In OSCAL - links
contains the following fields:
links:
- href: https://www.example.com/
rel: reference
text: Example
media-type: text/html
resource-fragment: some-fragment
These links are a "reference to a local or remote resource, that has a specific relation to the containing object" - Component Definition Links.
As such, links are a native OSCAL attribute that Lula can use to map to Validations.
After identifying a control and writing a Lula Validation, we need to store that Lula Validation within the OSCAL artifact for referencing.
This is accomplished by adding a new resource
to the back-matter
as shown below:
back-matter:
resources:
- uuid: a7377430-2328-4dc4-a9e2-b3f31dc1dff9
description: >-
domain:
type: kubernetes
kubernetes-spec:
resources:
- name: podsvt
resource-rule:
group:
version: v1
resource: pods
namespaces: [validation-test]
provider:
type: opa
opa-spec:
rego: |
package validate
import future.keywords.every
validate {
every pod in input.podsvt {
podLabel := pod.metadata.labels.foo
podLabel == "bar"
}
}
Now we need to map an existing control (or Component-Definition Implemented-Requirement) to this Lula Validation.
The default workflow is to use the rel attribute to indicate that Lula has work to perform.
In the instance of a standard validation - A link to a Lula Validation might look like this:
links:
- href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
rel: lula
Where href: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
points to an OSCAL object with a UUID reference and rel: lula
indicates that the link is to a Lula Validation.
UUID's should always be unique per object in the OSCAL artifact.
Tip
You can generate a random UUID using lula tools uuidgen
or a deterministic UUID using lula tools uuidgen <string>
.
In addition to storing validaitons in the BackMatter
, links
may be used to fetch resources external to the component-definition
.
- must be prefixed with
file:
file:
must be a relative path to thecomponent-definition
or an absolute path
links:
- href: file:./validation.yaml
rel: lula
- href: file:/home/user/validations/validation.yaml
rel: lula
- must be prefixed with
https:
orhttp:
https:
orhttp:
must be a valid URL
links:
- href: https://example.com/validation.yaml
rel: lula
- A checksum may be provided in the href using the suffix
@<checksum>
- Supports
sha1
,sha256
,sha512
,md5
links:
- href: https://example.com/validation.yaml@0123456789abcdef
rel: lula
- A file with multiple validations may be provided in the link.
---
should be used to separate each validationresource-fragment: <UUID>
will run the validation with the UUID specifiedresource-fragment: *
will run all validations
// Only runs the validation with the UUID of a7377430-2328-4dc4-a9e2-b3f31dc1dff9
links:
- href: https://example.com/multi-validations.yaml
rel: lula
resource-fragment: '#a7377430-2328-4dc4-a9e2-b3f31dc1dff9'
// All validations
- href: file:./multi-validations.yaml
rel: lula
resource-fragment: *
Note
An example component-definition
with remote validations can be found here.