From fcec7990011a94eafa02faa02f36597184734b58 Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Mon, 1 Jul 2024 03:06:53 +0000
Subject: [PATCH] chore(oscal): instrument compliance gate for required adherence
---
 compliance/oscal-assessment-results.yaml | 1275 ++++++++++++++++++++++
 tasks/test.yaml | 3 +
 2 files changed, 1278 insertions(+)
 create mode 100644 compliance/oscal-assessment-results.yaml
diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml
new file mode 100644
index 000000000..5a2d57801
--- /dev/null
+++ b/compliance/oscal-assessment-results.yaml
@@ -0,0 +1,1275 @@ +assessment-results: + import-ap: + href: "" + metadata: + last-modified: 2024-06-30T22:27:28.032093229Z + oscal-version: 1.1.2 + published: 2024-06-30T22:27:28.032093229Z + remarks: Assessment Results generated from Lula + title: '[System Name] Security Assessment Results (SAR)' + version: 0.0.1 + results: + - description: Assessment results for performing Validations with Lula version v0.4.1 + findings: + - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-7.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' + uuid: 530f15c4-f2af-48b4-8ffe-bbd93c2ac02c + - description: |- + # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. 
Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: si-4 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' + uuid: 21cf73d7-c46c-4e05-9be3-44b78f7e7b2f + - description: |- + # Control Implementation + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 + - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + target: + status: + state: not-satisfied + target-id: sc-4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' + uuid: 47164bc1-4927-4071-bb1c-96601149488b + - description: |- + # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." 
+ # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' + uuid: b6ed044d-1e5d-401d-aa2f-58ccfa1c370c + - description: |- + # Control Implementation + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 795a243f-2559-4284-ad45-b3e41e184b8a + target: + status: + state: satisfied + target-id: au-12 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' + uuid: 0c575663-bf90-419f-99c0-a3d4801df02d + - description: |- + # Control description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
+ target: + status: + state: not-satisfied + target-id: au-7.1 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' + uuid: 8d2ee169-ead9-40d5-8d1c-cb7fb5887c0a + - description: |- + # Control Implementation + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + - observation-uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa + target: + status: + state: not-satisfied + target-id: sc-7.8 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' + uuid: 92b0e321-c7fc-4d9b-8e34-5685a1f73102 + - description: |- + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. + target: + status: + state: not-satisfied + target-id: au-4 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' + uuid: ac06539e-42a7-4d5b-af3d-89e1a42fdd8f + - description: |- + # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." 
+ # Control Implementation Loki implements RBAC to define system authorization and separation of duties. + target: + status: + state: not-satisfied + target-id: ac-5 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' + uuid: b7867063-1723-45d1-8d98-ad84dc7ef4af + - description: |- + # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. + # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-5.2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' + uuid: a399ae4f-ed31-4208-9991-81177aa29c6c + - description: |- + # Control Implementation + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + target: + status: + state: not-satisfied + target-id: sc-3 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' + uuid: 1eb6882e-580e-47ac-9483-80e1bebbb02d + - description: |- + # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + target: + status: + state: not-satisfied + target-id: au-6 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' + uuid: 437e0a7f-0469-41bc-9d84-b824bf2d77c4 + - description: |- + # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-2.1 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' + uuid: d818e8f4-e1bf-4942-85ab-c77f25fe6b6e + - description: |- + # Control Description Define the breadth and depth of vulnerability scanning coverage. + # Control Implementation NeuVector container scanning configurations depth can be modified. + target: + status: + state: not-satisfied + target-id: ra-5.3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3' + uuid: 716ae053-abe6-44e0-bd41-762c3a98a2dc + - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-7.2 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2' + uuid: d19371d4-0ebb-49fc-8dce-41b80aab95f4 + - description: Velero can be configured to restore only certain components of a back-up when necessary. + target: + status: + state: not-satisfied + target-id: cp-9.2 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2' + uuid: c5282d69-7df0-4edf-b2a6-a491ebfaaa4a + - description: |- + # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. 
+ # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + target: + status: + state: not-satisfied + target-id: au-9 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9' + uuid: 0904e35b-0673-4ae1-853f-5df22a9e21b7 + - description: |- + # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." + # Control Implementation NeuVector is configured securely and only access to required ports are available. 
+ target: + status: + state: not-satisfied + target-id: cm-7 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7' + uuid: 545bea9e-6b3e-4665-b2b4-6164eb0fcecb + - description: |- + # Control Implementation + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb + target: + status: + state: not-satisfied + target-id: sc-10 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10' + uuid: cee5490b-9149-4f00-b7f1-64b20cbc8f0a + - description: |- + # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. + # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. + target: + status: + state: not-satisfied + target-id: au-6.5 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' + uuid: c4144a96-7b23-435e-8052-3ec79da0a9aa + - description: |- + # Control Implementation + Istio implements with global configuration. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 + target: + status: + state: satisfied + target-id: sc-8.2 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2' + uuid: 46959113-939a-4d3c-9995-89a818c0f05f + - description: |- + # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: ca-7 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7' + uuid: 1d8817a2-21bb-4122-ae58-e552b0879b68 + - description: |- + # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: sa-11 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11' + uuid: 1e7eaa29-97cb-454a-bea7-2142ef44343f + - description: |- + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. 
Metrics data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-9.2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2' + uuid: bdfd832a-b4a2-4b2e-af0a-ebf39ad51a18 + - description: |- + # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. + target: + status: + state: not-satisfied + target-id: au-12.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' + uuid: 080c0868-fa0f-4ce2-a8bc-ff03197651fb + - description: |- + # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-6.1 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' + uuid: e760b83a-b3e4-4286-9a94-3167c3f6368b + - description: |- + # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' + uuid: d8eb2332-91df-477a-be2c-fa56a93f1c20 + - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' + target: + status: + state: not-satisfied + target-id: cp-10.4 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4' + uuid: 4bd2c151-b8f5-40b5-819f-89727701f6f7 + - description: |- + # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. 
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + target: + status: + state: not-satisfied + target-id: ac-6.3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' + uuid: 58646676-b28b-45dd-9b90-ddd3c348f5b2 + - description: |- + # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. + target: + status: + state: not-satisfied + target-id: sc-7 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7' + uuid: 907e7159-6e90-4025-b3d6-dbcf123cbb33 + - description: |- + # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. 
Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. + target: + status: + state: not-satisfied + target-id: ra-5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5' + uuid: 187ae20d-8d47-4eaa-bb64-e529672c8936 + - description: |- + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-6.10 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' + uuid: d8591c7f-7c3c-48d8-b7c8-6ac161621cdc + - description: |- + # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." + # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-11 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11' + uuid: c62884fd-59e8-4836-ba02-095415dd8af8 + - description: |- + # Control Description + Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious + user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. + + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: ca-2.2 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2' + uuid: d79e0fae-943f-4afe-8269-807cf92aae0e + - description: |- + # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' + uuid: 097c80d2-4971-4188-9de9-54a509ad3cdc + - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments. + target: + status: + state: not-satisfied + target-id: cp-9.3 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' + uuid: 4a91b5b2-810b-493d-9bff-98bec053065f + - description: |- + "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: + - System components/data. + - User-level information/application metadata. + - User-level storage/data. + - Scheduled back-ups with configurable scopes. + - Multi-cloud and on-premise support for availability of backup." 
+ target: + status: + state: not-satisfied + target-id: cp-9 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9' + uuid: 09c6df43-c339-464d-a5f3-4711511ba7a2 + - description: |- + # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: sa-11.1 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' + uuid: ee8400e9-79e8-4447-9717-97e1197356dd + - description: |- + # Control Implementation + Istio is configured to use ingress and egress gateways to provide logical flow separation. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb + - observation-uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + target: + status: + state: not-satisfied + target-id: ac-4.21 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' + uuid: 2b3617e2-9cff-438a-b029-cc5912742d55 + - description: |- + # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. 
[Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-2 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' + uuid: c36595c9-4cd9-4175-9aa5-b316739a4f10 + - description: |- + # Control Implementation + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + target: + status: + state: satisfied + target-id: ac-4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' + uuid: bce00e12-51f3-4a65-874c-63f0270f4bd7 + - description: |- + # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. + # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-5.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' + uuid: 42a427cb-acc2-4ded-8444-2a36ffc71b5e + - description: |- + # Control Description + Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). + + # Control Implementation + Logs are captured by promtail from the node. 
The node logs will contain the necessary log data from all pods/applications inside the selected nodes. + Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. + https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17 + target: + status: + state: not-satisfied + target-id: au-3 + type: objective-id + title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' + uuid: 13145f93-94b3-4a06-abe5-c88e547604f3 + - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + target: + status: + state: not-satisfied + target-id: cp-6 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6' + uuid: b893b49e-64d6-4062-bdab-02404c9adb9a + - description: |- + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-8.1 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' + uuid: 415a3412-96ad-482c-a9c8-dd67d8a5c8f5 + - description: |- + # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Loki provides an API for retrieving and filtering logs. + target: + status: + state: not-satisfied + target-id: au7.1 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1' + uuid: eed4d866-735f-4688-ad58-c7ab93248697 + - description: |- + # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. + # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. 
+ target: + status: + state: not-satisfied + target-id: au-11 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' + uuid: 6ef793a1-525f-4cb5-90e9-d6b2eaa20ba7 + - description: |- + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + target: + status: + state: not-satisfied + target-id: au-6.6 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' + uuid: 2b6f5a3b-28e0-4bbf-bd92-f0dbad82e873 + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + target: + status: + state: not-satisfied + target-id: cp-6.2 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' + uuid: 7386dec2-3c3e-4194-aae4-71f68428e468 + - description: |- + # Control Implementation + Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-7.20 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' + uuid: e31a17ff-ad3a-4835-8883-c15a290b0b60 + - description: |- + # Control Implementation + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-7.21 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' + uuid: 5d9a771f-b974-434d-8ede-252d1c9f7343 + - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. 
+ target: + status: + state: not-satisfied + target-id: cp-9.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' + uuid: 03c2c9d4-da54-4b4c-aaa5-fdbc483ec5ac + - description: |- + # Control Implementation + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 + - observation-uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa + target: + status: + state: not-satisfied + target-id: cm-5 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' + uuid: f54983d0-3e83-4d74-ac13-d96a9c14309c + - description: |- + # Control Implementation + Istio produces logs for all traffic in the information system. + related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 + target: + status: + state: not-satisfied + target-id: ac-6.9 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' + uuid: 30a4343a-25e7-40f2-968e-832894732967 + - description: |- + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: not-satisfied + target-id: sc-8 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' + uuid: c5567414-902a-4439-8272-3cce25d6d8d3 + - description: |- + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + target: + status: + state: not-satisfied + target-id: au-9.4 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' + uuid: 22e63487-b471-4b44-9983-6673268a6360 + - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-6.3 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' + uuid: 22749401-71be-4c49-b512-7b1047ef71bb + - description: |- + # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. 
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ra-5.5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' + uuid: 548197f1-46e3-4ad2-bb0e-41d8cdeff4b3 + - description: |- + # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. + # Control Implementation NeuVector container scanning vulnerability database is updated frequently. + target: + status: + state: not-satisfied + target-id: ra-5.2 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' + uuid: 84b79bb2-2bb2-4ac5-9a37-9a8eea22ac5d + - description: |- + # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. 
+ related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 + target: + status: + state: not-satisfied + target-id: au-8 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' + uuid: a8cb7268-12d0-4322-ac3e-f727c73f4e7f + - description: |- + # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: si-2.3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' + uuid: dac85ad9-0e0e-44c3-bf85-09bbb03d3349 + - description: |- + # Control Implementation + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab + - observation-uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 + - observation-uuid: 20529117-f400-4d22-b60a-f168a19f097c + target: + status: + state: not-satisfied + target-id: sc-7.4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' + uuid: f60b1dd1-f387-4aff-88b9-5fb0c9ac02ec + - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' + target: + status: + state: not-satisfied + target-id: cp-9.5 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' + uuid: ab6bdb32-3872-4131-9148-5ce885d2e90a + - description: |- + # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. + # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. + target: + status: + state: not-satisfied + target-id: au-6.3 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' + uuid: fceb1b23-d4c2-48ac-9015-e3d6c51b643b + - description: |- + # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. + target: + status: + state: not-satisfied + target-id: cm-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' + uuid: 32761afe-74dc-4698-a758-9bf9028b102d + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. + target: + status: + state: not-satisfied + target-id: cp-7 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' + uuid: 7ab5474d-9104-48e9-8b0b-61d5e80c85dc + - description: |- + # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. 
+ # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 + target: + status: + state: not-satisfied + target-id: au-3.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' + uuid: 78b88a9d-0ead-4f50-acd1-34fffb4887c9 + - description: |- + # Control Implementation + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + - observation-uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 + - observation-uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 + target: + status: + state: not-satisfied + target-id: sc-13 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' + uuid: 3913dd6a-a176-4366-a456-64eebedfddaa + - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + target: + status: + state: not-satisfied + target-id: cp-6.1 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' + uuid: e8ebaa45-f132-40f7-97c3-ac0260de8657 + - description: |- + # Control Description "a. 
Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' + uuid: 6a5c1d9e-08b7-4cec-a5b2-5e1d449dfb42 + - description: |- + # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. 
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. + related-observations: + - observation-uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - observation-uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba + target: + status: + state: not-satisfied + target-id: au-2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' + uuid: 4e443b5a-87b2-4b91-ba98-c6c83d9bf9a2 + - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + target: + status: + state: not-satisfied + target-id: cp-10 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' + uuid: 8b8d6ca5-b795-4ad3-b798-e8558a3c0bad + - description: |- + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. 
+ # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + target: + status: + state: not-satisfied + target-id: au-6.1 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' + uuid: 888b091f-a818-4177-9283-0eb5b74dcd26 + - description: |- + # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + target: + status: + state: not-satisfied + target-id: au-7 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' + uuid: bbfc2b16-0d6f-48cd-82b0-3609974bfbdc + - description: |- + # Control Implementation + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + target: + status: + state: satisfied + target-id: sc-23 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' + uuid: e66bb22e-9afe-4215-bdda-1327f015ed00 + - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. + target: + status: + state: not-satisfied + target-id: cp-9.8 + type: objective-id + title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' + uuid: f0acd50b-ce08-4179-b7e5-c7b2850c37e0 + - description: |- + # Control Implementation + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + target: + status: + state: satisfied + target-id: sc-39 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' + uuid: 009e00d9-2fd5-43d3-9b9c-feeaa9350b91 + - description: |- + # Control Implementation + All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
+ related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - observation-uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - observation-uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + target: + status: + state: satisfied + target-id: ac-4.4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' + uuid: dff58c6a-29db-4e7e-b46d-715764fa737a + - description: |- + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + related-observations: + - observation-uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - observation-uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f + target: + status: + state: satisfied + target-id: ac-14 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' + uuid: f5a77d77-029b-4b50-bd37-e09902be020d + observations: + - collected: 2024-06-30T22:27:27.695366242Z + description: | + [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil + uuid: f2bdc9d4-f720-497c-bfb4-d2d5a79b394c + - collected: 2024-06-30T22:27:27.695414341Z + description: | + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil + uuid: 3d2fdd35-4f50-459a-beda-c087a4e8c436 + - collected: 2024-06-30T22:27:27.695457522Z + description: | + [TEST]: 
9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil + uuid: fb6ec7c8-cafa-4cb9-9ee3-a7ca43af0c00 + - collected: 2024-06-30T22:27:27.712083114Z + description: | + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + istiohealth.deployment_message: All deployment conditions are true. + istiohealth.hpa_message: HPA has sufficient replicas. + uuid: 7264bf28-3b9e-41fe-98f9-ee3b9909c578 + - collected: 2024-06-30T22:27:27.712135712Z + description: | + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil + uuid: 6a59d34a-e37f-4dda-8e13-3999bed1c5fa + - collected: 2024-06-30T22:27:27.821536311Z + description: | + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have Istio sidecar proxy. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: fc482a86-3801-474f-9c2d-38fe5eb0dd4f + - collected: 2024-06-30T22:27:27.821606552Z + description: | + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil + uuid: 9a0794ac-4b32-4154-9694-974c4f26ddf9 + - collected: 2024-06-30T22:27:27.827790559Z + description: | + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All PeerAuthentications have mtls mode set to STRICT. + uuid: f1ec78f7-c262-4c92-bd4e-1ad2e8418d54 + - collected: 2024-06-30T22:27:27.839654751Z + description: | + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Expected Virtual Services not using expected Gateways + validate.msg_actual: Gateways configured: {"istio-admin-gateway/admin-gateway", "istio-passthrough-gateway/passthrough-gateway", "istio-tenant-gateway/tenant-gateway"}. 
VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": set(), "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} + validate.msg_expected: Expected VirtualServices using Gateways: {"istio-admin-gateway/admin-gateway": {"grafana-admin-grafana-80-grafana", "keycloak-admin-admin-access-with-optional-client-certificate", "neuvector-admin-neuvector-8443-neuvector-service-webui"}, "istio-passthrough-gateway/passthrough-gateway": [], "istio-tenant-gateway/tenant-gateway": {"keycloak-tenant-emulate-gitlab-authorize-endpoint", "keycloak-tenant-emulate-gitlab-token-endpoint", "keycloak-tenant-emulate-gitlab-user-endpoint", "keycloak-tenant-public-auth-access-with-optional-client-certificate", "keycloak-tenant-remove-private-paths-from-public-gateway"}} + uuid: 20529117-f400-4d22-b60a-f168a19f097c + - collected: 2024-06-30T22:27:27.839700617Z + description: | + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil + uuid: a6c63d2c-79b2-48d2-9ebd-badb8c1e23cb + - collected: 2024-06-30T22:27:27.847217778Z + description: | + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Tracing logging not supported. 
+ uuid: f7270c2f-5355-4186-afc0-f56a7e7e2e17 + - collected: 2024-06-30T22:27:27.854811286Z + description: | + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio is logging all traffic + uuid: 795a243f-2559-4284-ad45-b3e41e184b8a + - collected: 2024-06-30T22:27:27.863207892Z + description: | + [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. + uuid: 837e9b1f-fb62-4024-8676-71bca8b4f934 + - collected: 2024-06-30T22:27:27.870971856Z + description: | + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Metrics logging supported + uuid: 3d01431e-03c0-4698-88f9-4113954ecf1f + - collected: 2024-06-30T22:27:27.969063343Z + description: | + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have correct prometheus annotations. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: fe77669c-58f2-450d-a51d-9ca4af2b1b62 + - collected: 2024-06-30T22:27:27.969127302Z + description: | + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil + uuid: ff864080-f43e-4e2d-89a3-74c31666ccfa + - collected: 2024-06-30T22:27:27.975975858Z + description: | + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway + uuid: c478e839-bc74-4ea4-9df1-4ce89b423cb5 + - collected: 2024-06-30T22:27:27.980306727Z + description: | + [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Authorization Policy requires authentication for keycloak + uuid: e0d47802-5d77-4cbc-af92-f84a9ea11b8f + - collected: 2024-06-30T22:27:27.980345319Z + description: | + [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil + uuid: 508d4a07-79aa-4265-b605-7a6cb49f4564 + - collected: 2024-06-30T22:27:27.980365106Z + description: | + [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain 
is nil + uuid: 1a53a90a-57e0-4872-bfdd-e638cd92a3ba + - collected: 2024-06-30T22:27:27.98038338Z + description: | + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil + uuid: cbce0fc8-925b-4ebd-9cf8-e2b699641157 + - collected: 2024-06-30T22:27:27.985138045Z + description: | + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio RBAC enforced + validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway + uuid: 7ebd56cf-fcd1-49ab-9e49-4cb08c4bb0a3 + - collected: 2024-06-30T22:27:27.985176246Z + description: | + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil + uuid: 805a92da-edf3-404d-bae1-3dbe204f2292 + - collected: 2024-06-30T22:27:28.008478858Z + description: | + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. + validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
+ uuid: abd5f912-d86f-4952-bf47-3bb43cd630ab + - collected: 2024-06-30T22:27:28.016548441Z + description: | + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 4a5882b3-28a7-450d-9917-aacfa39106eb + - collected: 2024-06-30T22:27:28.02612714Z + description: | + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. 
+ uuid: 890f7074-60c6-4082-864b-7b1ea6d34721 + props: + - name: threshold + ns: https://docs.lula.dev/ns + value: "true" + reviewed-controls: + control-selections: + - description: Controls Assessed by Lula + include-controls: + - control-id: cp-7.1 + - control-id: si-4 + - control-id: sc-4 + - control-id: si-5 + - control-id: au-12 + - control-id: au-7.1 + - control-id: sc-7.8 + - control-id: au-4 + - control-id: ac-5 + - control-id: au-5.2 + - control-id: sc-3 + - control-id: au-6 + - control-id: ac-2.1 + - control-id: ra-5.3 + - control-id: cp-7.2 + - control-id: cp-9.2 + - control-id: au-9 + - control-id: cm-7 + - control-id: sc-10 + - control-id: au-6.5 + - control-id: sc-8.2 + - control-id: ca-7 + - control-id: sa-11 + - control-id: au-9.2 + - control-id: au-12.1 + - control-id: ac-6.1 + - control-id: ac-6 + - control-id: cp-10.4 + - control-id: ac-6.3 + - control-id: sc-7 + - control-id: ra-5 + - control-id: ac-6.10 + - control-id: si-11 + - control-id: ca-2.2 + - control-id: ac-3 + - control-id: cp-9.3 + - control-id: cp-9 + - control-id: sa-11.1 + - control-id: ac-4.21 + - control-id: ac-2 + - control-id: ac-4 + - control-id: au-5.1 + - control-id: au-3 + - control-id: cp-6 + - control-id: sc-8.1 + - control-id: au7.1 + - control-id: au-11 + - control-id: au-6.6 + - control-id: cp-6.2 + - control-id: sc-7.20 + - control-id: sc-7.21 + - control-id: cp-9.1 + - control-id: cm-5 + - control-id: ac-6.9 + - control-id: sc-8 + - control-id: au-9.4 + - control-id: cp-6.3 + - control-id: ra-5.5 + - control-id: ra-5.2 + - control-id: au-8 + - control-id: si-2.3 + - control-id: sc-7.4 + - control-id: cp-9.5 + - control-id: au-6.3 + - control-id: cm-6 + - control-id: cp-7 + - control-id: au-3.1 + - control-id: sc-13 + - control-id: cp-6.1 + - control-id: si-6 + - control-id: au-2 + - control-id: cp-10 + - control-id: au-6.1 + - control-id: au-7 + - control-id: sc-23 + - control-id: cp-9.8 + - control-id: sc-39 + - control-id: ac-4.4 + - control-id: ac-14 + 
description: Controls validated
+ remarks: Validation performed may indicate full or partial satisfaction
+ start: 2024-06-30T22:27:28.032093229Z
+ title: Lula Validation Result
+ uuid: 8af0e1bc-5014-44ef-9ef8-9d1f6f653824
+ uuid: 9be178a0-2337-40ec-b760-bef3c1df5589
diff --git a/tasks/test.yaml b/tasks/test.yaml
index f553127e8..5031c3708 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -36,6 +36,9 @@ tasks:
 with:
 oscalfile: ./compliance/oscal-component.yaml
 assessment_results: ./compliance/oscal-assessment-results.yaml
+ - task: compliance:evaluate
+ with:
+ assessment_results: ./compliance/oscal-assessment-results.yaml
 - description: copy assessment file to log location
 cmd: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml
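Review bot: The new `compliance:evaluate` step is placed ahead of the `copy assessment file to log location` step, so when the gate fails the task list presumably stops before the results file is copied to /tmp and the evidence explaining the failure is lost; moving the copy step above the evaluate step (or keeping the copy independent of the gate outcome) preserves the artifact in exactly the case it is needed. The committed results file this step evaluates carries `threshold: "true"` while still containing not-satisfied findings (cp-7.1 and cp-9.8 among them, plus several `lula-validation-error ... required domain is nil` observations), so, if I read Lula's evaluate semantics correctly, the gate enforces non-regression against that baseline rather than full control satisfaction. A comment on the step such as `# gate: fails only on regression against the committed threshold result, which already contains not-satisfied findings` would make that scope explicit for whoever reads a red pipeline. The enclosing `tasks:` entry starts outside the hunk.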