forked from alexander-blackwell/zarf-package-big-bang
1069 lines (1069 loc) · 70.2 KB
oscal-component.yaml
component-definition:
uuid: a6a530a1-c6f8-4bb3-9862-3680f25388ad
metadata:
version: 0.0.1
parties:
- type: organization
name: Defense Unicorns
uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
links:
- rel: website
href: https://defenseunicorns.com
last-modified: "2024-01-30T20:21:59Z"
oscal-version: 1.1.1
title: DUBBD
components:
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Kiali for inheritance by applications
implemented-requirements:
- uuid: 6EC9C476-9C9D-4EF6-854B-A5B799D8AED1
control-id: si-4.10
description:
Kiali provides visibility into mTLS settings of all Istio traffic
in the cluster.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: A97D1364-BA7F-46AA-ADE6-1998E846E125
title: Kiali
description: |
A management console for Istio Service Mesh
type: software
purpose: Observability into Istio Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Tempo for inheritance by applications
implemented-requirements:
- uuid: 3C102ED9-4CE5-4AB1-ABE5-78426DF15BBE
control-id: au-4
description: Uses scalable object storage to allocate audit log storage.
- uuid: 9904027A-28A8-4808-8617-D0DD29BF9B8B
control-id: au-12.1
description: Provides time-series event compilation (audit trail) capabilities.
- uuid: D0EE25CB-DAA8-4298-BBB9-A5AC72034020
control-id: si-4.4
description:
Jaeger tracing is used, in conjunction with Istio's tracing configuration,
to collect and aggregate traces of network communications within the system.
This allows monitoring of inbound/outbound traffic and request metadata within
the deployed environment.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: AE3E8F16-D93B-4594-82A3-5DA38AC066BF
title: Tempo
description: |
Grafana Tempo is an open source, easy-to-use, and high-scale distributed tracing backend
type: software
purpose: Distributed tracing backend for the service mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by the monitoring stack (Prometheus, Grafana, Alertmanager) for inheritance by applications.
implemented-requirements:
- uuid: B5B39044-B02A-4655-B466-7586B24963A1
control-id: ac-6.9
description:
Privileged events, including updating the deployment of an application
or the use of privileged containers, are collected as metrics by Prometheus
and displayed by Grafana.
- uuid: 8AE237CE-E7FF-42FE-B79F-2DF106B0CC09
control-id: au-2
description:
API endpoints suitable for capturing application-level metrics
are present on each of the supported applications running as containers.
In addition, system- and cluster-level metrics are emitted by containers
with read-only access to host-level information. Metrics are captured and
stored by Prometheus, a server that scrapes endpoints exposing data in its
dimensional exposition format. Metrics are stored on disk in a time-series
database and later queried, via PromQL, through a separate component that
provides a web interface.
- uuid: F2FFC2FD-6826-43EE-9922-705A76FE63CC
control-id: au-3.1
description:
Grafana has pre-configured dashboards showing the audit records
from Cluster Auditor saved in Prometheus.
- uuid: B958C179-EE1F-40FC-BA2A-03B0072B20E6
control-id: au-4
description:
Prometheus is the aggregator for this component's audit data, since it
scrapes/collects policy violations from ClusterAuditor. Prometheus storage
can be configured to use PVCs sized so that metric retention meets the
organization-defined audit-log retention requirements.
- uuid: FA95745B-E13E-4153-ABEE-1970C315A381
control-id: au-5.1
description:
Alertmanager has pre-built alerts for PVC storage thresholds
that fire for the PVCs backing Prometheus metrics storage.
- uuid: 5D45F4A3-A37F-451D-9670-8FA9DFD1355F
control-id: au-5.2
description:
Alertmanager has pre-built alerts for failed pods that show when
ClusterAuditor is not processing events or Prometheus is unable to scrape
them. Prometheus also ships a dead man's switch alert that always fires,
so end users can confirm that alerts from Prometheus are being delivered.
- uuid: 603A45C9-E730-4321-B8AE-60D048E14BAB
control-id: au-6.1
description:
Cluster Auditor events/alerts can be exported from Prometheus
to an external system. Integration with specific tooling would need to be
completed by the end user.
- uuid: 92D322C1-B4D3-4842-8B06-538218AECA7D
control-id: au-6.3
description:
Aggregating Cluster Auditor events across multiple sources (clusters)
is possible with a multi-cluster deployment of Prometheus/Grafana.
- uuid: BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB
control-id: au-6.5
description:
Cluster Auditor's audit data is consolidated with system monitoring
data (node exporters) to give a single view that improves detection of
inappropriate or unusual activity.
- uuid: 77C00727-4195-45A8-8BB6-534AE5889E71
control-id: au-6.6
description:
Cluster Auditor data in Prometheus would enable this, but would
require Prometheus to also obtain access to physical-access monitoring data.
- uuid: 6F291DF6-5613-46DF-9D9A-AC7CEDFF4A7B
control-id: au-7
description:
Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor.
- uuid: 54D583CE-DB4A-4C03-902D-9A37949F4820
control-id: au-7.1
description:
Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor.
- uuid: 91D9D559-1666-420B-9F2B-240BC7CD1A3E
control-id: au-8
description:
Prometheus stores all data as time series, so the timestamps at which
violations were observed are part of the data stream.
- uuid: 2D7AB4A4-1AE7-45A6-BC56-9FBB6402AD98
control-id: au-9
description:
Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Access Control when using Grafana Enterprise.
- uuid: 58B88EBD-ABAD-4505-9243-809D8DEFAEF7
control-id: au-9.2
description:
Prometheus can scrape components outside of the system, but this
configuration is not readily supported by the current Big Bang configuration
of ClusterAuditor, since ClusterAuditor metrics are not exposed externally
via Istio.
