defenseunicorns / lula

The Compliance Validator
Apache License 2.0
146 stars 23 forks

Trim Leading Whitespace in addPart Label #676

Closed CloudBeard closed 1 month ago

CloudBeard commented 1 month ago

Environment

Device and OS: Ubuntu 22.04
App version: v0.7.0
Kubernetes distro: N/A
Kubernetes version: N/A
provider:

Steps to reproduce

  1. Run the following command: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Keycloak' --requirements ac-2 --remarks assessment-objective --framework il4 -o only-ac2.yaml

Expected result

component-definition:
  components:
    - control-implementations:
        - description: Control Implementation Description
          implemented-requirements:
            - control-id: ac-2
              description: <how the specified control may be implemented if the containing component or capability is instantiated in a system security plan>
              remarks: |
                ASSESSMENT-OBJECTIVE:
                AC-02a.
                    AC-02a.[01] account types allowed for use within the system are defined and documented;
                    AC-02a.[02] account types specifically prohibited for use within the system are defined and documented;
                AC-02b. account managers are assigned;
                AC-02c. [Assignment: organization-defined prerequisites and criteria] for group and role membership are required;
                AC-02d.
                    AC-02d.01 authorized users of the system are specified;
                    AC-02d.02 group and role membership are specified;
                    AC-02d.03
                        AC-02d.03[01] access authorizations (i.e., privileges) are specified for each account;
                        AC-02d.03[02] [Assignment: organization-defined attributes (as required)] are specified for each account;
                AC-02e. approvals are required by [Assignment: organization-defined personnel or roles] for requests to create accounts;
                AC-02f.
                    AC-02f.[01] accounts are created in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
                    AC-02f.[02] accounts are enabled in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
                    AC-02f.[03] accounts are modified in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
                    AC-02f.[04] accounts are disabled in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
                    AC-02f.[05] accounts are removed in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
                AC-02g. the use of accounts is monitored;
                AC-02h.
                    AC-02h.01 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when accounts are no longer required;
                    AC-02h.02 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when users are terminated or transferred;
                    AC-02h.03 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when system usage or the need to know changes for an individual;
                AC-02i.
                    AC-02i.01 access to the system is authorized based on a valid access authorization;
                    AC-02i.02 access to the system is authorized based on intended system usage;
                    AC-02i.03 access to the system is authorized based on [Assignment: organization-defined attributes (as required)];
                AC-02j. accounts are reviewed for compliance with account management requirements [Assignment: organization-defined frequency];
                AC-02k.
                    AC-02k.[01] a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
                    AC-02k.[02] a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
                AC-02l.
                    AC-02l.[01] account management processes are aligned with personnel termination processes;
                    AC-02l.[02] account management processes are aligned with personnel transfer processes.
              uuid: 07c55091-d7e0-4fd1-b5e8-a35dd495ac96
          props:
            - name: generation
              ns: https://docs.lula.dev/oscal/ns
              value: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Keycloak' --requirements ac-2 --remarks assessment-objective --framework il4
            - name: framework
              ns: https://docs.lula.dev/oscal/ns
              value: il4
          source: https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json
          uuid: dd4d9f1c-1f23-577b-a783-800bfd156566
      description: Component Description
      title: Keycloak
      type: software
      uuid: 1e493e17-d222-4acc-b760-c35e8c037bfb
  metadata:
    last-modified: 2024-09-20T18:59:30.173827454Z
    oscal-version: 1.1.2
    published: 2024-09-20T18:52:24.101855956Z
    remarks: Lula Generated Component Definition
    title: Component Title
    version: 0.0.1
  uuid: 451a642c-22c9-4b09-ba8f-3e506bab0113

Actual Result

component-definition:
  components:
    - control-implementations:
        - description: Control Implementation Description
          implemented-requirements:
            - control-id: ac-2
              description: <how the specified control may be implemented if the containing component or capability is instantiated in a system security plan>
              remarks: "ASSESSMENT-OBJECTIVE:\nAC-02a.\n\tAC-02a.[01] account types allowed for use within the system are defined and documented;\n\tAC-02a.[02] account types specifically prohibited for use within the system are defined and documented;\nAC-02b. account managers are assigned;\nAC-02c.  [Assignment: organization-defined prerequisites and criteria] for group and role membership are required;\nAC-02d.\n\tAC-02d.01 authorized users of the system are specified;\n\tAC-02d.02 group and role membership are specified;\n\tAC-02d.03\n\t\tAC-02d.03[01] access authorizations (i.e., privileges) are specified for each account;\n\t\tAC-02d.03[02]  [Assignment: organization-defined attributes (as required)] are specified for each account;\nAC-02e. approvals are required by [Assignment: organization-defined personnel or roles] for requests to create accounts;\nAC-02f.\n\tAC-02f.[01] accounts are created in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\n\tAC-02f.[02] accounts are enabled in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\n\tAC-02f.[03] accounts are modified in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\n\tAC-02f.[04] accounts are disabled in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\n\tAC-02f.[05] accounts are removed in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\nAC-02g. the use of accounts is monitored; \nAC-02h.\n\tAC-02h.01 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when accounts are no longer required;\n\tAC-02h.02 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when users are terminated or transferred;\n\tAC-02h.03 account managers and [Assignment: organization-defined personnel or roles] are notified within [Assignment: organization-defined time period] when system usage or the need to know changes for an individual;\nAC-02i.\n\tAC-02i.01 access to the system is authorized based on a valid access authorization;\n\tAC-02i.02 access to the system is authorized based on intended system usage;\n\tAC-02i.03 access to the system is authorized based on [Assignment: organization-defined attributes (as required)];\nAC-02j. accounts are reviewed for compliance with account management requirements [Assignment: organization-defined frequency];\nAC-02k.\n\tAC-02k.[01] a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;\n\tAC-02k.[02] a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;\nAC-02l.\n\tAC-02l.[01] account management processes are aligned with personnel termination processes;\n\tAC-02l.[02] account management processes are aligned with personnel transfer processes.\n"
              uuid: adea905e-ad32-4894-9dc5-6c2c549b8267
          props:
            - name: generation
              ns: https://docs.lula.dev/oscal/ns
              value: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Keycloak' --requirements ac-2 --remarks assessment-objective --framework il4
            - name: framework
              ns: https://docs.lula.dev/oscal/ns
              value: il4
          source: https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json
          uuid: dd4d9f1c-1f23-577b-a783-800bfd156566
      description: Component Description
      title: Keycloak
      type: software
      uuid: 7909d41d-ed31-43fc-be7d-9c1b35b223ae
  metadata:
    last-modified: 2024-09-20T18:55:26.987495906Z
    oscal-version: 1.1.2
    published: 2024-09-20T18:55:26.987495906Z
    remarks: Lula Generated Component Definition
    title: Component Title
    version: 0.0.1
  uuid: c6f85a8b-719e-4cdf-be83-cbe51e4cda38

Visual Proof (screenshots, videos, text, etc)

image

Severity/Priority

Low/High

Blocks https://github.com/defenseunicorns/compliance-artifacts/pull/111 from clean OSCAL
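The whitespace difference between the two outputs above is the whole defect: the actual remarks carry a tab before each nested part and a trailing space after "monitored;", so the YAML encoder has to double-quote the scalar instead of emitting the literal block the expected result shows. The Go program below is an added illustration written for this issue, not Lula's addPart or any of its types: it trims each label and prose before rendering, indents nested parts with four spaces per level as in the expected output, and then checks the rendered text for the characters that push a libyaml-style emitter (yaml.v3 included) out of literal block style. The part struct, the sampleParts data and all function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// part is an assumed, minimal shape for a catalog assessment-objective part:
// a label, its prose and nested sub-parts. It is not Lula's or OSCAL's type.
type part struct {
	Label string
	Prose string
	Parts []part
}

// renderParts flattens a part tree into remarks text, one line per part.
// Label and prose are trimmed of leading/trailing whitespace (the trim the
// issue asks for) and nesting is expressed with four spaces per level, so no
// tab or trailing space ever reaches the YAML encoder.
func renderParts(parts []part, depth int, sb *strings.Builder) {
	indent := strings.Repeat("    ", depth)
	for _, p := range parts {
		label := strings.TrimSpace(p.Label)
		prose := strings.TrimSpace(p.Prose)
		line := label
		if prose != "" {
			line = label + " " + prose
		}
		sb.WriteString(indent + line + "\n")
		renderParts(p.Parts, depth+1, sb)
	}
}

// buildRemarks produces the full remarks value with the same header the
// generated component definition uses.
func buildRemarks(parts []part) string {
	var sb strings.Builder
	sb.WriteString("ASSESSMENT-OBJECTIVE:\n")
	renderParts(parts, 0, &sb)
	return sb.String()
}

// literalBlockSafe reports whether text can be emitted as a YAML literal
// block scalar (`|`). A space immediately before a line break forces
// libyaml-derived emitters to fall back to double quotes, which is what the
// "Actual Result" shows; tabs are rejected as well because the expected
// output indents with spaces only. On failure the reason names the line.
func literalBlockSafe(text string) (bool, string) {
	lines := strings.Split(strings.TrimSuffix(text, "\n"), "\n")
	for i, line := range lines {
		if strings.ContainsRune(line, '\t') {
			return false, fmt.Sprintf("line %d contains a tab", i+1)
		}
		if line != strings.TrimRight(line, " ") {
			return false, fmt.Sprintf("line %d has trailing whitespace", i+1)
		}
	}
	return true, ""
}

// sampleParts is constructed input modelled on the AC-02a/AC-02b shape in the
// issue, seeded with the stray leading tab and trailing space the actual
// output exhibits.
func sampleParts() []part {
	return []part{
		{Label: "AC-02a.", Parts: []part{
			{Label: "\tAC-02a.[01]", Prose: "account types allowed for use within the system are defined and documented; "},
			{Label: "\tAC-02a.[02]", Prose: "account types specifically prohibited for use within the system are defined and documented;"},
		}},
		{Label: "AC-02b.", Prose: " account managers are assigned;"},
	}
}

func main() {
	remarks := buildRemarks(sampleParts())
	fmt.Print(remarks)
	if ok, reason := literalBlockSafe(remarks); !ok {
		fmt.Println("would be double-quoted:", reason)
	} else {
		fmt.Println("safe for a YAML literal block")
	}
	// The untrimmed form from the actual output is caught with a line number.
	if ok, reason := literalBlockSafe("AC-02g. the use of accounts is monitored; \nAC-02h.\n"); !ok {
		fmt.Println("untrimmed input:", reason)
	}
}
```

The check is the piece worth keeping in a validator: run it over every generated remarks field and a tab or a space-before-newline is reported with its line number, which is quicker than diffing two component definitions by eye.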

brandtkeller commented 1 month ago

Fixed in #677