          value: "true"
+        - name: target
+          ns: https://docs.lula.dev/oscal/ns
+          value: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
+      reviewed-controls:
+        control-selections:
+          - description: Controls Assessed by Lula
+            include-controls:
+              - control-id: ac-6.9
+              - control-id: au-2
+              - control-id: au-3
+              - control-id: au-8
+        description: Controls validated
+        remarks: Validation performed may indicate full or partial satisfaction
+      start: 2024-09-03T15:00:59.632937598Z
+      title: Lula Validation Result
+      uuid: 4864d874-1e6b-43c3-863d-56f65d3013ec
+  uuid: 8e1c54d8-2614-495b-93dc-7c1ee5ef4025