From ec7629648d99a7b448efab19024d011b82c99815 Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Wed, 19 Jun 2024 04:28:23 +0000
Subject: [PATCH 01/68] feat(oscal): begin integration of composed oscal with validations

---
 src/istio/component.yaml | 1451 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 1451 insertions(+)
 create mode 100644 src/istio/component.yaml

diff --git a/src/istio/component.yaml b/src/istio/component.yaml
new file mode 100644
index 000000000..9bb372756
--- /dev/null
+++ b/src/istio/component.yaml
@@ -0,0 +1,1451 @@ +component-definition: + back-matter: + resources: + - rlinks: + - href: https://github.com/istio/istio/ + title: Istio Operator + uuid: 60826461-D279-468C-9E4B-614FAC44A306 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioMeshConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + 
default msg = "Not evaluated" + + # Validate Istio configuration for event logging support + validate { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": true, "msg": msg } { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } { + msg := "Tracing logging not supported." + } + type: opa + title: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate { + has_prometheus_annotation.result + } + msg = has_prometheus_annotation.msg + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: peerAuths + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + + # Default policy result + default validate = false + default all_strict = false + default msg = "Not evaluated" + + validate { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to 
STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." + } + type: opa + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_exempt + validation: validate.validate + rego: | + package validate + import future.keywords.every + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_gateways_allowed.result + } + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 + } else = {"result": false, "msg": msg} { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # 
Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + type: opa + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: networkPolicies + resource-rule: + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." 
+ + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? 
+ type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - description: "" + name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 + type: kubernetes + lula-version: "" + metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + provider: + opa-spec: + output: + observations: + - istiohealth.deployment_message + - istiohealth.hpa_message + validation: istiohealth.is_istio_healthy + rego: | + package istiohealth + + default is_istio_healthy = false + default deployment_message = "Deployment status not evaluated" + default hpa_message = "HPA status not evaluated" + + # Check if the Istio Deployment is healthy + is_istio_healthy { + count(input.istioddeployment.status.conditions) > 0 + all_deployment_conditions_are_true + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + } + + all_deployment_conditions_are_true { + # Ensure every condition in the array has a status that is not "False" + all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} + count(all_true) == count(input.istioddeployment.status.conditions) + } + + deployment_message = msg { + all_deployment_conditions_are_true + msg := "All deployment conditions are true." + } else = msg { + msg := "One or more deployment conditions are false." + } + + hpa_message = msg { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = msg { + msg := "HPA does not have sufficient replicas." 
+ } + type: opa + title: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + - description: | + lula-version: "" + metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_actual + - validate.msg_expected + validation: validate.validate + rego: "package validate\n\nimport future.keywords.every\nimport future.keywords.in\n\n# + default values\ndefault validate = false\ndefault msg = \"Not evaluated\"\n\nvalidate + {\n check_expected_gw2vs.result\n}\nmsg := check_expected_gw2vs.msg\nmsg_actual + := sprintf(\"Gateways configured: %v. 
VirtualServices using Gateways: %v\", + [gateways, gateway_virtual_services])\nmsg_expected := sprintf(\"Expected VirtualServices + using Gateways: %v\", [expected_gw2vs])\n\ncheck_expected_gw2vs = {\"result\": + true, \"msg\": msg} {\n every gw in gateways {\n gw_uses_vs(gw) \n }\n + \ msg := \"Expected Virtual Services using expected Gateways\"\n} else = {\"result\": + false, \"msg\": \"Expected Virtual Services not using expected Gateways\"}\n\ngw_uses_vs(gw) + {\n expected_vs := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n + \ count(expected_vs - actual_vs) == 0\n}\ngw_uses_vs(gw) {\n expected_vs + := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n count(expected_vs) + == 0\n count(actual_vs) == 0\n}\n\n# Expected admin gateway details\nexpected_gw2vs + := {\n \"istio-admin-gateway/admin-gateway\": {\n \"keycloak-admin-admin-access-with-optional-client-certificate\",\n + \ \"neuvector-admin-neuvector-8443-neuvector-service-webui\", \"grafana-admin-grafana-80-grafana\",\n + \ },\n \"istio-passthrough-gateway/passthrough-gateway\": [],\n \"istio-tenant-gateway/tenant-gateway\": + {\n \"keycloak-tenant-remove-private-paths-from-public-gateway\",\n \"keycloak-tenant-public-auth-access-with-optional-client-certificate\",\n + \ \"keycloak-tenant-emulate-gitlab-authorize-endpoint\", \"keycloak-tenant-emulate-gitlab-user-endpoint\",\n + \ \"keycloak-tenant-emulate-gitlab-token-endpoint\",\n },\n}\n\n# Helper + to find Gateways\ngateways = {sprintf(\"%s/%s\", [gw.metadata.namespace, gw.metadata.name]) + |\n gw := input.gateways[_]\n}\n\n# Helper to find VirtualServices\nvirtual_services + = {vs.metadata.name |\n vs := input.virtualServices[_]\n}\n\n# Helper to list + VirtualServices using each Gateway\ngateway_virtual_services := {gw: {vs.metadata.name + |\n vs := input.virtualServices[_]\n gw_name := vs.spec.gateways[_]\n gw_name + == gw\n} |\n gw := gateways[_]\n}\n" + type: opa + title: gateway-configuration-check + uuid: 
b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: jwt-authz + namespaces: + - istio-system + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Authorization Policies do not require authentication" + + # Evaluation for Istio Authorization Policies + validate { + result_auth_policy.result + } + + msg = result_auth_policy.msg + + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" + + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" + } else = {"result": false, "msg": msg} { + msg := "Authorization Policy does not require authentication" + } + type: opa + title: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicies + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-rbac-enforcement-check + uuid: 
7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_authPolicies + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Istio RBAC not enforced" + + # Evaluation for Istio Authorization Policies + validate { + count(all_auth_policies) > 0 + } + + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + + msg = "Istio RBAC enforced" { + validate + } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) + type: opa + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + - description: | + lula-version: "" + metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: namespaces + resource-rule: + group: "" + name: "" + namespaces: [] + resource: namespaces + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempted_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.every + import future.keywords.in + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) + + # List of exempted namespaces + 
exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + } + type: opa + title: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: adminGateway + resource-rule: + group: networking.istio.io + name: admin-gateway + namespaces: + - istio-admin-gateway + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + # Default policy result + default validate = false + default admin_gw_exists = false + default admin_vs_match = false + default msg = "Not 
evaluated" + + validate { + result_admin_gw_exixts.result + result_admin_vs_match.result + } + + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) + + result_admin_gw_exixts = {"result": true, "msg": msg} { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := "Admin gateway exists." + } else = {"result": false, "msg": msg} { + msg := "Admin gateway does not exist." + } + + result_admin_vs_match = {"result": true, "msg": msg}{ + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) + } + + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} + + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} + + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + type: opa + title: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + - description: | + lula-version: "" + metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: 
egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: requestAuthentication + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: requestauthentications + version: v1beta1 + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both RequestAuthentication and AuthorizationPolicy are configured + validate { + authorization_policies_exist_and_configured.result + request_authentications_exist_and_configured.result + } + + msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) + + # Check AuthorizationPolicies exist and are configured + bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicy[_] + authPolicy.kind == "AuthorizationPolicy" + authorization_policy_not_configured(authPolicy) + } + + authorization_policy_not_configured(ap) { + # Check for missing or improperly configured rules + not ap.spec.rules + } + + authorization_policies_exist_and_configured = {"result": true, "msg": msg} { + count(input.authorizationPolicy) > 0 + count(bad_auth_policies) == 0 + msg := "All AuthorizationPolicies properly configured." + } else = {"result": false, "msg": msg} { + count(input.authorizationPolicy) == 0 + msg := "No AuthorizationPolicies found." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) + } + + # Check RequestAuthentications exist and are configured + bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | + ra := input.requestAuthentication[_] + ra.kind == "RequestAuthentication" + request_authentication_not_configured(ra) + } + + request_authentication_not_configured(ra) { + # Check for missing or improperly configured JWT rules + not ra.spec.jwtRules + } + + request_authentications_exist_and_configured = {"result": true, "msg": msg} { + count(input.requestAuthentication) > 0 + count(bad_request_authentications) == 0 + msg := "All RequestAuthentications properly configured." + } else = {"result": false, "msg": msg} { + count(input.requestAuthentication) == 0 + msg := "No RequestAuthentications found." + } else = {"result": false, "msg": msg} { + msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) + } + type: opa + title: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb + - description: | + lula-version: "" + metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + provider: + opa-spec: + rego: | + package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) 
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + type: opa + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + + validate { + has_proxyv2_sidecar.result + } + msg = has_proxyv2_sidecar.msg + + # Check for proxyv2 container in pod spec + no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] + + has_proxyv2_sidecar = {"result": true, "msg": msg} { + count(no_proxyv2) == 0 + msg := "All pods have Istio sidecar proxy." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) + } + + contains_proxyv2(pod) { + images := pod.spec.containers[_].image + contains(images, "/proxyv2:") + } + + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for metrics logging support + validate { + check_metrics_enabled.result + } + msg = check_metrics_enabled.msg + + check_metrics_enabled = { "result": true, "msg": msg } { + input.istioConfig.enablePrometheusMerge + msg := "Metrics logging supported" + } else = { "result": false, "msg": msg } { + msg := "Metrics logging not supported" + } + type: opa + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + components: + - control-implementations: + - description: Controls implemented by Istio and authservice that are inherited by applications + implemented-requirements: + - control-id: ac-4 + description: |- + # Control Implementation + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Check ingress traffic is encrypted + remarks: '# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.' + uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a + - control-id: ac-4.4 + description: |- + # Control Implementation + All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Check ingress traffic is encrypted + remarks: '# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method.' + uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + - control-id: ac-4.21 + description: |- + # Control Implementation + Istio is configured to use ingress and egress gateways to provide logical flow separation. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#0da39859-a91a-4ca6-bd8b-9b117689188f' + rel: lula + text: Check namespaces are istio injected + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: 'Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].' + uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d + - control-id: ac-6.3 + description: |- + # Control Implementation + Configured with an "admin" gateway to restrict access to applications that only need administrative access. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + remarks: 'Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.' + uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 + - control-id: ac-6.9 + description: |- + # Control Implementation + Istio produces logs for all traffic in the information system. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain priviledged function calls + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Log the execution of privileged functions. + uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 + - control-id: ac-14 + description: |- + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#e38c0695-10f6-40b6-b246-fa58b26ccd25' + rel: lula + text: Authorization policy implemented that enforces authentication for Keycloak + remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. 
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' + uuid: c8c03abd-244d-4813-a966-3feece1bad6a + - control-id: au-2 + description: |- + # Control Implementation + Istio logs all Istio event logs within the system's mesh network. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: 'a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].' + uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb + - control-id: au-3 + description: |- + # Control Implementation + Istio logs all Istio event logs within the system's mesh network. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#f346b797-be35-40a8-a93a-585db6fd56ec' + rel: lula + text: Check that Istio is configured to provide tracing data + remarks: 'Ensure that audit records contain information that establishes the following: a. 
What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.' + uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 + - control-id: au-3.1 + description: |- + # Control Implementation + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#70d99754-2918-400c-ac9a-319f874fff90' + rel: lula + text: Check that Istio is configured to provide metrics data + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#f345c359-3208-46fb-9348-959bd628301e' + rel: lula + text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape + remarks: 'Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. 
AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]' + uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 + - control-id: au-12 + description: |- + # Control Implementation + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: 'a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.' + uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 + - control-id: cm-5 + description: |- + # Control Implementation + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28' + rel: lula + text: Check that Istio is enforcing RBAC + - href: '#9b361d7b-4e07-40db-8b86-3854ed499a4b' + rel: lula + text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] + remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be + - control-id: sc-3 + description: |- + # Control Implementation + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: Isolate security functions from nonsecurity functions. + uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 + - control-id: sc-4 + description: |- + # Control Implementation + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#7455f86d-b79c-4226-9ce3-f3fb7d9348c8' + rel: lula + text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] + - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + remarks: Prevent unauthorized and unintended information transfer via shared system resources. + uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c + - control-id: sc-7.4 + description: |- + # Control Implementation + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#570e2dc7-e6c2-4ad5-8ea3-f07974f59747' + rel: lula + text: Resources in namespaces can securely communicate with Istio control plane via network policies + - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + rel: lula + text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to prevent unauthorized exchange of control plane traffic. + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. 
+ remarks: '(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks.' + uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 + - control-id: sc-7.8 + description: |- + # Control Implementation + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + - href: '#19faf69a-de74-4b78-a628-64a9f244ae13' + rel: lula + text: Check that external traffic is managed [PLACEHOLDER] + remarks: 'Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.' + uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 + - control-id: sc-7.20 + description: |- + # Control Implementation + Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.' + uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 + - control-id: sc-7.21 + description: |- + # Control Implementation + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].' + uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 + - control-id: sc-8 + description: |- + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.' + uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 + - control-id: sc-8.1 + description: |- + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.' + uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C + - control-id: sc-8.2 + description: |- + # Control Implementation + Istio implements with global configuration. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + rel: lula + text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to ensure confidentiality of information sent/received + remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' + uuid: c158b75a-cefc-4794-b124-f1e56ff5646d + - control-id: sc-10 + description: |- + # Control Implementation + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#663f5e92-6db4-4042-8b5a-eba3ebe5a622' + rel: lula + text: Istio terminates communication sessions after inactivity [PLACEHOLDER] + remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' + uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c + - control-id: sc-13 + description: |- + # Control Implementation + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Istio is encrypting ingress traffic + - href: '#8be1601e-5870-4573-ab4f-c1c199944815' + rel: lula + text: Istio is providing TLS origination at egress [PLACEHOLDER] + - href: '#73434890-2751-4894-b7b2-7e583b4a8977' + rel: lula + text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] + remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' + uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 + - control-id: sc-23 + description: |- + # Control Implementation + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. 
The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.' + uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 + - control-id: sc-39 + description: |- + # Control Implementation + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Maintain a separate execution domain for each executing system process. + uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + description: | + Istio Service Mesh + purpose: Istio Service Mesh + responsible-roles: + - party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + role-id: provider + title: Istio Controlplane + type: software + uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 + metadata: + last-modified: 2024-06-19T04:24:37.102736858Z + oscal-version: 1.1.2 + parties: + - links: + - href: https://uds.defenseunicorns.com/ + rel: website + name: Unicorn Delivery Service + type: organization + uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + title: Istio Controlplane + version: "20240614" + uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 From b43e6dffae0b0d42699340d02527820abdcbac4a Mon Sep 17 00:00:00 2001 
From: Andy Mills
Date: Fri, 28 Jun 2024 04:55:38 +0000
Subject: [PATCH 02/68] renamed /src/istio oscal, created root compliance dir, pre-composed root oscal-component.yaml
---
 compliance/oscal-component.yaml | 33 +
 src/istio/component.yaml | 1451 ----------------------
 src/istio/oscal-component.yaml | 2068 +++++++++++++++++++++----------
 3 files changed, 1457 insertions(+), 2095 deletions(-)
 create mode 100644 compliance/oscal-component.yaml
 delete mode 100644 src/istio/component.yaml
diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml
new file mode 100644
index 000000000..a5aa0b804
--- /dev/null
+++ b/compliance/oscal-component.yaml
@@ -0,0 +1,33 @@
+component-definition:
+ uuid: 8ef481dd-7924-42de-b426-ac300db35ec8
+ metadata:
+ title: UDS Core
+ last-modified: "2024-06-28T12:00:00Z"
+ version: "20240628"
+ oscal-version: 1.1.2
+ parties:
+ - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
+ type: organization
+ name: Defense Unicorns
+ links:
+ - href: https://github.com/defenseunicorns
+ rel: website
+
+ import-component-definitions:
+ - href: 'file:../src/istio/oscal-component.yaml'
+
+ capabilities:
+ - uuid: 857dcaf8-9080-4cf0-8029-8a03fcdde2df
+ name: UDS Core
+ description: >-
+ UDS Core is a secure runtime platform for mission-critical capabilities.
+ incorporates-components:
+ - component-uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1
+ description: Secure Istio Service Mesh
+
+ back-matter:
+ resources:
+ - rlinks:
+ - href: https://github.com/defenseunicorns/uds-coore/
+ title: UDS Core
+ uuid: 8fe4806d-4aef-4cf0-b9ed-d95d224e97bc
diff --git a/src/istio/component.yaml b/src/istio/component.yaml
deleted file mode 100644
index 9bb372756..000000000
--- a/src/istio/component.yaml
+++ /dev/null
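Review bot: The `component-uuid` under `incorporates-components` is 7e3269fc-fe33-49c9-be88-6c868e21aae1, which in the Istio file this commit renames was the top-level `component-definition` uuid, whereas the Istio component itself carried `uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690`; OSCAL resolves `component-uuid` against a component, so the capability would reference nothing unless the renamed file changed those identifiers (its hunk is not shown here). Suggest `- component-uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690` after confirming the value in src/istio/oscal-component.yaml. The back-matter rlink `https://github.com/defenseunicorns/uds-coore/` appears to misspell the repository name; since back-matter is the authoritative source reference for the component, verify it before this file is composed into downstream documents. The party uuid f3cf70f8-ba44-4e55-9ea3-389ef24847d3 is named `Defense Unicorns` here and `Unicorn Delivery Service` in the imported Istio definition, and one uuid should carry one name across the composed set.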
@@ -1,1451 +0,0 @@ -component-definition: - back-matter: - resources: - - rlinks: - - href: https://github.com/istio/istio/ - title: Istio Operator - uuid: 60826461-D279-468C-9E4B-614FAC44A306 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioMeshConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Logging not enabled or configured" - - # Check if Istio's Mesh Configuration has logging enabled - validate { - logging_enabled.result - } - - msg = logging_enabled.msg - - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" - } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" - } - type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - 
default msg = "Not evaluated" - - # Validate Istio configuration for event logging support - validate { - check_tracing_enabled.result - } - msg = check_tracing_enabled.msg - - check_tracing_enabled = { "result": true, "msg": msg } { - input.istioConfig.defaultConfig.tracing != null - input.istioConfig.defaultConfig.tracing.zipkin.address != "" - msg := "Tracing logging supported." - } else = { "result": false, "msg": msg } { - msg := "Tracing logging not supported." - } - type: opa - title: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.in - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Check for required Istio and Prometheus annotations - validate { - has_prometheus_annotation.result - } - msg = has_prometheus_annotation.msg - - # Check for prometheus annotations in pod spec - no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - - has_prometheus_annotation = {"result": true, "msg": msg} { - count(no_annotation) == 0 - msg := "All pods have correct prometheus annotations." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) - } - - contains_annotation(pod) { - annotations := pod.metadata.annotations - annotations["prometheus.io/scrape"] == "true" - annotations["prometheus.io/path"] != "" - annotations["prometheus.io/port"] == "15020" - } - - # Exemptions - exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - - description: | - lula-version: "" - metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: peerAuths - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: peerauthentications - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - import future.keywords.every - - # Default policy result - default validate = false - default all_strict = false - default msg = "Not evaluated" - - validate { - result_all_strict.result - } - - msg = concat(" ", [result_all_strict.msg]) - - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to 
STRICT." - } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." - } - type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_exempt - validation: validate.validate - rego: | - package validate - import future.keywords.every - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_gateways_allowed.result - } - msg := check_gateways_allowed.msg - msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - - # Collect gateways that do not encrypt ingress traffic - gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | - gateway := input.gateways[_]; - not allowed_gateway(gateway) - } - - check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { - count(gateways_disallowed) == 0 - } else = {"result": false, "msg": msg} { - msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) - } - - # Check allowed gateway - allowed_gateway(gateway) { - every server in gateway.spec.servers { - allowed_server(server) - } - } - - exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} - allowed_gateway(gateway) { - sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways - # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic - # Find all virtual services that use this gateway - # 
Check that vs has https scheme - } - - # Check allowed server spec in gateway - allowed_server(server) { - server.port.protocol == "HTTP" - server.tls.httpsRedirect == true - } - - allowed_server(server) { - server.port.protocol == "HTTPS" - server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} - } - type: opa - title: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: networkPolicies - resource-rule: - group: networking.k8s.io - name: "" - namespaces: [] - resource: networkpolicies - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - provider: - opa-spec: - output: - observations: - - validate.msg_correct - - validate.msg_incorrect - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" - - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} - - # Validate NetworkPolicy for Istiod in required namespaces - validate { - count(required_namespaces - correct_istiod_namespaces) == 0 - } - - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." 
- - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol - } - - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] - } - type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - - description: | - lula-version: "" - metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - provider: - opa-spec: - rego: | - package validate - validate := false - - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. - type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - - description: | - lula-version: "" - metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - provider: - opa-spec: - rego: | - package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? 
- type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioddeployment - resource-rule: - group: apps - name: istiod - namespaces: - - istio-system - resource: deployments - version: v1 - - description: "" - name: istiodhpa - resource-rule: - group: autoscaling - name: istiod - namespaces: - - istio-system - resource: horizontalpodautoscalers - version: v2 - type: kubernetes - lula-version: "" - metadata: - name: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - provider: - opa-spec: - output: - observations: - - istiohealth.deployment_message - - istiohealth.hpa_message - validation: istiohealth.is_istio_healthy - rego: | - package istiohealth - - default is_istio_healthy = false - default deployment_message = "Deployment status not evaluated" - default hpa_message = "HPA status not evaluated" - - # Check if the Istio Deployment is healthy - is_istio_healthy { - count(input.istioddeployment.status.conditions) > 0 - all_deployment_conditions_are_true - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - } - - all_deployment_conditions_are_true { - # Ensure every condition in the array has a status that is not "False" - all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} - count(all_true) == count(input.istioddeployment.status.conditions) - } - - deployment_message = msg { - all_deployment_conditions_are_true - msg := "All deployment conditions are true." - } else = msg { - msg := "One or more deployment conditions are false." - } - - hpa_message = msg { - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - msg := "HPA has sufficient replicas." - } else = msg { - msg := "HPA does not have sufficient replicas." 
- } - type: opa - title: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_actual - - validate.msg_expected - validation: validate.validate - rego: "package validate\n\nimport future.keywords.every\nimport future.keywords.in\n\n# - default values\ndefault validate = false\ndefault msg = \"Not evaluated\"\n\nvalidate - {\n check_expected_gw2vs.result\n}\nmsg := check_expected_gw2vs.msg\nmsg_actual - := sprintf(\"Gateways configured: %v. 
VirtualServices using Gateways: %v\", - [gateways, gateway_virtual_services])\nmsg_expected := sprintf(\"Expected VirtualServices - using Gateways: %v\", [expected_gw2vs])\n\ncheck_expected_gw2vs = {\"result\": - true, \"msg\": msg} {\n every gw in gateways {\n gw_uses_vs(gw) \n }\n - \ msg := \"Expected Virtual Services using expected Gateways\"\n} else = {\"result\": - false, \"msg\": \"Expected Virtual Services not using expected Gateways\"}\n\ngw_uses_vs(gw) - {\n expected_vs := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n - \ count(expected_vs - actual_vs) == 0\n}\ngw_uses_vs(gw) {\n expected_vs - := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n count(expected_vs) - == 0\n count(actual_vs) == 0\n}\n\n# Expected admin gateway details\nexpected_gw2vs - := {\n \"istio-admin-gateway/admin-gateway\": {\n \"keycloak-admin-admin-access-with-optional-client-certificate\",\n - \ \"neuvector-admin-neuvector-8443-neuvector-service-webui\", \"grafana-admin-grafana-80-grafana\",\n - \ },\n \"istio-passthrough-gateway/passthrough-gateway\": [],\n \"istio-tenant-gateway/tenant-gateway\": - {\n \"keycloak-tenant-remove-private-paths-from-public-gateway\",\n \"keycloak-tenant-public-auth-access-with-optional-client-certificate\",\n - \ \"keycloak-tenant-emulate-gitlab-authorize-endpoint\", \"keycloak-tenant-emulate-gitlab-user-endpoint\",\n - \ \"keycloak-tenant-emulate-gitlab-token-endpoint\",\n },\n}\n\n# Helper - to find Gateways\ngateways = {sprintf(\"%s/%s\", [gw.metadata.namespace, gw.metadata.name]) - |\n gw := input.gateways[_]\n}\n\n# Helper to find VirtualServices\nvirtual_services - = {vs.metadata.name |\n vs := input.virtualServices[_]\n}\n\n# Helper to list - VirtualServices using each Gateway\ngateway_virtual_services := {gw: {vs.metadata.name - |\n vs := input.virtualServices[_]\n gw_name := vs.spec.gateways[_]\n gw_name - == gw\n} |\n gw := gateways[_]\n}\n" - type: opa - title: gateway-configuration-check - uuid: 
b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: jwt-authz - namespaces: - - istio-system - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Authorization Policies do not require authentication" - - # Evaluation for Istio Authorization Policies - validate { - result_auth_policy.result - } - - msg = result_auth_policy.msg - - result_auth_policy = {"result": true, "msg": msg} { - # Check that authorization policy exists and require authentication - input.authorizationPolicy.kind == "AuthorizationPolicy" - - # "require authentication" is defined as having requestPrincipals defined - # and the selector.protect label is set to "keycloak" - input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null - input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" - msg := "Authorization Policy requires authentication for keycloak" - } else = {"result": false, "msg": msg} { - msg := "Authorization Policy does not require authentication" - } - type: opa - title: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicies - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-rbac-enforcement-check - uuid: 
7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_authPolicies - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Istio RBAC not enforced" - - # Evaluation for Istio Authorization Policies - validate { - count(all_auth_policies) > 0 - } - - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - - msg = "Istio RBAC enforced" { - validate - } - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) - type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - - description: | - lula-version: "" - metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: namespaces - resource-rule: - group: "" - name: "" - namespaces: [] - resource: namespaces - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempted_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.every - import future.keywords.in - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_non_istio_injected_namespaces.result - } - msg = check_non_istio_injected_namespaces.msg - exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) - - # List of exempted namespaces - 
exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", - "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", - "uds-dev-stack", "uds-policy-exemptions", "zarf"} - - # Collect non-Istio-injected namespaces - non_istio_injected_namespaces := {ns.metadata.name | - ns := input.namespaces[_] - ns.kind == "Namespace" - not ns.metadata.labels["istio-injection"] == "enabled" - not ns.metadata.name in exempted_namespaces - } - - # Check no non-Istio-injected namespaces - check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { - count(non_istio_injected_namespaces) == 0 - } else = { "result": false, "msg": msg } { - msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) - } - type: opa - title: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: adminGateway - resource-rule: - group: networking.istio.io - name: admin-gateway - namespaces: - - istio-admin-gateway - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Expected admin gateway details - expected_gateway := "admin-gateway" - expected_gateway_namespace := "istio-admin-gateway" - expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) - - # Default policy result - default validate = false - default admin_gw_exists = false - default admin_vs_match = false - default msg = "Not 
evaluated" - - validate { - result_admin_gw_exixts.result - result_admin_vs_match.result - } - - msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - - result_admin_gw_exixts = {"result": true, "msg": msg} { - input.adminGateway.kind == "Gateway" - input.adminGateway.metadata.name == expected_gateway - input.adminGateway.metadata.namespace == expected_gateway_namespace - msg := "Admin gateway exists." - } else = {"result": false, "msg": msg} { - msg := "Admin gateway does not exist." - } - - result_admin_vs_match = {"result": true, "msg": msg}{ - count(admin_vs-admin_vs_using_gateway) == 0 - count(all_vs_using_gateway-admin_vs_using_gateway) == 0 - msg := "Admin virtual services are using admin gateway." - } else = {"result": false, "msg": msg} { - msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) - } - - # Count admin virtual services - admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - - # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") - admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - - # Count all VirtualServices using the admin gateway - all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} - type: opa - title: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - lula-version: "" - metadata: - name: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - title: 
egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: requestAuthentication - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: requestauthentications - version: v1beta1 - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate := false - default msg := "Not evaluated" - - # Validate both RequestAuthentication and AuthorizationPolicy are configured - validate { - authorization_policies_exist_and_configured.result - request_authentications_exist_and_configured.result - } - - msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) - - # Check AuthorizationPolicies exist and are configured - bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicy[_] - authPolicy.kind == "AuthorizationPolicy" - authorization_policy_not_configured(authPolicy) - } - - authorization_policy_not_configured(ap) { - # Check for missing or improperly configured rules - not ap.spec.rules - } - - authorization_policies_exist_and_configured = {"result": true, "msg": msg} { - count(input.authorizationPolicy) > 0 - count(bad_auth_policies) == 0 - msg := "All AuthorizationPolicies properly configured." - } else = {"result": false, "msg": msg} { - count(input.authorizationPolicy) == 0 - msg := "No AuthorizationPolicies found." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) - } - - # Check RequestAuthentications exist and are configured - bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | - ra := input.requestAuthentication[_] - ra.kind == "RequestAuthentication" - request_authentication_not_configured(ra) - } - - request_authentication_not_configured(ra) { - # Check for missing or improperly configured JWT rules - not ra.spec.jwtRules - } - - request_authentications_exist_and_configured = {"result": true, "msg": msg} { - count(input.requestAuthentication) > 0 - count(bad_request_authentications) == 0 - msg := "All RequestAuthentications properly configured." - } else = {"result": false, "msg": msg} { - count(input.requestAuthentication) == 0 - msg := "No RequestAuthentications found." - } else = {"result": false, "msg": msg} { - msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) - } - type: opa - title: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb - - description: | - lula-version: "" - metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - provider: - opa-spec: - rego: | - package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) 
- # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - - import future.keywords.every - import future.keywords.in - - # Default policy result - default validate = false - default msg = "Not evaluated" - - exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - - validate { - has_proxyv2_sidecar.result - } - msg = has_proxyv2_sidecar.msg - - # Check for proxyv2 container in pod spec - no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] - - has_proxyv2_sidecar = {"result": true, "msg": msg} { - count(no_proxyv2) == 0 - msg := "All pods have Istio sidecar proxy." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) - } - - contains_proxyv2(pod) { - images := pod.spec.containers[_].image - contains(images, "/proxyv2:") - } - - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for metrics logging support - validate { - check_metrics_enabled.result - } - msg = check_metrics_enabled.msg - - check_metrics_enabled = { "result": true, "msg": msg } { - input.istioConfig.enablePrometheusMerge - msg := "Metrics logging supported" - } else = { "result": false, "msg": msg } { - msg := "Metrics logging not supported" - } - type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - components: - - control-implementations: - - description: Controls implemented by Istio and authservice that are inherited by applications - implemented-requirements: - - control-id: ac-4 - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' - rel: lula - text: Check ingress traffic is encrypted - remarks: '# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.' - uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - - control-id: ac-4.4 - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' - rel: lula - text: Check ingress traffic is encrypted - remarks: '# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method.' - uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 - - control-id: ac-4.21 - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#0da39859-a91a-4ca6-bd8b-9b117689188f' - rel: lula - text: Check namespaces are istio injected - - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: 'Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].' - uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - - control-id: ac-6.3 - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - remarks: 'Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.' - uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 - - control-id: ac-6.9 - description: |- - # Control Implementation - Istio produces logs for all traffic in the information system. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' - rel: lula - text: Check that Istio is logging all traffic which could contain priviledged function calls - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: Log the execution of privileged functions. - uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - - control-id: ac-14 - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#e38c0695-10f6-40b6-b246-fa58b26ccd25' - rel: lula - text: Authorization policy implemented that enforces authentication for Keycloak - remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. 
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' - uuid: c8c03abd-244d-4813-a966-3feece1bad6a - - control-id: au-2 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' - rel: lula - text: Check that Istio is logging all traffic which could contain audit events - remarks: 'a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].' - uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb - - control-id: au-3 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#f346b797-be35-40a8-a93a-585db6fd56ec' - rel: lula - text: Check that Istio is configured to provide tracing data - remarks: 'Ensure that audit records contain information that establishes the following: a. 
What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.' - uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 - - control-id: au-3.1 - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#70d99754-2918-400c-ac9a-319f874fff90' - rel: lula - text: Check that Istio is configured to provide metrics data - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: '#f345c359-3208-46fb-9348-959bd628301e' - rel: lula - text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape - remarks: 'Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. 
AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]' - uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 - - control-id: au-12 - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' - rel: lula - text: Check that Istio is logging all traffic which could contain audit events - remarks: 'a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.' - uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 - - control-id: cm-5 - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28' - rel: lula - text: Check that Istio is enforcing RBAC - - href: '#9b361d7b-4e07-40db-8b86-3854ed499a4b' - rel: lula - text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] - remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be - - control-id: sc-3 - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: Isolate security functions from nonsecurity functions. - uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - - control-id: sc-4 - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#7455f86d-b79c-4226-9ce3-f3fb7d9348c8' - rel: lula - text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] - - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' - rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - remarks: Prevent unauthorized and unintended information transfer via shared system resources. - uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c - - control-id: sc-7.4 - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#570e2dc7-e6c2-4ad5-8ea3-f07974f59747' - rel: lula - text: Resources in namespaces can securely communicate with Istio control plane via network policies - - href: '#3e217577-930e-4469-a999-1a5704b5cecb' - rel: lula - text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to prevent unauthorized exchange of control plane traffic. - - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. 
- remarks: '(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks.' - uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - - control-id: sc-7.8 - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' - rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - - href: '#19faf69a-de74-4b78-a628-64a9f244ae13' - rel: lula - text: Check that external traffic is managed [PLACEHOLDER] - remarks: 'Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.' - uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - - control-id: sc-7.20 - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: 'Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.' - uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 - - control-id: sc-7.21 - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: 'Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].' - uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 - - control-id: sc-8 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.' - uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - - control-id: sc-8.1 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: 'Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.' - uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C - - control-id: sc-8.2 - description: |- - # Control Implementation - Istio implements with global configuration. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: '#3e217577-930e-4469-a999-1a5704b5cecb' - rel: lula - text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to ensure confidentiality of information sent/received - remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' - uuid: c158b75a-cefc-4794-b124-f1e56ff5646d - - control-id: sc-10 - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#663f5e92-6db4-4042-8b5a-eba3ebe5a622' - rel: lula - text: Istio terminates communication sessions after inactivity [PLACEHOLDER] - remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' - uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - - control-id: sc-13 - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
- links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' - rel: lula - text: Istio is encrypting ingress traffic - - href: '#8be1601e-5870-4573-ab4f-c1c199944815' - rel: lula - text: Istio is providing TLS origination at egress [PLACEHOLDER] - - href: '#73434890-2751-4894-b7b2-7e583b4a8977' - rel: lula - text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] - remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' - uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - - control-id: sc-23 - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' - rel: lula - text: Check that Istio is enforcing mtls STRICT - remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. 
The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.' - uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 - - control-id: sc-39 - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - links: - - href: '#67456ae8-4505-4c93-b341-d977d90cb125' - rel: lula - text: Check that Istio is healthy - - href: '#1761ac07-80dd-47d2-947e-09f67943b986' - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: Maintain a separate execution domain for each executing system process. - uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c - description: | - Istio Service Mesh - purpose: Istio Service Mesh - responsible-roles: - - party-uuids: - - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - role-id: provider - title: Istio Controlplane - type: software - uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 - metadata: - last-modified: 2024-06-19T04:24:37.102736858Z - oscal-version: 1.1.2 - parties: - - links: - - href: https://uds.defenseunicorns.com/ - rel: website - name: Unicorn Delivery Service - type: organization - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - title: Istio Controlplane - version: "20240614" - uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 
diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index e1f621528..bce79cc33 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml 
@@ -1,671 +1,1451 @@ -# add the descriptions inline component-definition: - uuid: cc873a43-e9fa-433b-8c20-222d733daf1e - metadata: - title: Istio Controlplane - last-modified: "2024-01-18T16:41:56Z" - version: "20240118" - oscal-version: 1.1.1 - parties: - - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - type: organization - name: Defense Unicorns - links: - - href: https://defenseunicorns.com - rel: website + back-matter: + resources: + - rlinks: + - href: https://github.com/istio/istio/ + title: Istio Operator + uuid: 60826461-d279-468c-9e4b-614fac44a306 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioMeshConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - 
istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for event logging support + validate { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": true, "msg": msg } { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } { + msg := "Tracing logging not supported." + } + type: opa + title: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate { + has_prometheus_annotation.result + } + msg = has_prometheus_annotation.msg + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} { + 
count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." + } else = {"result": false, "msg": msg} { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: peerAuths + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + + # Default policy result + default validate = false + default all_strict = false + default msg = "Not evaluated" + + validate { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + 
mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." + } + type: opa + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_exempt + validation: validate.validate + rego: | + package validate + import future.keywords.every + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_gateways_allowed.result + } + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 + } else = {"result": false, "msg": msg} { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that 
route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + type: opa + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: networkPolicies + resource-rule: + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." 
+ + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? 
+ type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - description: "" + name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 + type: kubernetes + lula-version: "" + metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + provider: + opa-spec: + output: + observations: + - istiohealth.deployment_message + - istiohealth.hpa_message + validation: istiohealth.is_istio_healthy + rego: | + package istiohealth + + default is_istio_healthy = false + default deployment_message = "Deployment status not evaluated" + default hpa_message = "HPA status not evaluated" + + # Check if the Istio Deployment is healthy + is_istio_healthy { + count(input.istioddeployment.status.conditions) > 0 + all_deployment_conditions_are_true + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + } + + all_deployment_conditions_are_true { + # Ensure every condition in the array has a status that is not "False" + all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} + count(all_true) == count(input.istioddeployment.status.conditions) + } + + deployment_message = msg { + all_deployment_conditions_are_true + msg := "All deployment conditions are true." + } else = msg { + msg := "One or more deployment conditions are false." + } + + hpa_message = msg { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = msg { + msg := "HPA does not have sufficient replicas." 
+ } + type: opa + title: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + - description: | + lula-version: "" + metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_actual + - validate.msg_expected + validation: validate.validate + rego: "package validate\n\nimport future.keywords.every\nimport future.keywords.in\n\n# + default values\ndefault validate = false\ndefault msg = \"Not evaluated\"\n\nvalidate + {\n check_expected_gw2vs.result\n}\nmsg := check_expected_gw2vs.msg\nmsg_actual + := sprintf(\"Gateways configured: %v. 
VirtualServices using Gateways: %v\",
+ [gateways, gateway_virtual_services])\nmsg_expected := sprintf(\"Expected VirtualServices
+ using Gateways: %v\", [expected_gw2vs])\n\ncheck_expected_gw2vs = {\"result\":
+ true, \"msg\": msg} {\n every gw in gateways {\n gw_uses_vs(gw) \n }\n
+ \ msg := \"Expected Virtual Services using expected Gateways\"\n} else = {\"result\":
+ false, \"msg\": \"Expected Virtual Services not using expected Gateways\"}\n\ngw_uses_vs(gw)
+ {\n expected_vs := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n
+ \ count(expected_vs - actual_vs) == 0\n}\ngw_uses_vs(gw) {\n expected_vs
+ := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n count(expected_vs)
+ == 0\n count(actual_vs) == 0\n}\n\n# Expected admin gateway details\nexpected_gw2vs
+ := {\n \"istio-admin-gateway/admin-gateway\": {\n \"keycloak-admin-admin-access-with-optional-client-certificate\",\n
+ \ \"neuvector-admin-neuvector-8443-neuvector-service-webui\", \"grafana-admin-grafana-80-grafana\",\n
+ \ },\n \"istio-passthrough-gateway/passthrough-gateway\": [],\n \"istio-tenant-gateway/tenant-gateway\":
+ {\n \"keycloak-tenant-remove-private-paths-from-public-gateway\",\n \"keycloak-tenant-public-auth-access-with-optional-client-certificate\",\n
+ \ \"keycloak-tenant-emulate-gitlab-authorize-endpoint\", \"keycloak-tenant-emulate-gitlab-user-endpoint\",\n
+ \ \"keycloak-tenant-emulate-gitlab-token-endpoint\",\n },\n}\n\n# Helper
+ to find Gateways\ngateways = {sprintf(\"%s/%s\", [gw.metadata.namespace, gw.metadata.name])
+ |\n gw := input.gateways[_]\n}\n\n# Helper to find VirtualServices\nvirtual_services
+ = {vs.metadata.name |\n vs := input.virtualServices[_]\n}\n\n# Helper to list
+ VirtualServices using each Gateway\ngateway_virtual_services := {gw: {vs.metadata.name
+ |\n vs := input.virtualServices[_]\n gw_name := vs.spec.gateways[_]\n gw_name
+ == gw\n} |\n gw := gateways[_]\n}\n"
+ type: opa
+ title: gateway-configuration-check
+ uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: authorizationPolicy
+ resource-rule:
+ group: security.istio.io
+ name: jwt-authz
+ namespaces:
+ - istio-system
+ resource: authorizationpolicies
+ version: v1beta1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: istio-authorization-policies-require-authentication
+ uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ validation: validate.validate
+ rego: |
+ package validate
+
+ # Default policy result
+ default validate = false
+ default msg = "Authorization Policies do not require authentication"
+
+ # Evaluation for Istio Authorization Policies
+ validate {
+ result_auth_policy.result
+ }
+
+ msg = result_auth_policy.msg
+
+ result_auth_policy = {"result": true, "msg": msg} {
+ # Check that authorization policy exists and require authentication
+ input.authorizationPolicy.kind == "AuthorizationPolicy"
+
+ # "require authentication" is defined as having requestPrincipals defined
+ # and the selector.protect label is set to "keycloak"
+ input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null
+ input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak"
+ msg := "Authorization Policy requires authentication for keycloak"
+ } else = {"result": false, "msg": msg} {
+ msg := "Authorization Policy does not require authentication"
+ }
+ type: opa
+ title: istio-authorization-policies-require-authentication
+ uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: authorizationPolicies
+ resource-rule:
+ group: security.istio.io
+ name: ""
+ namespaces: []
+ resource: authorizationpolicies
+ version: v1beta1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: istio-rbac-enforcement-check
+ uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ - validate.msg_authPolicies
+ validation: validate.validate
+ rego: |
+ package validate
+
+ # Default policy result
+ default validate = false
+ default msg = "Istio RBAC not enforced"
+
+ # Evaluation for Istio Authorization Policies
+ validate {
+ count(all_auth_policies) > 0
+ }
+
+ # Get all authorization policies
+ all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) |
+ authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" }
+
+ msg = "Istio RBAC enforced" {
+ validate
+ }
+ msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)])
+ type: opa
+ title: istio-rbac-enforcement-check
+ uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28
+ - description: |
+ lula-version: ""
+ metadata:
+ name: authorized-traffic-egress-PLACEHOLDER
+ uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8
+ title: authorized-traffic-egress-PLACEHOLDER
+ uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: namespaces
+ resource-rule:
+ group: ""
+ name: ""
+ namespaces: []
+ resource: namespaces
+ version: v1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: all-namespaces-istio-injected
+ uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ - validate.exempted_namespaces_msg
+ validation: validate.validate
+ rego: |
+ package validate
+ import future.keywords.every
+ import future.keywords.in
+
+ default validate = false
+ default msg = "Not evaluated"
+
+ # Validation
+ validate {
+ check_non_istio_injected_namespaces.result
+ }
+ msg = check_non_istio_injected_namespaces.msg
+ exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)])
+
+ # List of exempted namespaces
+ exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway",
+ "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds",
+ "uds-dev-stack", "uds-policy-exemptions", "zarf"}
+
+ # Collect non-Istio-injected namespaces
+ non_istio_injected_namespaces := {ns.metadata.name |
+ ns := input.namespaces[_]
+ ns.kind == "Namespace"
+ not ns.metadata.labels["istio-injection"] == "enabled"
+ not ns.metadata.name in exempted_namespaces
+ }
+
+ # Check no non-Istio-injected namespaces
+ check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } {
+ count(non_istio_injected_namespaces) == 0
+ } else = { "result": false, "msg": msg } {
+ msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces])
+ }
+ type: opa
+ title: all-namespaces-istio-injected
+ uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: adminGateway
+ resource-rule:
+ group: networking.istio.io
+ name: admin-gateway
+ namespaces:
+ - istio-admin-gateway
+ resource: gateways
+ version: v1beta1
+ - description: ""
+ name: virtualServices
+ resource-rule:
+ group: networking.istio.io
+ name: ""
+ namespaces: []
+ resource: virtualservices
+ version: v1beta1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: check-istio-admin-gateway-and-usage
+ uuid: c6c9daf1-4196-406d-8679-312c0512ab2e
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ validation: validate.validate
+ rego: |
+ package validate
+
+ # Expected admin gateway details
+ expected_gateway := "admin-gateway"
+ expected_gateway_namespace := "istio-admin-gateway"
+ expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway])
+
+ # Default policy result
+ default validate = false
+ default admin_gw_exists = false
+ default admin_vs_match = false
+ default msg = "Not evaluated"
+
+ validate {
+ result_admin_gw_exixts.result
+ result_admin_vs_match.result
+ }
+
+ msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg])
+
+ result_admin_gw_exixts = {"result": true, "msg": msg} {
+ input.adminGateway.kind == "Gateway"
+ input.adminGateway.metadata.name == expected_gateway
+ input.adminGateway.metadata.namespace == expected_gateway_namespace
+ msg := "Admin gateway exists."
+ } else = {"result": false, "msg": msg} {
+ msg := "Admin gateway does not exist."
+ }
+
+ result_admin_vs_match = {"result": true, "msg": msg}{
+ count(admin_vs-admin_vs_using_gateway) == 0
+ count(all_vs_using_gateway-admin_vs_using_gateway) == 0
+ msg := "Admin virtual services are using admin gateway."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)])
+ }
+
+ # Count admin virtual services
+ admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")}
+
+ # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin")
+ admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name}
+
+ # Count all VirtualServices using the admin gateway
+ all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name}
+ type: opa
+ title: check-istio-admin-gateway-and-usage
+ uuid: c6c9daf1-4196-406d-8679-312c0512ab2e
+ - description: |
+ lula-version: ""
+ metadata:
+ name: egress-gateway-exists-and-configured-PLACEHOLDER
+ uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9
+ title: egress-gateway-exists-and-configured-PLACEHOLDER
+ uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: requestAuthentication
+ resource-rule:
+ group: security.istio.io
+ name: ""
+ namespaces: []
+ resource: requestauthentications
+ version: v1beta1
+ - description: ""
+ name: authorizationPolicy
+ resource-rule:
+ group: security.istio.io
+ name: ""
+ namespaces: []
+ resource: authorizationpolicies
+ version: v1beta1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: request-authenication-and-auth-policies-configured
+ uuid: 3e217577-930e-4469-a999-1a5704b5cecb
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ validation: validate.validate
+ rego: |
+ package validate
+
+ # Default policy result
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validate both RequestAuthentication and AuthorizationPolicy are configured
+ validate {
+ authorization_policies_exist_and_configured.result
+ request_authentications_exist_and_configured.result
+ }
+
+ msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg])
+
+ # Check AuthorizationPolicies exist and are configured
+ bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) |
+ authPolicy := input.authorizationPolicy[_]
+ authPolicy.kind == "AuthorizationPolicy"
+ authorization_policy_not_configured(authPolicy)
+ }
+
+ authorization_policy_not_configured(ap) {
+ # Check for missing or improperly configured rules
+ not ap.spec.rules
+ }
+
+ authorization_policies_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.authorizationPolicy) > 0
+ count(bad_auth_policies) == 0
+ msg := "All AuthorizationPolicies properly configured."
+ } else = {"result": false, "msg": msg} {
+ count(input.authorizationPolicy) == 0
+ msg := "No AuthorizationPolicies found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)])
+ }
+
+ # Check RequestAuthentications exist and are configured
+ bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) |
+ ra := input.requestAuthentication[_]
+ ra.kind == "RequestAuthentication"
+ request_authentication_not_configured(ra)
+ }
+
+ request_authentication_not_configured(ra) {
+ # Check for missing or improperly configured JWT rules
+ not ra.spec.jwtRules
+ }
+
+ request_authentications_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.requestAuthentication) > 0
+ count(bad_request_authentications) == 0
+ msg := "All RequestAuthentications properly configured."
+ } else = {"result": false, "msg": msg} {
+ count(input.requestAuthentication) == 0
+ msg := "No RequestAuthentications found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)])
+ }
+ type: opa
+ title: request-authenication-and-auth-policies-configured
+ uuid: 3e217577-930e-4469-a999-1a5704b5cecb
+ - description: |
+ lula-version: ""
+ metadata:
+ name: external-traffic-managed-PLACEHOLDER
+ uuid: 19faf69a-de74-4b78-a628-64a9f244ae13
+ provider:
+ opa-spec:
+ rego: |
+ package validate
+ default validate := false
+ # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY)
+ # Possibly would need a ServiceEntry(?)
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services)
+ type: opa
+ title: external-traffic-managed-PLACEHOLDER
+ uuid: 19faf69a-de74-4b78-a628-64a9f244ae13
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: pods
+ resource-rule:
+ group: ""
+ name: ""
+ namespaces: []
+ resource: pods
+ version: v1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: all-pods-istio-injected
+ uuid: 1761ac07-80dd-47d2-947e-09f67943b986
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ - validate.exempt_namespaces_msg
+ validation: validate.validate
+ rego: |
+ package validate
+
+ import future.keywords.every
+ import future.keywords.in
+
+ # Default policy result
+ default validate = false
+ default msg = "Not evaluated"
+
+ exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"}
+ exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)])
+
+ validate {
+ has_proxyv2_sidecar.result
+ }
+ msg = has_proxyv2_sidecar.msg
+
+ # Check for proxyv2 container in pod spec
+ no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)]
+
+ has_proxyv2_sidecar = {"result": true, "msg": msg} {
+ count(no_proxyv2) == 0
+ msg := "All pods have Istio sidecar proxy."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)])
+ }
+
+ contains_proxyv2(pod) {
+ images := pod.spec.containers[_].image
+ contains(images, "/proxyv2:")
+ }
+
+ is_exempt(pod) {
+ pod.metadata.namespace in exempt_namespaces
+ }
+ type: opa
+ title: all-pods-istio-injected
+ uuid: 1761ac07-80dd-47d2-947e-09f67943b986
+ - description: |
+ domain:
+ kubernetes-spec:
+ create-resources: null
+ resources:
+ - description: ""
+ name: istioConfig
+ resource-rule:
+ field:
+ base64: false
+ jsonpath: .data.mesh
+ type: yaml
+ group: ""
+ name: istio
+ namespaces:
+ - istio-system
+ resource: configmaps
+ version: v1
+ type: kubernetes
+ lula-version: ""
+ metadata:
+ name: istio-metrics-logging-configured
+ uuid: 70d99754-2918-400c-ac9a-319f874fff90
+ provider:
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ validation: validate.validate
+ rego: |
+ package validate
+
+ # Default policy result
+ default validate = false
+ default msg = "Not evaluated"
+
+ # Validate Istio configuration for metrics logging support
+ validate {
+ check_metrics_enabled.result
+ }
+ msg = check_metrics_enabled.msg
+
+ check_metrics_enabled = { "result": true, "msg": msg } {
+ input.istioConfig.enablePrometheusMerge
+ msg := "Metrics logging supported"
+ } else = { "result": false, "msg": msg } {
+ msg := "Metrics logging not supported"
+ }
+ type: opa
+ title: istio-metrics-logging-configured
+ uuid: 70d99754-2918-400c-ac9a-319f874fff90
 components:
- - uuid: e7e62a4f-8ae7-4fb0-812c-60ea6ae26374
- type: software
- title: Istio Controlplane
- description: |
- Istio Service Mesh
- purpose: Istio Service Mesh
- responsible-roles:
- - role-id: provider
- party-uuids:
- - f3cf70f8-ba44-4e55-9ea3-389ef24847d3
- control-implementations:
- - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
- source:
https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - description: Controls implemented by Istio and authservice that are inherited by applications + - control-implementations: + - description: Controls implemented by Istio and authservice that are inherited by applications implemented-requirements: - - uuid: 17b76910-1395-48a2-9441-edbb7c1f04ec - control-id: ac-3 - description: >- - # Control Description - Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - # Control Implementation - Istio implements with global configuration. - - # How Istio Helps - Istio helps implement access enforcement in two ways: limiting service-to-service access (see AC-4 below), - and acting as an enforcement point for end user authentication and authorization (AC-3, this section). - - Service to Service Access: Istio provides authenticatable runtime identities for all applications in the mesh in the form of X.509 certificates. - Those certificates are used for encryption in transit as well as authentication of the service's identity. - This authenticated principal can be used for access control of service to service communication via Istio's AuthorizationPolicy. - We cover this in detail in AC-4, Information Flow Enforcement, below. - - End User Authentication and Authorization: Istio facilitates end user authentication and authorization in two ways: - 1. Istio has native support for JWT authentication and authorization based on JWT claims. - It can be configured to extract a JWT from each request's headers, validate them against issuers and with specific keys, and limit access based on any of the JWT's fields. - 2. Istio supports extracting metadata from each request and forwarding it to an external authentication and authorization server. 
- Istio will enforce the verdict returned by this server, and can attach additional metadata returned by the server (e.g., an internal JWT in place of an external API key). - - remarks: This control is fully implemented by this tool. - - - uuid: b4383b6b-bcdf-41db-a323-873de77ba46b - control-id: ac-4 - description: >- - # Control Description - Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? - Istio encrypts all in-mesh communication at runtime using the service's identity. - This provides TLS for all applications in the mesh. If you're using the Tetrate Istio Distribution, then this TLS is FIPS verified. mTLS is configured through the PeerAuthentication resource, and should be set to STRICT to enforce mTLS between all components of the information system. - Istio's AuthorizationPolicy controls service-to-service communication within the mesh. - Combined with Istio ingress and egress gateways, as well as a few installation settings, Istio can manage all traffic into and out of your deployment. - In addition to AuthorizationPolicies controlling traffic in the mesh, Istio ingress gateways terminate HTTPS on behalf of applications in the mesh (AC-4 (4) - not required by moderate but valuable nonetheless). - By managing how traffic flows out of applications using VirtualServices or ServiceEntries, all traffic leaving your infrastructure can be channeled through an egress gateway. - Egress gateways can audit and limit how traffic flows to external services outside of the information system under control. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 19bd393a-25fb-4ef1-9633-5fc510247d69 - control-id: ac-4.4 - description: >- - # Control Description - Prevent encrypted information from bypassing [Assignment: intrusion detection mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. - - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - - remarks: This control is fully implemented by this tool. - - - uuid: 2e0879f1-381d-445d-b201-8ba3a1194147 - control-id: ac-4.21 - description: >- - # Control Description - Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? - When Istio is configured as above for AC-4 limiting access to services within the information system and controlling communication ingress and egress to and from the information system it provides logical separation of information flows. - Istio policies can provide this separation at the finest grain possible. For example, for HTTP traffic, Istio provides the ability to limit communication per verb and path, as well as based on header values or end-user credentials stored at headers, in addition to controlling traffic with the traditional network five-tuple. - Istio enforces the policy at the application instance itself. - - remarks: This control is fully met by this tool. 
- - - uuid: 7e8f7b8e-e95a-479b-96dd-7ff0bf957a84 - control-id: ac-6.3 - description: >- - # Control Description - Authorize network access to [Assignment: [all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. - - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need sysadmin access. - - remarks: This control is fully implemented by this tool. - - - uuid: 36e1ad45-4c25-42b0-b06b-889734fde442 - control-id: ac-6.9 - description: >- - # Control Description - Log the execution of privileged functions. - - # Control Implementation - Istio implements with global configuration. - - # How does Istio help? - Istio produces logs for all traffic in the information system see AU-3 below for more information on what information is logged and how to configure additional information to be logged with each access. - As long as the privileged functions are exposed as network endpoints in the information system, Istio will log their use like it logs all other network traffic. - Logging privileged use outside of the information system like using kubectl to access the cluster directly is outside of the scope of Istio's runtime logging. - - remarks: This control is fully implemented by this tool. - - - uuid: 25609c9a-a482-49e3-ba76-2cee88a5932a - control-id: ac-14 - description: >- - # Control Description - "a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and - b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? 
- Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. - This is configured using RequestAuthentication and AuthorizationPolicy resources, described at length in AC-4 above. - Using this, Istio's authorization policy becomes documentation of services that do not require authentication. - - remarks: This control is fully implemented by this tool. - - - uuid: 908b6b76-978d-4089-a422-3112656c8452 - control-id: ac-17.3 - description: >- - # Control Description - Route remote accesses through authorized and managed network access control points. - - # Control Implementation - Istio routes remote access through correct configuration and managed network access control points. - - remarks: This control is fully implemented by this tool. - - - uuid: 524006e4-67d7-4124-8679-58392ab20cbb - control-id: au-2 - description: >- - # Control Description - "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; - b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; - d. 
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - - # Control Implementation - Istio provides access logs for all HTTP network requests, including mission applications. - - remarks: This control is fully implemented by this tool - - - uuid: a8e9fcc9-f900-4467-9287-b288341c9575 - control-id: au-3 - description: >- - # Control Description - "Ensure that audit records contain information that establishes the following: - a. What type of event occurred; - b. When the event occurred; - c. Where the event occurred; - d. Source of the event; - e. Outcome of the event; and - f. Identity of any individuals, subjects, or objects/entities associated with the event." - - # Control Implementation - Istio implements with global configuration. - - # How does Istio help? - Istio generates access logs for all traffic in the mesh (ingress, internal, and egress) that is a superset of the data in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). - For HTTP traffic, this includes timestamp, source and destination IPs, request verb, response code, and more. - You can get a full overview of the data that is provided [in the Istio documentation](https://istio.io/latest/docs/tasks/observability/logs/access-log/). - The format of these logs can be configured per deployment or globally at install time to conform with requirements of existing log analysis tools or other organizational needs. - By default, Envoy sidecars in the mesh emit these logs as text to standard out. However, Envoy can be configured to forward this log data over gRPC to a server that aggregates (and potentially acts on) them. - This is called the [Access Log Service (ALS)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto). 
- These can be augmented by application-specific audit logging, but for many services (and HTTP services especially), the mesh's logs are sufficient to reconstruct an understanding of events to perform an audit. - - remarks: This control is fully implemented by this tool. - - - uuid: 1db223f2-4b59-424a-9bb5-d7a6a2f381e8 - control-id: au-3.1 - description: >- - # Control Description - Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. - + - control-id: ac-4 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio help? - Istio’s access logs can be configured to produce additional information as needed by the organization. - - remarks: This control is fully implemented by this tool. - - - uuid: 4739a734-5ad6-4898-afb7-00561ee84736 - control-id: au-9 - description: >- - # Control Description - "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and - b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - If you’re using Istio to produce audit information (see AU-3, AU-3 (1)), then the logs that Istio produces are subject to AU-9 controls. - Protecting the logs that Istio produces is outside of the scope of Istio itself, but integrating your log ingestion and protection system with the logs that Istio produces, you can easily satisfy this requirement. 
- Kubernetes RBAC should be configured to allow only specific users access to the log files Envoy produces, ideally no users should have direct access and instead only access logs via the log ingestion system (like Splunk). - - remarks: This control is fully implemented by this tool. - - - uuid: 395a4976-bf4a-4193-b928-05a0700e03fb - control-id: au-9.2 - description: >- - # Control Description - Store audit records [Assignment: oat least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - See AU-9 above, but in short: ensure that Istio’s logging configuration aligns with your larger log collection pipeline. The log collection pipeline itself should implement the AU-9 controls required by the organization. - - remarks: This control is fully implemented by this tool. - - - uuid: b06017d9-c9ab-462d-9861-99b9849f4ee4 - control-id: au-12 - description: >- - # Control Description - "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: all information system and network components where audit capability is deployed/available]; - b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and - c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - - # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. These events are a subset of all events defined by most organizations in AU-2 a. as worthy of audit. - See AU-3 for details of the information that can be generated, and AU-3 (1) for information on customizing it. 
- If the only events to be logged per AU-2 a. are network events, then Istio satisfies AU-12 fully for the information system. - - remarks: This control is fully implemented by this tool. - - - uuid: bf8b66b2-8909-4935-98ba-189bf3ffde03 - control-id: cm-5 - description: >- - # Control Description - Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - Istio is configured with Kubernetes Custom Resources. As such it can be configured as code, and managed by your existing CM-5 conformant code management processes. - Kubernetes RBAC should be used to control who can change which configuration at runtime. - UDS Core implements CM-5 controls by implementing infrastructure as code practices, configuring Kubernetes RBAC to prevent humans from authoring configuration and allowing only continuous delivery systems (Flux, by default) to author runtime configuration. Since all configuration is managed in this CM-5 conformant way, Istio’s configuration is controlled in a CM-5 conformant way. - - remarks: This control is fully implemented by this tool. - - - uuid: 3ee327e1-2cce-4908-a78d-99e65ce2333a - control-id: cm-6 - description: >- - # Control Description - "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: United States Government Configuration Baseline (USGCB)]; - b. Implement the configuration settings; - c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and - d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." 
- - "CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings or establishes its own configuration settings if USGCB is not available. - CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). - CM-6 (a) Guidance: Information on the USGCB can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." - - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - This document provides the guidance for configuring Istio, both globally as well as for mission teams. Additional best practices should be followed, including: - - NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture - - NIST SP 800-204B: Attribute-based Access Control for Microservices-based Applications using a Service Mesh - Tetrate helps maintain and periodically audits UDS Core’s Istio configurations to ensure they implement best practice defaults. - - remarks: This control is fully implemented by this tool. - - - uuid: 0ab5781b-2f6b-4c71-83ef-e00f10c7ed93 - control-id: cm-8.1 - description: >- - # Control Description - Update the inventory of system components as part of component installations, removals, and system updates. - - # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio’s service inventory is updated continuously from the Kubernetes API server (the information system’s source of truth for what applications are running). Therefore, the inventory is updated when components of the information system are installed or removed. As a result, Istio implements CM-8 (1) for the information system. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 8d72738e-99ae-40e8-9fc0-bdfc51d24121 - control-id: cm-8.2 - description: >- - # Control Description - Update the inventory of system components as part of component installations, removals, and system updates. - + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Check ingress traffic is encrypted + remarks: '# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.' + uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a + - control-id: ac-4.4 + description: |- # Control Implementation - Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali. The inventory is automatically and continuously updated. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 3d88af30-61e0-47ed-a495-74ca61ce99a7 - control-id: ia-2 - description: >- - # Control Description - Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. - + All encrypted HTTPS connections are terminated at the Istio ingress gateway. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Check ingress traffic is encrypted + remarks: '# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method.' + uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + - control-id: ac-4.21 + description: |- # Control Implementation - Istio implements with mission team configuration. - - # How does Istio Help? - Istio can be used to implement authentication of end-user credentials for applications in the mesh. This is typically configured via Istio’s external authorization service or by validating JWTs on each request (see AC-3). - If components in the information system are protected by Istio configured to validate end-user credentials, then Istio satisfies the authentication clause IA-2: “[the information system] authenticates organizational users (or processes acting on behalf or organizational users).” - Assigning user identities themselves, and ensuring their uniqueness, is out of scope of Istio. 
(Istio does assign identities to applications or processes running in the information system – see AC-4.) - - remarks: This control is fully implemented by this tool. - - - uuid: 4b28dcb2-f7fb-4944-9661-1182ccf197b2 - control-id: ia-4 - description: >- - # Control Description - "Manage system identifiers by: - a. Receiving authorization from [Assignment: oat a minimum, the ISSO (or similar role within the organization)] to assign an individual, group, role, service, or device identifier; - b. Selecting an identifier that identifies an individual, group, role, service, or device; - c. Assigning the identifier to the intended individual, group, role, service, or device; and - d. Preventing reuse of identifiers for [Assignment: at least two (2) years]." - + Istio is configured to use ingress and egress gateways to provide logical flow separation. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#0da39859-a91a-4ca6-bd8b-9b117689188f' + rel: lula + text: Check namespaces are istio injected + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: 'Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].' + uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d + - control-id: ac-6.3 + description: |- # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - Istio assigned identities to runtime entities based on their Kubernetes service account. Service accounts are unique per (namespace, service account name) pair and are assigned to all pods in the cluster. 
- Pods should opt in to using a specific service account, but if they do not then Kubernetes provides a default service account per namespace. - - The identities Istio assigned are: - a. Authorized for the specific application by checking against the Kubernetes API server (the system of record for runtime identities). - b. Each service receives an identity from Kubernetes at runtime, whether it is assigned explicitly or not. - c. Sent only to correct workloads because Istio authenticates runtime proofs (mainly, the pod’s service account token) in addition to authorizing the identity by checking with the Kubernetes API server. - d. Service accounts in Kubernetes are unique. However, Kubernetes-level controls (out of the scope of Istio) need to be implemented to ensure that identities are not re-used. - e. The Kubernetes service account lifecycle is out of scope of Istio. A Kubernetes-level control is need to satisfy this requirement. - - remarks: This control is fully implemented by this tool. - - - uuid: 501ef187-1344-40bf-a697-127ae1d65a41 - control-id: ia-7 - description: >- - # Control Description - Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. - + Configured with an "admin" gateway to restrict access to applications that only need administrative access. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + remarks: 'Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.' 
+ uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 + - control-id: ac-6.9 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit for all applications in the mesh, and can also provide TLS termination at ingress and TLS origination at egress. Tetrate Istio Distribution (TID) is the only FIPS 140-2 Verified Istio distribution that exists. It is available from the Iron Bank. - When using the TID FIPS builds, all communication between components of the information system is encrypted using FIPS 140-2 verified software. - - remarks: This control is fully implemented by this tool. - - - uuid: 902e23be-f46b-416e-b407-fa579be28612 - control-id: sc-3 - description: >- - # Control Description - Isolate security functions from nonsecurity functions. - + Istio produces logs for all traffic in the information system. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain priviledged function calls + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Log the execution of privileged functions. + uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 + - control-id: ac-14 + description: |- # Control Implementation - Istio breaks-down services into microservices to isolate security functions from non-security functions. - - remarks: This control is fully implemented by this tool. - - - uuid: 11732a14-62d3-43ff-b294-5b2508b8e967 - control-id: sc-4 - description: >- - # Control Description - Prevent unauthorized and unintended information transfer via shared system resources. - + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#e38c0695-10f6-40b6-b246-fa58b26ccd25' + rel: lula + text: Authorization policy implemented that enforces authentication for Keycloak + remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' + uuid: c8c03abd-244d-4813-a966-3feece1bad6a + - control-id: au-2 + description: |- # Control Implementation - Istio can enforce that outbound traffic goes through an Egress Gateway. When combined with a Network Policy, you can enforce all traffic, or some subset, goes through the egress gateway to prevent unauthorized and unintended information transfer via shared system resources. - - remarks: This control is fully implemented by this tool. - - - uuid: 8258a234-68c6-4b0b-b527-b58e5b39ecda - control-id: sc-5 - description: >- - # Control Description - "a. [Selection: Protect against] the effects of the following types of denial-of-service events: [Assignment: at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack]; and - b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." - + Istio logs all Istio event logs within the system's mesh network. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: 'a. 
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].' + uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb + - control-id: au-3 + description: |- # Control Implementation - Istio monitors the egress traffic and enforces all the security policies. Monitoring the egress traffic, enables you to analyze, possibly offline, and detect an attack. - - - uuid: 8fcf76d0-a612-4f1a-8c07-2dfe03d7b03a - control-id: sc-7 - description: >- - # Control Description - "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; - b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and - c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - + Istio logs all Istio event logs within the system's mesh network. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#f346b797-be35-40a8-a93a-585db6fd56ec' + rel: lula + text: Check that Istio is configured to provide tracing data + remarks: 'Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.' + uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 + - control-id: au-3.1 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio alone can not completely satisfy the SC-7 requirement, because Istio sits at Layer 4 and above, in other words it sits atop the IP network you provide it. However, Istio can aid in implementing boundary protection in your stack: - a. Istio provides monitoring (AU-12) and control of traffic ingress into and egressing out of the cluster, as well as internally for all communication between components. If all information system components are running in the cluster, this satisfies SC-7 a. - b. Istio operates at layer 4 and above - it cannot implement sub-networks at the IP layer. However, Istio can be used for logical separation of components at runtime (see AC-4 (21)). - Istio’s separation should be augmented with network-level separation, e.g. via a CNI plugin, to help implement a defense in depth strategy. - c. The only ingress into the cluster is via Istio gateways (AC-3), egress is controlled by Istio gateways (AC-4). If all information system components are running in the cluster, this satisfies the needs of SC-7 c. - Further, access policy can be applied at both points, as well as at every application instance via Istio’s sidecar. 
This gives the organization the opportunity to implement more fine-grained controls than is needed by SC-7. - - remarks: This control is fully implemented by this tool. - - - uuid: cbc3fcca-7628-4f70-ac40-8bea413ae4dc - control-id: sc-7.4 - description: >- - # Control Description - "(a) Implement a managed interface for each external telecommunication service; - (b) Establish a traffic flow policy for each managed interface; - (c) Protect the confidentiality and integrity of the information being transmitted across each interface; - (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; - (e) Review exceptions to the traffic flow policy [Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need; - (f) Prevent unauthorized exchange of control plane traffic with external networks; - (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and - (h) Filter unauthorized control plane traffic from external networks." - + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#70d99754-2918-400c-ac9a-319f874fff90' + rel: lula + text: Check that Istio is configured to provide metrics data + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#f345c359-3208-46fb-9348-959bd628301e' + rel: lula + text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape + remarks: 'Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]' + uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 + - control-id: au-12 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Like SC-7, Istio works in tandem with a few other components of the infrastructure to satisfy SC-7 (4). - For example, it’s common to use an identity-aware proxy (like UDS Core’s CNAP), or even a cloud provider load balancer (like an ELB) as the initial interface for an external service, immediately passing the requests on to Istio’s ingress. - For all of the information system components in the cluster: - a. Istio provides an interface its ingress and egress gateways for external network traffic. Istio allows configuring how that interface is exposed, including ports and protocols as well as certificates that are served. See AC-4. - b. Istio provides fine-grained layer 7 policy on each request to control how traffic flows through that ingress. 
It enforces this policy at ingress gateways to control the external traffic ingress into your information system. - Istio also enforces them at egress gateways to control how components of your information system communicate with external systems. See AC-4. - c. Istio’s ingress gateways serve TLS (or mTLS) to external systems, and Istio provides mTLS between applications of the information system in the mesh. See AC-4. - d. Istio must be explicitly configured to allow exceptions, either in AuthorizationPolicy documents controlling runtime access or in resource annotations exempting traffic from Istio’s sidecar. - These can be used as supporting documents for SC-7 (4) d., but will need to be augmented with organizational documentation citing specific mission needs and durations. - e. This is an organizational activity out of the scope of Istio. - - remarks: This control is fully implemented by this tool. - - - uuid: e8c72e81-4e58-42cb-bcd4-714df65e2225 - control-id: sc-7.5 - description: >- - # Control Description - Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: any systems]]. - + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#90738c86-6315-450a-ac69-cc50eb4859cc' + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: 'a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. 
Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.' + uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 + - control-id: cm-5 + description: |- # Control Implementation - Istio implements with mission team configuration. - - # How does Istio Help? - At ingress and egress gateways, Istio denies all traffic that does not have explicit traffic routing policies in the form of a VirtualService attached to the gateways. - Inside of the mesh, and to control egress out to external services, you can author AuthorizationPolicies to limit access. - Those policies must be written in the “allow with positive matching” style. - Together, Istio implements the SC-7 (5) control on behalf of applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 6ef57828-3fda-49a6-8b18-e4926ade2e05 - control-id: sc-7.8 - description: >- - # Control Description - Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. - + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28' + rel: lula + text: Check that Istio is enforcing RBAC + - href: '#9b361d7b-4e07-40db-8b86-3854ed499a4b' + rel: lula + text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] + remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be + - control-id: sc-3 + description: |- # Control Implementation - Istio’s traffic management model relies on the Envoy proxies that are deployed along with the services. - All traffic that the mesh services send and receive (data plane traffic) is proxied through Envoy, making it easy to direct and control traffic around the mesh without making any changes to the services. - - remarks: This control is fully implemented by this tool. - - - uuid: e288c006-3a9d-44d7-91c9-61a4260bc148 - control-id: sc-7.10 - description: >- - # Control Description - "(a) Prevent the exfiltration of information; and - (b) Conduct exfiltration tests [Assignment: organization-defined frequency]." - Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol - formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, - monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. 
Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence - to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with - cross-domain solutions and system guards that enforce information flow requirements. - + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#c6c9daf1-4196-406d-8679-312c0512ab2e' + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: Isolate security functions from nonsecurity functions. + uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 + - control-id: sc-4 + description: |- # Control Implementation - Istio can set an alert to detect attempted data exfiltration by a service in the cluster. In this mode, Prometheus can tell you both the source and (attempted) destination workload for the blocked request. - The Istio System manages the ingress and egress network traffic permitted within your OPA-integrated Istio service mesh. You can specify egress traffic is only allowed to a predefined collection of endpoints to minimize the risk of data exfiltration or to implement microservice API authorization. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 5aadb273-8674-4220-b905-3828b57499cb - control-id: sc-7.20 - description: >- - # Control Description - Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. - + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#7455f86d-b79c-4226-9ce3-f3fb7d9348c8' + rel: lula + text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] + - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + remarks: Prevent unauthorized and unintended information transfer via shared system resources. + uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c + - control-id: sc-7.4 + description: |- # Control Implementation - Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. - These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. - If the goal of the operator is not to distribute load across zones and regions but rather to restrict the region of failover to meet other operational requirements an operator can set a ‘failover’ policy instead of a ‘distribute’ policy. - - remarks: This control is fully implemented by this tool. - - - uuid: 35490063-9fc5-4ea7-ae6e-4ef25fbf2d5a - control-id: sc-7.21 - description: >- - # Control Description - Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. 
- + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#570e2dc7-e6c2-4ad5-8ea3-f07974f59747' + rel: lula + text: Resources in namespaces can securely communicate with Istio control plane via network policies + - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + rel: lula + text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to prevent unauthorized exchange of control plane traffic. + - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: '(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks.' 
+ uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 + - control-id: sc-7.8 + description: |- # Control Implementation - Multi-mesh deployments facilitate division of a system into subsystems with different security and compliance requirements, and facilitate the boundary protection. - You put each subsystem into a separate service mesh, preferably on a separate network. You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of each mesh. - Istio isolation boundaries can run multiple TSB-managed Istio environments within a Kubernetes cluster, or spanning several clusters. - These Istio environments are isolated from each other in terms of service discovery and config distribution. - - remarks: This control is fully implemented by this tool. - - - uuid: d07f799b-d95c-461e-ae03-4f174ada99bb - control-id: sc-7.25 - description: >- - # Control Description - Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. - + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ecdb90c7-971a-4442-8f29-a8b0f6076bc9' + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + - href: '#19faf69a-de74-4b78-a628-64a9f244ae13' + rel: lula + text: Check that external traffic is managed [PLACEHOLDER] + remarks: 'Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.' 
+ uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 + - control-id: sc-7.20 + description: |- # Control Implementation - All outbound traffic from an Istio-enabled pod is redirected to its sidecar proxy by default, accessibility of URLs outside of the cluster depends on the configuration of the proxy. - By default, Istio configures the Envoy proxy to pass through requests for unknown services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable. - Egress gateways can limit how traffic flows to external services outside of the information system under control. - Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. - - remarks: This control is fully implemented by this tool. - - - uuid: fbdaaeea-0ac4-4bbc-8b75-5b6b7da031e5 - control-id: sc-8 - description: >- - # Control Description - Protect the [Selection confidentiality AND integrity] of transmitted information. - + Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.' + uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 + - control-id: sc-7.21 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? 
- Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 3a204429-6f70-481c-8092-657cc7e79456 - control-id: sc-8.1 - description: >- - # Control Description - Implement cryptographic mechanisms to [Selection prevent unauthorized disclosure of information AND detect changes to information] during transmission. - + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].' + uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 + - control-id: sc-8 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - See SC-8 for full details. In short, Istio provides encryption in transit (mutual TLS) for all applications in the mesh. When you’re using TID’s FIPS verified build of Istio, then this encryption also satisfies FIPS 140-2 requirements. 
- - remarks: This control is fully implemented by this tool. - - - uuid: b044588e-77b1-4e5d-a1bb-b6b0a789c5b0 - control-id: sc-8.2 - description: >- - # Control Description - Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. - + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.' + uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 + - control-id: sc-8.1 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 1e4bf509-37d9-4e06-b6ac-11108e760f4c - control-id: sc-10 - description: >- - # Control Description - Terminate the network connection associated with a communications session at the end of the session or after [Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions.] - + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: 'Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.' + uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C + - control-id: sc-8.2 + description: |- # Control Implementation - A timeout for HTTP requests can be specified using a timeout field in a route rule. - - remarks: This control is fully implemented by this tool. - - - uuid: 042b6b8a-759e-472b-b70b-c4351b53803a - control-id: sc-13 - description: >- - # Control Description - "a. Determine the [Assignment: organization-defined cryptographic uses]; and - b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: FIPS-validated or NSA-approved cryptography]." - + Istio implements with global configuration. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + rel: lula + text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to ensure confidentiality of information sent/received + remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' + uuid: c158b75a-cefc-4794-b124-f1e56ff5646d + - control-id: sc-10 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - As outlined in the section on SC-8, Istio provides encryption in transit for all applications in the mesh. The Tetrate Istio Distribution’s FIPS Verified build is the only FIPS verified build of Istio and Envoy available, and satisfies requirements for FIPS 140-2 as well as the requirement to use the best available software for the job. - - remarks: This control is fully implemented by this tool. - - - uuid: 97cd68fc-1519-4fbc-bca2-c76c16fcc7e1 - control-id: sc-23 - description: >- - # Control Description - Protect the authenticity of communications sessions. - + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#663f5e92-6db4-4042-8b5a-eba3ebe5a622' + rel: lula + text: Istio terminates communication sessions after inactivity [PLACEHOLDER] + remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' + uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c + - control-id: sc-13 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 18df5a35-f209-47d1-84f5-346c22530a5f - control-id: sc-39 - description: >- - # Control Description - Maintain a separate execution domain for each executing system process. - + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: '#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed' + rel: lula + text: Istio is encrypting ingress traffic + - href: '#8be1601e-5870-4573-ab4f-c1c199944815' + rel: lula + text: Istio is providing TLS origination at egress [PLACEHOLDER] + - href: '#73434890-2751-4894-b7b2-7e583b4a8977' + rel: lula + text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] + remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' + uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 + - control-id: sc-23 + description: |- # Control Implementation - Istio’s authorization features provide mesh-, namespace-, and workload-wide access control for your workloads in the mesh. - Istio supports trust domain migration for authorization policy. This means if an Istio mesh needs to change its trust domain, the authorization policy doesn’t need to be changed manually. - - remarks: This control is fully implemented by this tool. - - - uuid: 1a778726-73cb-4335-a13d-8ca2bdb6f7d9 - control-id: si-4.22 - description: >- - # Control Description - "(a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and - (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected." - + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#ca49ac97-487a-446a-a0b7-92b20e2c83cb' + rel: lula + text: Check that Istio is enforcing mtls STRICT + remarks: 'Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.' + uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 + - control-id: sc-39 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. Can be configured for specific network traffic such as not authorized or approved by a system process or user. - Network event alerts can be configured by organizations need. - - remarks: This control is fully implemented by this tool. - - back-matter: - resources: - - uuid: 11d6961f-7ea3-463e-a765-8e0eddf08c4c - title: Defense Unicorns UDS Core - rlinks: - - href: https://github.com/defenseunicorns/uds-core + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. 
+ links: + - href: '#67456ae8-4505-4c93-b341-d977d90cb125' + rel: lula + text: Check that Istio is healthy + - href: '#1761ac07-80dd-47d2-947e-09f67943b986' + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Maintain a separate execution domain for each executing system process. + uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + description: | + Istio Service Mesh + purpose: Istio Service Mesh + responsible-roles: + - party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + role-id: provider + title: Istio Controlplane + type: software + uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 + metadata: + last-modified: 2024-06-19T04:24:37.102736858Z + oscal-version: 1.1.2 + parties: + - links: + - href: https://uds.defenseunicorns.com/ + rel: website + name: Unicorn Delivery Service + type: organization + uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + title: Istio Controlplane + version: "20240614" + uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 From ee8bc289c9c4794e4be8f75c648829d27285f95e Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 28 Jun 2024 05:00:43 +0000 Subject: [PATCH 03/68] added install lula github action --- .github/actions/setup/action.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index f859e4e52..f47cadcec 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml 
@@ -32,6 +32,12 @@ runs: # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver run: brew install defenseunicorns/tap/uds@0.11.2 + - name: Install Lula + uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c + with: + # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced + version: v0.4.0 + - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} env: From fa05cd41ee0df463baa6a58ca216ce9042d2f649 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 28 Jun 2024 05:53:27 +0000 Subject: [PATCH 04/68] still working on where/how to oscal lint --- .github/workflows/pull-request-conditionals.yaml | 2 ++ tasks.yaml | 4 ++++ tasks/lint.yaml | 8 ++++++++ 3 files changed, 14 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 8086c883d..3b137fe13 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -39,6 +39,8 @@ jobs: run: brew install defenseunicorns/tap/uds@0.11.2 - name: Run Formatting Checks run: uds run lint-check --no-progress + - name: Setup Lula + uses: .github/actions/setup # This job checks if there are changes in specific paths source packages. check-paths: diff --git a/tasks.yaml b/tasks.yaml index d6976988a..980322fdc 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -95,3 +95,7 @@ tasks: - name: lint-fix actions: - task: lint:fix + + - name: lint-oscal + actions: + - task: lint:oscal diff --git a/tasks/lint.yaml b/tasks/lint.yaml index d5b732137..474fc4281 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,3 +1,6 @@ +includes: + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/main/tasks/lint.yaml + tasks: - name: fix description: "Fix formatting issues in the repo" 
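Review bot: `uses: .github/actions/setup` in the Setup Lula step is not a valid action reference; a repository-local action has to be written with a leading `./`, i.e. `uses: ./.github/actions/setup`, otherwise GitHub tries to parse it as an `{owner}/{repo}@ref` reference and the workflow fails before any job starts. The step is also placed after this job has already installed uds with brew, so the composite setup action would repeat that install; if only Lula is needed here, calling the single `lula-action/setup` step would be lighter. The enclosing job definition starts outside the hunk.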
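Review bot: The remote include `https://raw.githubusercontent.com/defenseunicorns/uds-common/main/tasks/lint.yaml` tracks a moving branch, so whatever is pushed to `main` of uds-common is executed by `uds run` in CI on the next lint run with no review in this repository. The workflows in this series pin `actions/checkout` and `lula-action/setup` to commit SHAs; the task include deserves the same treatment, e.g. `- remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/<PINNED_TAG_OR_COMMIT>/tasks/lint.yaml` (placeholder), with a `# renovate:` comment if the update bot is to track it.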
@@ -17,3 +20,8 @@ tasks: cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install yamllint - description: yaml lint cmd: yamllint . -c .yamllint --no-warnings + + - name: oscal + actions: + - description: Lula Lint OSCAL + - task: remote:oscal From 315f2713493912bb7472dce74087a887cf8645c8 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 28 Jun 2024 06:34:25 +0000 Subject: [PATCH 05/68] still wip for lint --- .github/actions/lint-oscal/action.yaml | 10 +++++++ .github/filters.yaml | 2 ++ .github/workflows/lint-oscal.yaml | 28 +++++++++++++++++++ .../workflows/pull-request-conditionals.yaml | 24 ++++++++++++++-- 4 files changed, 61 insertions(+), 3 deletions(-) create mode 100644 .github/actions/lint-oscal/action.yaml create mode 100644 .github/workflows/lint-oscal.yaml diff --git a/.github/actions/lint-oscal/action.yaml b/.github/actions/lint-oscal/action.yaml new file mode 100644 index 000000000..f57fe854a --- /dev/null +++ b/.github/actions/lint-oscal/action.yaml @@ -0,0 +1,10 @@ +# action.yml +name: "lint-oscal" +description: "Lula Lint OSCAL" + +runs: + using: "composite" + steps: + - name: lint-oscal + run: | + uds run lint-oscal --set OSCALFILES=${{ inputs.OSCALFILES }} diff --git a/.github/filters.yaml b/.github/filters.yaml index 0e97ddef8..bd786945b 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -25,3 +25,5 @@ tempo: - "src/tempo/**" velero: - "src/velero/**" +oscal: + - "**/*oscal*.yaml" diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml new file mode 100644 index 000000000..ebe3def47 --- /dev/null +++ b/.github/workflows/lint-oscal.yaml 
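Review bot: In the new `oscal` task, `- description: Lula Lint OSCAL` and `- task: remote:oscal` are two separate list items under `actions:`, so the first action carries only a description with nothing to run and the second has no description; as far as I can tell from the sibling actions in this file, each list item is one action. They should be a single item: `- description: Lula Lint OSCAL` followed by `task: remote:oscal` as a sibling key at the same indentation as `description`. The `tasks:` mapping this hunk extends starts outside the hunk.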
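Review bot: The new composite action reads `inputs.OSCALFILES` but declares no `inputs:` block, so the expression is empty and callers passing `with: OSCALFILES:` get an "unexpected input" warning; an `inputs:` section with `OSCALFILES` (and `required: true`) is needed for the value to arrive. The `run:` step of a composite action also needs an explicit `shell:`. Separately, `${{ inputs.OSCALFILES }}` is interpolated straight into the shell command line; the value is a list of file paths derived from `git diff`, so a path containing spaces or shell metacharacters breaks or alters the command — passing it through `env:` and quoting `"$OSCALFILES"` keeps the file list as data.
```yaml
# … unchanged: name, description …
inputs:
  OSCALFILES:
    description: "Comma-separated list of OSCAL files to lint"
    required: true

runs:
  using: "composite"
  steps:
    - name: lint-oscal
      shell: bash
      env:
        OSCALFILES: ${{ inputs.OSCALFILES }}
      run: uds run lint-oscal --set OSCALFILES="$OSCALFILES"
```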
@@ -0,0 +1,28 @@ +name: Lint OSCAL Files + +on: + push: + paths: + - '**/*oscal*.yaml' + +permissions: + contents: read + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Identify changed OSCAL files + id: find_changed_files + run: | + CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) + echo "Changed OSCAL files: $CHANGED_FILES" + echo "::set-output name=oscal_files::$CHANGED_FILES" + + - name: Run lint-oscal + uses: .github/actions/lint-oscal/action.yaml + with: + OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 3b137fe13..10859878b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -39,8 +39,6 @@ jobs: run: brew install defenseunicorns/tap/uds@0.11.2 - name: Run Formatting Checks run: uds run lint-check --no-progress - - name: Setup Lula - uses: .github/actions/setup # This job checks if there are changes in specific paths source packages. check-paths: 
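Review bot: The `lint` job checks out the repo and then runs the `lint-oscal` action, but nothing in this workflow installs `uds` or Lula — in this series those are installed by `./.github/actions/setup` (see the `brew install defenseunicorns/tap/uds` and Install Lula steps in the setup action hunk above), so `uds run lint-oscal` will fail with command-not-found on a plain `ubuntu-latest` runner. Add `- uses: ./.github/actions/setup` (with whatever inputs it requires) before the `Run lint-oscal` step. The same omission is in the `run-lint-oscal` job added to `pull-request-conditionals.yaml` in the next hunk. Note also that `git diff --name-only HEAD^ HEAD` covers only the last commit of a multi-commit push and needs more than the default `fetch-depth: 1` to resolve `HEAD^`.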
@@ -61,7 +59,27 @@ jobs: with: filters: .github/filters.yaml - # This job triggers a separate workflow for each changed source package, if any. + run-lint-oscal: + needs: check-paths + if: needs.check-paths.outputs.oscal_changed == 'true' + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Identify changed OSCAL files + id: find_changed_files + run: | + CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) + echo "Changed OSCAL files: $CHANGED_FILES" + echo "::set-output name=oscal_files::$CHANGED_FILES" + + - name: Run lint-oscal + uses: ./.github/actions/lint-oscal/action.yaml + with: + OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} + +# This job triggers a separate workflow for each changed source package, if any. run-package-test: needs: check-paths name: Schedule From 765c7273732ca6e29447f6a12e4a005a4cb6053a Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 03:07:53 +0000 Subject: [PATCH 06/68] feat(oscal): import all available oscal - fix workflows --- .github/actions/setup/action.yaml | 2 +- .github/workflows/lint-oscal.yaml | 2 +- .../workflows/pull-request-conditionals.yaml | 32 +++++++++---------- compliance/oscal-component.yaml | 10 ++++-- 4 files changed, 26 insertions(+), 20 deletions(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index f47cadcec..502c7116b 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -36,7 +36,7 @@ runs: uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c with: # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.4.0 + version: v0.4.1 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index ebe3def47..2c4aa751a 100644 
--- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -6,7 +6,7 @@ on: - '**/*oscal*.yaml' permissions: - contents: read + contents: read jobs: lint: diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 10859878b..92a9939df 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -60,24 +60,24 @@ jobs: filters: .github/filters.yaml run-lint-oscal: - needs: check-paths - if: needs.check-paths.outputs.oscal_changed == 'true' - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + needs: check-paths + if: needs.check-paths.outputs.oscal_changed == 'true' + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Identify changed OSCAL files - id: find_changed_files - run: | - CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) - echo "Changed OSCAL files: $CHANGED_FILES" - echo "::set-output name=oscal_files::$CHANGED_FILES" + - name: Identify changed OSCAL files + id: find_changed_files + run: | + CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) + echo "Changed OSCAL files: $CHANGED_FILES" + echo "::set-output name=oscal_files::$CHANGED_FILES" - - name: Run lint-oscal - uses: ./.github/actions/lint-oscal/action.yaml - with: - OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} + - name: Run lint-oscal + uses: ./.github/actions/lint-oscal/action.yaml + with: + OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index a5aa0b804..20e835f57 100644 --- a/compliance/oscal-component.yaml 
+++ b/compliance/oscal-component.yaml @@ -14,7 +14,13 @@ component-definition: rel: website import-component-definitions: - - href: 'file:../src/istio/oscal-component.yaml' + - href: 'file://../src/grafana/oscal-component.yaml' + - href: 'file://../src/istio/oscal-component.yaml' + - href: 'file://../src/loki/oscal-component.yaml' + - href: 'file://../src/neuvector/oscal-component.yaml' + - href: 'file://../src/prometheus-stack/oscal-component.yaml' + - href: 'file://../src/promtail/oscal-component.yaml' + - href: 'file://../src/velero/oscal-component.yaml' capabilities: - uuid: 857dcaf8-9080-4cf0-8029-8a03fcdde2df @@ -28,6 +34,6 @@ component-definition: back-matter: resources: - rlinks: - - href: https://github.com/defenseunicorns/uds-coore/ + - href: https://github.com/defenseunicorns/uds-core/ title: UDS Core uuid: 8fe4806d-4aef-4cf0-b9ed-d95d224e97bc From bd41e3ade80adfb46683833fe330e1ae0d3b0ba3 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 18:36:06 +0000 Subject: [PATCH 07/68] chore(oscal): tagged lint import / fixed path to action --- .github/workflows/lint-oscal.yaml | 2 +- tasks/lint.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 2c4aa751a..33a434abc 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -23,6 +23,6 @@ jobs: echo "::set-output name=oscal_files::$CHANGED_FILES" - name: Run lint-oscal - uses: .github/actions/lint-oscal/action.yaml + uses: ./.github/actions/lint-oscal/action.yaml with: OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 474fc4281..bc4493166 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml 
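Review bot: The rewritten hrefs use `file://../src/...`, which puts `..` in the authority (host) position of the URL; a standards-conforming URL parser reads that as host `..` with path `/src/grafana/oscal-component.yaml`, so unless Lula's import resolver special-cases this spelling the relative path will not resolve to the intended file. The removed `file:../src/...` form is the RFC 8089 way to write a relative file reference, so it is worth confirming the exact href format Lula documents before keeping this change. The `import-component-definitions` list and the enclosing `component-definition` start outside the hunk.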
@@ -1,5 +1,5 @@ includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/main/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.0/tasks/lint.yaml tasks: - name: fix From 2704b4c2a9fd0f1c3ba0ed51adfae6eb340a5fed Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 18:42:38 +0000 Subject: [PATCH 08/68] chore(oscal): fix action path --- .github/workflows/lint-oscal.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 33a434abc..04a55f7c9 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -23,6 +23,6 @@ jobs: echo "::set-output name=oscal_files::$CHANGED_FILES" - name: Run lint-oscal - uses: ./.github/actions/lint-oscal/action.yaml + uses: ./.github/actions/lint-oscal with: OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} From e9631e0a1f8d27b8b7f5cbf687dd1076d5e6471a Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 18:44:55 +0000 Subject: [PATCH 09/68] chore(oscal): add shell property --- .github/workflows/lint-oscal.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 04a55f7c9..b27ffc4b3 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -21,6 +21,7 @@ jobs: CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) echo "Changed OSCAL files: $CHANGED_FILES" echo "::set-output name=oscal_files::$CHANGED_FILES" + shell: bash - name: Run lint-oscal uses: ./.github/actions/lint-oscal From 49b8b8a6e39f7b5da7cc2cd85d981ec6f1d034c2 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 18:48:12 +0000 Subject: [PATCH 10/68] chore(oscal): add shell property to action --- .github/actions/lint-oscal/action.yaml | 1 + 1 file changed, 1 insertion(+) 
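Review bot: Pinning the remote include to `v0.7.0` is an improvement over `main`, but a git tag can be re-pointed by anyone with push rights to uds-common, whereas the commit SHAs this series uses for `actions/checkout` and `lula-action/setup` cannot. For consistency with that supply-chain posture, reference the tag's commit instead, e.g. `- remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/<COMMIT_SHA>/tasks/lint.yaml` (placeholder) with a trailing `# v0.7.0` comment, and let the update bot track it if it supports raw URLs.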
diff --git a/.github/actions/lint-oscal/action.yaml b/.github/actions/lint-oscal/action.yaml index f57fe854a..502c3cb7b 100644 --- a/.github/actions/lint-oscal/action.yaml +++ b/.github/actions/lint-oscal/action.yaml @@ -8,3 +8,4 @@ runs: - name: lint-oscal run: | uds run lint-oscal --set OSCALFILES=${{ inputs.OSCALFILES }} + shell: bash From 550a76c8cfb0bc05cb6173b7bb4817325d267b82 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 19:18:34 +0000 Subject: [PATCH 11/68] chore(oscal): updating lint workflow/action --- .github/actions/lint-oscal/action.yaml | 3 +-- .github/workflows/lint-oscal.yaml | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/actions/lint-oscal/action.yaml b/.github/actions/lint-oscal/action.yaml index 502c3cb7b..880e3dc46 100644 --- a/.github/actions/lint-oscal/action.yaml +++ b/.github/actions/lint-oscal/action.yaml @@ -6,6 +6,5 @@ runs: using: "composite" steps: - name: lint-oscal - run: | - uds run lint-oscal --set OSCALFILES=${{ inputs.OSCALFILES }} + run: uds run lint-oscal --set OSCALFILES=${{ inputs.OSCALFILES }} shell: bash diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index b27ffc4b3..f98d9bda2 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -18,9 +18,9 @@ jobs: - name: Identify changed OSCAL files id: find_changed_files run: | - CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) + CHANGED_FILES=$(git diff --name-only main HEAD | grep 'oscal.*\.yaml$' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) echo "Changed OSCAL files: $CHANGED_FILES" - echo "::set-output name=oscal_files::$CHANGED_FILES" + echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" shell: bash - name: Run lint-oscal From b99023ce15c08b5233f9b3cb3de967860aaf1888 Mon Sep 17 00:00:00 2001 
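Review bot: `git diff --name-only main HEAD` in the Identify changed OSCAL files step relies on a local `main` ref that `actions/checkout` only creates when the pushed branch is `main` itself — in that case HEAD is main and the diff is empty, so nothing is linted on the branch this workflow most needs to cover; on a push to any other branch the local ref is absent, `git diff` errors, and the pipeline swallows the failure and emits an empty list. Diffing against the remote-tracking ref and merge base, `git diff --name-only origin/main...HEAD`, works once the `fetch-depth: 0` added in the next patch is in place, and for pushes to main itself `${{ github.event.before }}` gives the range that was actually pushed. `grep -v ".github*"` is a regex in which `.` matches any character; `grep -v '^\.github/'` states the intent. The same command is introduced into the `run-lint-oscal` job in `pull-request-conditionals.yaml` (hunk `@@ -61,21 +61,25 @@` further down), where these points apply as well.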
From: Brandt Keller Date: Sun, 30 Jun 2024 19:25:47 +0000 Subject: [PATCH 12/68] chore(oscal): add fetch depth to checkout --- .github/workflows/lint-oscal.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index f98d9bda2..d1f5d850a 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -14,6 +14,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 - name: Identify changed OSCAL files id: find_changed_files From 12326d9fd8cd6cade44e4f28fba626837e24b668 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 19:46:52 +0000 Subject: [PATCH 13/68] chore(oscal): update run-lint-oscal job --- .github/workflows/pull-request-conditionals.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 92a9939df..ec042492a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -61,21 +61,25 @@ jobs: run-lint-oscal: needs: check-paths - if: needs.check-paths.outputs.oscal_changed == 'true' + if: needs.check-paths.outputs.oscal == 'true' runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 - name: Identify changed OSCAL files id: find_changed_files run: | - CHANGED_FILES=$(git diff --name-only HEAD^ HEAD | grep 'oscal.*\.yaml$' || true) + CHANGED_FILES=$(git diff --name-only main HEAD | grep 'oscal.*\.yaml$' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) echo "Changed OSCAL files: $CHANGED_FILES" - echo "::set-output name=oscal_files::$CHANGED_FILES" + echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + shell: bash - name: Run lint-oscal - uses: ./.github/actions/lint-oscal/action.yaml + if: ${{ steps.find_changed_files.outputs.oscal_files != '' }} + uses: ./.github/actions/lint-oscal with: OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} From 2edb4c2bdde94b8b4c5320fb29a5fb7aa9facdc6 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 19:54:40 +0000 Subject: [PATCH 14/68] chore(oscal): update step conditional --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index ec042492a..a7fe95cc4 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -61,7 +61,7 @@ jobs: run-lint-oscal: needs: check-paths - if: needs.check-paths.outputs.oscal == 'true' + if: steps.check-paths.outputs.oscal == 'true' runs-on: ubuntu-latest steps: - name: Checkout code From 97751dc096af9cdddbc1770398c94d51af48926d Mon Sep 17 00:00:00 2001 
From: Brandt Keller Date: Sun, 30 Jun 2024 19:57:25 +0000 Subject: [PATCH 15/68] chore(oscal): update step conditional with template brackets --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index a7fe95cc4..76013c408 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -61,7 +61,7 @@ jobs: run-lint-oscal: needs: check-paths - if: steps.check-paths.outputs.oscal == 'true' + if: ${{ needs.check-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: - name: Checkout code From a27725d95e85c309ad302cedd1e5a0488a22f012 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:09:18 +0000 Subject: [PATCH 16/68] chore(oscal): testing conditional outputs --- .github/workflows/pull-request-conditionals.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 76013c408..66a68035b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -59,6 +59,9 @@ jobs: with: filters: .github/filters.yaml + - name: test outputs + run: echo "${{ steps.path-filter.outputs.oscal }}" + run-lint-oscal: needs: check-paths if: ${{ needs.check-paths.outputs.oscal == 'true' }} From 6f9326d8183f4f3bf2183997e52ee363176af6df Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:12:49 +0000 Subject: [PATCH 17/68] chore(oscal): test alternate test step --- .github/workflows/pull-request-conditionals.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 66a68035b..8b7c45317 100644 --- a/.github/workflows/pull-request-conditionals.yaml 
+++ b/.github/workflows/pull-request-conditionals.yaml @@ -59,14 +59,14 @@ jobs: with: filters: .github/filters.yaml - - name: test outputs - run: echo "${{ steps.path-filter.outputs.oscal }}" - run-lint-oscal: needs: check-paths - if: ${{ needs.check-paths.outputs.oscal == 'true' }} + # if: ${{ needs.check-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: + - name: test outputs + run: echo "${{ needs.check-paths.outputs.oscal }}" + - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From 145d1de6c9b514c11e9e0c71f41f4a9bfa3174a7 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:24:23 +0000 Subject: [PATCH 18/68] chore(oscal): fix conditional job --- .github/workflows/pull-request-conditionals.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 8b7c45317..5a7160b12 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -47,6 +47,7 @@ jobs: name: Select Jobs outputs: packages: ${{ steps.path-filter.outputs.changes }} + oscal: ${{ steps.path-filter.outputs.oscal }} steps: - name: Checkout the code @@ -61,7 +62,7 @@ jobs: run-lint-oscal: needs: check-paths - # if: ${{ needs.check-paths.outputs.oscal == 'true' }} + if: ${{ needs.check-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: - name: test outputs From 90c561a6baea2f5fa68910deac0e60fcd0e4f0d7 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:45:46 +0000 Subject: [PATCH 19/68] chore(oscal): default to paths-filter for vars --- .github/filters.yaml | 2 +- .../workflows/pull-request-conditionals.yaml | 19 +++---------------- 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/.github/filters.yaml b/.github/filters.yaml index bd786945b..622b4177d 100644 --- a/.github/filters.yaml 
+++ b/.github/filters.yaml @@ -26,4 +26,4 @@ tempo: velero: - "src/velero/**" oscal: - - "**/*oscal*.yaml" + - added|modified: "**/*oscal*.yaml" diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 5a7160b12..e43d9ae51 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -48,6 +48,7 @@ jobs: outputs: packages: ${{ steps.path-filter.outputs.changes }} oscal: ${{ steps.path-filter.outputs.oscal }} + oscal_files: ${{ steps.path-filter.outputs.oscal_files }} steps: - name: Checkout the code @@ -66,26 +67,12 @@ jobs: runs-on: ubuntu-latest steps: - name: test outputs - run: echo "${{ needs.check-paths.outputs.oscal }}" - - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: Identify changed OSCAL files - id: find_changed_files - run: | - CHANGED_FILES=$(git diff --name-only main HEAD | grep 'oscal.*\.yaml$' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) - echo "Changed OSCAL files: $CHANGED_FILES" - echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - shell: bash + run: echo "${{ needs.check-paths.outputs.oscal_files }}" - name: Run lint-oscal - if: ${{ steps.find_changed_files.outputs.oscal_files != '' }} uses: ./.github/actions/lint-oscal with: - OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} + OSCALFILES: ${{ needs.check-paths.outputs.oscal_files }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: From 059ca50473888c2ceae9140a8674942a7228a0b9 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:49:15 +0000 Subject: [PATCH 20/68] chore(oscal): default to paths-filter for vars with list files --- .github/workflows/pull-request-conditionals.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index e43d9ae51..d26c36af9 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -60,6 +60,7 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml + list-files: shell run-lint-oscal: needs: check-paths From 50fed3df1e7ad1e0342bbd3d7db27205577b74ca Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 20:51:11 +0000 Subject: [PATCH 21/68] chore(oscal): default to paths-filter csv --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index d26c36af9..1cfdc8cfd 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -60,7 +60,7 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - list-files: shell + list-files: csv run-lint-oscal: needs: check-paths From f8f6cab6ced38fad5835db02e681a8fa249d7da3 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 21:06:53 +0000 Subject: [PATCH 22/68] chore(oscal): filter path-filters results --- .github/workflows/pull-request-conditionals.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 1cfdc8cfd..c00a6b247 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -60,7 +60,7 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - list-files: csv + list-files: shell run-lint-oscal: needs: check-paths 
@@ -70,10 +70,21 @@ jobs: - name: test outputs run: echo "${{ needs.check-paths.outputs.oscal_files }}" + - name: Identify changed OSCAL files + id: find_changed_files + run: | + CHANGED_FILES=$(echo "${{ needs.check-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) + echo "Changed OSCAL files: $CHANGED_FILES" + echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Checkout the code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Run lint-oscal uses: ./.github/actions/lint-oscal with: - OSCALFILES: ${{ needs.check-paths.outputs.oscal_files }} + OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: From 8cc845b0dec33f0c3ffa6ac7ab31a6f9ccf9e80b Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 21:20:55 +0000 Subject: [PATCH 23/68] chore(oscal): install uds in job for linting --- .../workflows/pull-request-conditionals.yaml | 24 ++++++++++++------- tasks/lint.yaml | 3 ++- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index c00a6b247..51ee8da52 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -67,9 +67,7 @@ jobs: if: ${{ needs.check-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: - - name: test outputs - run: echo "${{ needs.check-paths.outputs.oscal_files }}" - + # filter the files to remove not oscal files (such as those titles oscal-* under ./.github) - name: Identify changed OSCAL files id: find_changed_files run: | 
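Review bot: `tr ' ' '\n'` in the new `find_changed_files` step assumes `oscal_files` is a plain space-separated list, but with `list-files: shell` the paths-filter action wraps a path containing spaces or other shell-unsafe characters in quotes, so such a path is split in two and the quote characters are carried into `oscal_files` and on to `--set OSCALFILES=`. If one path per line is what is wanted, `list-files: json` with `jq -r '.[]'` gives an unambiguous source, and in any case the `${{ needs.check-paths.outputs.oscal_files }}` expression should be read from an `env:` variable rather than substituted into the script body. Placing `Checkout the code` after this step is harmless, since the step only processes job outputs, but the conventional checkout-first order reads more clearly.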
@@ -77,14 +75,24 @@ jobs: echo "Changed OSCAL files: $CHANGED_FILES" echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" shell: bash - + # checkout for access to the oscal files targeted for linting - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Run lint-oscal - uses: ./.github/actions/lint-oscal + # setup uds-cli + - name: Use Node.js latest + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: - OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} + node-version: 20 + - name: Set up Homebrew + uses: Homebrew/actions/setup-homebrew@master + - name: Install UDS CLI + shell: bash + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + run: brew install defenseunicorns/tap/uds@0.11.2 + # lint the oscal files + - name: lint-oscal + run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} + shell: bash # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/tasks/lint.yaml b/tasks/lint.yaml index bc4493166..6b11928cb 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -24,4 +24,5 @@ tasks: - name: oscal actions: - description: Lula Lint OSCAL - - task: remote:oscal + task: remote:oscal + From e099dda3990e64245648289866ddba1d025622a3 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 21:23:15 +0000 Subject: [PATCH 24/68] chore(oscal): fix task linting --- tasks/lint.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 6b11928cb..82f6a9ccb 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -25,4 +25,3 @@ tasks: actions: - description: Lula Lint OSCAL task: remote:oscal - From 114cac27cf789edafd65816eed027378257d6515 Mon Sep 17 00:00:00 2001 
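Review bot: `uses: Homebrew/actions/setup-homebrew@master` is the one action in this job referenced by a mutable branch; every other `uses:` in the workflow is pinned to a full commit SHA with a version comment, and `master` can move between two runs of the same pull request, so the step that installs the linter is not reproducible. Pin it like the others, `uses: Homebrew/actions/setup-homebrew@<commit-sha> # <version>` (placeholders to be filled in), so the pin can be tracked the way the `renovate:` comment on the `brew install` line already tracks `uds`. The new `lint-oscal` step also substitutes `${{ steps.find_changed_files.outputs.oscal_files }}` directly into `run:`; an `env:` entry plus `"$OSCALFILES"` in the command is the safer shape.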
From: Brandt Keller Date: Sun, 30 Jun 2024 21:28:20 +0000 Subject: [PATCH 25/68] chore(oscal): install lula --- .github/workflows/pull-request-conditionals.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 51ee8da52..aeafdd421 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -89,6 +89,12 @@ jobs: shell: bash # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver run: brew install defenseunicorns/tap/uds@0.11.2 + # will be pinning this when a tag is released + - name: Install Lula + uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c + with: + # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced + version: v0.4.1 # lint the oscal files - name: lint-oscal run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} From 2847a15d3a5db000563b35a5ffe54e1d9d74abe3 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 21:44:09 +0000 Subject: [PATCH 26/68] chore(oscal): additional path-filters check for oscal files --- .github/filters.yaml | 2 -- .../workflows/pull-request-conditionals.yaml | 27 ++++++++++++++++--- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/.github/filters.yaml b/.github/filters.yaml index 622b4177d..0e97ddef8 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -25,5 +25,3 @@ tempo: - "src/tempo/**" velero: - "src/velero/**" -oscal: - - added|modified: "**/*oscal*.yaml" diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index aeafdd421..75197bfe0 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -40,6 +40,7 @@ jobs: - name: Run Formatting Checks run: uds run lint-check --no-progress + # This job checks if there are changes in specific paths source packages. check-paths: needs: lint-check @@ -47,6 +48,24 @@ jobs: name: Select Jobs outputs: packages: ${{ steps.path-filter.outputs.changes }} + + steps: + - name: Checkout the code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Uses a custom action to filter paths for source packages. + - name: Check src paths + id: path-filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 + with: + filters: .github/filters.yaml + list-files: shell + + check-oscal-paths: + needs: lint-check + runs-on: ubuntu-latest + name: OSCAL Change Detection + outputs: oscal: ${{ steps.path-filter.outputs.oscal }} oscal_files: ${{ steps.path-filter.outputs.oscal_files }} @@ -59,19 +78,21 @@ jobs: id: path-filter uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: - filters: .github/filters.yaml + filters: | + oscal: + - added|modified: "**/*oscal*.yaml" list-files: shell run-lint-oscal: needs: check-paths - if: ${{ needs.check-paths.outputs.oscal == 'true' }} + if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: # filter the files to remove not oscal files (such as those titles oscal-* under ./.github) - name: Identify changed OSCAL files id: find_changed_files run: | - CHANGED_FILES=$(echo "${{ needs.check-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) + CHANGED_FILES=$(echo "${{ needs.check-oscal-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) echo "Changed OSCAL files: $CHANGED_FILES" echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" shell: bash From 13f8cb6599edc349df564e9548651008931d6e94 Mon Sep 17 00:00:00 2001 
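Review bot: The inline filter `added|modified: "**/*oscal*.yaml"` in the new `check-oscal-paths` job still matches `.github/workflows/lint-oscal.yaml` and `.github/actions/lint-oscal/action.yaml`, which is the only reason the `grep -v ".github*"` post-processing in `run-lint-oscal` has to exist. If the OSCAL documents all live under `src/` and `compliance/`, as the `import-component-definitions` hrefs later in this series suggest, patterns such as `- added|modified: "src/**/*oscal*.yaml"` and `- added|modified: "compliance/*oscal*.yaml"` would select them directly and the shell filtering step could be dropped. Splitting the OSCAL check into its own job looks deliberate, since `steps.path-filter.outputs.changes` feeds the package matrix, so I am not suggesting merging it back.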
From: Brandt Keller Date: Sun, 30 Jun 2024 21:48:12 +0000 Subject: [PATCH 27/68] chore(oscal): update conditional needs for job --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 75197bfe0..d160b482d 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -84,7 +84,7 @@ jobs: list-files: shell run-lint-oscal: - needs: check-paths + needs: check-oscal-paths if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }} runs-on: ubuntu-latest steps: From 678460c9d743dde4b609b7783a5f6c98b8592b31 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Sun, 30 Jun 2024 22:00:46 +0000 Subject: [PATCH 28/68] chore(oscal): begin integrating validate to single-package --- tasks/test.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/test.yaml b/tasks/test.yaml index 7c66726d4..ea97df0b6 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -2,6 +2,7 @@ includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.0/tasks/compliance.yaml tasks: - name: single-package @@ -14,6 +15,11 @@ tasks: - description: "Validate the package" cmd: uds run -f src/${UDS_PKG}/tasks.yaml validate --no-progress + - task: compliance:validate + with: + oscalfile: ./compliance/oscal-component.yaml + assessment_results: ./compliance/oscal-assessment-results.yaml + - name: validate-packages description: "Validated all packages" # loop through each src/* package and run the validate.yaml task From 2fc9c7bcef5ea8521b93929477d56d0bdee1a684 Mon Sep 17 00:00:00 2001 
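Review bot: The new `compliance:` include fetches task definitions from `https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.0/tasks/compliance.yaml`, addressed by a git tag; unlike the SHA-pinned `uses:` references elsewhere in this series, a tag can be re-pointed, so the steps executed by `single-package` are not immutable. raw.githubusercontent.com resolves a commit SHA in the same position as the tag, so the include can be pinned to one with the version kept in a comment, as the actions already do, or the decision to trust the upstream tag should be recorded next to the line. The `includes:` mapping itself begins before the hunk.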
From: Brandt Keller Date: Sun, 30 Jun 2024 22:11:32 +0000 Subject: [PATCH 29/68] chore(oscal): update oscal for validation --- .github/actions/save-logs/action.yaml | 1 + compliance/oscal-component.yaml | 14 +++++++------- tasks/test.yaml | 11 ++++++----- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 58e9bda84..418e48200 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -44,3 +44,4 @@ runs: /tmp/debug-*.log /tmp/uds-containerd-logs /tmp/k3d-uds-*.log + /tmp/oscal-assessment-results.yaml diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index 20e835f57..ecb88933e 100644 --- a/compliance/oscal-component.yaml +++ b/compliance/oscal-component.yaml @@ -14,13 +14,13 @@ component-definition: rel: website import-component-definitions: - - href: 'file://../src/grafana/oscal-component.yaml' - - href: 'file://../src/istio/oscal-component.yaml' - - href: 'file://../src/loki/oscal-component.yaml' - - href: 'file://../src/neuvector/oscal-component.yaml' - - href: 'file://../src/prometheus-stack/oscal-component.yaml' - - href: 'file://../src/promtail/oscal-component.yaml' - - href: 'file://../src/velero/oscal-component.yaml' + - href: 'file://./../src/grafana/oscal-component.yaml' + - href: 'file://./../src/istio/oscal-component.yaml' + - href: 'file://./../src/loki/oscal-component.yaml' + - href: 'file://./../src/neuvector/oscal-component.yaml' + - href: 'file://./../src/prometheus-stack/oscal-component.yaml' + - href: 'file://./../src/promtail/oscal-component.yaml' + - href: 'file://./../src/velero/oscal-component.yaml' capabilities: - uuid: 857dcaf8-9080-4cf0-8029-8a03fcdde2df diff --git a/tasks/test.yaml b/tasks/test.yaml index ea97df0b6..f553127e8 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -15,11 +15,6 @@ tasks: - description: "Validate the package" cmd: uds run -f src/${UDS_PKG}/tasks.yaml validate --no-progress - - task: compliance:validate - with: - oscalfile: ./compliance/oscal-component.yaml - assessment_results: ./compliance/oscal-assessment-results.yaml - - name: validate-packages description: "Validated all packages" # loop through each src/* package and run the validate.yaml task @@ -37,6 +32,12 @@ tasks: - task: create:k3d-standard-bundle - task: deploy:k3d-standard-bundle - task: validate-packages + - task: compliance:validate + with: + oscalfile: ./compliance/oscal-component.yaml + assessment_results: ./compliance/oscal-assessment-results.yaml + - description: copy assessment file to log location + cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml - name: uds-core-upgrade description: "Test an upgrade from the latest released UDS Core package to current branch" From fcec7990011a94eafa02faa02f36597184734b58 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 1 Jul 2024 03:06:53 +0000 Subject: [PATCH 30/68] chore(oscal): instrument compliance gate for required adherence --- compliance/oscal-assessment-results.yaml | 1275 ++++++++++++++++++++++ tasks/test.yaml | 3 + 2 files changed, 1278 insertions(+) create mode 100644 compliance/oscal-assessment-results.yaml diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml new file mode 100644 index 000000000..5a2d57801 --- /dev/null +++ b/compliance/oscal-assessment-results.yaml 
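Review bot: `cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml` runs after `compliance:validate`, so if validation fails and the task stops at the first failing action — whether it does is not visible in the hunk — nothing is copied, and the `/tmp/oscal-assessment-results.yaml` path added to `save-logs` in this commit is empty on exactly the runs where the results matter. If the file is not needed under `compliance/` afterwards, passing `assessment_results: /tmp/oscal-assessment-results.yaml` directly removes the copy step and the gap; otherwise the copy needs an always-run equivalent. The `single-package` task this hunk edits starts before the hunk.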
@@ -0,0 +1,1275 @@ +assessment-results: + import-ap: + href: "" + metadata: + last-modified: 2024-06-30T22:27:28.032093229Z + oscal-version: 1.1.2 + published: 2024-06-30T22:27:28.032093229Z + remarks: Assessment Results generated from Lula + title: '[System Name] Security Assessment Results (SAR)' + version: 0.0.1 + results: + - description: Assessment results for performing Validations with Lula version v0.4.1 + findings: + - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-7.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' + uuid: 530f15c4-f2af-48b4-8ffe-bbd93c2ac02c + - description: |- + # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. 
Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: si-4 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' + uuid: 21cf73d7-c46c-4e05-9be3-44b78f7e7b2f + - description: |- + # Control Implementation + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 + - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + target: + status: + state: not-satisfied + target-id: sc-4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' + uuid: 47164bc1-4927-4071-bb1c-96601149488b + - description: |- + # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." 
+ # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' + uuid: b6ed044d-1e5d-401d-aa2f-58ccfa1c370c + - description: |- + # Control Implementation + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 795a243f-2559-4284-ad45-b3e41e184b8a + target: + status: + state: satisfied + target-id: au-12 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' + uuid: 0c575663-bf90-419f-99c0-a3d4801df02d + - description: |- + # Control description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
+ target: + status: + state: not-satisfied + target-id: au-7.1 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' + uuid: 8d2ee169-ead9-40d5-8d1c-cb7fb5887c0a + - description: |- + # Control Implementation + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + - observation-uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa + target: + status: + state: not-satisfied + target-id: sc-7.8 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' + uuid: 92b0e321-c7fc-4d9b-8e34-5685a1f73102 + - description: |- + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. + target: + status: + state: not-satisfied + target-id: au-4 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' + uuid: ac06539e-42a7-4d5b-af3d-89e1a42fdd8f + - description: |- + # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." 
+ # Control Implementation Loki implements RBAC to define system authorization and separation of duties. + target: + status: + state: not-satisfied + target-id: ac-5 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' + uuid: b7867063-1723-45d1-8d98-ad84dc7ef4af + - description: |- + # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. + # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-5.2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' + uuid: a399ae4f-ed31-4208-9991-81177aa29c6c + - description: |- + # Control Implementation + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + target: + status: + state: not-satisfied + target-id: sc-3 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' + uuid: 1eb6882e-580e-47ac-9483-80e1bebbb02d + - description: |- + # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + target: + status: + state: not-satisfied + target-id: au-6 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' + uuid: 437e0a7f-0469-41bc-9d84-b824bf2d77c4 + - description: |- + # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. 
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-2.1
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1'
+ uuid: d818e8f4-e1bf-4942-85ab-c77f25fe6b6e
+ - description: |-
+ # Control Description Define the breadth and depth of vulnerability scanning coverage.
+ # Control Implementation NeuVector container scanning configurations depth can be modified.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5.3
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3'
+ uuid: 716ae053-abe6-44e0-bd41-762c3a98a2dc
+ - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-7.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2'
+ uuid: d19371d4-0ebb-49fc-8dce-41b80aab95f4
+ - description: Velero can be configured to restore only certain components of a back-up when necessary.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2'
+ uuid: c5282d69-7df0-4edf-b2a6-a491ebfaaa4a
+ - description: |-
+ # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
+ # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-9
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9'
+ uuid: 0904e35b-0673-4ae1-853f-5df22a9e21b7
+ - description: |-
+ # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline."
+ # Control Implementation NeuVector is configured securely and only access to required ports are available.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cm-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7'
+ uuid: 545bea9e-6b3e-4665-b2b4-6164eb0fcecb
+ - description: |-
+ # Control Implementation
+ Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-10
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10'
+ uuid: cee5490b-9149-4f00-b7f1-64b20cbc8f0a
+ - description: |-
+ # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
+ # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6.5
+ type: objective-id
+ title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5'
+ uuid: c4144a96-7b23-435e-8052-3ec79da0a9aa
+ - description: |-
+ # Control Implementation
+ Istio implements with global configuration.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54
+ - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f
+ - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934
+ target:
+ status:
+ state: satisfied
+ target-id: sc-8.2
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2'
+ uuid: 46959113-939a-4d3c-9995-89a818c0f05f
+ - description: |-
+ # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]."
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ca-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7'
+ uuid: 1d8817a2-21bb-4122-ae58-e552b0879b68
+ - description: |-
+ # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation."
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sa-11
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11'
+ uuid: 1e7eaa29-97cb-454a-bea7-2142ef44343f
+ - description: |-
+ # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited.
+ # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio.
Metrics data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-9.2
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2'
+ uuid: bdfd832a-b4a2-4b2e-af0a-ebf39ad51a18
+ - description: |-
+ # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+ # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-12.1
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1'
+ uuid: 080c0868-fa0f-4ce2-a8bc-ff03197651fb
+ - description: |-
+ # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]."
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.1
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1'
+ uuid: e760b83a-b3e4-4286-9a94-3167c3f6368b
+ - description: |-
+ # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6'
+ uuid: d8eb2332-91df-477a-be2c-fa56a93f1c20
+ - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.'
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-10.4
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4'
+ uuid: 4bd2c151-b8f5-40b5-819f-89727701f6f7
+ - description: |-
+ # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.3
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3'
+ uuid: 58646676-b28b-45dd-9b90-ddd3c348f5b2
+ - description: |-
+ # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+ # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7'
+ uuid: 907e7159-6e90-4025-b3d6-dbcf123cbb33
+ - description: |-
+ # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b.
Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."
+ # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5'
+ uuid: 187ae20d-8d47-4eaa-bb64-e529672c8936
+ - description: |-
+ # Control Description Prevent non-privileged users from executing privileged functions.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.10
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10'
+ uuid: d8591c7f-7c3c-48d8-b7c8-6ac161621cdc
+ - description: |-
+ # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]."
+ # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts.
+ target:
+ status:
+ state: not-satisfied
+ target-id: si-11
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11'
+ uuid: c62884fd-59e8-4836-ba02-095415dd8af8
+ - description: |-
+ # Control Description
+ Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious
+ user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
+
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ca-2.2
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2'
+ uuid: d79e0fae-943f-4afe-8269-807cf92aae0e
+ - description: |-
+ # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+ # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-3
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3'
+ uuid: 097c80d2-4971-4188-9de9-54a509ad3cdc
+ - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.3
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3'
+ uuid: 4a91b5b2-810b-493d-9bff-98bec053065f
+ - description: |-
+ "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes:
+ - System components/data.
+ - User-level information/application metadata.
+ - User-level storage/data.
+ - Scheduled back-ups with configurable scopes.
+ - Multi-cloud and on-premise support for availability of backup."
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9'
+ uuid: 09c6df43-c339-464d-a5f3-4711511ba7a2
+ - description: |-
+ # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sa-11.1
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1'
+ uuid: ee8400e9-79e8-4447-9717-97e1197356dd
+ - description: |-
+ # Control Implementation
+ Istio is configured to use ingress and egress gateways to provide logical flow separation.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb
+ - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721
+ - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-4.21
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21'
+ uuid: 2b3617e2-9cff-438a-b029-cc5912742d55
+ - description: |-
+ # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2.
[Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes."
+ # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-2
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2'
+ uuid: c36595c9-4cd9-4175-9aa5-b316739a4f10
+ - description: |-
+ # Control Implementation
+ Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54
+ - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f
+ - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5
+ target:
+ status:
+ state: satisfied
+ target-id: ac-4
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4'
+ uuid: bce00e12-51f3-4a65-874c-63f0270f4bd7
+ - description: |-
+ # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
+ # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-5.1
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1'
+ uuid: 42a427cb-acc2-4ded-8444-2a36ffc71b5e
+ - description: |-
+ # Control Description
+ Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+ Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).
+
+ # Control Implementation
+ Logs are captured by promtail from the node.
The node logs will contain the necessary log data from all pods/applications inside the selected nodes.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-3
+ type: objective-id
+ title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3'
+ uuid: 13145f93-94b3-4a06-abe5-c88e547604f3
+ - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6'
+ uuid: b893b49e-64d6-4062-bdab-02404c9adb9a
+ - description: |-
+ # Control Implementation
+ Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
+ related-observations:
+ - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
+ - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54
+ - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f
+ target:
+ status:
+ state: satisfied
+ target-id: sc-8.1
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1'
+ uuid: 415a3412-96ad-482c-a9c8-dd67d8a5c8f5
+ - description: |-
+ # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
+ # Control Implementation Loki provides an API for retrieving and filtering logs.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au7.1
+ type: objective-id
+ title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1'
+ uuid: eed4d866-735f-4688-ad58-c7ab93248697
+ - description: |-
+ # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
+ # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-11
+ type: objective-id
+ title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11'
+ uuid: 6ef793a1-525f-4cb5-90e9-d6b2eaa20ba7
+ - description: |-
+ # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+ # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6.6
+ type: objective-id
+ title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6'
+ uuid: 2b6f5a3b-28e0-4bbf-bd92-f0dbad82e873
+ - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2'
+ uuid: 7386dec2-3c3e-4194-aae4-71f68428e468
+ - description: |-
+ # Control Implementation
+ Istio is configured to dynamically isolate certain internal system components when necessary.
This is achieved through Istio's network policies, which allow us to partition or separate system components + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-7.20 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' + uuid: e31a17ff-ad3a-4835-8883-c15a290b0b60 + - description: |- + # Control Implementation + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-7.21 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' + uuid: 5d9a771f-b974-434d-8ede-252d1c9f7343 + - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. 
+ target: + status: + state: not-satisfied + target-id: cp-9.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' + uuid: 03c2c9d4-da54-4b4c-aaa5-fdbc483ec5ac + - description: |- + # Control Implementation + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 + - observation-uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa + target: + status: + state: not-satisfied + target-id: cm-5 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' + uuid: f54983d0-3e83-4d74-ac13-d96a9c14309c + - description: |- + # Control Implementation + Istio produces logs for all traffic in the information system. + related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 + target: + status: + state: not-satisfied + target-id: ac-6.9 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' + uuid: 30a4343a-25e7-40f2-968e-832894732967 + - description: |- + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: not-satisfied + target-id: sc-8 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' + uuid: c5567414-902a-4439-8272-3cce25d6d8d3 + - description: |- + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + target: + status: + state: not-satisfied + target-id: au-9.4 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' + uuid: 22e63487-b471-4b44-9983-6673268a6360 + - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-6.3 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' + uuid: 22749401-71be-4c49-b512-7b1047ef71bb + - description: |- + # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. 
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ra-5.5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' + uuid: 548197f1-46e3-4ad2-bb0e-41d8cdeff4b3 + - description: |- + # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. + # Control Implementation NeuVector container scanning vulnerability database is updated frequently. + target: + status: + state: not-satisfied + target-id: ra-5.2 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' + uuid: 84b79bb2-2bb2-4ac5-9a37-9a8eea22ac5d + - description: |- + # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. 
+ related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 + target: + status: + state: not-satisfied + target-id: au-8 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' + uuid: a8cb7268-12d0-4322-ac3e-f727c73f4e7f + - description: |- + # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: si-2.3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' + uuid: dac85ad9-0e0e-44c3-bf85-09bbb03d3349 + - description: |- + # Control Implementation + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab + - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 + - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + target: + status: + state: not-satisfied + target-id: sc-7.4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' + uuid: f60b1dd1-f387-4aff-88b9-5fb0c9ac02ec + - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' + target: + status: + state: not-satisfied + target-id: cp-9.5 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' + uuid: ab6bdb32-3872-4131-9148-5ce885d2e90a + - description: |- + # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. + # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. + target: + status: + state: not-satisfied + target-id: au-6.3 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' + uuid: fceb1b23-d4c2-48ac-9015-e3d6c51b643b + - description: |- + # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. + target: + status: + state: not-satisfied + target-id: cm-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' + uuid: 32761afe-74dc-4698-a758-9bf9028b102d + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. + target: + status: + state: not-satisfied + target-id: cp-7 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' + uuid: 7ab5474d-9104-48e9-8b0b-61d5e80c85dc + - description: |- + # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. 
+ # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 + target: + status: + state: not-satisfied + target-id: au-3.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' + uuid: 78b88a9d-0ead-4f50-acd1-34fffb4887c9 + - description: |- + # Control Implementation + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + - observation-uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 + - observation-uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 + target: + status: + state: not-satisfied + target-id: sc-13 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' + uuid: 3913dd6a-a176-4366-a456-64eebedfddaa + - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + target: + status: + state: not-satisfied + target-id: cp-6.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' + uuid: e8ebaa45-f132-40f7-97c3-ac0260de8657 + - description: |- + # Control Description "a. 
Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' + uuid: 6a5c1d9e-08b7-4cec-a5b2-5e1d449dfb42 + - description: |- + # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. 
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. + related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba + target: + status: + state: not-satisfied + target-id: au-2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' + uuid: 4e443b5a-87b2-4b91-ba98-c6c83d9bf9a2 + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + target: + status: + state: not-satisfied + target-id: cp-10 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' + uuid: 8b8d6ca5-b795-4ad3-b798-e8558a3c0bad + - description: |- + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. 
+ # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + target: + status: + state: not-satisfied + target-id: au-6.1 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' + uuid: 888b091f-a818-4177-9283-0eb5b74dcd26 + - description: |- + # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + target: + status: + state: not-satisfied + target-id: au-7 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' + uuid: bbfc2b16-0d6f-48cd-82b0-3609974bfbdc + - description: |- + # Control Implementation + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + target: + status: + state: satisfied + target-id: sc-23 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' + uuid: e66bb22e-9afe-4215-bdda-1327f015ed00 + - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. + target: + status: + state: not-satisfied + target-id: cp-9.8 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' + uuid: f0acd50b-ce08-4179-b7e5-c7b2850c37e0 + - description: |- + # Control Implementation + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-39 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' + uuid: 009e00d9-2fd5-43d3-9b9c-feeaa9350b91 + - description: |- + # Control Implementation + All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + target: + status: + state: satisfied + target-id: ac-4.4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' + uuid: dff58c6a-29db-4e7e-b46d-715764fa737a + - description: |- + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f + target: + status: + state: satisfied + target-id: ac-14 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' + uuid: f5a77d77-029b-4b50-bd37-e09902be020d + observations: + - collected: 2024-06-30T22:27:27.695366242Z + description: | + [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil + uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + - collected: 2024-06-30T22:27:27.695414341Z + description: | + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil + uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 + - collected: 2024-06-30T22:27:27.695457522Z + description: | + [TEST]: 
9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil + uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 + - collected: 2024-06-30T22:27:27.712083114Z + description: | + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + istiohealth.deployment_message: All deployment conditions are true. + istiohealth.hpa_message: HPA has sufficient replicas. + uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - collected: 2024-06-30T22:27:27.712135712Z + description: | + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil + uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa + - collected: 2024-06-30T22:27:27.821536311Z + description: | + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have Istio sidecar proxy. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - collected: 2024-06-30T22:27:27.821606552Z + description: | + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil + uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 + - collected: 2024-06-30T22:27:27.827790559Z + description: | + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All PeerAuthentications have mtls mode set to STRICT. + uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - collected: 2024-06-30T22:27:27.839654751Z + description: | + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Expected Virtual Services not using expected Gateways + validate.msg_actual: Gateways configured: {"istio-admin-gateway/admin-gateway", "istio-passthrough-gateway/passthrough-gateway", "istio-tenant-gateway/tenant-gateway"}. 
VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": set(), "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} + validate.msg_expected: Expected VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": [], "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-emulate-gitlab-authorize-endpoint", "keycloak-tenant-emulate-gitlab-token-endpoint", "keycloak-tenant-emulate-gitlab-user-endpoint", "keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} + uuid: 20529117-f400-4d22-b60a-f168a19f097c + - collected: 2024-06-30T22:27:27.839700617Z + description: | + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil + uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb + - collected: 2024-06-30T22:27:27.847217778Z + description: | + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Tracing logging not supported. 
+ uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17 + - collected: 2024-06-30T22:27:27.854811286Z + description: | + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio is logging all traffic + uuid: 795a243f-2559-4284-ad45-b3e41e184b8a + - collected: 2024-06-30T22:27:27.863207892Z + description: | + [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. + uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 + - collected: 2024-06-30T22:27:27.870971856Z + description: | + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Metrics logging supported + uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f + - collected: 2024-06-30T22:27:27.969063343Z + description: | + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have correct prometheus annotations. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 + - collected: 2024-06-30T22:27:27.969127302Z + description: | + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil + uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa + - collected: 2024-06-30T22:27:27.975975858Z + description: | + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway + uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + - collected: 2024-06-30T22:27:27.980306727Z + description: | + [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Authorization Policy requires authentication for keycloak + uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f + - collected: 2024-06-30T22:27:27.980345319Z + description: | + [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil + uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 + - collected: 2024-06-30T22:27:27.980365106Z + description: | + [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain 
is nil + uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba + - collected: 2024-06-30T22:27:27.98038338Z + description: | + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil + uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - collected: 2024-06-30T22:27:27.985138045Z + description: | + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio RBAC enforced + validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway + uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 + - collected: 2024-06-30T22:27:27.985176246Z + description: | + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil + uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 + - collected: 2024-06-30T22:27:28.008478858Z + description: | + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. + validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
+ uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab + - collected: 2024-06-30T22:27:28.016548441Z + description: | + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb + - collected: 2024-06-30T22:27:28.02612714Z + description: | + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. 
+ uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + props: + - name: threshold + ns: https://docs.lula.dev/ns + value: "true" + reviewed-controls: + control-selections: + - description: Controls Assessed by Lula + include-controls: + - control-id: cp-7.1 + - control-id: si-4 + - control-id: sc-4 + - control-id: si-5 + - control-id: au-12 + - control-id: au-7.1 + - control-id: sc-7.8 + - control-id: au-4 + - control-id: ac-5 + - control-id: au-5.2 + - control-id: sc-3 + - control-id: au-6 + - control-id: ac-2.1 + - control-id: ra-5.3 + - control-id: cp-7.2 + - control-id: cp-9.2 + - control-id: au-9 + - control-id: cm-7 + - control-id: sc-10 + - control-id: au-6.5 + - control-id: sc-8.2 + - control-id: ca-7 + - control-id: sa-11 + - control-id: au-9.2 + - control-id: au-12.1 + - control-id: ac-6.1 + - control-id: ac-6 + - control-id: cp-10.4 + - control-id: ac-6.3 + - control-id: sc-7 + - control-id: ra-5 + - control-id: ac-6.10 + - control-id: si-11 + - control-id: ca-2.2 + - control-id: ac-3 + - control-id: cp-9.3 + - control-id: cp-9 + - control-id: sa-11.1 + - control-id: ac-4.21 + - control-id: ac-2 + - control-id: ac-4 + - control-id: au-5.1 + - control-id: au-3 + - control-id: cp-6 + - control-id: sc-8.1 + - control-id: au7.1 + - control-id: au-11 + - control-id: au-6.6 + - control-id: cp-6.2 + - control-id: sc-7.20 + - control-id: sc-7.21 + - control-id: cp-9.1 + - control-id: cm-5 + - control-id: ac-6.9 + - control-id: sc-8 + - control-id: au-9.4 + - control-id: cp-6.3 + - control-id: ra-5.5 + - control-id: ra-5.2 + - control-id: au-8 + - control-id: si-2.3 + - control-id: sc-7.4 + - control-id: cp-9.5 + - control-id: au-6.3 + - control-id: cm-6 + - control-id: cp-7 + - control-id: au-3.1 + - control-id: sc-13 + - control-id: cp-6.1 + - control-id: si-6 + - control-id: au-2 + - control-id: cp-10 + - control-id: au-6.1 + - control-id: au-7 + - control-id: sc-23 + - control-id: cp-9.8 + - control-id: sc-39 + - control-id: ac-4.4 + - control-id: ac-14 + 
description: Controls validated + remarks: Validation performed may indicate full or partial satisfaction + start: 2024-06-30T22:27:28.032093229Z + title: Lula Validation Result + uuid: 8af0e1bc-5014-44ef-9ef8-9d1f6f653824 + uuid: 9be178a0-2337-40ec-b760-bef3c1df5589 diff --git a/tasks/test.yaml b/tasks/test.yaml index f553127e8..5031c3708 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -36,6 +36,9 @@ tasks: with: oscalfile: ./compliance/oscal-component.yaml assessment_results: ./compliance/oscal-assessment-results.yaml + - task: compliance:evaluate + with: + assessment_results: ./compliance/oscal-assessment-results.yaml - description: copy assessment file to log location cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml From 762028ca45a11de163159dc2df7e8180c77caccb Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Mon, 1 Jul 2024 14:30:51 +0000 Subject: [PATCH 31/68] think I moved oscal lint to a different workflow --- .github/workflows/lint-oscal.yaml | 54 ++++++++++++++--- .../workflows/pull-request-conditionals.yaml | 60 ------------------- 2 files changed, 46 insertions(+), 68 deletions(-) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index d1f5d850a..6668a4535 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml 
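Review bot: The new `compliance:evaluate` action is placed before the `copy assessment file to log location` step, so when evaluate fails (the case in which the results matter most) the run presumably stops before `./compliance/oscal-assessment-results.yaml` is copied to `/tmp` and the evidence explaining the failure is not collected. Moving the `cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml` action ahead of `- task: compliance:evaluate` preserves the artifact in both outcomes. The same ordering is carried into patch 35's `@@ -50,3 +41,20 @@` hunk of tasks/test.yaml, where the `evaluate-compliance` task lists the copy after the evaluate action.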
@@ -9,23 +9,61 @@ permissions: contents: read jobs: - lint: + + check-oscal-paths: runs-on: ubuntu-latest + name: OSCAL Change Detection + outputs: + oscal: ${{ steps.path-filter.outputs.oscal }} + oscal_files: ${{ steps.path-filter.outputs.oscal_files }} steps: - - name: Checkout + - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Uses a custom action to filter paths for source packages. + - name: Check src paths + id: path-filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: - fetch-depth: 0 + filters: | + oscal: + - added|modified: "**/*oscal*.yaml" + list-files: shell + lint-oscal: + needs: check-oscal-paths + if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }} + runs-on: ubuntu-latest + steps: + # filter the files to remove not oscal files (such as those titles oscal-* under ./.github) - name: Identify changed OSCAL files id: find_changed_files run: | - CHANGED_FILES=$(git diff --name-only main HEAD | grep 'oscal.*\.yaml$' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) + CHANGED_FILES=$(echo "${{ needs.check-oscal-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) echo "Changed OSCAL files: $CHANGED_FILES" echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" shell: bash - - - name: Run lint-oscal - uses: ./.github/actions/lint-oscal + # checkout for access to the oscal files targeted for linting + - name: Checkout the code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # setup uds-cli + - name: Use Node.js latest + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version: 20 + - name: Set up Homebrew + uses: Homebrew/actions/setup-homebrew@master + - name: Install UDS CLI + shell: bash + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + run: brew install defenseunicorns/tap/uds@0.11.2 + # will be 
pinning this when a tag is released + - name: Install Lula + uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c with: - OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }} + # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced + version: v0.4.1 + # lint the oscal files + - name: lint-oscal + run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} + shell: bash diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index d160b482d..6b41c1edf 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
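Review bot: `needs.check-oscal-paths.outputs.oscal_files` is expanded by `${{ }}` directly inside the `run:` script of the `Identify changed OSCAL files` step, and the final `lint-oscal` step does the same with `steps.find_changed_files.outputs.oscal_files`; the expansion happens before bash parses the line, so a file name carrying shell metacharacters becomes part of the script (dorny's `shell` list format quotes unsafe names for word-splitting, but that does not neutralise expansion inside the double-quoted `echo`). Patch 35's `@@ -1,7 +1,9 @@` hunk switches this workflow to `pull_request`, which puts those file names under the control of whoever opens the PR, while its `@@ -46,24 +48,9 @@` hunk keeps the same `${{ }}`-in-`run:` pattern; passing the value through `env:` and reading it as a shell variable closes this in both places. Separately, `Homebrew/actions/setup-homebrew@master` is the only action in this job not pinned to a commit SHA like the neighbouring `actions/checkout` and `actions/setup-node` steps; pinning it keeps the toolchain under review control.
```yaml
      - name: Identify changed OSCAL files
        id: find_changed_files
        env:
          OSCAL_FILES: ${{ needs.check-oscal-paths.outputs.oscal_files }}
        run: |
          CHANGED_FILES=$(echo "$OSCAL_FILES" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true)
          echo "Changed OSCAL files: $CHANGED_FILES"
          echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
        shell: bash
      # … unchanged: checkout, Node.js, Homebrew, UDS CLI and Lula setup steps …
      - name: lint-oscal
        env:
          OSCALFILES: ${{ steps.find_changed_files.outputs.oscal_files }}
        run: uds run lint-oscal --set OSCALFILES="$OSCALFILES"
        shell: bash
```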
@@ -61,66 +61,6 @@ jobs: filters: .github/filters.yaml list-files: shell - check-oscal-paths: - needs: lint-check - runs-on: ubuntu-latest - name: OSCAL Change Detection - outputs: - oscal: ${{ steps.path-filter.outputs.oscal }} - oscal_files: ${{ steps.path-filter.outputs.oscal_files }} - - steps: - - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # Uses a custom action to filter paths for source packages. - - name: Check src paths - id: path-filter - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - with: - filters: | - oscal: - - added|modified: "**/*oscal*.yaml" - list-files: shell - - run-lint-oscal: - needs: check-oscal-paths - if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }} - runs-on: ubuntu-latest - steps: - # filter the files to remove not oscal files (such as those titles oscal-* under ./.github) - - name: Identify changed OSCAL files - id: find_changed_files - run: | - CHANGED_FILES=$(echo "${{ needs.check-oscal-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) - echo "Changed OSCAL files: $CHANGED_FILES" - echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - shell: bash - # checkout for access to the oscal files targeted for linting - - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - # setup uds-cli - - name: Use Node.js latest - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 - with: - node-version: 20 - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.11.2 - # will be pinning this when a tag is released - - name: Install Lula - uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c - with: - # renovate: 
datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.4.1 - # lint the oscal files - - name: lint-oscal - run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} - shell: bash - # This job triggers a separate workflow for each changed source package, if any. run-package-test: needs: check-paths From baf3d4079bea2fad299b550c58cc2d39bb696e51 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Mon, 1 Jul 2024 14:38:29 +0000 Subject: [PATCH 32/68] moved command into workflow --- .github/actions/lint-oscal/action.yaml | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 .github/actions/lint-oscal/action.yaml diff --git a/.github/actions/lint-oscal/action.yaml b/.github/actions/lint-oscal/action.yaml deleted file mode 100644 index 880e3dc46..000000000 --- a/.github/actions/lint-oscal/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# action.yml -name: "lint-oscal" -description: "Lula Lint OSCAL" - -runs: - using: "composite" - steps: - - name: lint-oscal - run: uds run lint-oscal --set OSCALFILES=${{ inputs.OSCALFILES }} - shell: bash From 1f9039820d95e38f50f7a508fff8acfffc64e4dc Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 1 Jul 2024 20:42:49 +0000 Subject: [PATCH 33/68] chore(oscal): revert changes to pull request conditionals workflow --- .github/workflows/pull-request-conditionals.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 6b41c1edf..eee72a35f 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -40,7 +40,6 @@ jobs: - name: Run Formatting Checks run: uds run lint-check --no-progress - # This job checks if there are changes in specific paths source packages. check-paths: needs: lint-check 
@@ -59,7 +58,6 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - list-files: shell # This job triggers a separate workflow for each changed source package, if any. run-package-test: From 5faca4bb24820f4eb7ba5bcb6c635a9fac399cb2 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 1 Jul 2024 20:43:56 +0000 Subject: [PATCH 34/68] chore(oscal): fix comment block to revert changes --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index eee72a35f..8086c883d 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -59,7 +59,7 @@ jobs: with: filters: .github/filters.yaml -# This job triggers a separate workflow for each changed source package, if any. + # This job triggers a separate workflow for each changed source package, if any. run-package-test: needs: check-paths name: Schedule From cf240d3c089879f9537ab1b149765b255a19f289 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 3 Jul 2024 19:50:50 +0000 Subject: [PATCH 35/68] chore(oscsal): update workflows to separate tasks --- .github/workflows/lint-oscal.yaml | 25 ++++++------------------- .github/workflows/test.yaml | 8 ++++++++ tasks.yaml | 8 ++++++++ tasks/test.yaml | 26 +++++++++++++++++--------- 4 files changed, 39 insertions(+), 28 deletions(-) diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 6668a4535..4f1501e1b 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml 
@@ -1,7 +1,9 @@ name: Lint OSCAL Files on: - push: + pull_request: + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] paths: - '**/*oscal*.yaml' @@ -46,24 +48,9 @@ jobs: # checkout for access to the oscal files targeted for linting - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - # setup uds-cli - - name: Use Node.js latest - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 - with: - node-version: 20 - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.11.2 - # will be pinning this when a tag is released - - name: Install Lula - uses: defenseunicorns/lula-action/setup@095636b7880051e11b05f10a582fdd911526161c - with: - # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.4.1 + - name: Environment setup + uses: ./.github/actions/setup # lint the oscal files - name: lint-oscal - run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} + run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} --no-progress shell: bash diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 1f4007991..63da84078 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -62,6 +62,14 @@ jobs: if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-uds-core --set FLAVOR=${{ inputs.flavor }} --no-progress + - name: Validate UDS Core Compliance + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + run: uds run test-compliance-validate --no-progress + + - name: Evaluate UDS Core Compliance + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + run: uds run test-compliance-evaluate --no-progress + - name: Test UDS Core Upgrade if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }} run: uds run test-uds-core-upgrade --set FLAVOR=${{ inputs.flavor }} --no-progress diff --git a/tasks.yaml b/tasks.yaml index 980322fdc..5a55339ac 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -88,6 +88,14 @@ tasks: actions: - task: test:uds-core-upgrade + - name: test-compliance-validate + actions: + - tasks: test:compliance-validate + + - name: test-compliance-evaluate + actions: + - tasks: test:compliance-evaluate + - name: lint-check actions: - task: lint:check diff --git a/tasks/test.yaml b/tasks/test.yaml index 5031c3708..067c207cc 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -32,15 +32,6 @@ tasks: - task: create:k3d-standard-bundle - task: deploy:k3d-standard-bundle - task: validate-packages - - task: compliance:validate - with: - oscalfile: ./compliance/oscal-component.yaml - assessment_results: ./compliance/oscal-assessment-results.yaml - - task: compliance:evaluate - with: - assessment_results: ./compliance/oscal-assessment-results.yaml - - description: copy assessment file to log location - cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml - name: uds-core-upgrade description: "Test an upgrade from the latest released UDS Core package to current branch" 
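Review bot: The two actions added to tasks.yaml use the key `tasks:` (`- tasks: test:compliance-validate`, `- tasks: test:compliance-evaluate`) while every other action in this file uses `task:` (`- task: test:uds-core-upgrade`, `- task: lint:check`), so these entries most likely do not dispatch anything. The referenced names also do not match what the same patch defines in tasks/test.yaml (`@@ -50,3 +41,20 @@`), where the tasks are called `validate-compliance` and `evaluate-compliance`. Since the test.yaml hunk in this patch invokes `uds run test-compliance-validate` and `uds run test-compliance-evaluate` as the compliance gate, the gate would error or no-op rather than validate anything. Suggested: `- task: test:validate-compliance` and `- task: test:evaluate-compliance`.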
@@ -50,3 +41,20 @@ tasks: - task: create:standard-package - task: deploy:standard-package - task: validate-packages + + - name: validate-compliance + description: "validate against the required compliance" + actions: + - task: compliance:validate + with: + oscalfile: ./compliance/oscal-component.yaml + assessment_results: ./compliance/oscal-assessment-results.yaml + + - name: evaluate-compliance + description: "evaluate against the required compliance" + actions: + - task: compliance:evaluate + with: + assessment_results: ./compliance/oscal-assessment-results.yaml + - description: copy assessment file to log location + cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml From f0b1d577e7e597ff241ffa7020ce6e8eda633409 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 3 Jul 2024 20:50:00 +0000 Subject: [PATCH 36/68] chore(oscal): update workflows and composed oscal --- src/istio/oscal-component.yaml | 970 +++++++++++++++++---------------- tasks/test.yaml | 4 +- 2 files changed, 509 insertions(+), 465 deletions(-) diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index bce79cc33..b9faecd76 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml 
@@ -4,30 +4,107 @@ component-definition: - rlinks: - href: https://github.com/istio/istio/ title: Istio Operator - uuid: 60826461-d279-468c-9e4b-614fac44a306 + uuid: 60826461-D279-468C-9E4B-614FAC44A306 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: istioMeshConfig + name: networkPolicies resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." 
+ + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: jwt-authz namespaces: - istio-system - resource: configmaps - version: v1 + resource: authorizationpolicies + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 provider: opa-spec: output: 
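Review bot: In `correct_istiod_policies`, each `policy.spec.egress[_]` and `ports[_]` reference is an independent iteration, so the `istio=pilot` selector, the port and the protocol can be satisfied by different egress rules or port entries of the same NetworkPolicy; a policy that allows `istio=pilot` on some other port alongside an unrelated rule on 15012/TCP is counted as correct and `secure-communication-with-istiod` reports satisfied. Binding the egress rule and the port entry to variables before comparing makes the check prove what its name claims. Separately, this hunk flips the back-matter resource uuid `60826461-...` from lowercase to uppercase hex while every other uuid in the file is lowercase; keeping one case avoids spurious diffs when tooling normalises it.
```yaml
          # Helper to find correct NetworkPolicies
          correct_istiod_policies = {policy |
            policy := input.networkPolicies[_]
            rule := policy.spec.egress[_]
            rule.to[_].podSelector.matchLabels["istio"] == "pilot"
            port := rule.ports[_]
            port.port == expected_istiod_port
            port.protocol == expected_istiod_protocol
          }
```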
@@ -39,25 +116,30 @@ component-definition: # Default policy result default validate = false - default msg = "Logging not enabled or configured" + default msg = "Authorization Policies do not require authentication" - # Check if Istio's Mesh Configuration has logging enabled + # Evaluation for Istio Authorization Policies validate { - logging_enabled.result + result_auth_policy.result } - msg = logging_enabled.msg + msg = result_auth_policy.msg - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" + + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" + msg := "Authorization Policy does not require authentication" } type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + title: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - description: | domain: kubernetes-spec: 
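Review bot: `result_auth_policy` is satisfied as soon as one entry in `input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals` is non-null, but an ALLOW AuthorizationPolicy admits a request when any one of its rules (or any one `from` entry within a rule) matches, so a sibling rule or source without `requestPrincipals` would still permit unauthenticated traffic while `istio-authorization-policies-require-authentication` reports satisfied. Quantifying over every rule and every `from` source with `import future.keywords.every` makes the evidence match the claim; a rule with no `from` at all then fails the check, which is the intended outcome. The check also presumably relies on `spec.action` being ALLOW, which is worth asserting in rego or stating in the validation's empty `description:`. The rego block's `package validate` line sits outside this hunk.
```yaml
            import future.keywords.every
            # … unchanged: defaults, validate, msg …

            result_auth_policy = {"result": true, "msg": msg} {
              input.authorizationPolicy.kind == "AuthorizationPolicy"
              every rule in input.authorizationPolicy.spec.rules {
                every src in rule.from {
                  src.source.requestPrincipals != null
                }
              }
              input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak"
              msg := "Authorization Policy requires authentication for keycloak"
            } else = {"result": false, "msg": msg} {
              msg := "Authorization Policy does not require authentication"
            }
```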
@@ -116,90 +198,81 @@ component-definition: create-resources: null resources: - description: "" - name: pods + name: authorizationPolicies resource-rule: - group: "" + group: security.istio.io name: "" namespaces: [] - resource: pods - version: v1 + resource: authorizationpolicies + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 provider: opa-spec: output: observations: - validate.msg - - validate.exempt_namespaces_msg + - validate.msg_authPolicies validation: validate.validate rego: | package validate - import future.keywords.in # Default policy result default validate = false - default msg = "Not evaluated" + default msg = "Istio RBAC not enforced" - # Check for required Istio and Prometheus annotations + # Evaluation for Istio Authorization Policies validate { - has_prometheus_annotation.result - } - msg = has_prometheus_annotation.msg - - # Check for prometheus annotations in pod spec - no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - - has_prometheus_annotation = {"result": true, "msg": msg} { - count(no_annotation) == 0 - msg := "All pods have correct prometheus annotations." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + count(all_auth_policies) > 0 } - contains_annotation(pod) { - annotations := pod.metadata.annotations - annotations["prometheus.io/scrape"] == "true" - annotations["prometheus.io/path"] != "" - annotations["prometheus.io/port"] == "15020" - } + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - # Exemptions - exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces + msg = "Istio RBAC enforced" { + validate } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) type: opa - title: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - description: | lula-version: "" metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: peerAuths + name: requestAuthentication resource-rule: group: security.istio.io name: "" namespaces: [] - resource: peerauthentications + resource: requestauthentications + version: v1beta1 + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + 
resource: authorizationpolicies version: v1beta1 type: kubernetes lula-version: "" metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + name: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb provider: opa-spec: output: 
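Review bot: `istio-rbac-enforcement-check` defines `validate` as `count(all_auth_policies) > 0`, so it passes as soon as one AuthorizationPolicy of any action or scope exists in any namespace; that evidences the presence of RBAC objects, not that RBAC is enforced, and the `msg` value `Istio RBAC enforced` overstates what was tested. If existence is the intended evidence, say so in the validation's empty `description: |`, for example `description: Confirms at least one Istio AuthorizationPolicy exists in the cluster; does not verify policy scope or action.`; otherwise compare `all_auth_policies` against the expected set (the assessment output earlier on this page lists `istio-system/authservice`, `istio-system/jwt-authz` and `keycloak/keycloak-block-admin-access-from-public-gateway`). Every validation added in this patch carries the same empty `description: |`, which leaves the assessor with only the rego to infer intent. The `metadata.name` `request-authenication-and-auth-policies-configured` (and its `title` in the next hunk) misspells "authentication"; the validation appears to be linked by uuid, so correcting the spelling looks safe.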
@@ -209,41 +282,146 @@ component-definition: rego: | package validate - import future.keywords.every - # Default policy result - default validate = false - default all_strict = false - default msg = "Not evaluated" + default validate := false + default msg := "Not evaluated" + # Validate both RequestAuthentication and AuthorizationPolicy are configured validate { - result_all_strict.result + authorization_policies_exist_and_configured.result + request_authentications_exist_and_configured.result } - msg = concat(" ", [result_all_strict.msg]) + msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." + # Check AuthorizationPolicies exist and are configured + bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicy[_] + authPolicy.kind == "AuthorizationPolicy" + authorization_policy_not_configured(authPolicy) + } + + authorization_policy_not_configured(ap) { + # Check for missing or improperly configured rules + not ap.spec.rules + } + + authorization_policies_exist_and_configured = {"result": true, "msg": msg} { + count(input.authorizationPolicy) > 0 + count(bad_auth_policies) == 0 + msg := "All AuthorizationPolicies properly configured." } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." + count(input.authorizationPolicy) == 0 + msg := "No AuthorizationPolicies found." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) } - type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io + + # Check RequestAuthentications exist and are configured + bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | + ra := input.requestAuthentication[_] + ra.kind == "RequestAuthentication" + request_authentication_not_configured(ra) + } + + request_authentication_not_configured(ra) { + # Check for missing or improperly configured JWT rules + not ra.spec.jwtRules + } + + request_authentications_exist_and_configured = {"result": true, "msg": msg} { + count(input.requestAuthentication) > 0 + count(bad_request_authentications) == 0 + msg := "All RequestAuthentications properly configured." + } else = {"result": false, "msg": msg} { + count(input.requestAuthentication) == 0 + msg := "No RequestAuthentications found." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) + } + type: opa + title: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + + validate { + has_proxyv2_sidecar.result + } + msg = has_proxyv2_sidecar.msg + + # Check for proxyv2 container in pod spec + no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] + + has_proxyv2_sidecar = {"result": true, "msg": msg} { + count(no_proxyv2) == 0 + msg := "All pods have Istio sidecar proxy." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) + } + + contains_proxyv2(pod) { + images := pod.spec.containers[_].image + contains(images, "/proxyv2:") + } + + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io name: "" namespaces: [] resource: gateways 
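Review bot: `contains_proxyv2` accepts any container whose image string contains `/proxyv2:`, regardless of registry, repository or tag, so a pod running an unrelated image from any registry with that path fragment counts as injected for `all-pods-istio-injected`; if the goal is to evidence injection by the mesh, matching the sidecar's container name or the configured hub prefix is a stronger witness (the hub in use is not visible here). `import future.keywords.every` is imported in that rego block but never used and can be dropped. The hard-coded `exempt_namespaces` set (`kube-system`, `istio-system`, `uds-dev-stack`, `zarf`) differs from the twelve namespaces the assessment output earlier on this page reports as exempted for `all-namespaces-istio-injected`; if the two validations are meant to share one exemption policy, sourcing the set from one place avoids drift. The rego for `request-authenication-and-auth-policies-configured` starts in the previous hunk and only its tail is visible here.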
@@ -320,96 +498,166 @@ component-definition: create-resources: null resources: - description: "" - name: networkPolicies + name: gateways resource-rule: - group: networking.k8s.io + group: networking.istio.io name: "" namespaces: [] - resource: networkpolicies - version: v1 + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 provider: opa-spec: output: observations: - - validate.msg_correct - - validate.msg_incorrect + - validate.msg + - validate.msg_actual + - validate.msg_expected validation: validate.validate rego: | package validate - # Default policy result - default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" + import future.keywords.every + import future.keywords.in - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + # default values + default validate = false + default msg = "Not evaluated" - # Validate NetworkPolicy for Istiod in required namespaces validate { - count(required_namespaces - correct_istiod_namespaces) == 0 + check_expected_gw2vs.result } + msg := check_expected_gw2vs.msg + msg_actual := sprintf("Gateways configured: %v. 
VirtualServices using Gateways: %v", [gateways, gateway_virtual_services]) + msg_expected := sprintf("Expected VirtualServices using Gateways: %v", [expected_gw2vs]) - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." + check_expected_gw2vs = {"result": true, "msg": msg} { + every gw in gateways { + gw_uses_vs(gw) + } + msg := "Expected Virtual Services using expected Gateways" + } else = {"result": false, "msg": "Expected Virtual Services not using expected Gateways"} - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + gw_uses_vs(gw) { + expected_vs := expected_gw2vs[gw] + actual_vs := gateway_virtual_services[gw] + count(expected_vs - actual_vs) == 0 + } + gw_uses_vs(gw) { + expected_vs := expected_gw2vs[gw] + actual_vs := gateway_virtual_services[gw] + count(expected_vs) == 0 + count(actual_vs) == 0 } - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] + # Expected admin gateway details + expected_gw2vs := { + "istio-admin-gateway/admin-gateway": { + "keycloak-admin-admin-access-with-optional-client-certificate", + "neuvector-admin-neuvector-8443-neuvector-service-webui", "grafana-admin-grafana-80-grafana", + }, + "istio-passthrough-gateway/passthrough-gateway": [], + 
"istio-tenant-gateway/tenant-gateway": { + "keycloak-tenant-remove-private-paths-from-public-gateway", + "keycloak-tenant-public-auth-access-with-optional-client-certificate", + "keycloak-tenant-emulate-gitlab-authorize-endpoint", "keycloak-tenant-emulate-gitlab-user-endpoint", + "keycloak-tenant-emulate-gitlab-token-endpoint", + }, + } + + # Helper to find Gateways + gateways = {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | + gw := input.gateways[_] + } + + # Helper to find VirtualServices + virtual_services = {vs.metadata.name | + vs := input.virtualServices[_] + } + + # Helper to list VirtualServices using each Gateway + gateway_virtual_services := {gw: {vs.metadata.name | + vs := input.virtualServices[_] + gw_name := vs.spec.gateways[_] + gw_name == gw + } | + gw := gateways[_] } type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + title: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioMeshConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes lula-version: "" metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc provider: opa-spec: + output: + observations: + - validate.msg + validation: validate.validate rego: | package validate - validate := false - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. 
+ # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - description: | lula-version: "" metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - provider: - opa-spec: - rego: | - package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - description: | domain: kubernetes-spec: 
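Review bot: `gw_uses_vs` in the new gateway-configuration-check rego only tests `count(expected_vs - actual_vs) == 0`, so a VirtualService that binds to a gateway but is not listed in `expected_gw2vs` never fails the check — an unexpected route added to `istio-admin-gateway/admin-gateway` would still be reported as "Expected Virtual Services using expected Gateways". Adding `count(actual_vs - expected_vs) == 0` to the first `gw_uses_vs` body (or at least surfacing `actual_vs - expected_vs` in `msg_actual`) makes that exposure visible in the observation. Separately, `"istio-passthrough-gateway/passthrough-gateway": []` is an array while the other values are sets; Rego's `-` is defined for sets and numbers, so `expected_vs - actual_vs` is undefined for that key and only the second `gw_uses_vs` body can ever match it — writing `set()` there makes the intent explicit. The validations list this hunk edits continues outside the hunk.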
@@ -479,186 +727,8 @@ component-definition: msg := "HPA does not have sufficient replicas." } type: opa - title: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_actual - - validate.msg_expected - validation: validate.validate - rego: "package validate\n\nimport future.keywords.every\nimport future.keywords.in\n\n# - default values\ndefault validate = false\ndefault msg = \"Not evaluated\"\n\nvalidate - {\n check_expected_gw2vs.result\n}\nmsg := check_expected_gw2vs.msg\nmsg_actual - := sprintf(\"Gateways configured: %v. 
VirtualServices using Gateways: %v\", - [gateways, gateway_virtual_services])\nmsg_expected := sprintf(\"Expected VirtualServices - using Gateways: %v\", [expected_gw2vs])\n\ncheck_expected_gw2vs = {\"result\": - true, \"msg\": msg} {\n every gw in gateways {\n gw_uses_vs(gw) \n }\n - \ msg := \"Expected Virtual Services using expected Gateways\"\n} else = {\"result\": - false, \"msg\": \"Expected Virtual Services not using expected Gateways\"}\n\ngw_uses_vs(gw) - {\n expected_vs := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n - \ count(expected_vs - actual_vs) == 0\n}\ngw_uses_vs(gw) {\n expected_vs - := expected_gw2vs[gw]\n actual_vs := gateway_virtual_services[gw]\n count(expected_vs) - == 0\n count(actual_vs) == 0\n}\n\n# Expected admin gateway details\nexpected_gw2vs - := {\n \"istio-admin-gateway/admin-gateway\": {\n \"keycloak-admin-admin-access-with-optional-client-certificate\",\n - \ \"neuvector-admin-neuvector-8443-neuvector-service-webui\", \"grafana-admin-grafana-80-grafana\",\n - \ },\n \"istio-passthrough-gateway/passthrough-gateway\": [],\n \"istio-tenant-gateway/tenant-gateway\": - {\n \"keycloak-tenant-remove-private-paths-from-public-gateway\",\n \"keycloak-tenant-public-auth-access-with-optional-client-certificate\",\n - \ \"keycloak-tenant-emulate-gitlab-authorize-endpoint\", \"keycloak-tenant-emulate-gitlab-user-endpoint\",\n - \ \"keycloak-tenant-emulate-gitlab-token-endpoint\",\n },\n}\n\n# Helper - to find Gateways\ngateways = {sprintf(\"%s/%s\", [gw.metadata.namespace, gw.metadata.name]) - |\n gw := input.gateways[_]\n}\n\n# Helper to find VirtualServices\nvirtual_services - = {vs.metadata.name |\n vs := input.virtualServices[_]\n}\n\n# Helper to list - VirtualServices using each Gateway\ngateway_virtual_services := {gw: {vs.metadata.name - |\n vs := input.virtualServices[_]\n gw_name := vs.spec.gateways[_]\n gw_name - == gw\n} |\n gw := gateways[_]\n}\n" - type: opa - title: gateway-configuration-check - uuid: 
b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: jwt-authz - namespaces: - - istio-system - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Authorization Policies do not require authentication" - - # Evaluation for Istio Authorization Policies - validate { - result_auth_policy.result - } - - msg = result_auth_policy.msg - - result_auth_policy = {"result": true, "msg": msg} { - # Check that authorization policy exists and require authentication - input.authorizationPolicy.kind == "AuthorizationPolicy" - - # "require authentication" is defined as having requestPrincipals defined - # and the selector.protect label is set to "keycloak" - input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null - input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" - msg := "Authorization Policy requires authentication for keycloak" - } else = {"result": false, "msg": msg} { - msg := "Authorization Policy does not require authentication" - } - type: opa - title: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicies - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-rbac-enforcement-check - uuid: 
7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_authPolicies - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Istio RBAC not enforced" - - # Evaluation for Istio Authorization Policies - validate { - count(all_auth_policies) > 0 - } - - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - - msg = "Istio RBAC enforced" { - validate - } - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) - type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - - description: | - lula-version: "" - metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - description: | domain: kubernetes-spec: 
@@ -803,39 +873,29 @@ component-definition: type: opa title: check-istio-admin-gateway-and-usage uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - lula-version: "" - metadata: - name: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - title: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: requestAuthentication - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: requestauthentications - version: v1beta1 - - description: "" - name: authorizationPolicy + name: istioConfig resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 type: kubernetes lula-version: "" metadata: - name: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 provider: opa-spec: output: 
@@ -846,81 +906,24 @@ component-definition: package validate # Default policy result - default validate := false - default msg := "Not evaluated" + default validate = false + default msg = "Not evaluated" - # Validate both RequestAuthentication and AuthorizationPolicy are configured + # Validate Istio configuration for metrics logging support validate { - authorization_policies_exist_and_configured.result - request_authentications_exist_and_configured.result - } - - msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) - - # Check AuthorizationPolicies exist and are configured - bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicy[_] - authPolicy.kind == "AuthorizationPolicy" - authorization_policy_not_configured(authPolicy) - } - - authorization_policy_not_configured(ap) { - # Check for missing or improperly configured rules - not ap.spec.rules - } - - authorization_policies_exist_and_configured = {"result": true, "msg": msg} { - count(input.authorizationPolicy) > 0 - count(bad_auth_policies) == 0 - msg := "All AuthorizationPolicies properly configured." - } else = {"result": false, "msg": msg} { - count(input.authorizationPolicy) == 0 - msg := "No AuthorizationPolicies found." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) - } - - # Check RequestAuthentications exist and are configured - bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | - ra := input.requestAuthentication[_] - ra.kind == "RequestAuthentication" - request_authentication_not_configured(ra) - } - - request_authentication_not_configured(ra) { - # Check for missing or improperly configured JWT rules - not ra.spec.jwtRules + check_metrics_enabled.result } + msg = check_metrics_enabled.msg - request_authentications_exist_and_configured = {"result": true, "msg": msg} { - count(input.requestAuthentication) > 0 - count(bad_request_authentications) == 0 - msg := "All RequestAuthentications properly configured." - } else = {"result": false, "msg": msg} { - count(input.requestAuthentication) == 0 - msg := "No RequestAuthentications found." - } else = {"result": false, "msg": msg} { - msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) + check_metrics_enabled = { "result": true, "msg": msg } { + input.istioConfig.enablePrometheusMerge + msg := "Metrics logging supported" + } else = { "result": false, "msg": msg } { + msg := "Metrics logging not supported" } type: opa - title: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb - - description: | - lula-version: "" - metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - provider: - opa-spec: - rego: | - package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) 
- # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 - description: | domain: kubernetes-spec: @@ -937,8 +940,8 @@ component-definition: type: kubernetes lula-version: "" metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e provider: opa-spec: output: 
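Review bot: The new `check_metrics_enabled` rule reports "Metrics logging not supported" whenever `enablePrometheusMerge` is absent from the mesh ConfigMap, because the undefined reference fails the first body and falls through to the else branch; Istio's documented default for an unset `enablePrometheusMerge` is enabled (confirm against the deployed version), so a stock installation would be marked non-compliant. Testing the explicit negative, `input.istioConfig.enablePrometheusMerge == false`, in a false-result body and letting the else branch return true matches the upstream default. It is also worth a comment that this flag only governs merging application metrics into the sidecar's endpoint and is not evidence that metrics are scraped or retained, e.g. `# enablePrometheusMerge controls app+sidecar metric merging, not collection`. The enclosing validation's resource list is defined in the preceding hunk.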
@@ -948,66 +951,100 @@ component-definition: validation: validate.validate rego: | package validate - - import future.keywords.every import future.keywords.in # Default policy result default validate = false default msg = "Not evaluated" - exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - + # Check for required Istio and Prometheus annotations validate { - has_proxyv2_sidecar.result + has_prometheus_annotation.result } - msg = has_proxyv2_sidecar.msg + msg = has_prometheus_annotation.msg - # Check for proxyv2 container in pod spec - no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - has_proxyv2_sidecar = {"result": true, "msg": msg} { - count(no_proxyv2) == 0 - msg := "All pods have Istio sidecar proxy." + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." 
} else = {"result": false, "msg": msg} { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) } - contains_proxyv2(pod) { - images := pod.spec.containers[_].image - contains(images, "/proxyv2:") + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" } + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) is_exempt(pod) { pod.metadata.namespace in exempt_namespaces } type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + - description: | + lula-version: "" + metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + lula-version: "" + metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + provider: + opa-spec: + rego: | + package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) 
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + type: opa + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: istioConfig + name: peerAuths resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb provider: opa-spec: output: 
@@ -1017,25 +1054,32 @@ component-definition: rego: | package validate + import future.keywords.every + # Default policy result default validate = false + default all_strict = false default msg = "Not evaluated" - # Validate Istio configuration for metrics logging support validate { - check_metrics_enabled.result + result_all_strict.result } - msg = check_metrics_enabled.msg - check_metrics_enabled = { "result": true, "msg": msg } { - input.istioConfig.enablePrometheusMerge - msg := "Metrics logging supported" - } else = { "result": false, "msg": msg } { - msg := "Metrics logging not supported" + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." } type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb components: - control-implementations: - description: Controls implemented by Istio and authservice that are inherited by applications @@ -1437,7 +1481,7 @@ component-definition: type: software uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 metadata: - last-modified: 2024-06-19T04:24:37.102736858Z + last-modified: 2024-07-03T19:55:08.722498301Z oscal-version: 1.1.2 parties: - links: diff --git a/tasks/test.yaml b/tasks/test.yaml index 067c207cc..7c80d3bc4 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -42,7 +42,7 @@ tasks: - task: deploy:standard-package - task: validate-packages - - name: validate-compliance + - name: compliance-validate description: "validate against the required compliance" actions: - task: compliance:validate 
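Review bot: `contains_annotation` in istio-prometheus-annotations-validation pins `prometheus.io/port` to the literal `"15020"` with no explanation; the value presumably is the istio-agent port that serves the merged application and sidecar metrics, and without a comment a reader will take it for an arbitrary number. Suggest `# 15020: istio-agent merged-metrics port; pods that expose metrics only on an app port fail this check by design` above the comparison, confirming the intent. The hard-coded `exempt_namespaces` set is now duplicated into this policy as well; a one-line comment on why each namespace is exempt from the annotation requirement (notably `uds-dev-stack`) would help anyone auditing the `exempt_namespaces_msg` observation.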
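Review bot: `result_all_strict` passes vacuously when no PeerAuthentication exists, because `every` over an empty `input.peerAuths` is true, so a mesh with no policy at all (Istio's default PERMISSIVE mode) is reported as "All PeerAuthentications have mtls mode set to STRICT."; add `count(input.peerAuths) > 0` as the first line of that body. The rule also reads only `spec.mtls.mode`, so a STRICT policy that carries a `portLevelMtls` entry set to PERMISSIVE or DISABLE still passes — either evaluate that map too or note the gap in a comment so the observation is not over-read. `default all_strict = false` is declared but never referenced and can be dropped, and `msg = concat(" ", [result_all_strict.msg])` wraps a single string and could simply be `msg = result_all_strict.msg`. The `peerAuths` resource this rego consumes is declared in the preceding hunk.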
@@ -50,7 +50,7 @@ tasks: oscalfile: ./compliance/oscal-component.yaml assessment_results: ./compliance/oscal-assessment-results.yaml - - name: evaluate-compliance + - name: compliance-evaluate description: "evaluate against the required compliance" actions: - task: compliance:evaluate From 733d70bc09b1d6e6488724b791449d4e026cfc79 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 3 Jul 2024 22:40:56 +0000 Subject: [PATCH 37/68] fix(oscal): update task syntax --- tasks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index 5a55339ac..a517d5550 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -90,11 +90,11 @@ tasks: - name: test-compliance-validate actions: - - tasks: test:compliance-validate + - task: test:compliance-validate - name: test-compliance-evaluate actions: - - tasks: test:compliance-evaluate + - task: test:compliance-evaluate - name: lint-check actions: From 902e73514d6743f7d7ce39aef5e861f20bcb1f07 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 8 Jul 2024 18:03:29 +0000 Subject: [PATCH 38/68] fix(oscal): decouple file extraction for CI --- .github/workflows/test.yaml | 4 ++++ tasks/test.yaml | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 63da84078..03f71c2b5 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -70,6 +70,10 @@ jobs: if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-compliance-evaluate --no-progress + - name: Store UDS Core Compliance Assessment Results + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + run: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml + - name: Test UDS Core Upgrade if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }} run: uds run test-uds-core-upgrade --set FLAVOR=${{ inputs.flavor }} --no-progress 
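Review bot: The new "Store UDS Core Compliance Assessment Results" step in .github/workflows/test.yaml runs only when every earlier step succeeded, so when `uds run test-compliance-evaluate` fails — the case in which the assessment file matters most — nothing is copied; `if: ${{ always() && inputs.package == 'all' && inputs.test_type == 'install' }}` keeps the copy on failure. `/tmp` on a hosted runner does not outlive the job, so unless a later step collects that path (the task removed from tasks/test.yaml in this commit called it the "log location", so presumably one does), the file is lost; an explicit upload step would make the retention visible in the workflow itself.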
diff --git a/tasks/test.yaml b/tasks/test.yaml index 7c80d3bc4..446348e0b 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -56,5 +56,3 @@ tasks: - task: compliance:evaluate with: assessment_results: ./compliance/oscal-assessment-results.yaml - - description: copy assessment file to log location - cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml From 79e76e3b9195da7dc8d18096313a0977a38d51c2 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 8 Jul 2024 23:38:48 +0000 Subject: [PATCH 39/68] fix(actions): update actions to include continue and notify --- .github/actions/notify-lula/action.yaml | 43 +++++++++++++++++++++++++ .github/workflows/test.yaml | 11 +++++++ 2 files changed, 54 insertions(+) create mode 100644 .github/actions/notify-lula/action.yaml diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml new file mode 100644 index 000000000..a8c21bfb9 --- /dev/null +++ b/.github/actions/notify-lula/action.yaml 
@@ -0,0 +1,43 @@ +name: Notify Lula +description: "Comment on PR to notify Lula Team" + +inputs: + state: + description: 'state of the comment update' + required: true + default: '' + flavor: + description: 'flavor of the comment update' + required: true + default: '' + +runs: + using: composite + steps: + - name: Find Comment + uses: peter-evans/find-comment@v3 + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: Compliance ${{ inputs.flavor }} Evaluation + + - name: Create comment + if: ${{ steps.fc.outputs.comment-id == '' && inputs.state == 'failure'}} + uses: peter-evans/create-or-update-comment@v4 + with: + issue-number: ${{ github.event.pull_request.number }} + body: | + Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} + + CC: @defenseunicorns/lula-dev + + - name: Update comment + if: ${{ steps.fc.outputs.comment-id != '' }} + uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + body: | + Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} + + CC: @defenseunicorns/lula-dev diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 03f71c2b5..d2c1bb32f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
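Review bot: The composite action creates and updates PR comments, which requires the calling job to grant `pull-requests: write`; on `pull_request` events from forks the default GITHUB_TOKEN is read-only, so the comment steps will fail there, and that prerequisite belongs in the action's `description` or a comment above `runs:`. Declaring `required: true` together with `default: ''` on both inputs makes them effectively optional — a caller that omits `state` posts "Compliance <flavor> Evaluation: " instead of failing — so either drop the defaults or validate the inputs in a first step. The two identical `body:` blocks could be expressed once (for example via a step-level `env` value) so the comment text has a single source.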
@@ -67,8 +67,19 @@ jobs: run: uds run test-compliance-validate --no-progress - name: Evaluate UDS Core Compliance + id: compliance-evaluation if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-compliance-evaluate --no-progress + continue-on-error: true + + # steps in this action only run when there has been a previous failure - will indicate success thereafter + # need to think about how much noise this could create - noise currently = good + - name: Notify Lula Team of Compliance Assessment Results + if: ${{ always() }} + uses: ./.github/actions/notify-lula + with: + state: ${{ steps.compliance-evaluation.conclusion }} + flavor: ${{ inputs.flavor }} - name: Store UDS Core Compliance Assessment Results if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} From 090548f7848e8bf52c369c22f3cbec5c93818ec2 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Mon, 8 Jul 2024 23:41:28 +0000 Subject: [PATCH 40/68] fix(actions): pin actions to tag commit hash --- .github/actions/notify-lula/action.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index a8c21bfb9..d5e29c4f4 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -15,7 +15,7 @@ runs: using: composite steps: - name: Find Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 id: fc with: issue-number: ${{ github.event.pull_request.number }} @@ -24,7 +24,7 @@ runs: - name: Create comment if: ${{ steps.fc.outputs.comment-id == '' && inputs.state == 'failure'}} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.pull_request.number }} body: | 
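Review bot: `state: ${{ steps.compliance-evaluation.conclusion }}` will never equal `failure` once `continue-on-error: true` is set on that step, because `conclusion` is the result after continue-on-error is applied (always `success`) while `outcome` holds the real result; the Create-comment branch in notify-lula is gated on `inputs.state == 'failure'`, so it can never fire. Use `state: ${{ steps.compliance-evaluation.outcome }}`. With `if: ${{ always() }}` the notify step also runs when the evaluation step was skipped (package != 'all' or test_type != 'install') and would report `skipped`; `if: ${{ always() && inputs.package == 'all' && inputs.test_type == 'install' }}` limits it to runs that actually evaluated. Note too that `continue-on-error` makes a compliance failure non-blocking for the PR check; that reads as intentional given the PLACEHOLDER validations, but the existing comment above the step should say so.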
@@ -34,7 +34,7 @@ runs: - name: Update comment if: ${{ steps.fc.outputs.comment-id != '' }} - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.fc.outputs.comment-id }} body: | From 9d9ead84a7df9c9d0a08caed1b856fdabc565829 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 02:45:55 +0000 Subject: [PATCH 41/68] fix(actions): yamllint fix --- .github/actions/notify-lula/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index d5e29c4f4..69dd25985 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -32,7 +32,7 @@ runs: CC: @defenseunicorns/lula-dev - - name: Update comment + - name: Update comment if: ${{ steps.fc.outputs.comment-id != '' }} uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: From a00c68eb3cbc728c0b593dbd3fd42254f173f558 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 03:08:56 +0000 Subject: [PATCH 42/68] chore(oscal): update istio oscal --- src/istio/oscal-component.yaml | 1004 +++++++++++++++----------------- 1 file changed, 484 insertions(+), 520 deletions(-) diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index b9faecd76..be31938dc 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml 
@@ -11,135 +11,207 @@ component-definition: create-resources: null resources: - description: "" - name: networkPolicies + name: istioConfig resource-rule: - group: networking.k8s.io - name: "" - namespaces: [] - resource: networkpolicies + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps version: v1 type: kubernetes lula-version: "" metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 provider: opa-spec: output: observations: - - validate.msg_correct - - validate.msg_incorrect + - validate.msg validation: validate.validate rego: | package validate # Default policy result default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" - - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + default msg = "Not evaluated" - # Validate NetworkPolicy for Istiod in required namespaces + # Validate Istio configuration for metrics logging support validate { - count(required_namespaces - correct_istiod_namespaces) == 0 - } - - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." 
- - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + check_metrics_enabled.result } + msg = check_metrics_enabled.msg - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] + check_metrics_enabled = { "result": false, "msg": msg } { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } { + msg := "Metrics logging supported." } type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 - description: | lula-version: "" metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed provider: opa-spec: + output: + observations: + - validate.msg + - validate.msg_exempt + validation: validate.validate rego: | package validate - validate := false + import future.keywords.every - # Check on destination rule, outlier detection? 
- # -> Doesn't appear that UDS is configured to create destination rules. + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_gateways_allowed.result + } + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 + } else = {"result": false, "msg": msg} { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: authorizationPolicy + name: gateways resource-rule: - group: security.istio.io - name: jwt-authz 
- namespaces: - - istio-system - resource: authorizationpolicies + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways version: v1beta1 type: kubernetes lula-version: "" metadata: - name: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 provider: opa-spec: output: observations: - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways validation: validate.validate rego: | package validate + import rego.v1 - # Default policy result - default validate = false - default msg = "Authorization Policies do not require authentication" + # default values + default validate := false + default msg := "Not evaluated" - # Evaluation for Istio Authorization Policies - validate { - result_auth_policy.result + validate if { + check_expected_gw.result + check_all_gw_found.result } - msg = result_auth_policy.msg + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." 
+ } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } - result_auth_policy = {"result": true, "msg": msg} { - # Check that authorization policy exists and require authentication - input.authorizationPolicy.kind == "AuthorizationPolicy" + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } - # "require authentication" is defined as having requestPrincipals defined - # and the selector.protect label is set to "keycloak" - input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null - input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" - msg := "Authorization Policy requires authentication for keycloak" - } else = {"result": false, "msg": msg} { - msg := "Authorization Policy does not require authentication" + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) } type: opa - title: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + title: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - description: | domain: kubernetes-spec: 
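Review bot: `gateway-configuration-check` classifies gateways by substring — `gw_in_list` uses `contains(gw.metadata.name, allowed[_])` and `actual_allowed` applies `contains(g, s)` to the whole `namespace/name` string — so any gateway whose name or namespace merely contains `admin`, `tenant` or `passthrough` counts as allowed, and a gateway named `foo` in `istio-admin-gateway` already satisfies the `admin` requirement. The file names the expected objects exactly elsewhere (`istio-admin-gateway/admin-gateway`, `istio-tenant-gateway/tenant-gateway`, `istio-passthrough-gateway/passthrough-gateway`), so `allowed` can hold those full `namespace/name` strings with `allowed_gateways := gateways & allowed` and `actual_allowed := gateways & allowed`, and `gw_in_list` can be dropped. Separately, `check_metrics_enabled` in `istio-metrics-logging-configured` only fails when `enablePrometheusMerge == false` is literally present, so a missing key or an unparsed `.data.mesh` falls through to "Metrics logging supported."; if an explicit setting is required, test `input.istioConfig.enablePrometheusMerge == true` in the positive branch, otherwise document the fall-through in a comment.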
@@ -198,48 +270,65 @@ component-definition: create-resources: null resources: - description: "" - name: authorizationPolicies + name: pods resource-rule: - group: security.istio.io + group: "" name: "" namespaces: [] - resource: authorizationpolicies - version: v1beta1 + resource: pods + version: v1 type: kubernetes lula-version: "" metadata: - name: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e provider: opa-spec: output: observations: - validate.msg - - validate.msg_authPolicies + - validate.exempt_namespaces_msg validation: validate.validate rego: | package validate + import future.keywords.in # Default policy result default validate = false - default msg = "Istio RBAC not enforced" + default msg = "Not evaluated" - # Evaluation for Istio Authorization Policies + # Check for required Istio and Prometheus annotations validate { - count(all_auth_policies) > 0 + has_prometheus_annotation.result } + msg = has_prometheus_annotation.msg - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - msg = "Istio RBAC enforced" { - validate + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." 
+ } else = {"result": false, "msg": msg} { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces } - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e - description: | lula-version: "" metadata: 
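Review bot: Every validation in this hunk, and in the other hunks of this file, carries an empty `description: |`, so the OSCAL output says nothing about what `istio-prometheus-annotations-validation` asserts or why four namespaces are exempt; a one-line description such as `Checks that every pod outside the exempt namespaces carries the prometheus.io scrape annotations (port 15020) that Istio presumably sets when prometheus merge is enabled` would make the assessment self-explaining. The exemption is by namespace only, so a pod in `kube-system`, `istio-system`, `uds-dev-stack` or `zarf` is never inspected even if it is meshed, while a deliberately un-injected pod anywhere else is reported; `exempt_namespaces` deserves a comment stating that it lists namespaces intentionally outside the mesh.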
@@ -248,261 +337,164 @@ component-definition: title: authorized-traffic-egress-PLACEHOLDER uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: requestAuthentication - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: requestauthentications - version: v1beta1 - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes lula-version: "" metadata: - name: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 provider: opa-spec: - output: - observations: - - validate.msg - validation: validate.validate rego: | package validate - - # Default policy result default validate := false - default msg := "Not evaluated" - - # Validate both RequestAuthentication and AuthorizationPolicy are configured - validate { - authorization_policies_exist_and_configured.result - request_authentications_exist_and_configured.result - } - - msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) - - # Check AuthorizationPolicies exist and are configured - bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicy[_] - authPolicy.kind == "AuthorizationPolicy" - authorization_policy_not_configured(authPolicy) - } - - authorization_policy_not_configured(ap) { - # Check for missing or improperly configured rules - not ap.spec.rules - } - - authorization_policies_exist_and_configured = {"result": true, "msg": msg} { - count(input.authorizationPolicy) > 0 - count(bad_auth_policies) == 0 - msg := "All AuthorizationPolicies properly configured." 
- } else = {"result": false, "msg": msg} { - count(input.authorizationPolicy) == 0 - msg := "No AuthorizationPolicies found." - } else = {"result": false, "msg": msg} { - msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) - } - - # Check RequestAuthentications exist and are configured - bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | - ra := input.requestAuthentication[_] - ra.kind == "RequestAuthentication" - request_authentication_not_configured(ra) - } - - request_authentication_not_configured(ra) { - # Check for missing or improperly configured JWT rules - not ra.spec.jwtRules - } - - request_authentications_exist_and_configured = {"result": true, "msg": msg} { - count(input.requestAuthentication) > 0 - count(bad_request_authentications) == 0 - msg := "All RequestAuthentications properly configured." - } else = {"result": false, "msg": msg} { - count(input.requestAuthentication) == 0 - msg := "No RequestAuthentications found." - } else = {"result": false, "msg": msg} { - msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) - } + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) 
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) type: opa - title: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - description: | lula-version: "" metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: pods + name: namespaces resource-rule: group: "" name: "" namespaces: [] - resource: pods + resource: namespaces version: v1 type: kubernetes lula-version: "" metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f provider: opa-spec: output: observations: - validate.msg - - validate.exempt_namespaces_msg + - validate.exempted_namespaces_msg validation: validate.validate rego: | package validate - import future.keywords.every import future.keywords.in - # Default policy result default validate = false default msg = "Not evaluated" - exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - + # Validation validate { - has_proxyv2_sidecar.result + check_non_istio_injected_namespaces.result } - msg = has_proxyv2_sidecar.msg - - # Check for proxyv2 container in pod spec 
- no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] + msg = check_non_istio_injected_namespaces.msg + exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) - has_proxyv2_sidecar = {"result": true, "msg": msg} { - count(no_proxyv2) == 0 - msg := "All pods have Istio sidecar proxy." - } else = {"result": false, "msg": msg} { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) - } + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} - contains_proxyv2(pod) { - images := pod.spec.containers[_].image - contains(images, "/proxyv2:") + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces } - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) } type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + title: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: gateways + name: authorizationPolicy resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways + group: 
security.istio.io + name: jwt-authz + namespaces: + - istio-system + resource: authorizationpolicies version: v1beta1 type: kubernetes lula-version: "" metadata: - name: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 provider: opa-spec: output: observations: - validate.msg - - validate.msg_exempt validation: validate.validate rego: | package validate - import future.keywords.every + # Default policy result default validate = false - default msg = "Not evaluated" + default msg = "Authorization Policies do not require authentication" - # Validation + # Evaluation for Istio Authorization Policies validate { - check_gateways_allowed.result - } - msg := check_gateways_allowed.msg - msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - - # Collect gateways that do not encrypt ingress traffic - gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | - gateway := input.gateways[_]; - not allowed_gateway(gateway) - } - - check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { - count(gateways_disallowed) == 0 - } else = {"result": false, "msg": msg} { - msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) - } - - # Check allowed gateway - allowed_gateway(gateway) { - every server in gateway.spec.servers { - allowed_server(server) - } + result_auth_policy.result } - exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} - allowed_gateway(gateway) { - sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways - # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic - # Find all virtual services that use this gateway - # Check that vs has https scheme - } + msg = result_auth_policy.msg - # Check allowed server 
spec in gateway - allowed_server(server) { - server.port.protocol == "HTTP" - server.tls.httpsRedirect == true - } + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" - allowed_server(server) { - server.port.protocol == "HTTPS" - server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" + } else = {"result": false, "msg": msg} { + msg := "Authorization Policy does not require authentication" } type: opa - title: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + title: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: gateways + name: adminGateway resource-rule: group: networking.istio.io - name: "" - namespaces: [] + name: admin-gateway + namespaces: + - istio-admin-gateway resource: gateways version: v1beta1 - description: "" 
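Review bot: In `istio-authorization-policies-require-authentication` the check `input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null` is existential, so the policy passes as soon as one `from` source names request principals, even if another rule in the same policy has no `from` block and admits unauthenticated traffic. Requiring it of every rule (`every rule in input.authorizationPolicy.spec.rules { every f in rule.from { f.source.requestPrincipals != null } }`, with `import future.keywords.every`) matches the comment's own definition of "require authentication". In `all-namespaces-istio-injected`, `default` is in `exempted_namespaces`, so workloads deployed to the default namespace are never required to be injected; if that is deliberate, a comment on the set should say why. Both validations are moved here unchanged from elsewhere in the file, and the resource list after the last line continues outside the hunk.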
@@ -516,88 +508,63 @@ component-definition: type: kubernetes lula-version: "" metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e provider: opa-spec: output: observations: - validate.msg - - validate.msg_actual - - validate.msg_expected validation: validate.validate rego: | package validate - import future.keywords.every - import future.keywords.in + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) - # default values + # Default policy result default validate = false + default admin_gw_exists = false + default admin_vs_match = false default msg = "Not evaluated" validate { - check_expected_gw2vs.result + result_admin_gw_exixts.result + result_admin_vs_match.result } - msg := check_expected_gw2vs.msg - msg_actual := sprintf("Gateways configured: %v. 
VirtualServices using Gateways: %v", [gateways, gateway_virtual_services]) - msg_expected := sprintf("Expected VirtualServices using Gateways: %v", [expected_gw2vs]) - check_expected_gw2vs = {"result": true, "msg": msg} { - every gw in gateways { - gw_uses_vs(gw) - } - msg := "Expected Virtual Services using expected Gateways" - } else = {"result": false, "msg": "Expected Virtual Services not using expected Gateways"} + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - gw_uses_vs(gw) { - expected_vs := expected_gw2vs[gw] - actual_vs := gateway_virtual_services[gw] - count(expected_vs - actual_vs) == 0 - } - gw_uses_vs(gw) { - expected_vs := expected_gw2vs[gw] - actual_vs := gateway_virtual_services[gw] - count(expected_vs) == 0 - count(actual_vs) == 0 + result_admin_gw_exixts = {"result": true, "msg": msg} { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := "Admin gateway exists." + } else = {"result": false, "msg": msg} { + msg := "Admin gateway does not exist." 
} - # Expected admin gateway details - expected_gw2vs := { - "istio-admin-gateway/admin-gateway": { - "keycloak-admin-admin-access-with-optional-client-certificate", - "neuvector-admin-neuvector-8443-neuvector-service-webui", "grafana-admin-grafana-80-grafana", - }, - "istio-passthrough-gateway/passthrough-gateway": [], - "istio-tenant-gateway/tenant-gateway": { - "keycloak-tenant-remove-private-paths-from-public-gateway", - "keycloak-tenant-public-auth-access-with-optional-client-certificate", - "keycloak-tenant-emulate-gitlab-authorize-endpoint", "keycloak-tenant-emulate-gitlab-user-endpoint", - "keycloak-tenant-emulate-gitlab-token-endpoint", - }, + result_admin_vs_match = {"result": true, "msg": msg}{ + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. 
Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) } - # Helper to find Gateways - gateways = {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | - gw := input.gateways[_] - } + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - # Helper to find VirtualServices - virtual_services = {vs.metadata.name | - vs := input.virtualServices[_] - } + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - # Helper to list VirtualServices using each Gateway - gateway_virtual_services := {gw: {vs.metadata.name | - vs := input.virtualServices[_] - gw_name := vs.spec.gateways[_] - gw_name == gw - } | - gw := gateways[_] - } + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} type: opa - title: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + title: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - description: | domain: kubernetes-spec: 
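Review bot: The rule name `result_admin_gw_exixts` (four occurrences in this hunk) misspells "exists", and `default admin_gw_exists = false` / `default admin_vs_match = false` declare defaults for rules that nothing defines or reads; renaming to `result_admin_gw_exists` and dropping the two unused defaults leaves only the rules `validate` and `msg` actually use. The contract enforced — every VirtualService whose name contains `admin` must bind `istio-admin-gateway/admin-gateway` and no other VirtualService may — is spread over three comprehensions, so a header comment stating it in one sentence would help the next reader. The validation's resource list begins outside the hunk.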
@@ -654,10 +621,17 @@ component-definition: - description: | lula-version: "" metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - description: | domain: kubernetes-spec: 
@@ -735,89 +709,144 @@ component-definition: create-resources: null resources: - description: "" - name: namespaces + name: peerAuths resource-rule: - group: "" + group: security.istio.io name: "" namespaces: [] - resource: namespaces - version: v1 + resource: peerauthentications + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb provider: opa-spec: output: observations: - validate.msg - - validate.exempted_namespaces_msg validation: validate.validate rego: | package validate + import future.keywords.every - import future.keywords.in + # Default policy result default validate = false + default all_strict = false default msg = "Not evaluated" - # Validation validate { - check_non_istio_injected_namespaces.result + result_all_strict.result } - msg = check_non_istio_injected_namespaces.msg - exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) - # List of exempted namespaces - exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", - "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", - "uds-dev-stack", "uds-policy-exemptions", "zarf"} - - # Collect non-Istio-injected namespaces - non_istio_injected_namespaces := {ns.metadata.name | - ns := input.namespaces[_] - ns.kind == "Namespace" - not ns.metadata.labels["istio-injection"] == "enabled" - not ns.metadata.name in exempted_namespaces - } + msg = concat(" ", [result_all_strict.msg]) - # Check no non-Istio-injected namespaces - check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { - count(non_istio_injected_namespaces) == 0 - } else = { "result": false, "msg": msg } { - msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + # Rego policy logic to 
evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." } type: opa - title: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: adminGateway + name: networkPolicies resource-rule: - group: networking.istio.io - name: admin-gateway - namespaces: - - istio-admin-gateway - resource: gateways + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + 
count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: requestAuthentication + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: requestauthentications version: v1beta1 - description: "" - name: virtualServices + name: authorizationPolicy resource-rule: - group: networking.istio.io + group: security.istio.io name: "" namespaces: [] - resource: virtualservices + resource: authorizationpolicies version: v1beta1 type: kubernetes lula-version: "" metadata: - name: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + name: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb provider: opa-spec: output: 
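Review bot: `result_all_strict` in `enforce-mtls-strict` uses `every peerAuthentication in input.peerAuths { ... }`, which is vacuously true when no PeerAuthentication exists, so a mesh with none at all (where Istio's default is PERMISSIVE) reports "All PeerAuthentications have mtls mode set to STRICT."; add `count(input.peerAuths) > 0` to the rule body. The check also reads only `spec.mtls.mode`, so a STRICT policy carrying `spec.portLevelMtls` entries set to PERMISSIVE or DISABLE still passes; either assert that `portLevelMtls` is absent or iterate its modes as well, and `default all_strict = false` is unused and can go. In the moved `secure-communication-with-istiod`, the three `policy.spec.egress[_]` lookups in `correct_istiod_policies` are independent, so the `istio: pilot` selector, the port and the protocol may each be satisfied by a different egress rule — binding one rule (`rule := policy.spec.egress[_]`) and reading `rule.to[_]` and `rule.ports[_]` ties them together.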
@@ -827,103 +856,82 @@ component-definition:
 rego: |
 package validate
- # Expected admin gateway details
- expected_gateway := "admin-gateway"
- expected_gateway_namespace := "istio-admin-gateway"
- expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway])
- # Default policy result
- default validate = false
- default admin_gw_exists = false
- default admin_vs_match = false
- default msg = "Not evaluated"
+ default validate := false
+ default msg := "Not evaluated"
+ # Validate both RequestAuthentication and AuthorizationPolicy are configured
 validate {
- result_admin_gw_exixts.result
- result_admin_vs_match.result
+ authorization_policies_exist_and_configured.result
+ request_authentications_exist_and_configured.result
 }
- msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg])
+ msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg])
- result_admin_gw_exixts = {"result": true, "msg": msg} {
- input.adminGateway.kind == "Gateway"
- input.adminGateway.metadata.name == expected_gateway
- input.adminGateway.metadata.namespace == expected_gateway_namespace
- msg := "Admin gateway exists."
- } else = {"result": false, "msg": msg} {
- msg := "Admin gateway does not exist."
+ # Check AuthorizationPolicies exist and are configured
+ bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) |
+ authPolicy := input.authorizationPolicy[_]
+ authPolicy.kind == "AuthorizationPolicy"
+ authorization_policy_not_configured(authPolicy)
 }
- result_admin_vs_match = {"result": true, "msg": msg}{
- count(admin_vs-admin_vs_using_gateway) == 0
- count(all_vs_using_gateway-admin_vs_using_gateway) == 0
- msg := "Admin virtual services are using admin gateway."
+ authorization_policy_not_configured(ap) {
+ # Check for missing or improperly configured rules
+ not ap.spec.rules
+ }
+
+ authorization_policies_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.authorizationPolicy) > 0
+ count(bad_auth_policies) == 0
+ msg := "All AuthorizationPolicies properly configured."
 } else = {"result": false, "msg": msg} {
- msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)])
+ count(input.authorizationPolicy) == 0
+ msg := "No AuthorizationPolicies found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)])
 }
- # Count admin virtual services
- admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")}
+ # Check RequestAuthentications exist and are configured
+ bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) |
+ ra := input.requestAuthentication[_]
+ ra.kind == "RequestAuthentication"
+ request_authentication_not_configured(ra)
+ }
- # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin")
- admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name}
+ request_authentication_not_configured(ra) {
+ # Check for missing or improperly configured JWT rules
+ not ra.spec.jwtRules
+ }
- # Count all VirtualServices using the admin gateway
- all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name}
+ request_authentications_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.requestAuthentication) > 0
+ count(bad_request_authentications) == 0
+ msg := "All RequestAuthentications properly configured."
+ } else = {"result": false, "msg": msg} {
+ count(input.requestAuthentication) == 0
+ msg := "No RequestAuthentications found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)])
+ }
 type: opa
- title: check-istio-admin-gateway-and-usage
- uuid: c6c9daf1-4196-406d-8679-312c0512ab2e
+ title: request-authenication-and-auth-policies-configured
+ uuid: 3e217577-930e-4469-a999-1a5704b5cecb
 - description: |
- domain:
- kubernetes-spec:
- create-resources: null
- resources:
- - description: ""
- name: istioConfig
- resource-rule:
- field:
- base64: false
- jsonpath: .data.mesh
- type: yaml
- group: ""
- name: istio
- namespaces:
- - istio-system
- resource: configmaps
- version: v1
- type: kubernetes
 lula-version: ""
 metadata:
- name: istio-metrics-logging-configured
- uuid: 70d99754-2918-400c-ac9a-319f874fff90
+ name: communications-terminated-after-inactivity-PLACEHOLDER
+ uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622
 provider:
 opa-spec:
- output:
- observations:
- - validate.msg
- validation: validate.validate
 rego: |
 package validate
+ validate := false
- # Default policy result
- default validate = false
- default msg = "Not evaluated"
-
- # Validate Istio configuration for metrics logging support
- validate {
- check_metrics_enabled.result
- }
- msg = check_metrics_enabled.msg
-
- check_metrics_enabled = { "result": true, "msg": msg } {
- input.istioConfig.enablePrometheusMerge
- msg := "Metrics logging supported"
- } else = { "result": false, "msg": msg } {
- msg := "Metrics logging not supported"
- }
+ # Check on destination rule, outlier detection?
+ # -> Doesn't appear that UDS is configured to create destination rules.
type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - description: | domain: kubernetes-spec: @@ -940,8 +948,8 @@ component-definition: type: kubernetes lula-version: "" metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 provider: opa-spec: output: 
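Review bot: `authorization_policy_not_configured(ap) { not ap.spec.rules }` treats a policy with no `rules` as misconfigured, but an AuthorizationPolicy whose action is ALLOW (the default when `action` is unset) and has no rules is Istio's deny-all policy, so the most restrictive policy an operator can write fails this validation. The case worth flagging is a DENY or CUSTOM policy without rules, which never matches anything, e.g. `authorization_policy_not_configured(ap) { not ap.spec.rules; object.get(ap.spec, "action", "ALLOW") != "ALLOW" }`. Both checks also only prove that some policy exists somewhere (`count(input.authorizationPolicy) > 0`), not that workloads are covered, which is worth stating in the `description` so the finding is not read as mesh-wide coverage. `request-authenication-and-auth-policies-configured` is misspelled in both `metadata.name` and `title`; since the name and uuid propagate into the assessment results, renaming it now is cheaper than later.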
@@ -951,135 +959,91 @@ component-definition:
 validation: validate.validate
 rego: |
 package validate
+
+ import future.keywords.every
 import future.keywords.in
 # Default policy result
 default validate = false
 default msg = "Not evaluated"
- # Check for required Istio and Prometheus annotations
+ exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"}
+ exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)])
+
 validate {
- has_prometheus_annotation.result
+ has_proxyv2_sidecar.result
 }
- msg = has_prometheus_annotation.msg
+ msg = has_proxyv2_sidecar.msg
- # Check for prometheus annotations in pod spec
- no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)]
+ # Check for proxyv2 container in pod spec
+ no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)]
- has_prometheus_annotation = {"result": true, "msg": msg} {
- count(no_annotation) == 0
- msg := "All pods have correct prometheus annotations."
+ has_proxyv2_sidecar = {"result": true, "msg": msg} {
+ count(no_proxyv2) == 0
+ msg := "All pods have Istio sidecar proxy."
 } else = {"result": false, "msg": msg} {
- msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)])
+ msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)])
 }
- contains_annotation(pod) {
- annotations := pod.metadata.annotations
- annotations["prometheus.io/scrape"] == "true"
- annotations["prometheus.io/path"] != ""
- annotations["prometheus.io/port"] == "15020"
+ contains_proxyv2(pod) {
+ images := pod.spec.containers[_].image
+ contains(images, "/proxyv2:")
 }
- # Exemptions
- exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"}
- exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)])
 is_exempt(pod) {
 pod.metadata.namespace in exempt_namespaces
 }
 type: opa
- title: istio-prometheus-annotations-validation
- uuid: f345c359-3208-46fb-9348-959bd628301e
- - description: |
- lula-version: ""
- metadata:
- name: egress-gateway-exists-and-configured-PLACEHOLDER
- uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9
- title: egress-gateway-exists-and-configured-PLACEHOLDER
- uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9
- - description: |
- lula-version: ""
- metadata:
- name: external-traffic-managed-PLACEHOLDER
- uuid: 19faf69a-de74-4b78-a628-64a9f244ae13
- provider:
- opa-spec:
- rego: |
- package validate
- default validate := false
- # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY)
- # Possibly would need a ServiceEntry(?)
- # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - - description: | - lula-version: "" - metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - provider: - opa-spec: - rego: | - package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: peerAuths + name: authorizationPolicies resource-rule: group: security.istio.io name: "" namespaces: [] - resource: peerauthentications + resource: authorizationpolicies version: v1beta1 type: kubernetes lula-version: "" metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 provider: opa-spec: output: observations: - validate.msg + - validate.msg_authPolicies validation: validate.validate rego: | package validate - import future.keywords.every - # Default policy result default validate = false - default all_strict = false - default msg = "Not evaluated" + default msg = "Istio RBAC not enforced" + # Evaluation for Istio Authorization Policies validate { - result_all_strict.result + count(all_auth_policies) > 0 } - msg = concat(" ", [result_all_strict.msg]) + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to 
STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." - } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." + msg = "Istio RBAC enforced" { + validate } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 components: - control-implementations: - description: Controls implemented by Istio and authservice that are inherited by applications @@ -1481,7 +1445,7 @@ component-definition: type: software uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 metadata: - last-modified: 2024-07-03T19:55:08.722498301Z + last-modified: 2024-07-09T03:01:34.669670714Z oscal-version: 1.1.2 parties: - links: From e2c0a5e095a9c8d02ec3f95537f193eb114cdfad Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 03:39:03 +0000 Subject: [PATCH 43/68] chore(oscal): update to new threshold --- compliance/oscal-assessment-results.yaml | 1394 +++++++++++----------- 1 file changed, 703 insertions(+), 691 deletions(-) diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 5a2d57801..6c1a34f63 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -2,7 +2,7 @@ assessment-results: import-ap: href: "" metadata: - last-modified: 2024-06-30T22:27:28.032093229Z + last-modified: 2024-07-09T03:24:38.947997194Z oscal-version: 1.1.2 published: 2024-06-30T22:27:28.032093229Z remarks: Assessment Results generated from Lula 
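Review bot: `validate { count(all_auth_policies) > 0 }` in istio-rbac-enforcement-check reports "Istio RBAC enforced" as soon as one AuthorizationPolicy of any action exists in any namespace, so a single namespace-scoped ALLOW policy satisfies a mesh-wide claim. A meaningful check additionally requires a mesh-wide default-deny policy — one in the root namespace (istio-system unless meshConfig.rootNamespace is changed) with no `selector`, no `rules` and action ALLOW or unset — as sketched below, with `all_auth_policies`, `msg` and `msg_authPolicies` unchanged. In all-pods-istio-injected, `contains(images, "/proxyv2:")` only walks `pod.spec.containers`, so if the proxy is injected as a native sidecar (an init container) every injected pod would be reported as missing; iterating `pod.spec.initContainers` as well keeps the check valid in that mode — confirm against the injection template in use. The resource section of all-pods-istio-injected starts before this hunk.

```rego
# Mesh-wide default deny: a policy in the root namespace (istio-system unless
# meshConfig.rootNamespace is changed) with no selector and no rules; action
# defaults to ALLOW when unset.
mesh_default_deny {
    ap := input.authorizationPolicies[_]
    ap.kind == "AuthorizationPolicy"
    ap.metadata.namespace == "istio-system"
    not ap.spec.selector
    not ap.spec.rules
    object.get(ap.spec, "action", "ALLOW") == "ALLOW"
}

# Evaluation for Istio Authorization Policies
validate {
    count(all_auth_policies) > 0
    mesh_default_deny
}

# … unchanged: all_auth_policies, msg, msg_authPolicies …
```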
@@ -11,159 +11,123 @@ assessment-results: results: - description: Assessment results for performing Validations with Lula version v0.4.1 findings: - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' - uuid: 530f15c4-f2af-48b4-8ffe-bbd93c2ac02c - description: |- - # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." 
- # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. target: status: state: not-satisfied - target-id: si-4 + target-id: ac-6.10 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' - uuid: 21cf73d7-c46c-4e05-9be3-44b78f7e7b2f + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' + uuid: 1fdec6d5-12a6-4400-bb86-65811be00806 - description: |- # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 - - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 target: status: - state: not-satisfied - target-id: sc-4 + state: satisfied + target-id: sc-8.1 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' - uuid: 47164bc1-4927-4071-bb1c-96601149488b - - description: |- - # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' + uuid: f10e5f70-81c4-4b00-a8c3-29e3cd97527c + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. 
target: status: state: not-satisfied - target-id: si-5 + target-id: cp-7 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' - uuid: b6ed044d-1e5d-401d-aa2f-58ccfa1c370c + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' + uuid: 30788898-87df-4185-ab1c-9becdee50f6c - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 795a243f-2559-4284-ad45-b3e41e184b8a + # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." + # Control Implementation Loki implements RBAC to define system authorization and separation of duties. target: status: - state: satisfied - target-id: au-12 + state: not-satisfied + target-id: ac-5 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' - uuid: 0c575663-bf90-419f-99c0-a3d4801df02d - - description: |- - # Control description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
+ title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' + uuid: 98b4b967-b087-4514-af76-47fbdd301940 + - description: Velero can be configured to restore only certain components of a back-up when necessary. target: status: state: not-satisfied - target-id: au-7.1 + target-id: cp-9.2 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' - uuid: 8d2ee169-ead9-40d5-8d1c-cb7fb5887c0a + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2' + uuid: 2134ba61-df24-4258-80fc-a406ee86e4df - description: |- # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. 
related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c - - observation-uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 target: status: - state: not-satisfied - target-id: sc-7.8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' - uuid: 92b0e321-c7fc-4d9b-8e34-5685a1f73102 - - description: |- - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. - target: - status: - state: not-satisfied - target-id: au-4 + state: satisfied + target-id: sc-39 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' - uuid: ac06539e-42a7-4d5b-af3d-89e1a42fdd8f - - description: |- - # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." - # Control Implementation Loki implements RBAC to define system authorization and separation of duties. 
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' + uuid: c0a6d960-0976-4e3c-b539-00c36bf8565a + - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. target: status: state: not-satisfied - target-id: ac-5 + target-id: cp-9.8 type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' - uuid: b7867063-1723-45d1-8d98-ad84dc7ef4af + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' + uuid: cc050937-d5e7-4696-8f25-9b86b62c0d07 - description: |- - # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. - # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. + # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
target: status: state: not-satisfied - target-id: au-5.2 + target-id: au-7 type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' - uuid: a399ae4f-ed31-4208-9991-81177aa29c6c + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' + uuid: 958794eb-a1a5-4c29-b42c-ddfbabd544d9 - description: |- # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. + Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 - - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 target: status: - state: not-satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' - uuid: 1eb6882e-580e-47ac-9483-80e1bebbb02d - - description: |- - # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. 
Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6 + state: satisfied + target-id: sc-7.20 type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' - uuid: 437e0a7f-0469-41bc-9d84-b824bf2d77c4 - - description: |- - # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' + uuid: 782db436-d52a-461f-acd0-25b215fc3c3e + - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. 
target: status: state: not-satisfied - target-id: ac-2.1 + target-id: cp-7.1 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' - uuid: d818e8f4-e1bf-4942-85ab-c77f25fe6b6e + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' + uuid: a718a683-1df0-4cac-9b9e-f61792134683 - description: |- - # Control Description Define the breadth and depth of vulnerability scanning coverage. - # Control Implementation NeuVector container scanning configurations depth can be modified. + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 target: status: state: not-satisfied - target-id: ra-5.3 + target-id: sc-8 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3' - uuid: 716ae053-abe6-44e0-bd41-762c3a98a2dc + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' + uuid: 13dfdcfd-d77b-4649-ae0f-b9ebaeaa0549 - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. target: status: 
@@ -171,318 +135,322 @@ assessment-results:
target-id: cp-7.2
type: objective-id
title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2'
- uuid: d19371d4-0ebb-49fc-8dce-41b80aab95f4
- - description: Velero can be configured to restore only certain components of a back-up when necessary.
+ uuid: 90a09f38-2e0f-496a-94a0-4fcbbd79b308
+ - description: |-
+ # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+ # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
target:
status:
state: not-satisfied
- target-id: cp-9.2
+ target-id: si-4
type: objective-id
- title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2'
- uuid: c5282d69-7df0-4edf-b2a6-a491ebfaaa4a
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4'
+ uuid: 6452a578-b1b8-4a1c-9ff8-6f05821ca37d
- description: |-
- # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
- # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise.
+ # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited.
+ # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization.
target:
status:
state: not-satisfied
- target-id: au-9
+ target-id: au-9.2
type: objective-id
- title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9'
- uuid: 0904e35b-0673-4ae1-853f-5df22a9e21b7
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2'
+ uuid: f970ff94-5aef-4521-bd62-2e71ed0e5c70
- description: |-
- # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline."
- # Control Implementation NeuVector is configured securely and only access to required ports are available.
+ # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b.
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment].
+ # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization.
+ related-observations:
+ - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1
+ - observation-uuid: 65c62b95-df70-4723-bf3b-46799d0536ad
target:
status:
state: not-satisfied
- target-id: cm-7
+ target-id: au-2
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7'
- uuid: 545bea9e-6b3e-4665-b2b4-6164eb0fcecb
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2'
+ uuid: ae5e79ac-3535-48f0-b306-fe9cd1f34736
- description: |-
# Control Implementation
- Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security.
+ Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system.
related-observations:
- - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
- - observation-uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc
+ - observation-uuid: 41637e36-95ee-4c89-b332-80ca2d006620
target:
status:
state: not-satisfied
- target-id: sc-10
+ target-id: cm-5
type: objective-id
- title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10'
- uuid: cee5490b-9149-4f00-b7f1-64b20cbc8f0a
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5'
+ uuid: 7741992f-299d-4e30-ac94-f7797f95a661
- description: |-
- # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
- # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity.
+ # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d.
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."
+ # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found.
target:
status:
state: not-satisfied
- target-id: au-6.5
+ target-id: cm-6
type: objective-id
- title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5'
- uuid: c4144a96-7b23-435e-8052-3ec79da0a9aa
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6'
+ uuid: 279d19b1-4297-43a9-a631-168431b3c0cd
- description: |-
+ # Control Description
+ Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+ Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).
+ # Control Implementation
- Istio implements with global configuration.
+ Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
related-observations:
- - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
- - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54
- - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f
- - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934
- target:
- status:
- state: satisfied
- target-id: sc-8.2
- type: objective-id
- title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2'
- uuid: 46959113-939a-4d3c-9995-89a818c0f05f
- - description: |-
- # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]."
- # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3
target:
status:
state: not-satisfied
- target-id: ca-7
+ target-id: au-3
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7'
- uuid: 1d8817a2-21bb-4122-ae58-e552b0879b68
+ title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3'
+ uuid: 661fde7a-25f7-4d8f-8673-d95a570001ff
- description: |-
- # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation."
- # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy].
+ # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization.
target:
status:
state: not-satisfied
- target-id: sa-11
+ target-id: au-5.2
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11'
- uuid: 1e7eaa29-97cb-454a-bea7-2142ef44343f
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2'
+ uuid: 4c6f58e6-d210-45a3-bede-b0b758c685de
- description: |-
- # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited.
- # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization.
+ # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
+ # Control Implementation Loki provides an API for retrieving and filtering logs.
target:
status:
state: not-satisfied
- target-id: au-9.2
+ target-id: au7.1
type: objective-id
- title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2'
- uuid: bdfd832a-b4a2-4b2e-af0a-ebf39ad51a18
+ title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1'
+ uuid: 3c9b6412-0808-48b6-889b-54fefa4dcdb1
- description: |-
- # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
- # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected.
+ # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+ # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana.
target:
status:
state: not-satisfied
- target-id: au-12.1
+ target-id: au-6.3
type: objective-id
- title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1'
- uuid: 080c0868-fa0f-4ce2-a8bc-ff03197651fb
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3'
+ uuid: 5a9912e9-c2e1-4fad-a651-9f84d351bea1
- description: |-
- # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]."
- # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ # Control Implementation
+ Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: a7867fed-93d7-457c-8886-6dae4459c5b2
+ - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c
+ - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c
target:
status:
- state: not-satisfied
- target-id: ac-6.1
+ state: satisfied
+ target-id: sc-7.4
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1'
- uuid: e760b83a-b3e4-4286-9a94-3167c3f6368b
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4'
+ uuid: 87d6ff85-4067-442b-b2d3-c82cbddda0c3
- description: |-
- # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
- # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
- target:
- status:
- state: not-satisfied
- target-id: ac-6
- type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6'
- uuid: d8eb2332-91df-477a-be2c-fa56a93f1c20
- - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.'
+ "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes.
You can run Velero with a cloud provider or on-premises. This includes:
+ - System components/data.
+ - User-level information/application metadata.
+ - User-level storage/data.
+ - Scheduled back-ups with configurable scopes.
+ - Multi-cloud and on-premise support for availability of backup."
target:
status:
state: not-satisfied
- target-id: cp-10.4
+ target-id: cp-9
type: objective-id
- title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4'
- uuid: 4bd2c151-b8f5-40b5-819f-89727701f6f7
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9'
+ uuid: 67397dd3-5693-4223-8015-5755325d5bf8
- description: |-
- # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
- # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ # Control Implementation
+ Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy.
related-observations:
- - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578
- - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb
+ - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153
target:
status:
state: not-satisfied
- target-id: ac-6.3
+ target-id: sc-4
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3'
- uuid: 58646676-b28b-45dd-9b90-ddd3c348f5b2
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4'
+ uuid: 29bf18cb-9d9a-4b5a-9708-38fb4cb63563
- description: |-
- # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
- # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7.
+ # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]."
+ # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
target:
status:
state: not-satisfied
- target-id: sc-7
+ target-id: si-2.3
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7'
- uuid: 907e7159-6e90-4025-b3d6-dbcf123cbb33
- - description: |-
- # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."
- # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats.
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3'
+ uuid: 5da35a6e-9526-4864-b153-dcd851e98a51
+ - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions.
target:
status:
state: not-satisfied
- target-id: ra-5
+ target-id: cp-6.3
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5'
- uuid: 187ae20d-8d47-4eaa-bb64-e529672c8936
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3'
+ uuid: c0659b8c-36b9-4d6d-8e94-48343ff6d57b
- description: |-
- # Control Description Prevent non-privileged users from executing privileged functions.
- # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ # Control Implementation
+ Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52
target:
status:
- state: not-satisfied
- target-id: ac-6.10
+ state: satisfied
+ target-id: ac-4
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10'
- uuid: d8591c7f-7c3c-48d8-b7c8-6ac161621cdc
- - description: |-
- # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]."
- # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts.
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4'
+ uuid: 86b4aa9e-cdb4-499d-b93a-8f0a76ac4c6b
+ - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity.
target:
status:
state: not-satisfied
- target-id: si-11
+ target-id: cp-9.1
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11'
- uuid: c62884fd-59e8-4836-ba02-095415dd8af8
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1'
+ uuid: 751a260d-f6c8-4ace-ad71-7aef30c0b9f0
- description: |-
- # Control Description
- Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious
- user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
-
- # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ # Control Description Define the breadth and depth of vulnerability scanning coverage.
+ # Control Implementation NeuVector container scanning configurations depth can be modified.
target:
status:
state: not-satisfied
- target-id: ca-2.2
+ target-id: ra-5.3
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2'
- uuid: d79e0fae-943f-4afe-8269-807cf92aae0e
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3'
+ uuid: 10f8b813-c6f3-4265-9eb6-475cc7cbc636
- description: |-
- # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access.
+ # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+ # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected.
target:
status:
state: not-satisfied
- target-id: ac-3
+ target-id: au-12.1
type: objective-id
- title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3'
- uuid: 097c80d2-4971-4188-9de9-54a509ad3cdc
- - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments.
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' + uuid: 832e1041-64e8-4455-8331-48025d4cdfbc + - description: |- + # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. target: status: state: not-satisfied - target-id: cp-9.3 + target-id: ra-5.5 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' - uuid: 4a91b5b2-810b-493d-9bff-98bec053065f + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' + uuid: b2e08e6b-16b3-4a00-ac9f-c8c9bdee64ce - description: |- - "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup." + # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. + # Control Implementation NeuVector container scanning vulnerability database is updated frequently. 
target: status: state: not-satisfied - target-id: cp-9 + target-id: ra-5.2 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9' - uuid: 09c6df43-c339-464d-a5f3-4711511ba7a2 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' + uuid: 2b6daa85-9fdf-408c-9176-75a45ef22ea4 - description: |- - # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. 
- # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 31654aca-4189-447d-b5e6-4928c5acc603 target: status: - state: not-satisfied - target-id: sa-11.1 + state: satisfied + target-id: ac-14 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' - uuid: ee8400e9-79e8-4447-9717-97e1197356dd + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' + uuid: d61c76bb-7552-492f-a39e-e7da0748e84c - description: |- + # Control Description + Time stamps generated by the information system include date and time. + Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. + Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. + Organizations may define different time granularities for different system components. + Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. + # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. 
+ Records captured by the logging daemon are enriched to ensure the following are always present: + * time of the event (UTC). + * source of event (pod, namespace, container id). + Applications are responsible for providing all other information. + Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. + https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb - - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 - - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - observation-uuid: fa62278d-a485-40ec-a660-51845c227040 target: status: state: not-satisfied - target-id: ac-4.21 + target-id: au-8 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' - uuid: 2b3617e2-9cff-438a-b029-cc5912742d55 + title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' + uuid: 0c87ccd3-8a4f-48a9-9be0-69034e18885f - description: |- - # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. 
Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + # Control Implementation Provides audit record query and analysis capabilities. 
Organization will implement record review and analysis. target: status: state: not-satisfied - target-id: ac-2 + target-id: au-6 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' - uuid: c36595c9-4cd9-4175-9aa5-b316739a4f10 + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' + uuid: 086b37df-eae0-46d5-a525-ead6453af43f - description: |- # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f - - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 target: status: state: satisfied - target-id: ac-4 + target-id: sc-23 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' - uuid: bce00e12-51f3-4a65-874c-63f0270f4bd7 + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' + uuid: c39917b0-8de0-4497-808a-a186ee2d9583 - description: |- - # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] 
within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. - # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. + # Control Implementation + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c target: status: - state: not-satisfied - target-id: au-5.1 + state: satisfied + target-id: sc-3 type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' - uuid: 42a427cb-acc2-4ded-8444-2a36ffc71b5e + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' + uuid: 693835f8-466c-4437-9e95-1968070df3a9 - description: |- - # Control Description - Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). - - # Control Implementation - Logs are captured by promtail from the node. 
The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17 + # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. target: status: state: not-satisfied - target-id: au-3 + target-id: ac-2.1 type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' - uuid: 13145f93-94b3-4a06-abe5-c88e547604f3 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' + uuid: 0a50cb43-5018-4190-a89a-f8aca2005186 - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. target: status: 
@@ -490,516 +458,559 @@ assessment-results: target-id: cp-6 type: objective-id title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6' - uuid: b893b49e-64d6-4062-bdab-02404c9adb9a + uuid: fa78499f-12e1-4ded-86a1-1ce785cd7cbd - description: |- # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c target: status: - state: satisfied - target-id: sc-8.1 + state: not-satisfied + target-id: sc-10 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' - uuid: 415a3412-96ad-482c-a9c8-dd67d8a5c8f5 + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10' + uuid: 5f4f6691-affd-4acc-89f6-d3055b2f2481 - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within 
audit records]. - # Control Implementation Loki provides an API for retrieving and filtering logs. + # Control Implementation + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 + - observation-uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e target: status: state: not-satisfied - target-id: au7.1 + target-id: sc-7.8 type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1' - uuid: eed4d866-735f-4688-ad58-c7ab93248697 + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' + uuid: ac90c141-2e83-4bfa-8833-dde2808592f1 - description: |- - # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. + # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. 
target: status: state: not-satisfied - target-id: au-11 + target-id: ac-6 type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' - uuid: 6ef793a1-525f-4cb5-90e9-d6b2eaa20ba7 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' + uuid: 425a62e9-d211-4b56-9ed3-ae145e4bda7a - description: |- - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." 
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. target: status: state: not-satisfied - target-id: au-6.6 + target-id: ca-7 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' - uuid: 2b6f5a3b-28e0-4bbf-bd92-f0dbad82e873 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7' + uuid: f90d9d08-6cd9-463a-a606-c1359e00e1fe + - description: |- + # Control Description Log the execution of privileged functions. + # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. + related-observations: + - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - observation-uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 target: status: state: not-satisfied - target-id: cp-6.2 + target-id: ac-6.9 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' - uuid: 7386dec2-3c3e-4194-aae4-71f68428e468 + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' + uuid: b5e568c2-539e-45f2-9aa6-b31dd4ddf30b - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. target: status: - state: satisfied - target-id: sc-7.20 + state: not-satisfied + target-id: au-9 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' - uuid: e31a17ff-ad3a-4835-8883-c15a290b0b60 + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9' + uuid: 826cb8c0-8297-4f90-b2b2-d0bc95531db1 - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. 
- related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
target: - status: - state: satisfied - target-id: sc-7.21 + status: + state: not-satisfied + target-id: sa-11.1 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' - uuid: 5d9a771f-b974-434d-8ede-252d1c9f7343 - - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' + uuid: 0af42784-0963-4f76-90ef-c6d98ca5fee6 + - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' target: status: state: not-satisfied - target-id: cp-9.1 + target-id: cp-10.4 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' - uuid: 03c2c9d4-da54-4b4c-aaa5-fdbc483ec5ac + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4' + uuid: 4866acda-188f-40b1-8af4-ad3812060ef2 - description: |- # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. 
+ Istio is configured to use ingress and egress gateways to provide logical flow separation. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 - - observation-uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 4df2137a-de64-4d02-8121-1911fc9dedab + - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c target: status: state: not-satisfied - target-id: cm-5 + target-id: ac-4.21 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' - uuid: f54983d0-3e83-4d74-ac13-d96a9c14309c + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' + uuid: 5b7406b7-334a-4a50-8013-bd63b566c391 - description: |- # Control Implementation - Istio produces logs for all traffic in the information system. + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. 
related-observations: - - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 - - observation-uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 target: status: state: not-satisfied - target-id: ac-6.9 + target-id: au-3.1 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' - uuid: 30a4343a-25e7-40f2-968e-832894732967 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' + uuid: 612c395f-5036-444a-bfe4-2f9ab941622a + - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. 
target: status: state: not-satisfied - target-id: sc-8 + target-id: cp-6.1 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' - uuid: c5567414-902a-4439-8272-3cce25d6d8d3 + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' + uuid: 38c5c57c-e4fa-40c0-a371-519f922ce751 - description: |- - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + # Control Implementation + Configured with an "admin" gateway to restrict access to applications that only need administrative access. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd target: status: state: not-satisfied - target-id: au-9.4 + target-id: ac-6.3 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' - uuid: 22e63487-b471-4b44-9983-6673268a6360 - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. 
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' + uuid: 02a7b8e8-c6cf-4263-ad16-65d64957169f + - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' target: status: state: not-satisfied - target-id: cp-6.3 + target-id: cp-9.5 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' - uuid: 22749401-71be-4c49-b512-7b1047ef71bb + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' + uuid: de04bf59-4529-4906-a829-a078dbcf74bf - description: |- - # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. 
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. target: status: state: not-satisfied - target-id: ra-5.5 + target-id: si-6 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' - uuid: 548197f1-46e3-4ad2-bb0e-41d8cdeff4b3 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' + uuid: 6628f225-60a5-47a1-90f8-b4ea78dc72ef - description: |- - # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. - # Control Implementation NeuVector container scanning vulnerability database is updated frequently. + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. target: status: state: not-satisfied - target-id: ra-5.2 + target-id: au-6.1 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' - uuid: 84b79bb2-2bb2-4ac5-9a37-9a8eea22ac5d + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' + uuid: ec6c6e31-e5df-4836-b5e6-f114d61d1081 - description: |- - # Control Description "a. 
Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." - # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. - related-observations: - - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 - - observation-uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 + # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. 
Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. target: status: state: not-satisfied - target-id: au-8 + target-id: ac-2 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' - uuid: a8cb7268-12d0-4322-ac3e-f727c73f4e7f + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' + uuid: 35b172fc-505d-441c-a498-358eb777ed24 - description: |- - # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
target: status: state: not-satisfied - target-id: si-2.3 + target-id: au-7.1 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' - uuid: dac85ad9-0e0e-44c3-bf85-09bbb03d3349 + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' + uuid: d42a6865-6869-4961-a90e-6d82eee7c561 - description: |- # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + All encrypted HTTPS connections are terminated at the Istio ingress gateway. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab - - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 - - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 target: status: - state: not-satisfied - target-id: sc-7.4 + state: satisfied + target-id: ac-4.4 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' - uuid: f60b1dd1-f387-4aff-88b9-5fb0c9ac02ec - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. 
- User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' + uuid: d24258c7-b611-4c00-b387-518682e288a5 + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. target: status: state: not-satisfied - target-id: cp-9.5 + target-id: cp-10 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' - uuid: ab6bdb32-3872-4131-9148-5ce885d2e90a + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' + uuid: db12a70d-960a-4bcc-bef2-d765371bc641 - description: |- - # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. + # Control Implementation + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. 
+ related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 + target: + status: + state: satisfied + target-id: au-12 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' + uuid: f0b63c33-bdbd-43bb-9a36-4a386e4567eb + - description: |- + # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." + # Control Implementation NeuVector is configured securely and only access to required ports are available. target: status: state: not-satisfied - target-id: au-6.3 + target-id: cm-7 type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' - uuid: fceb1b23-d4c2-48ac-9015-e3d6c51b643b + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7' + uuid: 4bcaa46e-66ab-4b3e-8414-92e28955d4d8 - description: |- - # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. + # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. 
target: status: state: not-satisfied - target-id: cm-6 + target-id: si-5 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' - uuid: 32761afe-74dc-4698-a758-9bf9028b102d - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' + uuid: a8b3553e-e9af-4781-83ac-400ea1d77b77 + - description: |- + # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. + # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. 
target: status: state: not-satisfied - target-id: cp-7 + target-id: au-11 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' - uuid: 7ab5474d-9104-48e9-8b0b-61d5e80c85dc + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' + uuid: 1133f9d6-790b-4f66-ba94-89ce6cf7ed26 - description: |- - # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. - # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f - - observation-uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. 
target: status: state: not-satisfied - target-id: au-3.1 + target-id: au-9.4 type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' - uuid: 78b88a9d-0ead-4f50-acd1-34fffb4887c9 + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' + uuid: 28f0e109-6c62-405d-b11c-8623f6829dad - description: |- # Control Implementation Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 - - observation-uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 - - observation-uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 + - observation-uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 + - observation-uuid: 31044f2f-75fd-4472-b624-1d918be32f40 target: status: state: not-satisfied target-id: sc-13 type: objective-id title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' - uuid: 3913dd6a-a176-4366-a456-64eebedfddaa - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + uuid: 3df66b7f-1dec-4ab7-b76e-56023c2881a1 + - description: |- + # Control Implementation + Istio implements with global configuration. 
+ related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c + target: + status: + state: satisfied + target-id: sc-8.2 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2' + uuid: 3e58bd7b-2e7d-4e85-bb8e-fc4e8b83f282 + - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments. target: status: state: not-satisfied - target-id: cp-6.1 + target-id: cp-9.3 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' - uuid: e8ebaa45-f132-40f7-97c3-ac0260de8657 + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' + uuid: 76b44e70-4f34-44f1-a8ee-72cb642dedfe - description: |- - # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." 
- # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + # Control Description + Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious + user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. + + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. target: status: state: not-satisfied - target-id: si-6 + target-id: ca-2.2 type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' - uuid: 6a5c1d9e-08b7-4cec-a5b2-5e1d449dfb42 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2' + uuid: c4dadea0-3628-4444-b493-85fe4f44a9a2 - description: |- - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. 
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - related-observations: - - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 - - observation-uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba + # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. 
Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. 
target: status: state: not-satisfied - target-id: au-2 + target-id: ra-5 type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' - uuid: 4e443b5a-87b2-4b91-ba98-c6c83d9bf9a2 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5' + uuid: 3eca257e-9609-41fd-b21f-1aaee5b3d433 + - description: |- + # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. + # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-5.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' + uuid: f0e9a25c-2440-4299-8a32-1e9274b98f87 + - description: |- + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. 
+ target: + status: + state: not-satisfied + target-id: au-4 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' + uuid: 92598581-3f72-478e-a8f2-33aaeccd56db - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. target: status: state: not-satisfied - target-id: cp-10 + target-id: cp-6.2 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' - uuid: 8b8d6ca5-b795-4ad3-b798-e8558a3c0bad + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' + uuid: fde3d548-4c98-451e-8ad1-08ebf918ec1f - description: |- - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. 
target: status: state: not-satisfied - target-id: au-6.1 + target-id: au-6.6 type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' - uuid: 888b091f-a818-4177-9283-0eb5b74dcd26 + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' + uuid: 8d2a5829-ee96-4a38-b3b9-a7931b551b02 - description: |- - # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." + # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. 
target: status: state: not-satisfied - target-id: au-7 + target-id: si-11 type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' - uuid: bbfc2b16-0d6f-48cd-82b0-3609974bfbdc + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11' + uuid: e82d6f63-db19-460b-bf7d-3c46dcf1e38c - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. - related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
target: status: - state: satisfied - target-id: sc-23 + state: not-satisfied + target-id: sa-11 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' - uuid: e66bb22e-9afe-4215-bdda-1327f015ed00 - - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11' + uuid: ac49e0de-7653-4be5-8005-331927322ec2 + - description: |- + # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. target: status: state: not-satisfied - target-id: cp-9.8 + target-id: ac-3 type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' - uuid: f0acd50b-ce08-4179-b7e5-c7b2850c37e0 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' + uuid: 574305f1-0e70-4cc7-85c3-fcfa94943753 - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. 
- related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. target: status: - state: satisfied - target-id: sc-39 + state: not-satisfied + target-id: sc-7 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' - uuid: 009e00d9-2fd5-43d3-9b9c-feeaa9350b91 + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7' + uuid: bbea5abc-37ef-461c-a912-7118ea5618ca - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
- related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f - - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. target: status: - state: satisfied - target-id: ac-4.4 + state: not-satisfied + target-id: ac-6.1 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' - uuid: dff58c6a-29db-4e7e-b46d-715764fa737a + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' + uuid: e0522516-4f01-4319-963c-b61ffc714e5d + - description: |- + # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. + # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. 
+ target: + status: + state: not-satisfied + target-id: au-6.5 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' + uuid: 66c039ce-0453-481a-a754-0c8ca7e5a4c0 - description: |- # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. related-observations: - - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - observation-uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 target: status: state: satisfied - target-id: ac-14 + target-id: sc-7.21 type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' - uuid: f5a77d77-029b-4b50-bd37-e09902be020d + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' + uuid: 5d59c939-fb61-4aea-8ef2-39ff71fd6756 observations: - - collected: 2024-06-30T22:27:27.695366242Z + - collected: 2024-07-09T03:24:38.473729311Z description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil - uuid: 
f2bdc9d4-f720-497c-bfb4-d2d5a79b394c - - collected: 2024-06-30T22:27:27.695414341Z + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil + uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - collected: 2024-07-09T03:24:38.489004016Z description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil - uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 - - collected: 2024-06-30T22:27:27.695457522Z + validate.msg: Only allowed gateways found. All gateway types found. + validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + uuid: 2639ccbf-1a94-440e-b820-90e957f6987c + - collected: 2024-07-09T03:24:38.489063617Z description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil - uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 - - collected: 2024-06-30T22:27:27.712083114Z + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil + uuid: 65c62b95-df70-4723-bf3b-46799d0536ad + - collected: 2024-07-09T03:24:38.489091198Z description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - 
istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. - uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 - - collected: 2024-06-30T22:27:27.712135712Z + Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil + uuid: 41637e36-95ee-4c89-b332-80ca2d006620 + - collected: 2024-07-09T03:24:38.48912419Z description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil - uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa - - collected: 2024-06-30T22:27:27.821536311Z + Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil + uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 + - collected: 2024-07-09T03:24:38.497116991Z description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All pods have Istio sidecar proxy. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f - - collected: 2024-06-30T22:27:27.821606552Z + validate.msg: Metrics logging supported. 
+ uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c + - collected: 2024-07-09T03:24:38.594646609Z description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil - uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 - - collected: 2024-06-30T22:27:27.827790559Z + validate.msg: All pods have correct prometheus annotations. + validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 + - collected: 2024-07-09T03:24:38.594709567Z description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 - - collected: 2024-06-30T22:27:27.839654751Z + Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil + uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 + - collected: 2024-07-09T03:24:38.594743009Z description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - validate.msg: Expected Virtual Services not using expected Gateways - validate.msg_actual: Gateways configured: {"istio-admin-gateway/admin-gateway", "istio-passthrough-gateway/passthrough-gateway", "istio-tenant-gateway/tenant-gateway"}. 
VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": set(), "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} - validate.msg_expected: Expected VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": [], "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-emulate-gitlab-authorize-endpoint", "keycloak-tenant-emulate-gitlab-token-endpoint", "keycloak-tenant-emulate-gitlab-user-endpoint", "keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} - uuid: 20529117-f400-4d22-b60a-f168a19f097c - - collected: 2024-06-30T22:27:27.839700617Z + Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil + uuid: 31044f2f-75fd-4472-b624-1d918be32f40 + - collected: 2024-07-09T03:24:38.594778174Z description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil - uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb - - collected: 2024-06-30T22:27:27.847217778Z + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil + uuid: fa62278d-a485-40ec-a660-51845c227040 + - collected: 2024-07-09T03:24:38.602916174Z description: | 
[TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support methods: 
@@ -1009,177 +1020,178 @@ assessment-results: Result: not-satisfied remarks: | validate.msg: Tracing logging not supported. - uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17 - - collected: 2024-06-30T22:27:27.854811286Z + uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 + - collected: 2024-07-09T03:24:38.611569524Z description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Istio is logging all traffic - uuid: 795a243f-2559-4284-ad45-b3e41e184b8a - - collected: 2024-06-30T22:27:27.863207892Z + istiohealth.deployment_message: All deployment conditions are true. + istiohealth.hpa_message: HPA has sufficient replicas. + uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - collected: 2024-07-09T03:24:38.611623214Z description: | - [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. 
- uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 - - collected: 2024-06-30T22:27:27.870971856Z + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil + uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 + - collected: 2024-07-09T03:24:38.621193684Z description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Metrics logging supported - uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f - - collected: 2024-06-30T22:27:27.969063343Z + validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. + uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + - collected: 2024-07-09T03:24:38.719799848Z description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All pods have correct prometheus annotations. + validate.msg: All pods have Istio sidecar proxy. 
validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 - - collected: 2024-06-30T22:27:27.969127302Z + uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - collected: 2024-07-09T03:24:38.729154607Z description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil - uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa - - collected: 2024-06-30T22:27:27.975975858Z + validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 4df2137a-de64-4d02-8121-1911fc9dedab + - collected: 2024-07-09T03:24:38.751849467Z description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 - - collected: 2024-06-30T22:27:27.980306727Z + validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. + validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
+ uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 + - collected: 2024-07-09T03:24:38.751895453Z description: | - [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Authorization Policy requires authentication for keycloak - uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f - - collected: 2024-06-30T22:27:27.980345319Z + Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil + uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c + - collected: 2024-07-09T03:24:38.75191546Z description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil - uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 - - collected: 2024-06-30T22:27:27.980365106Z + Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil + uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e + - collected: 2024-07-09T03:24:38.757825399Z description: | - [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil - uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba - - collected: 2024-06-30T22:27:27.98038338Z + validate.msg: All PeerAuthentications have mtls mode set to STRICT. 
+ uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - collected: 2024-07-09T03:24:38.766341924Z description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil - uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 - - collected: 2024-06-30T22:27:27.985138045Z + validate.msg: Istio is logging all traffic + uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 + - collected: 2024-07-09T03:24:38.772656748Z description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway - uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 - - collected: 2024-06-30T22:27:27.985176246Z + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway + uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 + - collected: 2024-07-09T03:24:38.776561899Z description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil - uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 - - collected: 2024-06-30T22:27:28.008478858Z + validate.msg: Authorization Policy requires authentication for 
keycloak + uuid: 31654aca-4189-447d-b5e6-4928c5acc603 + - collected: 2024-07-09T03:24:38.781059357Z description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab - - collected: 2024-06-30T22:27:28.016548441Z + validate.msg: Istio RBAC enforced + validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway + uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc + - collected: 2024-07-09T03:24:38.791675282Z description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb - - collected: 2024-06-30T22:27:28.02612714Z + validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. 
+ uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c + - collected: 2024-07-09T03:24:38.79173886Z description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil + uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb props: - name: threshold ns: https://docs.lula.dev/ns 
@@ -1188,88 +1200,88 @@ assessment-results: control-selections: - description: Controls Assessed by Lula include-controls: - - control-id: cp-7.1 - - control-id: si-4 - - control-id: sc-4 - - control-id: si-5 - - control-id: au-12 - - control-id: au-7.1 - - control-id: sc-7.8 - - control-id: au-4 + - control-id: ac-6.10 + - control-id: sc-8.1 + - control-id: cp-7 - control-id: ac-5 - - control-id: au-5.2 - - control-id: sc-3 - - control-id: au-6 - - control-id: ac-2.1 - - control-id: ra-5.3 - - control-id: cp-7.2 - control-id: cp-9.2 - - control-id: au-9 - - control-id: cm-7 - - control-id: sc-10 - - control-id: au-6.5 - - control-id: sc-8.2 - - control-id: ca-7 - - control-id: sa-11 + - control-id: sc-39 + - control-id: cp-9.8 + - control-id: au-7 + - control-id: sc-7.20 + - control-id: cp-7.1 + - control-id: sc-8 + - control-id: cp-7.2 + - control-id: si-4 - control-id: au-9.2 - - control-id: au-12.1 - - control-id: ac-6.1 - - control-id: ac-6 - - control-id: cp-10.4 - - control-id: ac-6.3 - - control-id: sc-7 - - control-id: ra-5 - - control-id: ac-6.10 - - control-id: si-11 - - control-id: ca-2.2 - - control-id: ac-3 - - control-id: cp-9.3 - - control-id: cp-9 - - control-id: sa-11.1 - - control-id: ac-4.21 - - control-id: ac-2 - - control-id: ac-4 - - control-id: au-5.1 + - control-id: au-2 + - control-id: cm-5 + - control-id: cm-6 - control-id: au-3 - - control-id: cp-6 - - control-id: sc-8.1 + - control-id: au-5.2 - control-id: au7.1 - - control-id: au-11 - - control-id: au-6.6 - - control-id: cp-6.2 - - control-id: sc-7.20 - - control-id: sc-7.21 - - control-id: cp-9.1 - - control-id: cm-5 - - control-id: ac-6.9 - - control-id: sc-8 - - control-id: au-9.4 + - control-id: au-6.3 + - control-id: sc-7.4 + - control-id: cp-9 + - control-id: sc-4 + - control-id: si-2.3 - control-id: cp-6.3 + - control-id: ac-4 + - control-id: cp-9.1 + - control-id: ra-5.3 + - control-id: au-12.1 - control-id: ra-5.5 - control-id: ra-5.2 + - control-id: ac-14 - control-id: au-8 - 
- control-id: si-2.3 - - control-id: sc-7.4 - - control-id: cp-9.5 - - control-id: au-6.3 - - control-id: cm-6 - - control-id: cp-7 + - control-id: au-6 + - control-id: sc-23 + - control-id: sc-3 + - control-id: ac-2.1 + - control-id: cp-6 + - control-id: sc-10 + - control-id: sc-7.8 + - control-id: ac-6 + - control-id: ca-7 + - control-id: ac-6.9 + - control-id: au-9 + - control-id: sa-11.1 + - control-id: cp-10.4 + - control-id: ac-4.21 - control-id: au-3.1 - - control-id: sc-13 - control-id: cp-6.1 + - control-id: ac-6.3 + - control-id: cp-9.5 - control-id: si-6 - - control-id: au-2 - - control-id: cp-10 - control-id: au-6.1 - - control-id: au-7 - - control-id: sc-23 - - control-id: cp-9.8 - - control-id: sc-39 + - control-id: ac-2 + - control-id: au-7.1 - control-id: ac-4.4 - - control-id: ac-14 + - control-id: cp-10 + - control-id: au-12 + - control-id: cm-7 + - control-id: si-5 + - control-id: au-11 + - control-id: au-9.4 + - control-id: sc-13 + - control-id: sc-8.2 + - control-id: cp-9.3 + - control-id: ca-2.2 + - control-id: ra-5 + - control-id: au-5.1 + - control-id: au-4 + - control-id: cp-6.2 + - control-id: au-6.6 + - control-id: si-11 + - control-id: sa-11 + - control-id: ac-3 + - control-id: sc-7 + - control-id: ac-6.1 + - control-id: au-6.5 + - control-id: sc-7.21 description: Controls validated remarks: Validation performed may indicate full or partial satisfaction - start: 2024-06-30T22:27:28.032093229Z + start: 2024-07-09T03:24:38.798446786Z title: Lula Validation Result - uuid: 8af0e1bc-5014-44ef-9ef8-9d1f6f653824 - uuid: 9be178a0-2337-40ec-b760-bef3c1df5589 + uuid: 5a0a9538-e734-48a5-a327-02e6aa6891b0 + uuid: 5e0a4e5a-3b0e-473c-9165-719942ca3f5b From a00e1c6cd1f40854adb736022f78ce88deb04cef Mon Sep 17 00:00:00 2001 
From: Brandt Keller Date: Tue, 9 Jul 2024 12:32:58 +0000 Subject: [PATCH 44/68] fix(oscal): purposefully fail assessment to drive new workflow actions --- compliance/oscal-assessment-results.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 6c1a34f63..88ac644de 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -16,7 +16,7 @@ assessment-results: # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. target: status: - state: not-satisfied + state: satisfied target-id: ac-6.10 type: objective-id title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' From 52d252022db234780e76161933889e36936add80 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 13:19:34 +0000 Subject: [PATCH 45/68] fix(actions): use outcome over conclusion --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index d2c1bb32f..f492634e5 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -78,7 +78,7 @@ jobs: if: ${{ always() }} uses: ./.github/actions/notify-lula with: - state: ${{ steps.compliance-evaluation.conclusion }} + state: ${{ steps.compliance-evaluation.outcome }} flavor: ${{ inputs.flavor }} - name: Store UDS Core Compliance Assessment Results From 8345c8858b75523ce55dbe63c5b766fd0d59144a Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 14:09:19 +0000 Subject: [PATCH 46/68] fix(actions): adjust permissions and add token --- .github/actions/notify-lula/action.yaml | 8 ++++++++ .github/workflows/test.yaml | 2 ++ 2 files changed, 10 insertions(+) 
diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index 69dd25985..c3e978a0d 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -1,6 +1,7 @@ name: Notify Lula description: "Comment on PR to notify Lula Team" + inputs: state: description: 'state of the comment update' @@ -10,6 +11,9 @@ inputs: description: 'flavor of the comment update' required: true default: '' + ghToken: + description: 'GITHUB_TOKEN' + required: true runs: using: composite @@ -21,12 +25,14 @@ runs: issue-number: ${{ github.event.pull_request.number }} comment-author: 'github-actions[bot]' body-includes: Compliance ${{ inputs.flavor }} Evaluation + token: ${{ inputs.ghToken }} - name: Create comment if: ${{ steps.fc.outputs.comment-id == '' && inputs.state == 'failure'}} uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.pull_request.number }} + token: ${{ inputs.ghToken }} body: | Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} @@ -37,6 +43,8 @@ runs: uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.fc.outputs.comment-id }} + token: ${{ inputs.ghToken }} + edit-mode: replace body: | Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f492634e5..42c3c9cbd 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -34,6 +34,7 @@ on: permissions: contents: read + pull-requests: write jobs: test: @@ -80,6 +81,7 @@ jobs: with: state: ${{ steps.compliance-evaluation.outcome }} flavor: ${{ inputs.flavor }} + ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Store UDS Core Compliance Assessment Results if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} From 0604cbc8355e40e4ff79e02b8a87feaf520d3fea Mon Sep 17 00:00:00 2001 
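Review bot: The new `ghToken` input in the `@@ -10,6 +11,9 @@` hunk is described only as 'GITHUB_TOKEN', which tells a caller neither what scope the token needs nor why the action needs it, even though all three steps that consume it in the later hunks write to the PR. Document the contract on the input, e.g. `description: 'Token with pull-requests: write scope; used to find, create and update the compliance comment on the PR'`. That also makes it obvious that a default read-only GITHUB_TOKEN (a workflow that does not grant `pull-requests: write`) will make the create/update steps fail rather than silently do nothing.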
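Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block of test.yaml, so every job and step in the workflow — including the package test runs — receives a token that can edit PR comments, labels and reviews, while only the notify-lula step needs it. Scope the grant to the job that runs that step (`jobs.test.permissions:` with `contents: read` and `pull-requests: write`), or better, to a dedicated notification job so the steps that execute package code keep a read-only token. The job definition this applies to continues outside the hunk.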
From: Brandt Keller Date: Tue, 9 Jul 2024 14:48:40 +0000 Subject: [PATCH 47/68] fix(actions): update permissions --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index fe3680478..f613989d9 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -10,7 +10,7 @@ on: permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. - pull-requests: read # Allows reading pull request metadata. + pull-requests: write # Allows reading pull request metadata. # Default settings for all run commands in the workflow jobs. defaults: From 2d50d1f95620759c3a64d29e3b8466294e379419 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 16:41:09 +0000 Subject: [PATCH 48/68] fix(actions): testing separate job for evaluation --- .github/workflows/compliance.yaml | 52 +++++++++++++++++++ .../workflows/pull-request-conditionals.yaml | 13 +++++ .github/workflows/test.yaml | 26 +++------- 3 files changed, 71 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/compliance.yaml diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml new file mode 100644 index 000000000..d687d41ed --- /dev/null +++ b/.github/workflows/compliance.yaml 
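Review bot: The trailing comment on the changed line still reads `# Allows reading pull request metadata.` although the permission is now `pull-requests: write`, so anyone auditing this workflow's token scope from the comments is misled. Update it to state what the write scope is for, e.g. `pull-requests: write # Allows creating/updating PR comments (compliance evaluation notification).`. Note also that if this workflow is triggered by `pull_request` from a fork, GITHUB_TOKEN is forced read-only regardless of this block and the comment steps will fail for fork PRs; the trigger is outside the hunk, so confirm which event is used and whether fork PRs are expected.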
@@ -0,0 +1,52 @@ +name: Compliance Evaluation + +on: + # Manual trigger + workflow_dispatch: + inputs: + flavor: + type: string + description: "Flavor of the source package to test" + required: true + # Triggered by pull-request-conditionals.yaml + workflow_call: + inputs: + flavor: + type: string + description: "Flavor of the source package to test" + required: true + +permissions: + contents: read + pull-requests: write + +jobs: + evaluate: + runs-on: ubuntu-latest + name: Evaluate + # env: + # UDS_PKG: ${{ inputs.package }} + steps: + # Used to execute the uds run command + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Download assessment + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.flavor }}-assessment-results + + - name: Evaluate Compliance + id: compliance-evaluation + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + run: uds run test-compliance-evaluate --no-progress + + # steps in this action only run when there has been a previous failure - will indicate success thereafter + # need to think about how much noise this could create - noise currently = good + - name: Notify Lula Team of Compliance Assessment Results + if: ${{ always() }} + uses: ./.github/actions/notify-lula + with: + state: ${{ steps.compliance-evaluation.outcome }} + flavor: ${{ inputs.flavor }} + ghToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index f613989d9..46585a1d8 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
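Review bot: The `Evaluate Compliance` step is gated on `inputs.package == 'all' && inputs.test_type == 'install'`, but this workflow declares only a `flavor` input under both `workflow_dispatch` and `workflow_call`, so both expressions resolve to empty, the step is always skipped, and `steps.compliance-evaluation.outcome` passed to the notify action will read `skipped` rather than `success`/`failure`; dropping the `if:` (or declaring those inputs and passing them from the caller) is needed for the job to do anything. Separately, `actions/download-artifact@v4` is referenced by a mutable tag while `actions/checkout` in the same file is pinned to a commit SHA with a version comment; pinning the download action the same way keeps the supply-chain posture of the workflow consistent. The commented-out `# env:` / `# UDS_PKG` block also looks like leftover scaffolding and could be removed.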
@@ -81,3 +81,16 @@ jobs: flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} secrets: inherit # Inherits all secrets from the parent workflow. + + evaluate-package-compliance: + needs: run-package-test + name: Compliance Evaluation + # Allow this job to fail + continue-on-error: true + strategy: + matrix: + flavor: [upstream, registry1] + uses: ./.github/workflows/compliance.yaml + with: + flavor: ${{ matrix.flavor }} + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 42c3c9cbd..849e15b73 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -34,7 +34,6 @@ on: permissions: contents: read - pull-requests: write jobs: test: 
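Review bot: `continue-on-error: true` is placed on `evaluate-package-compliance`, a job that calls a reusable workflow via `uses:`; as far as I recall, caller jobs of that form accept only `name`, `uses`, `with`, `secrets`, `strategy`, `needs`, `if`, `concurrency` and `permissions`, so this key is likely to be rejected or ignored at parse time — worth confirming on a run, and if so the tolerance belongs inside compliance.yaml on the evaluation step. The matrix `flavor: [upstream, registry1]` is also duplicated from the `run-package-test` job it depends on, so the two lists can drift; a YAML anchor or a shared workflow input would keep them in step. The surrounding `jobs:` block starts outside this hunk.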
@@ -66,26 +65,13 @@ jobs: - name: Validate UDS Core Compliance if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-compliance-validate --no-progress - - - name: Evaluate UDS Core Compliance - id: compliance-evaluation - if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - run: uds run test-compliance-evaluate --no-progress - continue-on-error: true - - # steps in this action only run when there has been a previous failure - will indicate success thereafter - # need to think about how much noise this could create - noise currently = good - - name: Notify Lula Team of Compliance Assessment Results - if: ${{ always() }} - uses: ./.github/actions/notify-lula + + - name: Upload Assessment + if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: - state: ${{ steps.compliance-evaluation.outcome }} - flavor: ${{ inputs.flavor }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - - - name: Store UDS Core Compliance Assessment Results - if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - run: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml + name: ${{ inputs.flavor }}-assessment-results + path: ./compliance/oscal-assessment-results.yaml - name: Test UDS Core Upgrade if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }} From f87e866efbf19dc5573a7e0e40a6738784e23b58 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 17:16:25 +0000 Subject: [PATCH 49/68] fix(actions): move continue on error --- .github/workflows/compliance.yaml | 1 + .github/workflows/pull-request-conditionals.yaml | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index d687d41ed..ecb317bf1 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml 
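Review bot: The new `Upload Assessment` step is conditioned on `inputs.package != 'all' && inputs.test_type == 'install'`, which is the inverse of the `Validate UDS Core Compliance` step two lines above that actually produces `./compliance/oscal-assessment-results.yaml`; with `!=` the upload runs only in the per-package jobs where the file was never generated and never in the `all` job where it was. The condition should be `if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}` to match the producing step. The removal of the `/tmp` copy also leaves any artifact collector that still lists `/tmp/oscal-assessment-results.yaml` pointing at a file that no longer exists; that path is outside this hunk, so verify it is cleaned up as well.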
@@ -24,6 +24,7 @@ jobs: evaluate: runs-on: ubuntu-latest name: Evaluate + continue-on-error: true # env: # UDS_PKG: ${{ inputs.package }} steps: diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 46585a1d8..27db7e07b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -85,8 +85,6 @@ jobs: evaluate-package-compliance: needs: run-package-test name: Compliance Evaluation - # Allow this job to fail - continue-on-error: true strategy: matrix: flavor: [upstream, registry1] From 4273d86fc9c2d0b3c6dcb5d55dde00ba35107247 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 17:20:10 +0000 Subject: [PATCH 50/68] fix(lint): yamllint fixes --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 849e15b73..cddd5a44e 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -65,7 +65,7 @@ jobs: - name: Validate UDS Core Compliance if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-compliance-validate --no-progress - + - name: Upload Assessment if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 From 812a44f4c9eb665c6f6dfacfc9a7ce1838e81b7a Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 17:42:52 +0000 Subject: [PATCH 51/68] fix(actions): remove conditional from evaluate --- .github/workflows/compliance.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index ecb317bf1..111b3ff36 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml 
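Review bot: `continue-on-error: true` at the job level on `evaluate` also swallows failures of the checkout and artifact-download steps, not just of the evaluation, so a broken download would surface only as a silent green job with a `failure` state posted to the PR. Since the notify step already consumes `steps.compliance-evaluation.outcome`, placing `continue-on-error: true` on the `Evaluate Compliance` step instead keeps that step's `outcome` as `failure` while letting the job succeed, and leaves genuine infrastructure failures visible. The job's `steps:` list continues outside this hunk.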
@@ -39,7 +39,6 @@ jobs: - name: Evaluate Compliance id: compliance-evaluation - if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-compliance-evaluate --no-progress # steps in this action only run when there has been a previous failure - will indicate success thereafter From fe29f3893451d223aa714cd432f69de302071462 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 18:46:03 +0000 Subject: [PATCH 52/68] fix(actions): setup environment properly --- .github/workflows/compliance.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 111b3ff36..0f12a9e68 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -32,12 +32,15 @@ jobs: - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Environment setup + uses: ./.github/actions/setup + - name: Download assessment uses: actions/download-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results - - name: Evaluate Compliance + - name: Evaluate compliance id: compliance-evaluation run: uds run test-compliance-evaluate --no-progress From 1daec536ea7e6ff5332c81915499cbe98e483a69 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 19:12:26 +0000 Subject: [PATCH 53/68] fix(actions): path use in download action --- .github/workflows/compliance.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 0f12a9e68..fc787a711 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -39,6 +39,7 @@ jobs: uses: actions/download-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results + path: ./compliance/oscal-assessment-results.yaml - name: Evaluate compliance id: compliance-evaluation 
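Review bot: In the last hunk of this patch (`@@ -39,6 +39,7 @@` in compliance.yaml) the added `path: ./compliance/oscal-assessment-results.yaml` names a file, but `actions/download-artifact`'s `path` input is a destination directory, so the artifact's contents are extracted beneath it and the result lands at `./compliance/oscal-assessment-results.yaml/oscal-assessment-results.yaml` rather than replacing the file the evaluate step reads. Use the directory, `path: ./compliance`, and keep the filename on the uploading side. Also note that the file is already present in the checkout, so without removing or overwriting it the download does not change what gets evaluated.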
@@ -53,3 +54,9 @@ jobs: state: ${{ steps.compliance-evaluation.outcome }} flavor: ${{ inputs.flavor }} ghToken: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload Evaluated Assessment + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + with: + name: ${{ inputs.flavor }}-assessment-results + path: ./compliance/oscal-assessment-results.yaml From 6c01e0cf59941525f0779293556df106fede8b76 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 19:54:01 +0000 Subject: [PATCH 54/68] fix(actions): correct step conditional --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index cddd5a44e..296bca5dd 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -67,7 +67,7 @@ jobs: run: uds run test-compliance-validate --no-progress - name: Upload Assessment - if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: ${{ inputs.flavor }}-assessment-results From aca97e4f36327f2bc0d5f778aff0c144e8119381 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 20:35:44 +0000 Subject: [PATCH 55/68] fix(actions): pin upload to v4.2.0 due to bug --- .github/workflows/compliance.yaml | 2 +- .github/workflows/test.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index fc787a711..72cd1927c 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml 
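Review bot: `Upload Evaluated Assessment` publishes under `${{ inputs.flavor }}-assessment-results`, the same artifact name the job downloaded a few steps earlier; with `actions/upload-artifact` v4 an upload to an existing name fails unless `overwrite: true` is set, so this step will error on every run as written. It also has no `if: always()`, so when the evaluation step fails — the case where the evaluated results are most useful for triage — the step is skipped while the `Notify Lula Team` step above it still runs. A distinct name such as `${{ inputs.flavor }}-evaluated-assessment-results` plus `if: always()` would keep both the raw and evaluated documents available. The `with:` block of the notify step at the top of the hunk starts outside it.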
@@ -56,7 +56,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 296bca5dd..8b0386d67 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -68,7 +68,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From 6f0ac13caa0fbd820fa5137f07c9ea2492bb586b Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 21:24:39 +0000 Subject: [PATCH 56/68] fix(oscal): test upload/download at v4.0.0 --- .github/workflows/compliance.yaml | 4 ++-- .github/workflows/test.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 72cd1927c..f0216e6eb 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -36,7 +36,7 @@ jobs: uses: ./.github/actions/setup - name: Download assessment - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.0.0 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml 
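Review bot: The compliance.yaml hunk at the end of this line replaces a SHA-pinned `actions/upload-artifact@694cdabd… # v4.2.0` with the floating tag `actions/download-artifact@v4.0.0`, and the following hunks on the next three lines (`upload-artifact@v4.0.0` in compliance.yaml and test.yaml, then `@v4` for both actions in patch 58) do the same; a tag can be moved by the upstream maintainer, so each of these commits loosens the supply-chain pinning that every other `uses:` in these files keeps. If the intent is bisecting a version-specific bug, as the subjects suggest, pinning each trial version by its commit SHA with the version in a trailing comment (the form used elsewhere, e.g. `# v4.1.7`) preserves the pin while still testing the version. Patch 61 later returns to SHA pins, so this is mainly a note on the intermediate states.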
@@ -56,7 +56,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + uses: actions/upload-artifact@v4.0.0 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 8b0386d67..da022cda2 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -68,7 +68,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + uses: actions/upload-artifact@v4.0.0 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From a169ae2de84ec575563d7f405bacfd13fc3e7604 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 22:01:23 +0000 Subject: [PATCH 57/68] fix(actions): test using known good versions --- .github/workflows/compliance.yaml | 4 ++-- .github/workflows/test.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index f0216e6eb..149d31149 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -36,7 +36,7 @@ jobs: uses: ./.github/actions/setup - name: Download assessment - uses: actions/download-artifact@v4.0.0 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml @@ -56,7 +56,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@v4.0.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml 
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index da022cda2..0633199b4 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -68,7 +68,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@v4.0.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From 1018fb56b1a65da9e52c4bcaea3fbf968240f6c6 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 22:24:58 +0000 Subject: [PATCH 58/68] fix(actions): testing v4 tag upload/download --- .github/workflows/compliance.yaml | 4 ++-- .github/workflows/test.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 149d31149..918f85a94 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -36,7 +36,7 @@ jobs: uses: ./.github/actions/setup - name: Download assessment - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + uses: actions/download-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml @@ -56,7 +56,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 0633199b4..6dbae2b27 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -68,7 +68,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From 98f1ffeabbf8016ac8d09d80404ceb403b0b06a5 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 9 Jul 2024 22:58:02 +0000 Subject: [PATCH 59/68] fix(actions): test removing overlapping file --- .github/workflows/compliance.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 918f85a94..9ba5f6311 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -35,6 +35,10 @@ jobs: - name: Environment setup uses: ./.github/actions/setup + - name: remove overlapping file + run: rm ./compliance/oscal-assessment-results.yaml + shell: bash + - name: Download assessment uses: actions/download-artifact@v4 with: From 815c2c3c777e357464963365d4596ef5e89c949c Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 10 Jul 2024 12:52:01 +0000 Subject: [PATCH 60/68] fix(actions): debug download artifact action --- .github/workflows/compliance.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 9ba5f6311..877124f02 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -35,6 +35,10 @@ jobs: - name: Environment setup uses: ./.github/actions/setup + - name: review compliance directory + run: ls -al ./compliance/ + shell: bash + - name: remove overlapping file run: rm ./compliance/oscal-assessment-results.yaml shell: bash 
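Review bot: The `review compliance directory` step added in the last hunk on this line (`ls -al ./compliance/`) reads as temporary debugging rather than part of the job's contract, and the subject line confirms it; if it is meant to stay, a comment stating that it exists to surface artifact-layout problems in the logs would stop a later cleanup from removing it, otherwise it should be dropped before merge. In the `remove overlapping file` step from the preceding hunk, `rm ./compliance/oscal-assessment-results.yaml` hard-fails the job if the committed copy is ever removed from the repository; `run: rm -f ./compliance/oscal-assessment-results.yaml` keeps the intent (clear the stale copy before download) without that failure mode. Both steps sit inside the `steps:` list whose start is outside these hunks.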
@@ -43,7 +47,11 @@ jobs: uses: actions/download-artifact@v4 with: name: ${{ inputs.flavor }}-assessment-results - path: ./compliance/oscal-assessment-results.yaml + path: ./compliance + + - name: review compliance directory again + run: ls -al ./compliance/ + shell: bash - name: Evaluate compliance id: compliance-evaluation From 64a71282738864d7d6cee2daa0efa7108514b627 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 10 Jul 2024 13:01:27 +0000 Subject: [PATCH 61/68] fix(actions): latest actions and debugging --- .github/workflows/compliance.yaml | 7 ++++--- .github/workflows/test.yaml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 877124f02..bde42c35e 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -44,11 +44,11 @@ jobs: shell: bash - name: Download assessment - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance - + - name: review compliance directory again run: ls -al ./compliance/ shell: bash @@ -68,7 +68,8 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml + overwrite: true diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 6dbae2b27..296bca5dd 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
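Review bot: `overwrite: true` on `Upload Evaluated Assessment` (last hunk on this line) makes the failed-upload error go away by replacing the `${{ inputs.flavor }}-assessment-results` artifact produced by test.yaml, so the pre-evaluation document is no longer retrievable from the run; whether that is acceptable depends on whether anyone audits the raw validation output, and if they do a separate name for the evaluated artifact is the safer choice. The `review compliance directory again` step added in the first hunk is a second `ls -al` debugging step that likely should not ship in the final workflow. The `Download assessment` step's `path: ./compliance` change in that hunk is the right fix for the directory semantics of the download action.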
@@ -68,7 +68,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From 237f38c0962db29acf0f23287f46c8f23b86b06d Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 10 Jul 2024 13:47:48 +0000 Subject: [PATCH 62/68] fix(oscal): revert to known good state --- compliance/oscal-assessment-results.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 88ac644de..6c1a34f63 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -16,7 +16,7 @@ assessment-results: # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. target: status: - state: satisfied + state: not-satisfied target-id: ac-6.10 type: objective-id title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' From 2d094c56b1d6a75ec409d1250dfdf980d64a432b Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Wed, 10 Jul 2024 14:58:54 +0000 Subject: [PATCH 63/68] fix(actions): cleanup for review --- .github/actions/save-logs/action.yaml | 1 - .github/workflows/pull-request-conditionals.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 9008e9772..21887dbb3 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -44,4 +44,3 @@ runs: /tmp/debug-*.log /tmp/uds-containerd-logs /tmp/k3d-uds-*.log - /tmp/oscal-assessment-results.yaml 
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 27db7e07b..12dff3c2f 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -10,7 +10,7 @@ on: permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. - pull-requests: write # Allows reading pull request metadata. + pull-requests: write # Allows writing pull request comments. # Default settings for all run commands in the workflow jobs. defaults: From edd02f20a158c80c42671c23470f34ff824092ce Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Fri, 12 Jul 2024 17:33:44 +0000 Subject: [PATCH 64/68] fix(oscal): update validations to meet established threshold after changes --- src/istio/oscal-component.yaml | 785 +++++++++++++++------------------ 1 file changed, 357 insertions(+), 428 deletions(-) diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index be31938dc..f98d2ba28 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -11,23 +11,18 @@ component-definition: create-resources: null resources: - description: "" - name: istioConfig + name: peerAuths resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb provider: opa-spec: output: 
@@ -37,32 +32,32 @@ component-definition: rego: | package validate + import future.keywords.every + # Default policy result default validate = false + default all_strict = false default msg = "Not evaluated" - # Validate Istio configuration for metrics logging support validate { - check_metrics_enabled.result + result_all_strict.result } - msg = check_metrics_enabled.msg - check_metrics_enabled = { "result": false, "msg": msg } { - input.istioConfig.enablePrometheusMerge == false - msg := "Metrics logging not supported." - } else = { "result": true, "msg": msg } { - msg := "Metrics logging supported." + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." } type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - description: | domain: kubernetes-spec: 
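Review bot: `result_all_strict` is vacuously true when `input.peerAuths` is empty, because `every` over an empty collection succeeds, so a cluster with no PeerAuthentication resources at all reports "All PeerAuthentications have mtls mode set to STRICT." even though the mesh default in that case is not STRICT; adding `count(input.peerAuths) > 0` as the first line of the true branch of `result_all_strict` closes that gap. The rule also only checks that every policy that exists is STRICT and does not confirm a mesh-wide policy is present in the root namespace, which I believe is what enforcing STRICT cluster-wide requires — worth a comment stating that scope, or a second check, if the control intends mesh-wide enforcement. The resource collection for this validation (`namespaces: []`) is in the previous hunk.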
@@ -148,70 +143,131 @@ component-definition: create-resources: null resources: - description: "" - name: gateways + name: istioMeshConfig resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: keycloak-block-admin-access-from-public-gateway + namespaces: + - keycloak + resource: authorizationpolicies version: v1beta1 type: kubernetes lula-version: "" metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + name: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 provider: opa-spec: output: observations: - validate.msg - - validate.msg_existing_gateways - - validate.msg_allowed_gateways validation: validate.validate rego: | package validate import 
rego.v1 - # default values + # Default policy result default validate := false default msg := "Not evaluated" + # Validate both AuthorizationPolicy restricts access to Keycloak admin validate if { - check_expected_gw.result - check_all_gw_found.result + check_auth_policy_for_keycloak_admin_access.result } - msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) - msg_existing_gateways := concat(", ", gateways) - msg_allowed_gateways := concat(", ", allowed) - - # Check if only allowed gateways are in the system - allowed := {"admin", "tenant", "passthrough"} - gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} - allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} - actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + msg = check_auth_policy_for_keycloak_admin_access.msg - check_expected_gw = {"result": true, "msg": msg} if { - gateways == allowed_gateways - msg := "Only allowed gateways found." + check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { + input.authorizationPolicy.kind == "AuthorizationPolicy" + valid_auth_policy(input.authorizationPolicy) + msg := "AuthorizationPolicy restricts access to Keycloak admin." } else = {"result": false, "msg": msg} if { - msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + msg := "AuthorizationPolicy does not restrict access to Keycloak admin." 
} - gw_in_list(gw, allowed) if { - contains(gw.metadata.name, allowed[_]) + # Define the rule for denying access + expected_keycloak_admin_denial_rule := { + "from": [ + { + "source": { + "notNamespaces": ["istio-admin-gateway"] + } + } + ], + "to": [ + { + "operation": { + "paths": ["/admin*", "/realms/master*"] + } + } + ] } - # Check if the entire set contains all required gateways - check_all_gw_found = {"result": true, "msg": msg} if { - actual_allowed == allowed - msg := "All gateway types found." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + # Validate that the authorization policy contains the expected first rule + valid_auth_policy(ap) if { + ap.spec.action == "DENY" + rules := ap.spec.rules + + # Ensure the expected rule is present in the input policy + some i + rules[i] == expected_keycloak_admin_denial_rule } type: opa - title: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + title: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - description: | domain: kubernetes-spec: 
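Review bot: `valid_auth_policy` matches a rule with `rules[i] == expected_keycloak_admin_denial_rule`, i.e. exact structural equality, so a policy that is stricter than expected (an extra `notNamespaces` entry, an additional denied path, a `ports` or `hosts` clause) is reported as not restricting admin access; that fails closed, which is defensible, but a reader would expect a "contains at least this rule" check from the comment above it. If exact pinning is intended, say so, e.g. `# The DENY rule must match expected_keycloak_admin_denial_rule exactly; a stricter rule is still reported as non-compliant`, otherwise compare the `from`/`to` fields individually. The comment `# Validate both AuthorizationPolicy restricts access to Keycloak admin` also has a stray "both" — there is one policy — and `msg = …` here uses `=` where the defaults above use `:=`; the `rego.v1` import makes `:=` the consistent choice. This hunk starts at a `create-resources:` line inside a validation whose header is outside it.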
@@ -332,41 +388,98 @@ component-definition: - description: | lula-version: "" metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - description: | lula-version: "" metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: networkPolicies + resource-rule: + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 provider: opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate rego: | package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) 
- # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." 
+ + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - description: | lula-version: "" metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 provider: opa-spec: rego: | package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - description: | domain: kubernetes-spec: 
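Review bot: In `correct_istiod_policies` the three `policy.spec.egress[_]...` conditions use independent `_` wildcards, so the `istio=pilot` pod selector, port `15012` and protocol `TCP` may each be satisfied by a different egress rule — or, within one rule, by different entries of `ports` — and a policy that allows egress to istiod on some other port while allowing TCP/15012 to an unrelated destination is counted as correct. Binding one egress rule and one port entry before testing the three fields ensures they describe the same allowed flow. The rest of the hunk (the `required_namespaces` set and the namespace extraction) is unaffected; note the namespace list is hard-coded here and will silently go stale as packages are added.
```rego
# Helper to find correct NetworkPolicies: selector, port and protocol must
# all belong to the same egress rule and the same port entry
correct_istiod_policies = {policy |
  policy := input.networkPolicies[_]
  egress := policy.spec.egress[_]
  egress.to[_].podSelector.matchLabels["istio"] == "pilot"
  port := egress.ports[_]
  port.port == expected_istiod_port
  port.protocol == expected_istiod_protocol
}
# … unchanged: correct_istiod_namespaces …
```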
@@ -435,54 +548,140 @@ component-definition: create-resources: null resources: - description: "" - name: authorizationPolicy + name: gateways resource-rule: - group: security.istio.io - name: jwt-authz - namespaces: - - istio-system - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" metadata: - name: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 provider: opa-spec: output: observations: - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways + validation: validate.validate + rego: | + package validate + import rego.v1 + + # default values + default validate := false + default msg := "Not evaluated" + + validate if { + check_expected_gw.result + check_all_gw_found.result + } + + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." 
+ } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } + + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } + + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + } + type: opa + title: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicies + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_authPolicies validation: validate.validate rego: | package validate # Default policy result default validate = false - default msg = "Authorization Policies do not require authentication" + default msg = "Istio RBAC not enforced" # Evaluation for Istio Authorization Policies validate { - result_auth_policy.result + count(all_auth_policies) > 0 } - msg = result_auth_policy.msg - - result_auth_policy = {"result": true, "msg": msg} { - # Check that authorization policy exists and require authentication - input.authorizationPolicy.kind == "AuthorizationPolicy" + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - # "require authentication" is defined as having requestPrincipals defined - # and the selector.protect label is 
set to "keycloak" - input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null - input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" - msg := "Authorization Policy requires authentication for keycloak" - } else = {"result": false, "msg": msg} { - msg := "Authorization Policy does not require authentication" + msg = "Istio RBAC enforced" { + validate } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) type: opa - title: istio-authorization-policies-require-authentication - uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + - description: | + lula-version: "" + metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - description: | domain: kubernetes-spec: 
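Review bot: `gw_in_list` and `actual_allowed` in gateway-configuration-check accept a gateway by substring match on its name (`contains(gw.metadata.name, allowed[_])` and `contains(g, s)`), and `namespaces: []` collects gateways cluster-wide, so any Gateway in any namespace whose name merely contains "admin", "tenant" or "passthrough" both passes as allowed and counts toward "All gateway types found.". Compare `gateways` against a set of exact `namespace/name` strings instead of substrings, so an unexpected gateway cannot satisfy the allowlist by naming alone. In istio-rbac-enforcement-check, `validate { count(all_auth_policies) > 0 }` is satisfied by the existence of any single AuthorizationPolicy, including an allow-all policy in one namespace; it inspects neither `spec.action` nor `spec.rules` nor where the policy applies, so "Istio RBAC enforced" overstates what was verified. At minimum the rule should describe in a comment that it only proves presence, or require that some policy in the root namespace actually restricts traffic before reporting enforcement.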
@@ -565,66 +764,6 @@ component-definition: type: opa title: check-istio-admin-gateway-and-usage uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioMeshConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Logging not enabled or configured" - - # Check if Istio's Mesh Configuration has logging enabled - validate { - logging_enabled.result - } - - msg = logging_enabled.msg - - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" - } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" - } - type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - - description: | - lula-version: "" - metadata: - name: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - title: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - description: | lula-version: "" metadata: 
@@ -703,235 +842,6 @@ component-definition: type: opa title: istio-health-check uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: peerAuths - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: peerauthentications - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - import future.keywords.every - - # Default policy result - default validate = false - default all_strict = false - default msg = "Not evaluated" - - validate { - result_all_strict.result - } - - msg = concat(" ", [result_all_strict.msg]) - - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." - } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." 
- } - type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: networkPolicies - resource-rule: - group: networking.k8s.io - name: "" - namespaces: [] - resource: networkpolicies - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - provider: - opa-spec: - output: - observations: - - validate.msg_correct - - validate.msg_incorrect - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" - - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} - - # Validate NetworkPolicy for Istiod in required namespaces - validate { - count(required_namespaces - correct_istiod_namespaces) == 0 - } - - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." 
- - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol - } - - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] - } - type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: requestAuthentication - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: requestauthentications - version: v1beta1 - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate := false - default msg := "Not evaluated" - - # Validate both RequestAuthentication and AuthorizationPolicy are configured - validate { - authorization_policies_exist_and_configured.result - request_authentications_exist_and_configured.result - } - - msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) - - # Check AuthorizationPolicies exist and are configured - bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicy[_] - authPolicy.kind == "AuthorizationPolicy" - 
authorization_policy_not_configured(authPolicy) - } - - authorization_policy_not_configured(ap) { - # Check for missing or improperly configured rules - not ap.spec.rules - } - - authorization_policies_exist_and_configured = {"result": true, "msg": msg} { - count(input.authorizationPolicy) > 0 - count(bad_auth_policies) == 0 - msg := "All AuthorizationPolicies properly configured." - } else = {"result": false, "msg": msg} { - count(input.authorizationPolicy) == 0 - msg := "No AuthorizationPolicies found." - } else = {"result": false, "msg": msg} { - msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) - } - - # Check RequestAuthentications exist and are configured - bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | - ra := input.requestAuthentication[_] - ra.kind == "RequestAuthentication" - request_authentication_not_configured(ra) - } - - request_authentication_not_configured(ra) { - # Check for missing or improperly configured JWT rules - not ra.spec.jwtRules - } - - request_authentications_exist_and_configured = {"result": true, "msg": msg} { - count(input.requestAuthentication) > 0 - count(bad_request_authentications) == 0 - msg := "All RequestAuthentications properly configured." - } else = {"result": false, "msg": msg} { - count(input.requestAuthentication) == 0 - msg := "No RequestAuthentications found." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) - } - type: opa - title: request-authenication-and-auth-policies-configured - uuid: 3e217577-930e-4469-a999-1a5704b5cecb - - description: | - lula-version: "" - metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - provider: - opa-spec: - rego: | - package validate - validate := false - - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. - type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - description: | domain: kubernetes-spec: 
@@ -1002,48 +912,67 @@ component-definition: create-resources: null resources: - description: "" - name: authorizationPolicies + name: istioConfig resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 type: kubernetes lula-version: "" metadata: - name: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 provider: opa-spec: output: observations: - validate.msg - - validate.msg_authPolicies validation: validate.validate rego: | package validate # Default policy result default validate = false - default msg = "Istio RBAC not enforced" + default msg = "Not evaluated" - # Evaluation for Istio Authorization Policies + # Validate Istio configuration for metrics logging support validate { - count(all_auth_policies) > 0 + check_metrics_enabled.result } + msg = check_metrics_enabled.msg - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - - msg = "Istio RBAC enforced" { - validate + check_metrics_enabled = { "result": false, "msg": msg } { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } { + msg := "Metrics logging supported." 
} - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + - description: | + lula-version: "" + metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + provider: + opa-spec: + rego: | + package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + type: opa + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 components: - control-implementations: - description: Controls implemented by Istio and authservice that are inherited by applications @@ -1142,9 +1071,9 @@ component-definition: - href: '#67456ae8-4505-4c93-b341-d977d90cb125' rel: lula text: Check that Istio is healthy - - href: '#e38c0695-10f6-40b6-b246-fa58b26ccd25' + - href: '#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1' rel: lula - text: Authorization policy implemented that enforces authentication for Keycloak + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' uuid: c8c03abd-244d-4813-a966-3feece1bad6a - control-id: au-2 
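Review bot: `check_metrics_enabled` in istio-metrics-logging-configured returns "Metrics logging supported." whenever its first body is undefined, which includes the case where `input.istioConfig` is absent altogether (ConfigMap not found or `.data.mesh` not parsed), not only the case where `enablePrometheusMerge` is unset and Istio's default applies. Require the parsed config to be present on the success path, e.g. `} else = { "result": true, "msg": msg } { is_object(input.istioConfig); msg := "Metrics logging supported." }`, so a missing resource is reported as a failure rather than a pass. The same pattern is introduced again in the `@@ -171,25 +310,61 @@` hunk of src/istio/oscal-component.yaml further down this page.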
@@ -1264,9 +1193,9 @@ component-definition: - href: '#570e2dc7-e6c2-4ad5-8ea3-f07974f59747' rel: lula text: Resources in namespaces can securely communicate with Istio control plane via network policies - - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + - href: '#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1' rel: lula - text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to prevent unauthorized exchange of control plane traffic. + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - href: '#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44' rel: lula text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. @@ -1366,9 +1295,9 @@ component-definition: - href: '#1761ac07-80dd-47d2-947e-09f67943b986' rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: '#3e217577-930e-4469-a999-1a5704b5cecb' + - href: '#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1' rel: lula - text: Validates if Istio's RequestAuthentication and AuthorizationPolicy are configured to ensure confidentiality of information sent/received + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway remarks: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.' uuid: c158b75a-cefc-4794-b124-f1e56ff5646d - control-id: sc-10 @@ -1445,7 +1374,7 @@ component-definition: type: software uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 metadata: - last-modified: 2024-07-09T03:01:34.669670714Z + last-modified: 2024-07-12T17:29:23.274390023Z oscal-version: 1.1.2 parties: - links: From 0aed28401a9c1ee02755b6bd6621dce6ba9a945c Mon Sep 17 00:00:00 2001 
From: Brandt Keller Date: Fri, 12 Jul 2024 21:52:16 +0000 Subject: [PATCH 65/68] fix(actions): add unicorn flavor to evaluation --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 39f229357..cd22b6ace 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -91,7 +91,7 @@ jobs: name: Compliance Evaluation strategy: matrix: - flavor: [upstream, registry1] + flavor: [upstream, registry1, unicorn] uses: ./.github/workflows/compliance.yaml with: flavor: ${{ matrix.flavor }} From 2aa285de7f67082377815b8de5b13d961d8ea0b5 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 16 Jul 2024 02:50:53 +0000 Subject: [PATCH 66/68] fix(oscal): update oscal validations for istio injection --- src/istio/oscal-component.yaml | 719 +++++++++++++++++---------------- 1 file changed, 363 insertions(+), 356 deletions(-) diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index f98d2ba28..c6bb07f23 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml 
@@ -11,139 +11,278 @@ component-definition: create-resources: null resources: - description: "" - name: peerAuths + name: istioMeshConfig resource-rule: - group: security.istio.io + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" name: "" namespaces: [] - resource: peerauthentications - version: v1beta1 + resource: pods + version: v1 type: kubernetes lula-version: "" metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e provider: opa-spec: output: observations: - validate.msg + - validate.exempt_namespaces_msg validation: validate.validate rego: | package validate - - import future.keywords.every + import future.keywords.in # Default policy result default validate = false - default all_strict = false default msg = "Not 
evaluated" + # Check for required Istio and Prometheus annotations validate { - result_all_strict.result + has_prometheus_annotation.result } + msg = has_prometheus_annotation.msg - msg = concat(" ", [result_all_strict.msg]) + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." 
+ msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces } type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: gateways + name: pods resource-rule: - group: networking.istio.io + group: "" name: "" namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 
+ msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + container := containers[_] + container.name in names + } + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: adminGateway + resource-rule: + group: networking.istio.io + name: admin-gateway + namespaces: + - istio-admin-gateway resource: gateways version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e provider: opa-spec: output: observations: - validate.msg - - validate.msg_exempt validation: validate.validate rego: | package validate - import future.keywords.every + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + # Default policy result default validate = false + default admin_gw_exists = false + default admin_vs_match = false default msg = "Not evaluated" - # Validation validate { - 
check_gateways_allowed.result + result_admin_gw_exixts.result + result_admin_vs_match.result } - msg := check_gateways_allowed.msg - msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - # Collect gateways that do not encrypt ingress traffic - gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | - gateway := input.gateways[_]; - not allowed_gateway(gateway) - } + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { - count(gateways_disallowed) == 0 + result_admin_gw_exixts = {"result": true, "msg": msg} { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := "Admin gateway exists." } else = {"result": false, "msg": msg} { - msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + msg := "Admin gateway does not exist." } - # Check allowed gateway - allowed_gateway(gateway) { - every server in gateway.spec.servers { - allowed_server(server) - } + result_admin_vs_match = {"result": true, "msg": msg}{ + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. 
Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) } - exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} - allowed_gateway(gateway) { - sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways - # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic - # Find all virtual services that use this gateway - # Check that vs has https scheme - } + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - # Check allowed server spec in gateway - allowed_server(server) { - server.port.protocol == "HTTP" - server.tls.httpsRedirect == true - } + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - allowed_server(server) { - server.port.protocol == "HTTPS" - server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} - } + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} type: opa - title: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + title: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - description: | domain: kubernetes-spec: create-resources: null resources: - description: "" - name: istioMeshConfig + name: istioConfig resource-rule: field: base64: false 
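Review bot: `has_sidecar` in all-pods-istio-injected takes the expected container names from the pod's own `sidecar.istio.io/status` annotation, so a pod created with that annotation pre-set to list its ordinary containers is reported as injected even though no proxy container exists; the annotation is pod metadata, not something the validation controls. Check the spec directly, e.g. `has_sidecar(pod) if { some c in pod.spec.containers; c.name == "istio-proxy" }` (the block already imports `rego.v1`), and treat the annotation as secondary evidence at most. Separately, in check-istio-admin-gateway-and-usage the rule name `result_admin_gw_exixts` is misspelled, and `admin_vs`, `admin_vs_using_gateway` and `all_vs_using_gateway` key on bare `metadata.name`, so same-named VirtualServices in different namespaces collapse into one set entry and the set differences can hide a mismatch; keying on `namespace/name` as `expected_ns_name` already does would avoid that.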
@@ -158,8 +297,8 @@ component-definition: type: kubernetes lula-version: "" metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 provider: opa-spec: output: 
@@ -171,25 +310,61 @@ component-definition: # Default policy result default validate = false - default msg = "Logging not enabled or configured" + default msg = "Not evaluated" - # Check if Istio's Mesh Configuration has logging enabled + # Validate Istio configuration for metrics logging support validate { - logging_enabled.result + check_metrics_enabled.result } + msg = check_metrics_enabled.msg - msg = logging_enabled.msg - - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" - } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" + check_metrics_enabled = { "result": false, "msg": msg } { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } { + msg := "Metrics logging supported." } type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? 
+ type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - description: | domain: kubernetes-spec: 
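Review bot: The new `check_metrics_enabled` rule in istio-metrics-logging-configured passes whenever its single failure condition is undefined: the `false` branch fires only on `input.istioConfig.enablePrometheusMerge == false`, so if the `istio` configmap's `mesh` key is missing, fails to parse as YAML, or `input.istioConfig` is absent altogether, the comparison is undefined and the `else` branch reports "Metrics logging supported." Istio's documented default for `enablePrometheusMerge` is true, so an absent field is defensible, but a missing or unreadable mesh config should not produce a pass. Putting the conditions on the passing branch closes this: `check_metrics_enabled = {"result": true, "msg": "Metrics logging supported."} { input.istioConfig; not input.istioConfig.enablePrometheusMerge == false }` with the `else` returning `{"result": false, "msg": "Metrics logging not supported."}`. The placeholder validations added in the same hunk hard-code `validate := false`, which is the right fail-closed default until they are implemented.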
@@ -320,78 +495,6 @@ component-definition: type: opa title: istio-tracing-logging-support uuid: f346b797-be35-40a8-a93a-585db6fd56ec - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.in - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Check for required Istio and Prometheus annotations - validate { - has_prometheus_annotation.result - } - msg = has_prometheus_annotation.msg - - # Check for prometheus annotations in pod spec - no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - - has_prometheus_annotation = {"result": true, "msg": msg} { - count(no_annotation) == 0 - msg := "All pods have correct prometheus annotations." 
- } else = {"result": false, "msg": msg} { - msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) - } - - contains_annotation(pod) { - annotations := pod.metadata.annotations - annotations["prometheus.io/scrape"] == "true" - annotations["prometheus.io/path"] != "" - annotations["prometheus.io/port"] == "15020" - } - - # Exemptions - exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - description: | lula-version: "" metadata: 
@@ -462,24 +565,68 @@ component-definition: policy := correct_istiod_policies[_] } type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: peerAuths + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + + # Default policy result + default validate = false + default all_strict = false + default msg = "Not evaluated" + + validate { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." + } + type: opa + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - description: | lula-version: "" metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - provider: - opa-spec: - rego: | - package validate - validate := false - - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. 
- type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - description: | domain: kubernetes-spec: 
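Review bot: The `every` quantifier in `result_all_strict` is vacuously true over an empty collection, so a cluster with zero PeerAuthentication resources — where Istio falls back to PERMISSIVE — reports "All PeerAuthentications have mtls mode set to STRICT." and `validate` passes. At minimum add `count(input.peerAuths) > 0` as the first line of the true branch; better, also require a mesh-wide policy (a PeerAuthentication in the root namespace, normally `istio-system`, with no `spec.selector`), since a STRICT policy scoped by selector to one workload leaves every other workload permissive. The rule also reads only `spec.mtls.mode`, so a `spec.portLevelMtls` entry that downgrades individual ports to PERMISSIVE or DISABLE would pass unnoticed; checking that `portLevelMtls` is absent, or that every entry in it is STRICT, closes that gap. Minor: `default all_strict = false` is never referenced, and `msg = concat(" ", [result_all_strict.msg])` can simply be `msg = result_all_strict.msg`.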
@@ -663,114 +810,26 @@ component-definition: - description: | lula-version: "" metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - description: | lula-version: "" metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 provider: opa-spec: rego: | package validate default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: adminGateway - resource-rule: - group: networking.istio.io - name: admin-gateway - namespaces: - - istio-admin-gateway - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Expected admin gateway details - expected_gateway := "admin-gateway" - expected_gateway_namespace := "istio-admin-gateway" - expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) - - # Default policy result - default validate = false - default admin_gw_exists = false - default admin_vs_match = false - 
default msg = "Not evaluated" - - validate { - result_admin_gw_exixts.result - result_admin_vs_match.result - } - - msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - - result_admin_gw_exixts = {"result": true, "msg": msg} { - input.adminGateway.kind == "Gateway" - input.adminGateway.metadata.name == expected_gateway - input.adminGateway.metadata.namespace == expected_gateway_namespace - msg := "Admin gateway exists." - } else = {"result": false, "msg": msg} { - msg := "Admin gateway does not exist." - } - - result_admin_vs_match = {"result": true, "msg": msg}{ - count(admin_vs-admin_vs_using_gateway) == 0 - count(all_vs_using_gateway-admin_vs_using_gateway) == 0 - msg := "Admin virtual services are using admin gateway." - } else = {"result": false, "msg": msg} { - msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) - } - - # Count admin virtual services - admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - - # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") - admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - - # Count all VirtualServices using the admin gateway - all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) 
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) type: opa - title: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - lula-version: "" - metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - description: | domain: kubernetes-spec: 
@@ -848,131 +907,79 @@ component-definition: create-resources: null resources: - description: "" - name: pods + name: gateways resource-rule: - group: "" + group: networking.istio.io name: "" namespaces: [] - resource: pods - version: v1 + resource: gateways + version: v1beta1 type: kubernetes lula-version: "" metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed provider: opa-spec: output: observations: - validate.msg - - validate.exempt_namespaces_msg + - validate.msg_exempt validation: validate.validate rego: | package validate - import future.keywords.every - import future.keywords.in - # Default policy result default validate = false default msg = "Not evaluated" - exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - + # Validation validate { - has_proxyv2_sidecar.result + check_gateways_allowed.result } - msg = has_proxyv2_sidecar.msg + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - # Check for proxyv2 container in pod spec - no_proxyv2 = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_proxyv2(pod); not is_exempt(pod)] + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } - has_proxyv2_sidecar = {"result": true, "msg": msg} { - count(no_proxyv2) == 0 - msg := "All pods have Istio sidecar proxy." 
+ check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 } else = {"result": false, "msg": msg} { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_proxyv2)]) + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) } - contains_proxyv2(pod) { - images := pod.spec.containers[_].image - contains(images, "/proxyv2:") + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } } - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme } - type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for metrics logging support - validate { - check_metrics_enabled.result + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + 
server.tls.httpsRedirect == true } - msg = check_metrics_enabled.msg - check_metrics_enabled = { "result": false, "msg": msg } { - input.istioConfig.enablePrometheusMerge == false - msg := "Metrics logging not supported." - } else = { "result": true, "msg": msg } { - msg := "Metrics logging supported." + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} } type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - - description: | - lula-version: "" - metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - provider: - opa-spec: - rego: | - package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) - # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed components: - control-implementations: - description: Controls implemented by Istio and authservice that are inherited by applications @@ -1374,7 +1381,7 @@ component-definition: type: software uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 metadata: - last-modified: 2024-07-12T17:29:23.274390023Z + last-modified: 2024-07-16T02:47:14.949557671Z oscal-version: 1.1.2 parties: - links: From 8da20721a7fe1f0cc1c149137ca43e29b0b918da Mon Sep 17 00:00:00 2001 From: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Date: Tue, 16 Jul 2024 12:57:38 -0700 Subject: [PATCH 67/68] Update .github/workflows/pull-request-conditionals.yaml Co-authored-by: Micah Nagel --- .github/workflows/pull-request-conditionals.yaml | 1 + 1 file changed, 1 insertion(+) 
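Review bot: The `allowed_server` rule for `HTTPS` on the new side admits only `SIMPLE` and `OPTIONAL_MUTUAL`, so a gateway server terminating TLS in `MUTUAL` or `ISTIO_MUTUAL` mode — which requires a client certificate and is stricter than `SIMPLE` — lands in `gateways_disallowed` and is reported as not encrypting ingress traffic, nudging operators toward the weaker mode to satisfy the check; the one-line fix is `server.tls.mode in {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL", "OPTIONAL_MUTUAL"}`. Separately, the hunk drops `import future.keywords.every` and `import future.keywords.in` while the new policy still uses `every server in gateway.spec.servers`, `... in exempt_gateways` and `server.tls.mode in {...}`; unless the OPA build embedded by Lula enables these keywords by default, the policy will not parse, so the two import lines (or `import rego.v1`) should be restored directly under `package validate`. The name-based exemption for `istio-passthrough-gateway/passthrough-gateway` bypasses the server checks entirely, as the in-policy comment already acknowledges, so a `PASSTHROUGH` server on any other gateway is still flagged, which is the intended behaviour.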
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index cd22b6ace..f8e112e29 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -92,6 +92,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] + fail-fast: false uses: ./.github/workflows/compliance.yaml with: flavor: ${{ matrix.flavor }} From ce87762fbb8298b063734a23eb33a913bfecd1a8 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Thu, 18 Jul 2024 21:42:11 +0000 Subject: [PATCH 68/68] chore(tasks): add descriptions to compliance tasks --- tasks.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks.yaml b/tasks.yaml index 1cbb13b9e..525342343 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -111,10 +111,12 @@ tasks: - task: test:uds-core-upgrade - name: test-compliance-validate + description: "Validate Compliance of UDS Core to produce Assessment Results" actions: - task: test:compliance-validate - name: test-compliance-evaluate + description: "Evaluate Compliance of UDS Core against an established threshold" actions: - task: test:compliance-evaluate