Compliance Auditor is a tool written to bridge the gap between the configuration a compliance framework expects and the configuration that is actually running.

Cloud-native infrastructure, platforms, and applications can publish OSCAL documents that live beside their source-of-truth code bases. This provides an inheritance model: a control that the technology is capable of satisfying is reported as satisfied only when it actually is satisfied in the live environment.

The expected configuration can come from well-established, regulated standards such as NIST SP 800-53, or from best practices, enterprise standards, or team development standards that need to be continuously monitored and validated.
The primary functionality leverages the Kyverno CLI/Engine. Compliance Auditor:

- Ingests an `oscal-component.yaml` and creates an object in memory
- Queries all `implemented-requirements` for a `rules` field
  - This rules block is a strict port of the rules of a Kyverno `ClusterPolicy` resource
- If a `rules` field exists:
  - Generates a `ClusterPolicy` resource on the filesystem
  - Executes the `applyCommandHelper` function from the Kyverno CLI
    - This returns the number of passing/failing resources in the cluster (or, optionally, in static manifests on the filesystem)
  - If any resource fails, taking into account any valid exclusions that may be present, the control is declared as `Fail`
  - Removes the `ClusterPolicy` from the filesystem
- Repeats the above for each `implemented-requirement` that has a `rules` field
- Generates a report of the findings (`Pass` or `Fail` for each control) on the filesystem (optional: run with `--dry-run` to avoid writing to the filesystem)
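As an added example that is not code from the Compliance Auditor project, the following Go program implements the pipeline above on a constructed OSCAL component definition: it flattens the `implemented-requirements`, skips any that carry no `rules` field, ports each `rules` block unchanged into a Kyverno `ClusterPolicy`, stages the policy on disk and removes it afterwards, and applies the pass/fail rule. The sample is in the JSON form of the OSCAL model so that only the standard library is needed; the shape of the `rules` field, the `compliance-<control-id>` policy naming and the `runAsNonRoot` rule are assumptions, and the call into the Kyverno CLI's `applyCommandHelper` is replaced by constructed counts (one failing Pod).

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Constructed sample (JSON form of the OSCAL component-definition model): the `rules` list on ac-6 is the
// tool's extension, assumed to be a Kyverno rules block, and the rule itself is hypothetical; ac-2 has no rules.
const sampleComponent = `{"component-definition":{"components":[{"title":"Demo workload","control-implementations":[{"implemented-requirements":[
  {"uuid":"3b0c3a04-1f3e-4a8c-9a3f-0b2a9b5d0c01","control-id":"ac-6","rules":[{"name":"run-as-non-root",
   "match":{"any":[{"resources":{"kinds":["Pod"]}}]},
   "validate":{"message":"Pods must set securityContext.runAsNonRoot=true",
               "pattern":{"spec":{"securityContext":{"runAsNonRoot":true}}}}}]},
  {"uuid":"8f2d1c6e-5b1a-4e0f-8d2c-7a6b5c4d3e02","control-id":"ac-2"}]}]}]}}`

// ImplementedRequirement is the subset of the OSCAL model this example needs.
type ImplementedRequirement struct {
	UUID      string                   `json:"uuid"`
	ControlID string                   `json:"control-id"`
	Rules     []map[string]interface{} `json:"rules,omitempty"`
}

// ClusterPolicy is the Kyverno resource the rules block is copied into unchanged.
type ClusterPolicy struct {
	APIVersion string                              `json:"apiVersion"`
	Kind       string                              `json:"kind"`
	Metadata   struct{ Name string `json:"name"` } `json:"metadata"`
	Spec       struct {
		ValidationFailureAction string                   `json:"validationFailureAction"`
		Rules                   []map[string]interface{} `json:"rules"`
	} `json:"spec"`
}

// LoadRequirements flattens every implemented-requirement out of the document.
func LoadRequirements(data []byte) ([]ImplementedRequirement, error) {
	var doc struct {
		ComponentDefinition struct {
			Components []struct {
				ControlImplementations []struct {
					ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements"`
				} `json:"control-implementations"`
			} `json:"components"`
		} `json:"component-definition"`
	}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var reqs []ImplementedRequirement
	for _, c := range doc.ComponentDefinition.Components {
		for _, ci := range c.ControlImplementations {
			reqs = append(reqs, ci.ImplementedRequirements...)
		}
	}
	return reqs, nil
}

// BuildClusterPolicy ports a requirement's rules into a ClusterPolicy named after the control
// (naming scheme assumed); ok is false when the requirement has no rules block to evaluate.
func BuildClusterPolicy(req ImplementedRequirement) (p ClusterPolicy, ok bool) {
	if len(req.Rules) == 0 {
		return p, false
	}
	p.APIVersion, p.Kind = "kyverno.io/v1", "ClusterPolicy"
	p.Metadata.Name = "compliance-" + strings.ToLower(req.ControlID)
	p.Spec.ValidationFailureAction = "Audit" // evaluate only; never block admission
	p.Spec.Rules = req.Rules
	return p, true
}

// Verdict: any failing resource (after exclusions) fails the control; zero matches counts as Pass (assumption).
func Verdict(passed, failed int) string {
	if failed > 0 {
		return "Fail"
	}
	return "Pass"
}

func main() {
	reqs, err := LoadRequirements([]byte(sampleComponent))
	if err != nil {
		panic(err)
	}
	for _, req := range reqs {
		if policy, ok := BuildClusterPolicy(req); ok { // no rules block: control is not evaluated
			// Stage the policy on disk for Kyverno CLI's apply helper, then remove it again.
			f, err := os.CreateTemp("", policy.Metadata.Name+"-*.json")
			if err != nil {
				panic(err)
			}
			if err := json.NewEncoder(f).Encode(policy); err != nil {
				panic(err)
			}
			f.Close()
			fmt.Printf("%s: %s (policy %s)\n", req.ControlID, Verdict(0, 1), policy.Metadata.Name) // counts constructed
			os.Remove(f.Name())
		}
	}
}
```

The staged policy sets `validationFailureAction: Audit` on purpose: the auditor only reports, and a generated policy that was ever applied to the cluster in `Enforce` mode would start rejecting admissions rather than just counting failures.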
## Getting Started

Prerequisites:

- A running Kubernetes cluster
- Go 1.19.1

Steps:
- Clone the repository to your local machine
- While in the `compliance-auditor` directory, run `go build .` to compile the tool
- Apply the `namespace.yaml` file in the `demo` directory to your cluster: `kubectl apply -f ./demo/namespace.yaml`
- Apply the `pod.fail.yaml` file to your cluster: `kubectl apply -f ./demo/pod.fail.yaml`
- Run the following command in the `compliance-auditor` directory: `./compliance-auditor execute ./demo/oscal-component.yaml`
  - The tool should inform you that there is at least one failing pod in the cluster
- Now apply the `pod.pass.yaml` file to your cluster: `kubectl apply -f ./demo/pod.pass.yaml`
  - This modifies the pod's configuration so that the validation passes
- Run the same command again in the `compliance-auditor` directory: `./compliance-auditor execute ./demo/oscal-component.yaml`
  - The tool should now report the pod as passing the compliance requirement
## Roadmap

- Support for cloud infrastructure state queries
- Support for API validation

## Built With

- Go 1.19