- uuid: 8178202C-6E6C-415A-8B0D-C486AAC85B3A
control-id: au-9.4
description:
Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Access Control when using Grafana Enterprise.
- uuid: A471F648-C22C-4217-A3BA-1063E80B4BA3
control-id: au-12.1
description:
Compatible metrics endpoints exposed by each application are scraped
by Prometheus and displayed through Grafana with the timestamps at which
the data was collected.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 4045FB97-C11A-4F3B-A021-FD94538F0356
title: Monitoring
description: |
Aggregator of policy violations in environment
type: software
purpose: Display policy violations
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by NeuVector for inheritance by applications
implemented-requirements:
- uuid: 7d524c68-a463-4283-9f50-a4f914b0feb9
control-id: ac-2
description:
"NeuVector supports internal user accounts and roles in addition
to LDAP and SSO for providing RBAC access. "
- uuid: c32ebef9-831b-4662-9172-7cec6697b1e5
control-id: ac-2.1
description:
"NeuVector supports internal user accounts and roles in addition
to LDAP and SSO for providing RBAC access. "
- uuid: 56ab01ce-a2eb-4a9b-9e77-4b598c0c9230
control-id: ac-3
description:
"NeuVector supports internal user accounts and roles in addition
to LDAP and SSO for providing RBAC access. "
- uuid: de3fa1f1-b7ce-43a4-97c7-53a15f9dadaf
control-id: ac-6
description:
"NeuVector supports mapping internal user accounts and roles
in addition to LDAP and SSO roles or groups for providing RBAC access. "
- uuid: 4a200112-0c9b-4fae-a9dd-45c8d9a70886
control-id: ac-6.1
description:
"NeuVector supports mapping internal user accounts and roles
in addition to LDAP and SSO roles or groups for providing RBAC access. "
- uuid: 37d720fa-d135-49b8-b423-00ad9f77a92d
control-id: ac-6.3
description:
"NeuVector supports mapping internal user accounts and roles
in addition to LDAP and SSO roles or groups for providing RBAC access. "
- uuid: 107864dd-f3e6-46b5-8004-2c7f717b2426
control-id: ac-6.9
description: "NeuVector provides logging access related audit events. "
- uuid: 88d83b17-b238-48e5-b1d2-f500035c6dc0
control-id: ac-6.10
description:
"NeuVector supports mapping internal user accounts and roles
in addition to LDAP and SSO roles or groups for providing RBAC access. "
- uuid: 53c7d03b-80f7-42e5-b300-dca43b2b8f05
control-id: au-2
description: "NeuVector provides logging access related audit events. "
- uuid: 4f50b73f-ff6a-4ce0-8139-dbae4f95b0d5
control-id: au-3
description: "NeuVector provides logging access related audit events. "
- uuid: 297107b6-bbe9-44e0-a36a-e5d7798f8ddd
control-id: au-4
description:
NeuVector can scale elastically based upon actual workload demands
to allocate audit log storage capacity.
- uuid: 510ce893-a40a-4bf4-92e0-1f1b1cd7d7a4
control-id: ca-2.2
description:
NeuVector continually monitors Kubernetes environments and container
images to detect misconfigurations, advanced network threats, and vulnerable
hosts; all attempts to exploit a vulnerability are documented.
- uuid: 15d6de3a-14ef-4efd-ab27-329a9adc4979
control-id: ca-7
description:
NeuVector continually monitors Kubernetes environments and container
images to detect misconfigurations, advanced network threats, and vulnerable
hosts; all attempts to exploit a vulnerability are documented.
- uuid: 5f04cfad-8aac-4809-970c-aca8067533fd
control-id: cm-6
description:
NeuVector is configured using Helm Charts. Default settings can
be found.
- uuid: f1425616-8ebb-48a9-a774-3d1a20c2d74a
control-id: cm-7
description:
NeuVector is configured securely, and only the required ports are
exposed.
- uuid: 6f18f2f4-3796-4189-8bfa-57d5b7bb10e7
control-id: ra-5
description:
NeuVector is a Kubernetes and container security tool. NeuVector
scans containers for vulnerabilities in addition to continuously monitoring
for active threats.
- uuid: c458f99a-78fd-4322-91e9-034b51f3e414
control-id: ra-5.2
description:
"NeuVector container scanning vulnerability database is updated
frequently. "
- uuid: 3ae44f3f-b44a-44e6-8752-e494b82e0ded
control-id: ra-5.3
description: "NeuVector container scanning configurations depth can be modified. "
- uuid: 142a0165-16de-4a5b-a151-cc646a5a943c
control-id: ra-5.5
description:
NeuVector supports mapping internal user accounts and roles in
addition to LDAP and SSO roles or groups for providing RBAC access.
- uuid: 8974dd78-8695-41ed-b68e-92e3105ff414
control-id: sa-11
description:
NeuVector continually monitors Kubernetes environments and container
images to detect misconfigurations, advanced network threats, and vulnerable
hosts; all attempts to exploit a vulnerability are documented.
- uuid: 4a59d604-10f9-4407-b062-1661063d760d
control-id: sa-11.1
description:
NeuVector continually monitors Kubernetes environments and container
images to detect misconfigurations, advanced network threats, and vulnerable
hosts; all attempts to exploit a vulnerability are documented.
- uuid: 4daa5851-1f8d-41fc-aabe-fafcb97d8b84
control-id: sc-7
description:
NeuVector monitors all communication at external interfaces, permits
connections to external networks only through managed interfaces, and
enforces allow-list and deny-list rules at Layer 7.
- uuid: 16c820af-4216-437c-a5e2-356dde1fb626
control-id: sc-8
description:
Data in transit is protected with TLS between components within the
data center, using an internal certificate, until the connection is
terminated at the application node. This ensures that data in transit is
encrypted.
