Description
Summary
This proposal describes a potential solution and flow for Layer 5.
Schema
// #EnforcementAction records a single enforcement outcome for a target:
// the decision taken, optionally the finding that triggered it, and the ids
// of the follow-up remediation/notification plans, if any were produced.
// NOTE(review): #Datetime is not defined in this excerpt — presumably
// declared in a shared schema; confirm. The Go example below defaults the
// decision to "Audit", which is not among the #Decision values listed here,
// so either the enum or the example needs aligning.
#EnforcementAction: {
	id:        string
	timestamp: #Datetime
	target:    #Target
	decision:  #Decision
	finding?:  #Finding
	"remediation-plan-id"?:  string @go(RemediationPlanId)
	"notification-plan-id"?: string @go(NotificationPlanId)
}
// #Decision is the high-level enforcement outcome.
#Decision: "Block" | "Mutate" | "Notify"
// #Finding is a self-contained record of a detected issue.
#Finding: {
	"requirement-id": string @go(RequirementId)
	result:  #Result
	message: string
}
// #Target defines the subject of the enforcement action.
#Target: {
	"target-name": string @go(TargetName)
	"target-type": string @go(TargetType)
	"target-id"?:  string @go(TargetId)
}
Example
// EnforcementDecision derives a Layer 5 enforcement action for target from a
// Layer 4 assessment log entry.
//
// The decision starts as "Audit" and is switched to "Mutate" only when the
// log records a failed evaluation; every other result keeps the "Audit"
// default. The log's requirement id, result and message are carried over
// unchanged as the action's finding, and the action receives a fresh uuid.
//
// NOTE(review): "Audit" is not one of the #Decision values listed in the
// schema above ("Block" | "Mutate" | "Notify"), and the schema's required
// timestamp field is not populated here — confirm both are intended.
// NOTE(review): any result other than layer4.Failed (including error or
// unknown states, if layer4 defines them) falls through to "Audit"; confirm
// that is the intended default rather than a stricter outcome.
func EnforcementDecision(log layer4.AssessmentLog, target Target) EnforcementAction {
	decision := Decision("Audit")
	if log.Result == layer4.Failed {
		decision = Decision("Mutate")
	}

	finding := Finding{
		RequirementId: log.RequirementId,
		Result:        log.Result,
		Message:       log.Message,
	}

	return EnforcementAction{
		Id:       uuid.New().String(),
		Decision: decision,
		Target:   target,
		Finding:  finding,
	}
}
// GenerateRemediationPlan builds a Layer 5 remediation plan that references
// the given enforcement action by its id.
//
// The plan gets a fresh uuid and a fixed two-step sequence ("Enable
// Encryption", then "Update Access Policy"). The steps do not depend on
// action.Decision or action.Finding — presumably placeholder content for
// the proposal; a real implementation would derive them from the finding.
func GenerateRemediationPlan(action EnforcementAction) RemediationPlan {
	plan := RemediationPlan{
		Id:            uuid.New().String(),
		EnforcementId: action.Id,
	}

	steps := make([]RemediationStep, 0, 2)
	steps = append(steps, RemediationStep{Id: "1", Name: "Enable Encryption"})
	steps = append(steps, RemediationStep{Id: "2", Name: "Update Access Policy"})
	plan.Steps = steps

	return plan
}
Diagram
graph TD
A(Layer 3 Enforcement Method) --Autoremediation--> B(Layer 5 Remediation Plan)
C(Layer 4 Evaluation Log) --Findings--> B
A --Manual Remediation--> D(Layer 5 Notification Plan)
C --Findings--> D
A --Deployment Gate--> F(Layer 5 Enforcement Plan)
Related
eddie-knight