Lula is a tool designed to bridge the gap between expected configuration required for compliance and actual configuration.
- Assess compliance of a system against user-defined controls
- Evaluate an evolving system for compliance over time
- Generate machine-readible OSCAL artifacts
- Accelerate the compliance and accreditation process
- Lula is not meant to compete with policy engines - rather augment the auditing and alerting process
- Often admission control processes have a difficult time establishing
big pictureglobal context control satisfaction, Lula fills this gap - Lula is meant to allow modularity and inheritance of controls based upon the components of the system you build
Cloud-Native Infrastructure, Platforms, and Applications can establish OSCAL documents that are maintained alongside source-of-truth code bases. These documents provide an inheritance model to prove when a control that the technology can satisfy IS satisfied in a live-environment.
These controls can be well established and regulated standards such as NIST 800-53. They can also be best practices, Enterprise Standards, or simply team development standards that need to be continuously monitored and validated.
Lula operates on a framework of proof by adding custom overlays mapped to the these controls, Lula Validations, to measure system compliance. These Validations are constructed by establishing the collection of measurements about a system, given by the specified Domain, and the evaluation of adherence, performed by the Provider.
Domain is the identifier for where and which data to collect as "evidence". Below are the active and planned domains:
| Domain | Current | Roadmap |
|---|---|---|
| Kubernetes | ✅ | - |
| API | ✅ | - |
| Cloud Infrastructure | ❌ | ✅ |
Provider is the "engine" performing the validation using policy and the data collected. Below are the active providers:
| Provider | Current | Roadmap |
|---|---|---|
| OPA | ✅ | - |
| Kyverno | ✅ | - |
Install Lula and check out the Simple Demo to get familiar with Lula's validate and evaluate workflow to assess system compliance and establish thresholds. See the other tutorials for more advanced Lula use cases and information on how to develop your own Lula Validations!