- uuid: 4427e494-9ff4-4b98-8c41-62dbe056a1ac
control-id: si-2.3
description:
NeuVector continually monitors your Kubernetes environments to
detect misconfigurations, advanced network threats, and vulnerable hosts;
all attempts to exploit a vulnerability are documented.
- uuid: 6f165f1a-2f91-4ac6-8eee-fe729a715952
control-id: si-4
description:
NeuVector continually monitors your Kubernetes environments to
detect misconfigurations, advanced network threats, and vulnerable hosts;
all attempts to exploit a vulnerability are documented.
- uuid: e56438e7-b572-450a-b5a9-dc9a4cb93665
control-id: si-5
description:
NeuVector correlates configuration data with user behavior and
network traffic to provide context around misconfigurations and threats
in the form of actionable alerts.
- uuid: 93e508f9-530b-43e6-8fb8-c95b20b7e887
control-id: si-6
description:
NeuVector correlates configuration data and network traffic to
provide context around verification in the form of actionable alerts.
- uuid: 8392f45f-d74e-4a99-a7bb-d3ba45743b0a
control-id: si-11
description:
NeuVector correlates configuration data and network traffic for
error tracking to provide context around misconfigurations and threats in
the form of actionable alerts.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: f316b988-dfb0-475c-9f1f-58d35cee9157
title: NeuVector
description: |
NeuVector Full Lifecycle Container Security Platform delivers the only cloud-native security with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.
type: software
purpose:
Security scanning with integrated compliance and vulnerability
results, scanning of registries and serverless repositories, cloud-native
firewalls, and result displays
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Promtail for inheritance by applications
implemented-requirements:
- uuid: 1E11CEA9-CE73-45F0-BE08-D16B521B8E7E
control-id: ac-6.9
description:
Promtail can be configured to collect all logs from Kubernetes
and the underlying operating systems, allowing logs of privileged
function calls to be aggregated.
- uuid: CF81FA93-D365-42C2-82B1-A24EB92556E5
control-id: au-2
description: |-
Logging daemons are present on each node that Big Bang is installed on. Out of the box, the following events are captured:
- all containers emitting to STDOUT or STDERR (captured by the container runtime writing container logs to /var/log/containers)
- all Kubernetes API server requests
- all events emitted by the kubelet
- uuid: 6DDD209A-87A4-48BF-B6B9-5925CC7CF4C3
control-id: au-3
description: |-
Records captured by the logging daemon are enriched to ensure the following are always present:
- time of the event (UTC)
- source of the event (pod, namespace, container ID)
Applications are responsible for providing all other information.
- uuid: D3F883A0-4531-407F-8802-F8233CD1DEE9
control-id: au-8
description: |-
Records captured by the logging daemon are enriched to ensure the following are always present:
- time of the event (UTC)
- source of the event (pod, namespace, container ID)
Applications are responsible for providing all other information.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 6266DF09-F893-4D44-9823-4486B91D81ED
title: Promtail
description: |
Log collector
type: software
purpose: Collects logs from the cluster
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Loki for inheritance by applications
implemented-requirements:
- uuid: DEA798EE-6B68-4BB8-80DE-1BC85952F26C
control-id: ac-5
description:
GEL implements RBAC to define system authorization and separation
of duties.
- uuid: 642C8714-73E3-4A59-A89A-ACF2A36AAB6D
control-id: ac-6
description: GEL implements RBAC to employ principle of least privilege.
- uuid: 7BA2A7E8-D7AA-4229-8A32-53DE9147B4A8
control-id: ac-6.1
description: "GEL implements RBAC to employ principle of least privilege. "
- uuid: 02388229-428F-4896-92A1-AE93210057EC
control-id: ac-6.9
description:
Privileged events that modify the application are logged in the
application itself.
- uuid: 1A3EA794-360A-492B-8FEB-EE666FCE2010
control-id: ac-6.10
description:
GEL adds an RBAC layer that prohibits non-privileged users from
executing privileged functions.
- uuid: E3221BCB-EFF6-4E6C-9856-3C228735A7D2
control-id: ac-21
description:
GEL adds an RBAC layer that prohibits non-privileged users from
executing privileged functions.
- uuid: AB29AE94-C867-4BBE-AAB4-8BF21DBD31D9
control-id: au-4
description: Uses scalable object storage.
- uuid: B552D3B6-0C38-4B59-9D97-FB1D748EE8EA
control-id: au-6
description:
Provides audit record query and analysis capabilities. Organization
will implement record review and analysis.
- uuid: D45A7DA4-A9F9-46CD-AFA4-991824D2BAF5
control-id: au-6.1
description:
Provides audit record query and analysis capabilities. Organization
will implement record review and analysis.
- uuid: 9CCC7BF3-2710-4E00-BC22-2C272FCEC771
control-id: au-7.1
description: Loki provides an API for retrieving and filtering logs.
- uuid: 80BCE3BD-97D2-4525-A80C-4759F3B756AD
control-id: au-9
description:
Access to log data can be restricted to org-defined personnel
behind a private endpoint and not given to mission owners.
- uuid: E3771199-CBA3-46D0-8632-F745E9B6BFAE
control-id: au-9.2
description: Supports any object storage.
- uuid: 4D71EA77-3904-4CE4-AFDC-5123C88A8BD7
control-id: au-9.4
description: Enterprise version (GEL) implements RBAC.
- uuid: D75DF925-E6CE-49D8-8AB0-BD07DAF559E9
control-id: au-11
description:
Can configure audit record storage retention policy for defined
periods of time via the store(s) Loki is configured to use.
