From f250edba588b8c638e837c52f4d3b6fcb59f61c0 Mon Sep 17 00:00:00 2001 From: Andy Mills <61879371+CloudBeard@users.noreply.github.com> Date: Tue, 6 Feb 2024 11:39:13 -0500 Subject: [PATCH] feat: added initial oscal files (#145) ## Description Added initial OSCAL files from current upstream work being done in BB. Note it does not include OSCAL for everything, adding OSCAL as tools are setup. Currently each control has a remark of fully implemented. This will be updated as validations are put in-place and tested. Promtail has validations included, will test in UDS Staging/Prod to verify and update as needed. ... ## Related Issue Relates to https://github.com/defenseunicorns/uds/issues/348 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --------- Co-authored-by: Micah Nagel --- src/grafana/oscal-component.yaml | 237 ++++++++ src/istio/oscal-component.yaml | 671 ++++++++++++++++++++++ src/loki/oscal-component.yaml | 196 +++++++ src/neuvector/oscal-component.yaml | 424 ++++++++++++++ src/prometheus-stack/oscal-component.yaml | 242 ++++++++ src/promtail/oscal-component.yaml | 265 +++++++++ 6 files changed, 2035 insertions(+) create mode 100644 src/grafana/oscal-component.yaml create mode 100644 src/istio/oscal-component.yaml create mode 100644 src/loki/oscal-component.yaml create mode 100644 src/neuvector/oscal-component.yaml create mode 100644 src/prometheus-stack/oscal-component.yaml create mode 100644 src/promtail/oscal-component.yaml 
diff --git a/src/grafana/oscal-component.yaml b/src/grafana/oscal-component.yaml new file mode 100644 index 00000000..e0c0516d --- /dev/null +++ b/src/grafana/oscal-component.yaml 
@@ -0,0 +1,237 @@ +component-definition: + uuid: 7d316238-f7c4-4d3b-ab33-6ecbf49de5a7 + metadata: + title: Grafana + last-modified: "2024-01-18T16:36:58Z" + version: "20240118" + oscal-version: 1.1.1 + parties: + - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + type: organization + name: Defense Unicorns + links: + - href: https://defenseunicorns.com + rel: website + components: + - uuid: 375f8171-3eb9-48d6-be3c-c8f1c0fe05fa + type: software + title: Grafana + description: | + Grafana is an analytics and interactive visualization web application. + purpose: It provides charts, graphs, and alerts when connected to supported data sources. + responsible-roles: + - role-id: provider + party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + control-implementations: + - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by Grafana for inheritance by applications. + implemented-requirements: + - uuid: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 + control-id: ac-6.9 + description: >- + # Control Description + Log the execution of privileged functions. + + # Control Implementation + Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. + + remarks: This control is fully implemented by this tool. + + - uuid: 7449f733-6809-4a0b-a6f9-7857f46a106e + control-id: au-2 + description: >- + # Control Description + a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. 
For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; + b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; + d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and + e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + + # Control Implementation + API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. + In addition, system and cluster level metrics are emitted by containers with read only access to host level information. + Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. + Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 6700f065-8e51-4224-a5a0-8d3aff9d8d96 + control-id: au-3.1 + description: >- + # Control Description + Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose + or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. + + # Control Implementation + Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + remarks: This control is fully implemented by this tool. + + - uuid: 36f95dfb-626f-4fce-8417-4d808560b9d3 + control-id: au-5.1 + description: >- + # Control Description + Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. + + # Control Implementation + Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: d2d90ddf-dcc9-4087-ad71-ac67b66a154a + control-id: au-5.2 + description: >- + # Control Description + Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. 
+ + # Control Implementation + Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. + Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. + Data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: 042fae4b-2779-4cfb-b68d-6f2dcbaa10ad + control-id: au-6.1 + description: >- + # Control Description + Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + + # Control Implementation + Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: c79cf2fa-2081-4034-831f-2c8016a275da + control-id: au-6.3 + description: >- + # Control Description + Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. + + # Control Implementation + Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. + + remarks: This control is fully implemented by this tool. + + - uuid: 80de1b87-8288-49ac-8a6b-fc71509df64b + control-id: au-6.5 + description: >- + # Control Description + Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. 
+ + # Control Implementation + Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: b8c17326-8821-4536-8409-64d571540e37 + control-id: au-6.6 + description: >- + # Control Description + Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + + # Control Implementation + Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: 8abbc53e-0ec4-49c6-8ef1-a1c237695f96 + control-id: au-7 + description: >- + # Control Description + Provide and implement an audit record reduction and report generation capability that: + a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and + b. Does not alter the original content or time ordering of audit records. + + # Control Implementation + Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + + remarks: This control is fully implemented by this tool. + + - uuid: 56d09aae-ab73-49d8-b2a4-1e81db2878eb + control-id: au-7.1 + description: >- + # Control Description + Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. 
+ + # Control Implementation + Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + + remarks: This control is fully implemented by this tool. + + - uuid: 9be1e683-93e1-4769-aa7d-951e2c8f8627 + control-id: au-8 + description: >- + # Control Description + a. Use internal system clocks to generate time stamps for audit records; and + b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset + from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + + # Control Implementation + Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: f800923b-6367-4468-9f42-1afae4b6d38d + control-id: au-9 + description: >- + # Control Description + a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and + b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. + + # Control Implementation + Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an + identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control + when using Grafana Enterprise. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 3c4bf1e8-b873-4c43-a912-5f443fc0208f + control-id: au-9.2 + description: >- + # Control Description + Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + + # Control Implementation + Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of + the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. + Metrics data can be displayed through a Grafana dashboard for visualization. + + remarks: This control is fully implemented by this tool. + + - uuid: 3c5ff037-ea46-4e41-b601-a9b223da30a8 + control-id: au-9.4 + description: >- + # Control Description + Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + + # Control Implementation + Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an + identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control + when using Grafana Enterprise. + + remarks: This control is fully implemented by this tool. + + - uuid: 301093ed-d023-4bf8-a915-e624589acadd + control-id: au-12.1 + description: >- + # Control Description + Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + + # Control Implementation + Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps + of when the data was collected. 
+ + back-matter: + resources: + - uuid: d429396c-1dab-4712-9034-607c90a63b8a + title: Defense Unicorns UDS Core + rlinks: + - href: https://github.com/defenseunicorns/uds-core diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml new file mode 100644 index 00000000..e1f62152 --- /dev/null +++ b/src/istio/oscal-component.yaml 
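Review bot: Several `remarks: This control is fully implemented by this tool.` lines in this hunk contradict the implementation text immediately above them: au-9.2 says the external-repository configuration "is not easily supported" and that ClusterAuditor metrics are not exposed via Istio, au-6.6 says it "would require prometheus to also obtain access to physical metrics", and au-6.1 leaves the integration "to be completed by end user". An assessor is likely to read `remarks` as the implementation status, so those entries should carry a status that matches the narrative, e.g. `remarks: This control is partially implemented by this tool; see the implementation text for the remaining gap.`, until the validations the PR description mentions are in place. The au-12.1 entry at the end of the file has no `remarks` line at all, unlike every other requirement in this component. The same mismatch appears in src/istio/oscal-component.yaml, where au-9, au-9.2, cm-5 and cm-6 state "Istio contributes but does not implement" yet still carry the fully-implemented remark.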
@@ -0,0 +1,671 @@ +# add the descriptions inline +component-definition: + uuid: cc873a43-e9fa-433b-8c20-222d733daf1e + metadata: + title: Istio Controlplane + last-modified: "2024-01-18T16:41:56Z" + version: "20240118" + oscal-version: 1.1.1 + parties: + - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + type: organization + name: Defense Unicorns + links: + - href: https://defenseunicorns.com + rel: website + components: + - uuid: e7e62a4f-8ae7-4fb0-812c-60ea6ae26374 + type: software + title: Istio Controlplane + description: | + Istio Service Mesh + purpose: Istio Service Mesh + responsible-roles: + - role-id: provider + party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + control-implementations: + - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by Istio and authservice that are inherited by applications + implemented-requirements: + - uuid: 17b76910-1395-48a2-9441-edbb7c1f04ec + control-id: ac-3 + description: >- + # Control Description + Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + + # Control Implementation + Istio implements with global configuration. + + # How Istio Helps + Istio helps implement access enforcement in two ways: limiting service-to-service access (see AC-4 below), + and acting as an enforcement point for end user authentication and authorization (AC-3, this section). + - Service to Service Access: Istio provides authenticatable runtime identities for all applications in the mesh in the form of X.509 certificates. + Those certificates are used for encryption in transit as well as authentication of the service's identity. 
+ This authenticated principal can be used for access control of service to service communication via Istio's AuthorizationPolicy. + We cover this in detail in AC-4, Information Flow Enforcement, below. + - End User Authentication and Authorization: Istio facilitates end user authentication and authorization in two ways: + 1. Istio has native support for JWT authentication and authorization based on JWT claims. + It can be configured to extract a JWT from each request's headers, validate them against issuers and with specific keys, and limit access based on any of the JWT's fields. + 2. Istio supports extracting metadata from each request and forwarding it to an external authentication and authorization server. + Istio will enforce the verdict returned by this server, and can attach additional metadata returned by the server (e.g., an internal JWT in place of an external API key). + + remarks: This control is fully implemented by this tool. + + - uuid: b4383b6b-bcdf-41db-a323-873de77ba46b + control-id: ac-4 + description: >- + # Control Description + Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. + + # Control Implementation + Istio implements with mission team configuration. + + # How does Istio help? + Istio encrypts all in-mesh communication at runtime using the service's identity. + This provides TLS for all applications in the mesh. If you're using the Tetrate Istio Distribution, then this TLS is FIPS verified. mTLS is configured through the PeerAuthentication resource, and should be set to STRICT to enforce mTLS between all components of the information system. + Istio's AuthorizationPolicy controls service-to-service communication within the mesh. + Combined with Istio ingress and egress gateways, as well as a few installation settings, Istio can manage all traffic into and out of your deployment. 
+ In addition to AuthorizationPolicies controlling traffic in the mesh, Istio ingress gateways terminate HTTPS on behalf of applications in the mesh (AC-4 (4) - not required by moderate but valuable nonetheless). + By managing how traffic flows out of applications using VirtualServices or ServiceEntries, all traffic leaving your infrastructure can be channeled through an egress gateway. + Egress gateways can audit and limit how traffic flows to external services outside of the information system under control. + + remarks: This control is fully implemented by this tool. + + - uuid: 19bd393a-25fb-4ef1-9633-5fc510247d69 + control-id: ac-4.4 + description: >- + # Control Description + Prevent encrypted information from bypassing [Assignment: intrusion detection mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. + + # Control Implementation + All encrypted HTTPS connections are terminated at the Istio ingress gateway. + + remarks: This control is fully implemented by this tool. + + - uuid: 2e0879f1-381d-445d-b201-8ba3a1194147 + control-id: ac-4.21 + description: >- + # Control Description + Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. + + # Control Implementation + Istio implements with mission team configuration. + + # How does Istio help? + When Istio is configured as above for AC-4 limiting access to services within the information system and controlling communication ingress and egress to and from the information system it provides logical separation of information flows. + Istio policies can provide this separation at the finest grain possible. 
For example, for HTTP traffic, Istio provides the ability to limit communication per verb and path, as well as based on header values or end-user credentials stored at headers, in addition to controlling traffic with the traditional network five-tuple. + Istio enforces the policy at the application instance itself. + + remarks: This control is fully met by this tool. + + - uuid: 7e8f7b8e-e95a-479b-96dd-7ff0bf957a84 + control-id: ac-6.3 + description: >- + # Control Description + Authorize network access to [Assignment: [all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. + + # Control Implementation + Configured with an "admin" gateway to restrict access to applications that only need sysadmin access. + + remarks: This control is fully implemented by this tool. + + - uuid: 36e1ad45-4c25-42b0-b06b-889734fde442 + control-id: ac-6.9 + description: >- + # Control Description + Log the execution of privileged functions. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio help? + Istio produces logs for all traffic in the information system see AU-3 below for more information on what information is logged and how to configure additional information to be logged with each access. + As long as the privileged functions are exposed as network endpoints in the information system, Istio will log their use like it logs all other network traffic. + Logging privileged use outside of the information system like using kubectl to access the cluster directly is outside of the scope of Istio's runtime logging. + + remarks: This control is fully implemented by this tool. + + - uuid: 25609c9a-a482-49e3-ba76-2cee88a5932a + control-id: ac-14 + description: >- + # Control Description + "a. 
Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and + b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + + # Control Implementation + Istio implements with mission team configuration. + + # How does Istio help? + Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. + This is configured using RequestAuthentication and AuthorizationPolicy resources, described at length in AC-4 above. + Using this, Istio's authorization policy becomes documentation of services that do not require authentication. + + remarks: This control is fully implemented by this tool. + + - uuid: 908b6b76-978d-4089-a422-3112656c8452 + control-id: ac-17.3 + description: >- + # Control Description + Route remote accesses through authorized and managed network access control points. + + # Control Implementation + Istio routes remote access through correct configuration and managed network access control points. + + remarks: This control is fully implemented by this tool. + + - uuid: 524006e4-67d7-4124-8679-58392ab20cbb + control-id: au-2 + description: >- + # Control Description + "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; + b. 
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; + d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and + e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + + # Control Implementation + Istio provides access logs for all HTTP network requests, including mission applications. + + remarks: This control is fully implemented by this tool + + - uuid: a8e9fcc9-f900-4467-9287-b288341c9575 + control-id: au-3 + description: >- + # Control Description + "Ensure that audit records contain information that establishes the following: + a. What type of event occurred; + b. When the event occurred; + c. Where the event occurred; + d. Source of the event; + e. Outcome of the event; and + f. Identity of any individuals, subjects, or objects/entities associated with the event." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio help? + Istio generates access logs for all traffic in the mesh (ingress, internal, and egress) that is a superset of the data in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). + For HTTP traffic, this includes timestamp, source and destination IPs, request verb, response code, and more. + You can get a full overview of the data that is provided [in the Istio documentation](https://istio.io/latest/docs/tasks/observability/logs/access-log/). 
+ The format of these logs can be configured per deployment or globally at install time to conform with requirements of existing log analysis tools or other organizational needs. + By default, Envoy sidecars in the mesh emit these logs as text to standard out. However, Envoy can be configured to forward this log data over gRPC to a server that aggregates (and potentially acts on) them. + This is called the [Access Log Service (ALS)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto). + These can be augmented by application-specific audit logging, but for many services (and HTTP services especially), the mesh's logs are sufficient to reconstruct an understanding of events to perform an audit. + + remarks: This control is fully implemented by this tool. + + - uuid: 1db223f2-4b59-424a-9bb5-d7a6a2f381e8 + control-id: au-3.1 + description: >- + # Control Description + Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio help? + Istio’s access logs can be configured to produce additional information as needed by the organization. + + remarks: This control is fully implemented by this tool. + + - uuid: 4739a734-5ad6-4898-afb7-00561ee84736 + control-id: au-9 + description: >- + # Control Description + "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and + b. 
Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." + + # Control Implementation + Istio contributes but does not implement. + + # How does Istio Help? + If you’re using Istio to produce audit information (see AU-3, AU-3 (1)), then the logs that Istio produces are subject to AU-9 controls. + Protecting the logs that Istio produces is outside of the scope of Istio itself, but integrating your log ingestion and protection system with the logs that Istio produces, you can easily satisfy this requirement. + Kubernetes RBAC should be configured to allow only specific users access to the log files Envoy produces, ideally no users should have direct access and instead only access logs via the log ingestion system (like Splunk). + + remarks: This control is fully implemented by this tool. + + - uuid: 395a4976-bf4a-4193-b928-05a0700e03fb + control-id: au-9.2 + description: >- + # Control Description + Store audit records [Assignment: oat least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + + # Control Implementation + Istio contributes but does not implement. + + # How does Istio Help? + See AU-9 above, but in short: ensure that Istio’s logging configuration aligns with your larger log collection pipeline. The log collection pipeline itself should implement the AU-9 controls required by the organization. + + remarks: This control is fully implemented by this tool. + + - uuid: b06017d9-c9ab-462d-9861-99b9849f4ee4 + control-id: au-12 + description: >- + # Control Description + "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: all information system and network components where audit capability is deployed/available]; + b. 
Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and + c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. These events are a subset of all events defined by most organizations in AU-2 a. as worthy of audit. + See AU-3 for details of the information that can be generated, and AU-3 (1) for information on customizing it. + If the only events to be logged per AU-2 a. are network events, then Istio satisfies AU-12 fully for the information system. + + remarks: This control is fully implemented by this tool. + + - uuid: bf8b66b2-8909-4935-98ba-189bf3ffde03 + control-id: cm-5 + description: >- + # Control Description + Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + + # Control Implementation + Istio contributes but does not implement. + + # How does Istio Help? + Istio is configured with Kubernetes Custom Resources. As such it can be configured as code, and managed by your existing CM-5 conformant code management processes. + Kubernetes RBAC should be used to control who can change which configuration at runtime. + UDS Core implements CM-5 controls by implementing infrastructure as code practices, configuring Kubernetes RBAC to prevent humans from authoring configuration and allowing only continuous delivery systems (Flux, by default) to author runtime configuration. Since all configuration is managed in this CM-5 conformant way, Istio’s configuration is controlled in a CM-5 conformant way. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 3ee327e1-2cce-4908-a78d-99e65ce2333a + control-id: cm-6 + description: >- + # Control Description + "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: United States Government Configuration Baseline (USGCB)]; + b. Implement the configuration settings; + c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and + d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + + "CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings or establishes its own configuration settings if USGCB is not available. + CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). + CM-6 (a) Guidance: Information on the USGCB can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." + + + # Control Implementation + Istio contributes but does not implement. + + # How does Istio Help? + This document provides the guidance for configuring Istio, both globally as well as for mission teams. Additional best practices should be followed, including: + - NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture + - NIST SP 800-204B: Attribute-based Access Control for Microservices-based Applications using a Service Mesh + Tetrate helps maintain and periodically audits UDS Core’s Istio configurations to ensure they implement best practice defaults. 
+ + remarks: This control is fully implemented by this tool. + + - uuid: 0ab5781b-2f6b-4c71-83ef-e00f10c7ed93 + control-id: cm-8.1 + description: >- + # Control Description + Update the inventory of system components as part of component installations, removals, and system updates. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio’s service inventory is updated continuously from the Kubernetes API server (the information system’s source of truth for what applications are running). Therefore, the inventory is updated when components of the information system are installed or removed. As a result, Istio implements CM-8 (1) for the information system. + + remarks: This control is fully implemented by this tool. + + - uuid: 8d72738e-99ae-40e8-9fc0-bdfc51d24121 + control-id: cm-8.2 + description: >- + # Control Description + Update the inventory of system components as part of component installations, removals, and system updates. + + # Control Implementation + Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali. The inventory is automatically and continuously updated. + + remarks: This control is fully implemented by this tool. + + - uuid: 3d88af30-61e0-47ed-a495-74ca61ce99a7 + control-id: ia-2 + description: >- + # Control Description + Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. + + # Control Implementation + Istio implements with mission team configuration. + + # How does Istio Help? + Istio can be used to implement authentication of end-user credentials for applications in the mesh. This is typically configured via Istio’s external authorization service or by validating JWTs on each request (see AC-3). 
+ If components in the information system are protected by Istio configured to validate end-user credentials, then Istio satisfies the authentication clause IA-2: “[the information system] authenticates organizational users (or processes acting on behalf or organizational users).” + Assigning user identities themselves, and ensuring their uniqueness, is out of scope of Istio. (Istio does assign identities to applications or processes running in the information system – see AC-4.) + + remarks: This control is fully implemented by this tool. + + - uuid: 4b28dcb2-f7fb-4944-9661-1182ccf197b2 + control-id: ia-4 + description: >- + # Control Description + "Manage system identifiers by: + a. Receiving authorization from [Assignment: oat a minimum, the ISSO (or similar role within the organization)] to assign an individual, group, role, service, or device identifier; + b. Selecting an identifier that identifies an individual, group, role, service, or device; + c. Assigning the identifier to the intended individual, group, role, service, or device; and + d. Preventing reuse of identifiers for [Assignment: at least two (2) years]." + + # Control Implementation + Istio contributes but does not implement. + + # How does Istio Help? + Istio assigned identities to runtime entities based on their Kubernetes service account. Service accounts are unique per (namespace, service account name) pair and are assigned to all pods in the cluster. + Pods should opt in to using a specific service account, but if they do not then Kubernetes provides a default service account per namespace. + + The identities Istio assigned are: + a. Authorized for the specific application by checking against the Kubernetes API server (the system of record for runtime identities). + b. Each service receives an identity from Kubernetes at runtime, whether it is assigned explicitly or not. + c. 
Sent only to correct workloads because Istio authenticates runtime proofs (mainly, the pod’s service account token) in addition to authorizing the identity by checking with the Kubernetes API server. + d. Service accounts in Kubernetes are unique. However, Kubernetes-level controls (out of the scope of Istio) need to be implemented to ensure that identities are not re-used. + e. The Kubernetes service account lifecycle is out of scope of Istio. A Kubernetes-level control is need to satisfy this requirement. + + remarks: This control is fully implemented by this tool. + + - uuid: 501ef187-1344-40bf-a697-127ae1d65a41 + control-id: ia-7 + description: >- + # Control Description + Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio provides encryption in transit for all applications in the mesh, and can also provide TLS termination at ingress and TLS origination at egress. Tetrate Istio Distribution (TID) is the only FIPS 140-2 Verified Istio distribution that exists. It is available from the Iron Bank. + When using the TID FIPS builds, all communication between components of the information system is encrypted using FIPS 140-2 verified software. + + remarks: This control is fully implemented by this tool. + + - uuid: 902e23be-f46b-416e-b407-fa579be28612 + control-id: sc-3 + description: >- + # Control Description + Isolate security functions from nonsecurity functions. + + # Control Implementation + Istio breaks-down services into microservices to isolate security functions from non-security functions. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 11732a14-62d3-43ff-b294-5b2508b8e967 + control-id: sc-4 + description: >- + # Control Description + Prevent unauthorized and unintended information transfer via shared system resources. + + # Control Implementation + Istio can enforce that outbound traffic goes through an Egress Gateway. When combined with a Network Policy, you can enforce all traffic, or some subset, goes through the egress gateway to prevent unauthorized and unintended information transfer via shared system resources. + + remarks: This control is fully implemented by this tool. + + - uuid: 8258a234-68c6-4b0b-b527-b58e5b39ecda + control-id: sc-5 + description: >- + # Control Description + "a. [Selection: Protect against] the effects of the following types of denial-of-service events: [Assignment: at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack]; and + b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." + + # Control Implementation + Istio monitors the egress traffic and enforces all the security policies. Monitoring the egress traffic, enables you to analyze, possibly offline, and detect an attack. + + - uuid: 8fcf76d0-a612-4f1a-8c07-2dfe03d7b03a + control-id: sc-7 + description: >- + # Control Description + "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; + b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and + c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? 
+ Istio alone can not completely satisfy the SC-7 requirement, because Istio sits at Layer 4 and above, in other words it sits atop the IP network you provide it. However, Istio can aid in implementing boundary protection in your stack: + a. Istio provides monitoring (AU-12) and control of traffic ingress into and egressing out of the cluster, as well as internally for all communication between components. If all information system components are running in the cluster, this satisfies SC-7 a. + b. Istio operates at layer 4 and above - it cannot implement sub-networks at the IP layer. However, Istio can be used for logical separation of components at runtime (see AC-4 (21)). + Istio’s separation should be augmented with network-level separation, e.g. via a CNI plugin, to help implement a defense in depth strategy. + c. The only ingress into the cluster is via Istio gateways (AC-3), egress is controlled by Istio gateways (AC-4). If all information system components are running in the cluster, this satisfies the needs of SC-7 c. + Further, access policy can be applied at both points, as well as at every application instance via Istio’s sidecar. This gives the organization the opportunity to implement more fine-grained controls than is needed by SC-7. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: cbc3fcca-7628-4f70-ac40-8bea413ae4dc + control-id: sc-7.4 + description: >- + # Control Description + "(a) Implement a managed interface for each external telecommunication service; + (b) Establish a traffic flow policy for each managed interface; + (c) Protect the confidentiality and integrity of the information being transmitted across each interface; + (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; + (e) Review exceptions to the traffic flow policy [Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need; + (f) Prevent unauthorized exchange of control plane traffic with external networks; + (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and + (h) Filter unauthorized control plane traffic from external networks." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Like SC-7, Istio works in tandem with a few other components of the infrastructure to satisfy SC-7 (4). + For example, it’s common to use an identity-aware proxy (like UDS Core’s CNAP), or even a cloud provider load balancer (like an ELB) as the initial interface for an external service, immediately passing the requests on to Istio’s ingress. + For all of the information system components in the cluster: + a. Istio provides an interface its ingress and egress gateways for external network traffic. Istio allows configuring how that interface is exposed, including ports and protocols as well as certificates that are served. See AC-4. + b. Istio provides fine-grained layer 7 policy on each request to control how traffic flows through that ingress. 
It enforces this policy at ingress gateways to control the external traffic ingress into your information system. + Istio also enforces them at egress gateways to control how components of your information system communicate with external systems. See AC-4. + c. Istio’s ingress gateways serve TLS (or mTLS) to external systems, and Istio provides mTLS between applications of the information system in the mesh. See AC-4. + d. Istio must be explicitly configured to allow exceptions, either in AuthorizationPolicy documents controlling runtime access or in resource annotations exempting traffic from Istio’s sidecar. + These can be used as supporting documents for SC-7 (4) d., but will need to be augmented with organizational documentation citing specific mission needs and durations. + e. This is an organizational activity out of the scope of Istio. + + remarks: This control is fully implemented by this tool. + + - uuid: e8c72e81-4e58-42cb-bcd4-714df65e2225 + control-id: sc-7.5 + description: >- + # Control Description + Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: any systems]]. + + # Control Implementation + Istio implements with mission team configuration. + + # How does Istio Help? + At ingress and egress gateways, Istio denies all traffic that does not have explicit traffic routing policies in the form of a VirtualService attached to the gateways. + Inside of the mesh, and to control egress out to external services, you can author AuthorizationPolicies to limit access. + Those policies must be written in the “allow with positive matching” style. + Together, Istio implements the SC-7 (5) control on behalf of applications in the mesh. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 6ef57828-3fda-49a6-8b18-e4926ade2e05 + control-id: sc-7.8 + description: >- + # Control Description + Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. + + # Control Implementation + Istio’s traffic management model relies on the Envoy proxies that are deployed along with the services. + All traffic that the mesh services send and receive (data plane traffic) is proxied through Envoy, making it easy to direct and control traffic around the mesh without making any changes to the services. + + remarks: This control is fully implemented by this tool. + + - uuid: e288c006-3a9d-44d7-91c9-61a4260bc148 + control-id: sc-7.10 + description: >- + # Control Description + "(a) Prevent the exfiltration of information; and + (b) Conduct exfiltration tests [Assignment: organization-defined frequency]." + Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol + formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, + monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. 
The devices verify adherence + to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with + cross-domain solutions and system guards that enforce information flow requirements. + + # Control Implementation + Istio can set an alert to detect attempted data exfiltration by a service in the cluster. In this mode, Prometheus can tell you both the source and (attempted) destination workload for the blocked request. + The Istio System manages the ingress and egress network traffic permitted within your OPA-integrated Istio service mesh. You can specify egress traffic is only allowed to a predefined collection of endpoints to minimize the risk of data exfiltration or to implement microservice API authorization. + + remarks: This control is fully implemented by this tool. + + - uuid: 5aadb273-8674-4220-b905-3828b57499cb + control-id: sc-7.20 + description: >- + # Control Description + Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. + + # Control Implementation + Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. + These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. + If the goal of the operator is not to distribute load across zones and regions but rather to restrict the region of failover to meet other operational requirements an operator can set a ‘failover’ policy instead of a ‘distribute’ policy. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 35490063-9fc5-4ea7-ae6e-4ef25fbf2d5a + control-id: sc-7.21 + description: >- + # Control Description + Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. + + # Control Implementation + Multi-mesh deployments facilitate division of a system into subsystems with different security and compliance requirements, and facilitate the boundary protection. + You put each subsystem into a separate service mesh, preferably on a separate network. You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of each mesh. + Istio isolation boundaries can run multiple TSB-managed Istio environments within a Kubernetes cluster, or spanning several clusters. + These Istio environments are isolated from each other in terms of service discovery and config distribution. + + remarks: This control is fully implemented by this tool. + + - uuid: d07f799b-d95c-461e-ae03-4f174ada99bb + control-id: sc-7.25 + description: >- + # Control Description + Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. + + # Control Implementation + All outbound traffic from an Istio-enabled pod is redirected to its sidecar proxy by default, accessibility of URLs outside of the cluster depends on the configuration of the proxy. + By default, Istio configures the Envoy proxy to pass through requests for unknown services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable. + Egress gateways can limit how traffic flows to external services outside of the information system under control. 
+ Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. + + remarks: This control is fully implemented by this tool. + + - uuid: fbdaaeea-0ac4-4bbc-8b75-5b6b7da031e5 + control-id: sc-8 + description: >- + # Control Description + Protect the [Selection confidentiality AND integrity] of transmitted information. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. + + remarks: This control is fully implemented by this tool. + + - uuid: 3a204429-6f70-481c-8092-657cc7e79456 + control-id: sc-8.1 + description: >- + # Control Description + Implement cryptographic mechanisms to [Selection prevent unauthorized disclosure of information AND detect changes to information] during transmission. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + See SC-8 for full details. In short, Istio provides encryption in transit (mutual TLS) for all applications in the mesh. When you’re using TID’s FIPS verified build of Istio, then this encryption also satisfies FIPS 140-2 requirements. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: b044588e-77b1-4e5d-a1bb-b6b0a789c5b0 + control-id: sc-8.2 + description: >- + # Control Description + Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. + + remarks: This control is fully implemented by this tool. + + - uuid: 1e4bf509-37d9-4e06-b6ac-11108e760f4c + control-id: sc-10 + description: >- + # Control Description + Terminate the network connection associated with a communications session at the end of the session or after [Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions.] + + # Control Implementation + A timeout for HTTP requests can be specified using a timeout field in a route rule. + + remarks: This control is fully implemented by this tool. + + - uuid: 042b6b8a-759e-472b-b70b-c4351b53803a + control-id: sc-13 + description: >- + # Control Description + "a. Determine the [Assignment: organization-defined cryptographic uses]; and + b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: FIPS-validated or NSA-approved cryptography]." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + As outlined in the section on SC-8, Istio provides encryption in transit for all applications in the mesh. 
The Tetrate Istio Distribution’s FIPS Verified build is the only FIPS verified build of Istio and Envoy available, and satisfies requirements for FIPS 140-2 as well as the requirement to use the best available software for the job. + + remarks: This control is fully implemented by this tool. + + - uuid: 97cd68fc-1519-4fbc-bca2-c76c16fcc7e1 + control-id: sc-23 + description: >- + # Control Description + Protect the authenticity of communications sessions. + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. + + remarks: This control is fully implemented by this tool. + + - uuid: 18df5a35-f209-47d1-84f5-346c22530a5f + control-id: sc-39 + description: >- + # Control Description + Maintain a separate execution domain for each executing system process. + + # Control Implementation + Istio’s authorization features provide mesh-, namespace-, and workload-wide access control for your workloads in the mesh. + Istio supports trust domain migration for authorization policy. This means if an Istio mesh needs to change its trust domain, the authorization policy doesn’t need to be changed manually. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 1a778726-73cb-4335-a13d-8ca2bdb6f7d9 + control-id: si-4.22 + description: >- + # Control Description + "(a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and + (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected." + + # Control Implementation + Istio implements with global configuration. + + # How does Istio Help? + Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. Can be configured for specific network traffic such as not authorized or approved by a system process or user. + Network event alerts can be configured by organizations need. + + remarks: This control is fully implemented by this tool. + + back-matter: + resources: + - uuid: 11d6961f-7ea3-463e-a765-8e0eddf08c4c + title: Defense Unicorns UDS Core + rlinks: + - href: https://github.com/defenseunicorns/uds-core diff --git a/src/loki/oscal-component.yaml b/src/loki/oscal-component.yaml new file mode 100644 index 00000000..4faecc47 --- /dev/null +++ b/src/loki/oscal-component.yaml 
@@ -0,0 +1,196 @@ +component-definition: + uuid: aaa97ff3-41f7-4f11-b74a-0cf0de527e6e + metadata: + title: Loki Component + last-modified: "2024-01-18T20:36:22Z" + version: "20240118" + oscal-version: 1.1.1 + parties: + - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + type: organization + name: Defense Unicorns + links: + - href: https://defenseunicorns.com + rel: website + components: + - uuid: a735b5a4-aabd-482d-b335-60ddcd4b1c00 + type: software + title: Loki + description: | + Deployment of Loki as a lighter weight replacement for elasticsearch + purpose: Provides storage and indexing for logs in the cluster + responsible-roles: + - role-id: provider + party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + control-implementations: + - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by Loki for inheritance by applications + implemented-requirements: + - uuid: 386fb410-27e5-413d-8e6d-607afa86bb72 + control-id: ac-5 + description: >- + # Control Description + "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and + b. Define system access authorizations to support separation of duties." + + # Control Implementation + Loki implements RBAC to define system authorization and separation of duties. + + remarks: This control is fully implemented by this tool. + + - uuid: 60ad5f60-3852-49a1-961b-b6454edb8319 + control-id: ac-6 + description: >- + # Control Description + Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + + # Control Implementation + Loki implements RBAC to employ principle of least privilege. 
+ + remarks: This control is fully implemented by this tool. + + - uuid: e7721974-f672-47cf-9421-e1530aec1217 + control-id: ac-6.1 + description: >- + # Control Description + "Authorize access for [Assignment: organization-defined individuals or roles] to: + (a) [Assignment: all functions not publicly accessible]]; and + (b) [Assignment: all security-relevant information not publicly available]]." + + # Control Implementation + Loki implements RBAC to employ principle of least privilege. + + remarks: This control is fully implemented by this tool. + + - uuid: e36ba9d5-f12d-4524-a777-a041a0203bb6 + control-id: ac-6.9 + description: >- + # Control Description + Log the execution of privileged functions. + + # Control Implementation + Privileged events that modify the application are logged in the application itself. + + remarks: This control is fully implemented by this tool. + + - uuid: d0ffa50d-d91f-4dc3-8827-24e0f84b49d2 + control-id: ac-6.10 + description: >- + # Control Description + Prevent non-privileged users from executing privileged functions. + + # Control Implementation + Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. + + remarks: This control is fully implemented by this tool. + + - uuid: 836408b9-1ae9-4c99-8510-6ee35a4d11e9 + control-id: au-4 + description: >- + # Control Description + Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + + # Control Implementation + Loki uses scalable object storage. + + remarks: This control is fully implemented by this tool. + + - uuid: 25477ca3-4607-449e-9d33-a2a67ede0019 + control-id: au-6 + description: >- + # Control Description + "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; + b. 
Report findings to [Assignment: organization-defined personnel or roles]; and + c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + + # Control Implementation + Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + + remarks: This control is fully implemented by this tool. + + - uuid: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 + control-id: au-6.1 + description: >- + # Control Description + Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + + # Control Implementation + Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + + remarks: This control is fully implemented by this tool. + + - uuid: 973c9f19-8c96-4c84-925a-b69f28625962 + control-id: au7.1 + description: >- + # Control Description + Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + + # Control Implementation + Loki provides an API for retrieving and filtering logs. + + remarks: This control is fully implemented by this tool. + + - uuid: 21879fc4-927e-4ad4-a049-c96cb581e260 + control-id: au-9 + description: >- + # Control Description + "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and + b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." + + # Control Implementation + Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. 
+ + remarks: This control is fully implemented by this tool. + + - uuid: b89edef2-5668-407b-b3d5-86ca68862536 + control-id: au-9.2 + description: >- + # Control Description + Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + + # Control Implementation + Supports any object storage. + + remarks: This control is fully implemented by this tool. + + - uuid: f3292e9a-1c10-45cd-9178-aeecbaec0283 + control-id: au-9.4 + description: >- + # Control Description + Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + + # Control Implementation + Enterprise version (Loki) implements RBAC. + + remarks: This control is fully implemented by this tool. + + - uuid: 20ecdb48-997e-4958-b74c-21f462049877 + control-id: au-11 + description: >- + # Control Description + Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. + + # Control Implementation + Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. + + remarks: This control is fully implemented by this tool. + + - uuid: 58766714-a477-42b9-bae4-856f14b58cea + control-id: au-12.1 + description: >- + # Control Description + Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + + # Control Implementation + Provides time-series event compilation capabilities. + + remarks: This control is fully implemented by this tool. 
+ + back-matter: + resources: + - uuid: b989384f-54c9-4bb9-8cbd-ae993f8f6e0b + title: Defense Unicorns UDS Core + rlinks: + - href: https://github.com/defenseunicorns/uds-core diff --git a/src/neuvector/oscal-component.yaml b/src/neuvector/oscal-component.yaml new file mode 100644 index 00000000..b9aedd9f --- /dev/null +++ b/src/neuvector/oscal-component.yaml 
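Review bot: `control-id: au7.1` in the Loki entry for "process, sort, and search audit records" is malformed; every other id in this file (`au-6.1`, `au-9.2`, `au-9.4`, `au-12.1`) uses the `family-number.enhancement` form, so this one will presumably not resolve against the FedRAMP catalog named in `source` and would silently drop the control from anything generated from this component; change it to `control-id: au-7.1`. The au-9 implementation text ("Access to metrics can be restricted to org-defined personnel behind a private endpoint") reads as carried over from a metrics component rather than describing Loki, whose `purpose` line is log storage and indexing; it should say how access to stored logs and to the Loki query API is restricted. The au-9.4 description attributes RBAC to the "Enterprise version (Loki)" and au-6/au-6.1 state "Organization will implement record review and analysis", yet each carries `remarks: This control is fully implemented by this tool.`; since the PR description says the remarks are placeholders pending validations, a remark that distinguishes implemented, partially implemented and organization-inherited controls (e.g. `remarks: Partially implemented; record review is an organizational responsibility.`) would avoid asserting a capability the shipped component does not provide.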
@@ -0,0 +1,424 @@ +component-definition: + uuid: 80bc0932-82d9-4144-8e7c-dec0f79e04fc + metadata: + title: NeuVector + last-modified: "2024-01-30T17:01:30Z" + version: "20240130" + oscal-version: 1.1.1 + parties: + - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + type: organization + name: Defense Unicorns + links: + - href: https://defenseunicorns.com + rel: website + components: + - uuid: b2fae6f6-aaa1-4929-b453-3c64398a054e + type: software + title: NeuVector + description: | + NeuVector Full Lifecycle Container Security Platform delivers the only cloud-native security with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall. + purpose: To use Security Scanning and Integrated Compliance and Vulnerability Results, Scanning registries and Serverless Repositories, Cloud Native Firewalls, Displays + responsible-roles: + - role-id: provider + party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + control-implementations: + - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by NeuVector for inheritance by applications + implemented-requirements: + - uuid: 069521de-43bc-4dce-ac4e-4adc9a559c3f + control-id: ac-2 + description: >- + # Control Description + "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; + b. Assign account managers; + c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; + d. Specify: + 1. Authorized users of the system; + 2. Group and role membership; and + 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; + e. 
Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; + f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; + g. Monitor the use of accounts; + h. Notify account managers and [Assignment: organization-defined personnel or roles] within: + 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; + 2. [Assignment: eight (8) hours] when users are terminated or transferred; and + 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; + i. Authorize access to the system based on: + 1. A valid access authorization; + 2. Intended system usage; and + 3. [Assignment: organization-defined attributes (as required)]; + j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; + k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and + l. Align account management processes with personnel termination and transfer processes." + + # Control Implementation + NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: bf59763a-0c22-4046-ab00-1d2b47dad8df + control-id: ac-2.1 + description: >- + # Control Description + Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + + # Control Implementation + NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 051af8b7-75aa-4c26-9132-0cb46d5965aa + control-id: ac-3 + description: >- + # Control Description + Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + + # Control Implementation + NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: df51cf5f-9c1b-4004-ae4a-195a663594ac + control-id: ac-6 + description: >- + # Control Description + Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + + # Control Implementation + NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: f1b66def-f822-4859-a448-5d5f77cd6f75 + control-id: ac-6.1 + description: >- + # Control Description + "Authorize access for [Assignment: organization-defined individuals or roles] to: + (a) [Assignment: organization-defined all functions not publicly accessible]; and + (b) [Assignment: organization-defined all security-relevant information not publicly available]." + + # Control Implementation + NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: 0b3faf98-8a76-4b49-8e4b-c785cf26cfbe + control-id: ac-6.3 + description: >- + # Control Description + Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. 
+ + # Control Implementation + NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: 921ec1c7-923c-4a28-a4dd-b59c1d3d9998 + control-id: ac-6.9 + description: >- + # Control Description + Log the execution of privileged functions. + + # Control Implementation + NeuVector provides logging access related audit events. + + remarks: This control is fully implemented by this tool. + + - uuid: e196edcd-fd88-42c2-9a99-0e67e2ba8919 + control-id: ac-6.10 + description: >- + # Control Description + Prevent non-privileged users from executing privileged functions. + + # Control Implementation + NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: fc829f66-2354-4546-8e5d-f1e5d0287200 + control-id: au-2 + description: >- + # Control Description + "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; + b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; + d. 
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and + e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + + # Control Implementation + NeuVector provides logging access related audit events. + + remarks: This control is fully implemented by this tool. + + - uuid: e342a5af-b7d4-474b-9416-61e844083531 + control-id: au-3 + description: >- + # Control Description + "Ensure that audit records contain information that establishes the following: + a. What type of event occurred; + b. When the event occurred; + c. Where the event occurred; + d. Source of the event; + e. Outcome of the event; and + f. Identity of any individuals, subjects, or objects/entities associated with the event." + + # Control Implementation + NeuVector provides logging access related audit events. + + remarks: This control is fully implemented by this tool. + + - uuid: 7562092e-d076-49f9-8f03-9e5e7908752c + control-id: au-4 + description: >- + # Control Description + Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + + # Control Implementation + NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. + + remarks: This control is fully implemented by this tool. + + - uuid: 9de67d41-1c18-4ebd-af55-cac2573aa77e + control-id: ca-2.2 + description: >- + # Control Description + Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious + user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. 
+ + # Control Implementation + NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control is fully implemented by this tool. + + - uuid: 2d771492-b5c8-4475-b258-0038287f29e6 + control-id: ca-7 + description: >- + # Control Description + "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: + a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; + b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; + c. Ongoing control assessments in accordance with the continuous monitoring strategy; + d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; + e. Correlation and analysis of information generated by control assessments and monitoring; + f. Response actions to address results of the analysis of control assessment and monitoring information; and + g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." + + # Control Implementation + NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control is fully implemented by this tool. + + - uuid: 2fb488b2-f7f7-4db9-8fc8-3de7f3a9daba + control-id: cm-6 + description: >- + # Control Description + "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; + b. Implement the configuration settings; + c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and + d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + + # Control Implementation + NeuVector is configured using Helm Charts. Default settings can be found. + + remarks: This control is fully implemented by this tool. + + - uuid: a9d92277-809d-440f-82c9-35c820ba00b8 + control-id: cm-7 + description: >- + # Control Description + "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and + b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." + "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. + CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." + + # Control Implementation + NeuVector is configured securely and only access to required ports are available. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 8ef96f45-dfc4-41a8-999a-fc717e746966 + control-id: ra-5 + description: >- + # Control Description + "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; + b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: + 1. Enumerating platforms, software flaws, and improper configurations; + 2. Formatting checklists and test procedures; and + 3. Measuring vulnerability impact; + c. Analyze vulnerability scan reports and results from vulnerability monitoring; + d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; + e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and + f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + + # Control Implementation + NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 760dde06-de0b-4575-8575-95a5835f97c0 + control-id: ra-5.2 + description: >- + # Control Description + Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. + + # Control Implementation + NeuVector container scanning vulnerability database is updated frequently. + + remarks: This control is fully implemented by this tool. + + - uuid: 621595cd-f998-4f55-b68e-f765db48b332 + control-id: ra-5.3 + description: >- + # Control Description + Define the breadth and depth of vulnerability scanning coverage. + + # Control Implementation + NeuVector container scanning configurations depth can be modified. + + remarks: This control is fully implemented by this tool. + + - uuid: 994b03df-8320-4987-887b-fac8088bd944 + control-id: ra-5.5 + description: >- + # Control Description + Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. + + # Control Implementation + NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + + remarks: This control is fully implemented by this tool. + + - uuid: 5a7bddc2-f94c-46c8-a15a-1e2f4d4ab948 + control-id: sa-11 + description: >- + # Control Description + "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: + a. Develop and implement a plan for ongoing security and privacy control assessments; + b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; + c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; + d. Implement a verifiable flaw remediation process; and + e. 
Correct flaws identified during testing and evaluation." + + # Control Implementation + NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control is fully implemented by this tool. + + - uuid: b6f194ad-bde3-479f-8a77-0ec4c9a5a77d + control-id: sa-11.1 + description: >- + # Control Description + Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. + Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. 
+ + # Control Implementation + NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control if fully implemented by this tool. + + - uuid: 82d3ab37-b934-4731-9198-56ced7d92708 + control-id: sc-7 + description: >- + # Control Description + "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; + b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and + c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + + # Control Implementation + NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. + + remarks: This control is fully implemented by this tool. + + - uuid: 132fb1ff-8b58-4cfd-8ad4-c01605d89f24 + control-id: sc-8 + description: >- + # Control Description + Protect the [confidentiality AND integrity] of transmitted information. + + # Control Implementation + Data in transit is protected using a TLS connection and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. + + remarks: This control is fully implemented by this tool. 
+ + - uuid: 4faa4029-52bc-4d7f-9896-e43c6731d5e5 + control-id: si-2.3 + description: >- + # Control Description + "(a) Measure the time between flaw identification and flaw remediation; and + (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." + + # Control Implementation + NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control is fully implemented by this tool. + + - uuid: c83fdce5-53f5-4860-a586-242d044efaa9 + control-id: si-4 + description: >- + # Control Description + "a. Monitor the system to detect: + 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and + 2. Unauthorized local, network, and remote connections; + b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; + c. Invoke internal monitoring capabilities or deploy monitoring devices: + 1. Strategically within the system to collect organization-determined essential information; and + 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; + d. Analyze detected events and anomalies; + e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; + f. Obtain legal opinion regarding system monitoring activities; and + g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." 
+ + # Control Implementation + NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + + remarks: This control is fully implemented by this tool. + + - uuid: ac61e461-5fb8-4cf1-89ff-36d002056fda + control-id: si-5 + description: >- + # Control Description + "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; + b. Generate internal security alerts, advisories, and directives as deemed necessary; + c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and + d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + + # Control Implementation + NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + + remarks: This control is fully implemented by this too. + + - uuid: 80552838-9db8-41f7-9603-d91f884aa7bb + control-id: si-6 + description: >- + # Control Description + "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; + b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; + c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and + d. 
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + + # Control Implementation + NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + + remarks: This control is fully implemented by this tool. + + - uuid: 9b4c7011-aa35-4f61-ade2-7c070bb51767 + control-id: si-11 + description: >- + # Control Description + "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and + b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." + + # Control Implementation + NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. + + remarks: This control is fully implemented by this tool. + + back-matter: + resources: + - uuid: 6ba32bca-c4e2-4f27-a99c-e5ba8251ac61 + title: Defense Unicorns UDS Core + rlinks: + - href: https://github.com/defenseunicorns/uds-core diff --git a/src/prometheus-stack/oscal-component.yaml b/src/prometheus-stack/oscal-component.yaml new file mode 100644 index 00000000..84525040 --- /dev/null +++ b/src/prometheus-stack/oscal-component.yaml 
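Review bot: Two of the `remarks` strings in this hunk are mistyped and will read as a different status to anyone grepping or tooling on them: sa-11.1 has `remarks: This control if fully implemented by this tool.` and si-5 has `remarks: This control is fully implemented by this too.`; both should match the rest of the file, `remarks: This control is fully implemented by this tool.`. Several copied control descriptions also carry truncated parameter text — cm-6 `[Assignment: oUnited States Government Configuration Baseline (USGCB)]`, si-5 `[Assignment: o include US-CERT]`, and the ra-5.2 selection `[prior to a new scan]; prior to a new scan; ...]` has an unbalanced bracket — which suggests the text was pasted from the resolved profile and should be re-checked against the `source` catalog referenced at the top of the file. The cm-6 implementation statement `Default settings can be found.` ends without saying where; either name the chart values that hold the defaults or drop the sentence. More substantively, a blanket "fully implemented" on organizational controls such as ca-7, sa-11 and ac-2 (whose text requires approval workflows and 8/24-hour notification windows) overstates what a container-security tool can provide; the PR notes remarks will be revised once validations exist, but a per-control status that marks the organizational parts as customer-owned would keep this component definition from asserting inheritance it cannot support.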
@@ -0,0 +1,242 @@ +component-definition: + uuid: 017dbd45-5122-4c11-b5ce-d4b31116c581 + metadata: + title: Prometheus Stack + last-modified: "2024-01-31T14:39:33Z" + version: "20240131" + oscal-version: 1.1.1 + parties: + - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + type: organization + name: Defense Unicorns + links: + - href: https://defenseunicorns.com + rel: website + components: + - uuid: 108c78a9-5494-4abc-a1e7-f046da419687 + type: software + title: Prometheus Stack + description: | + Aggregator of policy violations in environment + purpose: Display policy violations + responsible-roles: + - role-id: provider + party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + control-implementations: + - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by authservice for inheritance by applications. + implemented-requirements: + - uuid: 14db5706-570c-44a2-b430-29a8a8e2d249 + control-id: ac-6.9 + description: >- + # Control Description + Log the execution of privileged functions. + + # Control Implementation + Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. + + remarks: This control is fully implemented by this tool. + + - uuid: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc + control-id: au-2 + description: >- + # Control Description + "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. 
For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; + b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; + d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and + e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + + # Control Implementation + API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. + In addition, system and cluster level metrics are emitted by containers with read only access to host level information. + Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. + Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. + + remarks: This control is fully implemented by this tool. 
+
+ - uuid: ee431ef9-3a99-42f4-b37c-6334660da2b2
+ control-id: au-3.1
+ description: >-
+ # Control Description
+ Generate audit records containing the following additional information: [Assignment: organizatiosession, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands].
+
+ # Control Implementation
+ Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: d5d13192-3cae-4a88-8e64-cab44219ab2e
+ control-id: au-4
+ description: >-
+ # Control Description
+ Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
+
+ # Control Implementation
+ Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor.
+ The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: e2e6d28f-bdf6-462c-8301-bdfa102671ee
+ control-id: au-5.1
+ description: >-
+ # Control Description
+ Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
+
+ # Control Implementation
+ Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: bea82b61-fbb6-486b-a8fa-50053715b904
+ control-id: au-5.2
+ description: >-
+ # Control Description
+ Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy].
+
+ # Control Implementation
+ Alertmanager has pre-build alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events.
+ Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 3f8f6178-4c57-4592-8c1c-df79507b21cd
+ control-id: au-6.1
+ description: >-
+ # Control Description
+ Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
+
+ # Control Implementation
+ Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 35897d1f-3fcd-4a79-b235-f75e2bbd398a
+ control-id: au-6.3
+ description: >-
+ # Control Description
+ Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+
+ # Control Implementation
+ Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 6b0cd4b8-ab38-4012-b637-de2ca4bf5497
+ control-id: au-6.5
+ description: >-
+ # Control Description
+ Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
+
+ # Control Implementation
+ Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: f6d4527a-d4b6-4141-9272-c2c211b1709f
+ control-id: au-6.6
+ description: >-
+ # Control Description
+ Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+
+ # Control Implementation
+ Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 18f4f45b-d707-417f-91ac-28ab503313d8
+ control-id: au-7
+ description: >-
+ # Control Description
+ "Provide and implement an audit record reduction and report generation capability that:
+ a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
+ b. Does not alter the original content or time ordering of audit records."
+
+ # Control Implementation
+ Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 0a4d39e4-979d-4284-a190-e7e5b4aa7162
+ control-id: au-7.1
+ description: >-
+ # Control description
+ Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
+
+ # Control Implementation
+ Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 689aa5d6-2b4b-40ca-a49f-51df0e220ec5
+ control-id: au-8
+ description: >-
+ # Control Description
+ "a. Use internal system clocks to generate time stamps for audit records; and
+ b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
+
+ # Control Implementation
+ Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: bfd070e8-d053-4e48-925a-baf9bcbd9335
+ control-id: au-9
+ description: >-
+ # Control Description
+ "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
+ b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information."
+
+ # Control Implementation
+ Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an
+ identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control
+ when using Grafana Enterprise.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 27f26f6a-706e-4514-97c0-45390d6fdf6a
+ control-id: au-9.2
+ description: >-
+ # Control Description
+ Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
+
+ # Control Implementation
+ Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of
+ the current UDS Coreg configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 0fee5118-57c8-4617-97a1-76189bc69ea3
+ control-id: au-9.4
+ description: >-
+ # Control Description
+ Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
+
+ # Control Implementation
+ Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an
+ identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control
+ when using Grafana Enterprise.
+
+ remarks: This control is fully implemented by this tool.
+
+ - uuid: 41a6f729-7ab6-4ffe-8da1-cb60fd35dffd
+ control-id: au-12.1
+ description: >-
+ # Control Description
+ Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+
+ # Control Implementation
+ Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps
+ of when the data was collected
+
+ remarks: This control is fully implemented by this tool.
+
+ back-matter:
+ resources:
+ - uuid: ff397816-6126-4b2c-938b-e7d202003def
+ title: Defense Unicorns UDS Core
+ rlinks:
+ - href: https://github.com/defenseunicorns/uds-core
diff --git a/src/promtail/oscal-component.yaml b/src/promtail/oscal-component.yaml
new file mode 100644
index 00000000..012159d3
--- /dev/null
+++ b/src/promtail/oscal-component.yaml
@@ -0,0 +1,265 @@
+component-definition:
+ uuid: ff959bdb-7be9-49b3-9dc2-c41b34e7017d
+ metadata:
+ title: Promtail
+ last-modified: "2024-01-31T16:44:35Z"
+ version: "20240132"
+ oscal-version: 1.1.1
+ parties:
+ - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
+ type: organization
+ name: Defense Unicorns
+ links:
+ - href: https://defenseunicorns.com
+ rel: website
+ components:
+ - uuid: 3ca1e9a3-a566-48d1-93af-200abd1245e3
+ type: software
+ title: Promtail
+ description: |
+ Log collector
+ purpose: Collects logs from the cluster
+ responsible-roles:
+ - role-id: provider
+ party-uuids:
+ - f3cf70f8-ba44-4e55-9ea3-389ef24847d3
+ control-implementations:
+ - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
+ source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
+ description: Controls implemented by Promtail for inheritance by applications
+ implemented-requirements:
+ - uuid: 954ba9c8-452c-4503-a43f-c880a01b828d
+ control-id: ac-6.9
+ description: >-
+ # Control Description
+ Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).
+
+ # Control Implementation
+ Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls.
+ remarks: This control is fully implemented by this tool.
+ links:
+ - href: "#98b97ec9-a9ce-4444-83d8-71066270a424"
+ rel: reference
+ text: Lula Validation
+ - href: "#fbe5855d-b4ea-4ff5-9f0d-5901d620577a"
+ rel: reference
+ text: Lula Validation
+
+ - uuid: 2a25a5a4-4fbc-4fbc-88e3-2e34ddc3fb0e
+ control-id: au-2
+ description: >-
+ # Control Description
+ An event is any observable occurrence in an organizational information system.
+ Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs.
+ Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage.
+ In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented.
+ To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time.
+
+ # Control Implementation
+ Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured:
+ * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers).
+ * all kubernetes api server requests.
+ * all events emitted by the kubelet.
+ remarks: This control is fully implemented by this tool.
+ links:
+ - href: "#98b97ec9-a9ce-4444-83d8-71066270a424"
+ rel: reference
+ text: Lula Validation
+ - href: "#0be7345d-e9d3-4248-9c14-5fed8e7bfa01"
+ rel: reference
+ text: Lula Validation
+
+ - uuid: 762604db-77ec-415f-8728-c296873ab48b
+ control-id: au-3
+ description: >-
+ # Control Description
+ Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+ Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).
+
+ # Control Implementation
+ Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+ remarks: This control is fully implemented by this tool.
+ links:
+ - href: "#98b97ec9-a9ce-4444-83d8-71066270a424"
+ rel: reference
+ text: Lula Validation
+ - href: "#9bfc68e0-381a-4006-9f68-c293e3b20cee"
+ rel: reference
+ text: Lula Validation
+
+ - uuid: 9ad7ddfb-4701-4c34-88f7-9d85abb13d60
+ control-id: au-8
+ description: >-
+ # Control Description
+ Time stamps generated by the information system include date and time.
+ Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
+ Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds.
+ Organizations may define different time granularities for different system components.
+ Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
+
+ # Control Implementation
+ Records captured by the logging daemon are enriched to ensure the following are always present:
+ * time of the event (UTC).
+ * source of event (pod, namespace, container id).
+ Applications are responsible for providing all other information.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+ remarks: This control is fully implemented by this tool.
+ links:
+ - href: "#98b97ec9-a9ce-4444-83d8-71066270a424"
+ rel: reference
+ text: Lula Validation
+ - href: "#9bfc68e0-381a-4006-9f68-c293e3b20cee"
+ rel: reference
+ text: Lula Validation
+
+ back-matter:
+ resources:
+ - uuid: D552C935-E40C-4A03-B5CC-4605EBD95B6D
+ title: Promtail
+ rlinks:
+ - href: https://grafana.com/docs/loki/latest/clients/promtail/
+ - uuid: 211C474B-E11A-4DD2-8075-50CDAC507CDC
+ title: Big Bang Promtail package
+ rlinks:
+ - href: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail
+ - uuid: 98b97ec9-a9ce-4444-83d8-71066270a424
+ title: Lula Validation
+ rlinks:
+ - href: lula.dev
+ remarks: Validation health check
+ description: >-
+ target:
+ provider: opa
+ domain: kubernetes
+ payload:
+ resources:
+ - name: daemonsets
+ resourceRule:
+ Group: apps
+ Version: v1
+ Resource: daemonsets
+ Namespaces: [promtail]
+ rego: |
+ package validate
+
+ import future.keywords.every
+
+ validate {
+ every daemonset in input.daemonsets {
+ daemonset.kind == "DaemonSet"
+ podsScheduled := daemonset.status.desiredNumberScheduled
+ numberAvailable := daemonset.status.numberAvailable
+ numberReady := daemonset.status.numberReady
+ podsScheduled == numberAvailable
+ numberAvailable == numberReady
+ }
+ }
+ - uuid: fbe5855d-b4ea-4ff5-9f0d-5901d620577a
+ title: Lula Validation
+ remarks: Log the execution of privileged functions.
+ rlinks:
+ - href: lula.dev
+ description: >-
+ target:
+ provider: opa
+ domain: kubernetes
+ payload:
+ resources:
+ - name: pods
+ resourceRule:
+ Group:
+ Version: v1
+ Resource: pods
+ Namespaces: [promtail]
+ rego: |
+ package validate
+
+ import future.keywords.every
+
+ validate {
+ every pod in input.pods {
+ volumes := pod.spec.volumes
+
+ some volume in volumes
+ volume.name == "varlog"
+ volume.hostPath.path == "/var/log"
+ }
+ }
+ - uuid: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01
+ title: Lula Validation
+ remarks:
+ a. Identify the types of events that the system is capable of logging in support of the audit function for organization-defined event types that the system is capable of logging;
+ b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+ c. Specify the following event types for logging within the system organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type;
+ d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
+ e. Review and update the event types selected for logging on an organization-defined frequency.
+ rlinks:
+ - href: lula.dev
+ description: >-
+ target:
+ provider: opa
+ domain: kubernetes
+ payload:
+ resources:
+ - name: pods
+ resourceRule:
+ Group:
+ Version: v1
+ Resource: pods
+ Namespaces: [promtail]
+ rego: |
+ package validate
+
+ import future.keywords.every
+
+ validate {
+ every pod in input.pods {
+ volumes := pod.spec.volumes
+
+ some volume in volumes
+ volume.name == "pods"
+ volume.hostPath.path == "/var/log/pods"
+ }
+ }
+ - uuid: 9bfc68e0-381a-4006-9f68-c293e3b20cee
+ title: Lula Validation
+ remarks: Ensure that audit records contain information that establishes the following;
+ a. What type of event occurred;
+ b. When the event occurred;
+ c. Where the event occurred;
+ d. Source of the event;
+ e. Outcome of the event; and
+ f. Identity of any individuals, subjects, or objects/entities associated with the event.
+ rlinks:
+ - href: lula.dev
+ description: >-
+ target:
+ provider: opa
+ domain: kubernetes
+ payload:
+ resources:
+ - name: pods
+ resourceRule:
+ Group:
+ Version: v1
+ Resource: pods
+ Namespaces: [promtail]
+ rego: |
+ package validate
+
+ import future.keywords.every
+
+ validate {
+ every pod in input.pods {
+ containers := pod.spec.containers
+
+ some container in containers
+ container.name == "promtail"
+ some i
+ container.args[i] == "-config.file=/etc/promtail/promtail.yaml"
+ }
+ }
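Review bot: The four Rego `validate` rules in the back-matter validations (98b97ec9, fbe5855d, 0be7345d, 9bfc68e0) are vacuously true when the queried collection is empty, because `every` over an empty set succeeds, so a `promtail` namespace with no daemonset or no pods passes the health check and the hostPath and config-file checks and the linked controls report as satisfied while the collector is absent. Add a non-empty guard ahead of each `every` clause, `count(input.pods) > 0` (and `count(input.daemonsets) > 0` in the daemonset rule), so a missing collector is reported as a failure rather than compliance. Separately, `version: "20240132"` in metadata looks like a typo for `"20240131"` given `last-modified: "2024-01-31T16:44:35Z"`. The validation linked from au-3 and au-8 (9bfc68e0) only confirms the `-config.file=/etc/promtail/promtail.yaml` argument and does not inspect the mounted config for the `logfmt` stage that both descriptions name as the goal, which is worth stating in that validation's `remarks` so readers do not take the "fully implemented" remark as validated.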