- uuid: 0833500E-517A-4F52-BD2F-64DE658E22C4
control-id: au-12.1
description: Provides time-series event compilation capabilities.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 991BD5DF-A3E7-42D6-AC4F-9A8D01E96F91
title: Loki
description: |
Deployment of Loki as a lighter-weight replacement for Elasticsearch
type: software
purpose: Provides storage and indexing for logs in the cluster
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description:
Controls implemented by Istio and authservice that are inherited
by applications
implemented-requirements:
- uuid: 1822457D-461B-482F-8564-8929C85C04DB
control-id: ac-3
description: |-
Istio implements with global configuration.
# How Istio helps
Istio helps implement access enforcement in two ways: limiting service-to-service access (see AC-4 below), and acting as an enforcement point for end-user authentication and authorization (AC-3, this section).
- Service-to-service access: Istio provides authenticatable runtime identities for all applications in the mesh in the form of X.509 certificates. Those certificates are used for encryption in transit as well as authentication of the service's identity. This authenticated principal can be used for access control of service-to-service communication via Istio's AuthorizationPolicy. We cover this in detail in AC-4, Information Flow Enforcement, below.
- End-user authentication and authorization: Istio facilitates end-user authentication and authorization in two ways:
1. Istio has native support for JWT authentication and authorization based on JWT claims. It can be configured to extract a JWT from each request's headers, validate it against the configured issuers and their keys, and limit access based on any of the JWT's claims.
2. Istio supports extracting metadata from each request and forwarding it to an external authentication and authorization server. Istio enforces the verdict returned by that server, and can attach additional metadata returned by the server (e.g., an internal JWT in place of an external API key).
- uuid: D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
control-id: ac-4
description: |-
Istio implements with mission team configuration.
# How does Istio help?
Istio encrypts all in-mesh communication at runtime using the service's identity. This provides TLS for all applications in the mesh. If you're using the Tetrate Istio Distribution, this TLS is FIPS verified. mTLS is configured through the PeerAuthentication resource, and should be set to STRICT to enforce mTLS between all components of the information system. Note that Istio's default mode is PERMISSIVE, which still accepts plaintext connections; a mesh-wide PeerAuthentication in the Istio root namespace with mode STRICT is required to actually enforce mTLS.
Istio's AuthorizationPolicy controls service-to-service communication within the mesh. Combined with Istio ingress and egress gateways, as well as a few installation settings, Istio can manage all traffic into and out of your deployment. In addition to AuthorizationPolicies controlling traffic in the mesh, Istio ingress gateways terminate HTTPS on behalf of applications in the mesh (AC-4 (4) - not required by moderate but valuable nonetheless). By managing how traffic flows out of applications using VirtualServices or ServiceEntries, all traffic leaving your infrastructure can be channeled through an egress gateway. Egress gateways can audit and limit how traffic flows to external services outside of the information system under control.
- uuid: 1D1E8705-F6EB-4A21-A24F-1DF7427BA491
control-id: ac-4.4
description:
All encrypted HTTPS connections are terminated at the Istio ingress
gateway.
- uuid: 366AAE60-AC24-4F48-BF63-4C0EB496CC9E
control-id: ac-4.21
description: |-
Istio implements with mission team configuration.
# How does Istio help?
When Istio is configured as above for AC-4, limiting access to services within the information system and controlling communication ingress to and egress from the information system, it provides logical separation of information flows. Istio policies can provide this separation at the finest grain possible. For example, for HTTP traffic, Istio can limit communication per verb and path, as well as by header values or end-user credentials carried in headers, in addition to controlling traffic by the traditional network five-tuple. Istio enforces the policy at the application instance itself (the sidecar).
- uuid: CD1315BF-91FE-490A-B6A6-5616690D78A8
control-id: ac-6.3
description:
'Configured with an "admin" gateway to restrict access to applications
that only need sysadmin access. '
- uuid: 3772B5F3-34BC-4EAE-B739-8499F828C2F4
control-id: ac-6.9
description: |-
Istio implements with global configuration.
# How does Istio help?
Istio produces logs for all traffic in the information system; see AU-3 below for more information on what is logged and how to configure additional information to be logged with each access. As long as the privileged functions are exposed as network endpoints in the information system, Istio logs their use like it logs all other network traffic. Logging privileged use outside of the information system, such as using kubectl to access the cluster directly, is outside the scope of Istio's runtime logging.
- uuid: 6109E09A-8279-44AB-8CA4-2051AF895648
control-id: ac-14
description: |-
Istio implements with mission team configuration.
# How does Istio help?
Istio can be configured to extract end-user credentials from requests for authentication (either locally, or by forwarding them to an external authorization service), and to reject requests without authentication tokens. This is configured using RequestAuthentication and AuthorizationPolicy resources, described in AC-3 and AC-4 above. Note that RequestAuthentication alone only rejects requests carrying an invalid token; requests with no token still pass unless an AuthorizationPolicy requires a request principal. Used this way, Istio's authorization policy becomes documentation of the services that do not require authentication.
- uuid: ead87eb9-a436-4ac9-bdde-8d60fd2b6c72
control-id: ac-17.3
description:
Istio routes remote access through managed network access control
points (the ingress gateways), given correct configuration.
- uuid: 9B6BA674-E6ED-4FB6-B216-3C8733F36411
control-id: au-2
description:
Istio provides access logs for all HTTP network requests, including
mission applications.
- uuid: D3CBC898-F938-4FAA-B1B1-2597A69B5600
control-id: au-3
description: |-
Istio implements with global configuration.
# How does Istio help?
Istio generates access logs for all traffic in the mesh (ingress, internal, and egress) that are a superset of the data in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). For HTTP traffic, this includes timestamp, source and destination IPs, request verb, response code, and more. You can get a full overview of the data that is provided [in the Istio documentation](https://istio.io/latest/docs/tasks/observability/logs/access-log/). The format of these logs can be configured per deployment or globally at install time to conform with the requirements of existing log analysis tools or other organizational needs.
By default, Envoy sidecars in the mesh emit these logs as text to standard out. However, Envoy can be configured to forward this log data over gRPC to a server that aggregates (and potentially acts on) them; this is the [Access Log Service (ALS)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto). These logs can be augmented by application-specific audit logging, but for many services (HTTP services especially) the mesh's logs are sufficient to reconstruct the sequence of events for an audit.
- uuid: 630301DB-8730-4107-9E14-A1EEDE351122
control-id: au-3.1
description: |-
Istio implements with global configuration.
# How does Istio help?
Istio's access logs can be configured to include additional information as needed by the organization.
- uuid: 6F2A603C-D240-47F1-9BED-334000E15011
control-id: au-9
description: |-
Istio contributes but does not implement.
# How does Istio help?
If you are using Istio to produce audit information (see AU-3 and AU-3 (1)), then the logs Istio produces are subject to AU-9 controls. Protecting those logs is outside the scope of Istio itself, but by integrating your log ingestion and protection system with the logs Istio produces you can satisfy this requirement. Kubernetes RBAC should be configured so that only specific users can reach the log output Envoy produces; ideally no user has direct access, and logs are read only through the log ingestion system (such as Splunk).
- uuid: 6F2A603C-D240-47F1-9BED-334000E15011
control-id: au-9.2
description: |-
Istio contributes but does not implement.
# How does Istio help?
See AU-9 above; in short, ensure that Istio's logging configuration aligns with your larger log collection pipeline. The log collection pipeline itself should implement the AU-9 controls required by the organization.
- uuid: 13EC0F18-2696-4407-8478-3AFE839D4764
control-id: AU-12
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. These events are a subset of all events defined by most organizations in AU-2 a. as worthy of audit. See AU-3 for details of the information that can be generated, and AU-3 (1) for information on customizing it. If the only events to be logged per AU-2 a. are network events, then Istio satisfies AU-12 fully for the information system.
- uuid: D01F6B2D-F18E-47E9-94DC-95C0B5675E13
control-id: cm-5
description: |-
Istio contributes but does not implement.
# How does Istio Help? Istio is configured with Kubernetes Custom Resources. As such it can be configured as code, and managed by your existing CM-5 conformant code management processes. Kubernetes RBAC should be used to control who can change which configuration at runtime. BigBang implements CM-5 controls by implementing infrastructure as code practices, configuring Kubernetes RBAC to prevent humans from authoring configuration and allowing only continuous delivery systems (Flux, by default) to author runtime configuration. Since all configuration is managed in this CM-5 conformant way, Istio’s configuration is controlled in a CM-5 conformant way.
- uuid: 618C16DE-82D0-46FF-9A3A-D260D5F4F654
control-id: cm-6
description:
"Istio contributes but does not implement. \n# How does Istio
Help? This document provides the guidance for configuring Istio, both globally
as well as for mission teams. Additional best practices should be followed,
including: - NIST SP 800-204A: Building Secure Microservices-based Applications
Using Service-Mesh Architecture - NIST SP 800-204B: Attribute-based Access
Control for Microservices-based Applications using a Service Mesh. Tetrate
helps maintain and periodically audits BigBang’s Istio configurations to
ensure they implement best practice defaults."
- uuid: AB9189FF-34E2-4D7E-8018-EB346C7AE967
control-id: cm-8.1
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio’s service inventory is updated continuously from the Kubernetes API server (the information system’s source of truth for what applications are running). Therefore, the inventory is updated when components of the information system are installed or removed. As a result, Istio implements CM-8 (1) for the information system.
- uuid: A740C741-23B4-4ED9-937C-E0276A9B92EE
control-id: cm-8.2
description:
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali. The inventory is automatically and
continuously updated.
- uuid: 61615706-5395-4168-8AD0-5C4ACBCC5D7E
control-id: ia-2
description: |-
Istio implements with mission team configuration.
# How does Istio Help? Istio can be used to implement authentication of end-user credentials for applications in the mesh. This is typically configured via Istio’s external authorization service or by validating JWTs on each request (see AC-3). If components in the information system are protected by Istio configured to validate end-user credentials, then Istio satisfies the authentication clause of IA-2: “[the information system] authenticates organizational users (or processes acting on behalf of organizational users).” Assigning user identities themselves, and ensuring their uniqueness, is out of scope of Istio. (Istio does assign identities to applications or processes running in the information system – see AC-4.)
- uuid: 3004BB1D-0F50-48F1-ABFE-40CC522B1C15
control-id: ia-4
description: |-
Istio contributes but does not implement.
# How does Istio Help? Istio assigns identities to runtime entities based on their Kubernetes service account. Service accounts are unique per (namespace, service account name) pair and are assigned to all pods in the cluster. Pods should opt in to using a specific service account, but if they do not, Kubernetes provides a default service account per namespace.
The identities Istio assigns are:
a. Authorized for the specific application by checking against the Kubernetes API server (the system of record for runtime identities).
b. Each service receives an identity from Kubernetes at runtime, whether it is assigned explicitly or not.
c. Sent only to correct workloads because Istio authenticates runtime proofs (mainly, the pod’s service account token) in addition to authorizing the identity by checking with the Kubernetes API server.
d. Service accounts in Kubernetes are unique. However, Kubernetes-level controls (out of the scope of Istio) need to be implemented to ensure that identities are not re-used.
e. The Kubernetes service account lifecycle is out of scope of Istio. A Kubernetes-level control is needed to satisfy this requirement.
- uuid: 3FC44715-6068-44E5-9079-641D3FAA6A14
control-id: ia-7
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio provides encryption in transit for all applications in the mesh, and can also provide TLS termination at ingress and TLS origination at egress. Tetrate Istio Distribution (TID) is the only FIPS 140-2 Verified Istio distribution that exists. It is available from the Iron Bank. When using the TID FIPS builds, all communication between components of the information system is encrypted using FIPS 140-2 verified software.
- uuid: 82AC8314-BDA8-4A4D-B54D-4A0233563C7C
control-id: sc-3
description:
"Istio breaks down services into microservices to isolate security
functions from non-security functions. "
- uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c
control-id: sc-4
description:
Istio can enforce that outbound traffic goes through an Egress
Gateway. When combined with a Network Policy, you can enforce that all traffic,
or some subset, goes through the egress gateway to prevent unauthorized
and unintended information transfer via shared system resources.
- uuid: ffe69802-65bf-48bf-a7cd-6cab0cbf43d3
control-id: sc-5
description:
Istio monitors the egress traffic and enforces all the security
policies. Monitoring the egress traffic enables you to analyze it, possibly
offline, and detect an attack.
- uuid: 986E0C8B-6956-42AF-804E-FDB366DE6EDC
control-id: sc-7
description:
"Istio implements with global configuration.\n# How does Istio
Help? Istio alone cannot completely satisfy the SC-7 requirement, because
Istio sits at Layer 4 and above; in other words, it sits atop the IP network
you provide it. However, Istio can aid in implementing boundary protection
in your stack:\n a. Istio provides monitoring (AU-12) and control of traffic
ingressing into and egressing out of the cluster, as well as internally for
all communication between components. If all information system components
are running in the cluster, this satisfies SC-7 a.\n b. Istio operates
at layer 4 and above - it cannot implement sub-networks at the IP layer.
However, Istio can be used for logical separation of components at runtime
(see AC-4 (21)). \n Istio’s separation should be augmented with network-level
separation, e.g. via a CNI plugin, to help implement a defense in depth
strategy.\n c. The only ingress into the cluster is via Istio gateways
(AC-3), and egress is controlled by Istio gateways (AC-4). If all information
system components are running in the cluster, this satisfies the needs of
SC-7 c. \n Further, access policy can be applied at both points, as well
as at every application instance via Istio’s sidecar. This gives the organization
the opportunity to implement more fine-grained controls than are needed by
SC-7."
- uuid: CB84CC94-BBAA-4177-9836-5AD0DE3A9937
control-id: sc-7.4
description:
"Istio implements with global configuration.\n# How does Istio
Help? Like SC-7, Istio works in tandem with a few other components of the
infrastructure to satisfy SC-7 (4). For example, it’s common to use an
identity-aware proxy (like Platform One’s CNAP), or even a cloud provider
load balancer (like an ELB) as the initial interface for an external service,
immediately passing the requests on to Istio’s ingress. For all of the information
system components in the cluster:\n a. Istio provides an interface, its
ingress and egress gateways, for external network traffic. Istio allows configuring
how that interface is exposed, including ports and protocols as well as
certificates that are served. See AC-4.\n b. Istio provides fine-grained
layer 7 policy on each request to control how traffic flows through that
ingress. It enforces this policy at ingress gateways to control the external
traffic ingressing into your information system. \n Istio also enforces this policy
at egress gateways to control how components of your information system
communicate with external systems. See AC-4.\n c. Istio’s ingress gateways
serve TLS (or mTLS) to external systems, and Istio provides mTLS between
applications of the information system in the mesh. See AC-4.\n d. Istio
must be explicitly configured to allow exceptions, either in AuthorizationPolicy
documents controlling runtime access or in resource annotations exempting
traffic from Istio’s sidecar. \n These can be used as supporting documents
for SC-7 (4) d., but will need to be augmented with organizational documentation
citing specific mission needs and durations.\n e. This is an organizational
activity out of the scope of Istio."
- uuid: CB84CC94-BBAA-4177-9836-5AD0DE3A9937
control-id: sc-7.5
description: |-
Istio implements with mission team configuration.
# How does Istio Help? At ingress and egress gateways, Istio denies all traffic that does not have explicit traffic routing policies in the form of a VirtualService attached to the gateways. Inside of the mesh, and to control egress out to external services, you can author AuthorizationPolicies to limit access. Those policies must be written in the “allow with positive matching” style. Together, Istio implements the SC-7 (5) control on behalf of applications in the mesh.
- uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8
control-id: sc-7.8
description:
Istio’s traffic management model relies on the Envoy proxies
that are deployed along with the services. All traffic that the mesh services
send and receive (data plane traffic) is proxied through Envoy, making it
easy to direct and control traffic around the mesh without making any changes
to the services.
- uuid: 5baf367f-d917-4399-80e5-5c77a18a120a
control-id: sc-7.10
description:
Istio can set an alert to detect attempted data exfiltration
by a service in the cluster. When a request is blocked, Prometheus can tell you both
the source and (attempted) destination workload for the blocked request.
The Istio System manages the ingress and egress network traffic permitted
within your OPA-integrated Istio service mesh. You can specify that egress traffic
is only allowed to a predefined collection of endpoints to minimize the
risk of data exfiltration or to implement microservice API authorization.
- uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02
control-id: sc-7.20
description:
Locality-weighted load balancing allows administrators to control
the distribution of traffic to endpoints based on the localities of where
the traffic originates and where it will terminate. These localities are
specified using arbitrary labels that designate a hierarchy of localities
in {region}/{zone}/{sub-zone} form. If the goal of the operator is not to
distribute load across zones and regions but rather to restrict the regionality
of failover to meet other operational requirements, an operator can set a
‘failover’ policy instead of a ‘distribute’ policy.
- uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987
control-id: sc-7.21
description:
"Multi-mesh deployments facilitate division of a system into
subsystems with different security and compliance requirements, and facilitate
boundary protection. You put each subsystem into a separate service
mesh, preferably on a separate network. You connect the Istio meshes using
gateways. The gateways monitor and control cross-mesh traffic at the boundary
of each mesh. Istio isolation boundaries can run multiple TSB-managed Istio
environments within a Kubernetes cluster, or spanning several clusters. These
Istio environments are isolated from each other in terms of service discovery
and config distribution. "
- uuid: ca307f39-eb42-4df3-9054-4d66130e0118
control-id: sc-7.25
description:
"All outbound traffic from an Istio-enabled pod is redirected
to its sidecar proxy by default, so accessibility of URLs outside of the cluster
depends on the configuration of the proxy. By default, Istio configures
the Envoy proxy to pass through requests for unknown services. Although
this provides a convenient way to get started with Istio, configuring stricter
control is usually preferable. Egress gateways can limit how traffic flows
to external services outside of the information system under control. Istio
can be configured to extract end-user credentials from requests for authentication
(either locally, or forwarding them on to an external authorization service),
and to disallow requests without authentication tokens. "
- uuid: CB84CC94-BBAA-4177-9836-5AD0DE3A9937
control-id: sc-8
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh.
- uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C
control-id: sc-8.1
description: |-
Istio implements with global configuration.
# How does Istio Help? See SC-8 for full details. In short, Istio provides encryption in transit (mutual TLS) for all applications in the mesh. When you’re using TID’s FIPS verified build of Istio, then this encryption also satisfies FIPS 140-2 requirements.
- uuid: c158b75a-cefc-4794-b124-f1e56ff5646d
control-id: sc-8.2
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh.
- uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c
control-id: sc-10
description:
A timeout for HTTP requests can be specified using a timeout
field in a route rule.
- uuid: B6B9D143-6936-4C33-BF2A-3C2B1F282B25
control-id: sc-13
description: |-
Istio implements with global configuration.
# How does Istio Help? As outlined in the section on SC-8, Istio provides encryption in transit for all applications in the mesh. The Tetrate Istio Distribution’s FIPS Verified build is the only FIPS verified build of Istio and Envoy available, and satisfies requirements for FIPS 140-2 as well as the requirement to use the best available software for the job.
- uuid: 625bfdc1-0b20-45f3-919b-91afbac77799
control-id: sc-23
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh.
- uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa
control-id: sc-39
description:
Istio’s authorization features provide mesh-, namespace-, and
workload-wide access control for your workloads in the mesh. Istio supports
trust domain migration for authorization policy. This means if an Istio
mesh needs to change its trust domain, the authorization policy doesn’t
need to be changed manually.
- uuid: e074c939-cd8c-46d0-a851-f3c54fcd5507
control-id: si-4.22
description: |-
Istio implements with global configuration.
# How does Istio Help? Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. Logging can be configured for specific network traffic, such as traffic not authorized or approved by a system process or user. Network event alerts can be configured according to organizational need.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 81F6EC5D-9B8D-408F-8477-F8A04F493690
title: Istio Controlplane
description: |
Istio Service Mesh
type: software
purpose: Istio Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Kyverno for inheritance by applications
implemented-requirements:
- uuid: 7D019F27-294F-4759-A44F-BA6E15370ED8
control-id: cm-4
description:
The Kyverno CLI can be used in CI/CD pipelines to assist with the resource
authoring process, ensuring resources conform to standards before they are
deployed.
- uuid: 91302CE7-181E-4464-9E26-2A1E42D8909F
control-id: cm-4.1
description:
Using the audit validationFailureAction state in a test environment
allows changes to be tested against policies without blocking development,
while the same policies are mirrored and enforced in production.
- uuid: BE54EDE4-8279-4AE6-B8C3-5B68CC235E5E
control-id: cm-6
description:
Kyverno can be configured for cluster-wide and namespaced policies
for system configuration. Exceptions can be implemented to policies that
will allow for explicit deviations approved by policies/configurations declared
in git.
- uuid: 6e1f05fc-3eab-45a2-9b16-d2c5acfed20b
control-id: cm-7
description:
Kyverno can enact policies that prevent the use of specific service
types (i.e., LoadBalancer or NodePort).
- uuid: C14EA5F8-3926-4BB4-BE44-B134513F143D
control-id: cm-7.5
description:
Policies can be written to enact deny-all for workloads unless
exceptions are identified.
- uuid: 69A5689A-DAA5-48F6-9953-AEF482B0FEE0
control-id: cm-8.3
description:
Policies can be written to validate that all software workloads can
be verified against a signature.
- uuid: D0CEE97B-A884-4ECB-B56E-34048148144C
control-id: sc-5
description:
Policies can be written to limit the effects of a denial of service
attack. For example, when a Pod requests an emptyDir, by default it does
not have a size limit, which may allow it to consume excess or all of the
space in the medium backing the volume. This can quickly overrun a Node
and may result in a denial of service for other workloads. A policy can add
a sizeLimit field to all Pods mounting emptyDir volumes, if one is not present,
and set it to 100Mi.
- uuid: 860527a1-60d5-4b14-bae8-bf203f9e5be8
control-id: sc-7.20
description:
"Policies can be written against Kubernetes Namespaces, a feature
that provides a way to segment and isolate cluster resources across multiple
applications and users. As a best practice, workloads should be isolated
with Namespaces. "
- uuid: a6a241df-e2d3-4b2f-9d3c-2c00b9f79be9
control-id: sc-7.21
description:
Policies can be written to define the boundary needed for incoming (ingress)
and outgoing (egress) traffic and to configure a network policy and/or a constraint
configuration.
- uuid: c1063293-602f-4e4d-a662-c7f516fd6608
control-id: sc-7.25
description:
Policies can be written to block outgoing (egress) traffic
to a specific external network by configuring a network policy and/or a constraint
configuration.
- uuid: ea6d451f-a44b-4394-be85-5b5ff2c846ff
control-id: sc-10
description:
"JMESPath can be used to set specific time parameters, and
Kyverno policies can be used to terminate a connection based on those parameters. "
- uuid: c5301f91-bd60-4049-9210-a14a47a1fddf
control-id: si-4.22
description:
A validation rule can be made for network services that are not
approved/authorized and a policy report can be created to audit the event.
- uuid: CBCB72ED-3161-4A6F-B522-FB7082E6E380
control-id: sr-11
description:
Cluster-Wide Policies can be written to require all images be
verified through signature verification.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 33d8fdde-f6ab-462a-8923-e6e4446d7a10
title: Kyverno
description: |
Deployment of Kyverno as an admission controller for a Kubernetes cluster
type: software
purpose: Admission controller for the Kubernetes API
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
- control-implementations:
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
description: Controls implemented by Grafana for inheritance by applications.
implemented-requirements:
- uuid: 3bfac64c-3d7d-4425-87da-82397e6e3a8e
control-id: ac-6.9
description:
"Privileged events, including updating the deployment of an application,
or use of privileged containers, are collected as metrics by Prometheus and
displayed by Grafana. "
- uuid: 4bedfe60-c66a-4621-b4f2-3369f1b248ad
control-id: au-2
description:
"API endpoints suitable for capturing application level metrics
are present on each of the supported applications running as containers.
In addition, system and cluster level metrics are emitted by containers
with read only access to host level information. Metrics are captured and
stored by Prometheus, a web server capable of scraping endpoints formatted
in the appropriate dimensional data format. Metrics information is stored
on disk in a time-series database, and later queried through a separate
component providing a web interface for the query language: PromQL. Metrics
data can be displayed through a Grafana dashboard for visualization. "
- uuid: bada0000-35e1-4060-ac83-a5014ca05831
control-id: au-3.1
description:
Grafana has pre-configured dashboards showing the audit records
from Cluster Auditor saved in Prometheus.
- uuid: 3cbc2461-6042-4c9a-9a71-f65983ce5bb6
control-id: au-5.1
description:
"Alertmanager has pre-built alerts for PVC storage thresholds
that would fire for PVCs supporting Prometheus metrics storage. Metrics
data can be displayed through a Grafana dashboard for visualization. "
- uuid: 09340803-8f1a-45ae-affc-63caf7466ded
control-id: au-5.2
description:
"Alertmanager has pre-built alerts for failed pods that would
show when ClusterAuditor is not processing events, or Prometheus is unable
to scrape events. Prometheus also has a dead man's alert to ensure end users
are seeing events from Prometheus as part of its configuration. Data can
be displayed through a Grafana dashboard for visualization. "
- uuid: 182dfcc7-af14-4d2a-a47c-d8add373809c
control-id: au-6.1
description:
"Cluster Auditor Events/Alerts could be exported from Prometheus
to an external system. Integration for specific tooling would need to be
completed by end user. Metrics data can be displayed through a Grafana dashboard
for visualization. "
- uuid: abe67aa0-e3fc-4b87-a003-515fac323014
control-id: au-6.3
description:
Aggregating Cluster Auditor events across multiple sources (clusters)
is possible with a multi-cluster deployment of Prometheus/Grafana.
- uuid: BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB
control-id: au-6.5
description:
"Cluster Auditor's audit data is consolidated with system monitoring
tooling (node exporters) to provide a consolidated view that enhances detection of inappropriate
or unusual activity. Metrics data can be displayed through a Grafana dashboard
for visualization. "
- uuid: 22ae84f6-a0f3-4d30-b537-305bdee64eb3
control-id: au-6.6
description:
"Cluster Auditor data in Prometheus would enable this, but would
require Prometheus to also obtain access to physical metrics. Metrics data
can be displayed through a Grafana dashboard for visualization. "
- uuid: 9976cc27-5ff2-46e4-9c34-d3bc8981e56b
control-id: au-7
description:
Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor.
- uuid: 19c54dd1-f5d3-4cb4-8ebc-25489799e468
control-id: au-7.1
description:
Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor.
- uuid: d2c6aa6d-39fa-453c-8daf-942b34e93025
control-id: au-8
description:
"Prometheus stores all data as time-series data, so the timestamps
of when those violations were present are part of the data stream. Metrics
data can be displayed through a Grafana dashboard for visualization. "
- uuid: 263c1161-2aed-4532-8e8e-b2e6f9d3f0a4
control-id: au-9
description:
Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Access Control when using Grafana Enterprise.
- uuid: 8a55aac8-3772-4686-9356-557b11629fe3
control-id: au-9.2
description:
"Prometheus can scrape external components outside of the system,
but this configuration is not easily supported as part of the current Big
Bang configuration of ClusterAuditor, since external access to ClusterAuditor
metrics is not exposed via Istio. Metrics data can be displayed through
a Grafana dashboard for visualization. "
- uuid: 6842544b-5a7c-4526-adbc-af0f95d000c8
control-id: au-9.4
description:
Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Access Control when using Grafana Enterprise.
- uuid: c083069f-ddac-4c5e-829b-b4367cdbaad7
control-id: au-12.1
description:
Compatible metrics endpoints emitted by each application are
compiled by Prometheus and displayed through Grafana with associated timestamps
of when the data was collected.
uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
uuid: 04361aec-ae78-4bbb-8a5a-90a352650f52
title: Grafana
description: |
Grafana is an analytics and interactive visualization web application.
type: software
purpose:
It provides charts, graphs, and alerts when connected to supported data
sources.
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
back-matter:
resources:
- uuid: BFF74303-1E06-469E-ADCF-338E6DDB8876
title: Github Repo - Kiali
rlinks:
- href: https://github.com/kiali/kiali
- uuid: FF8AA056-BD14-4862-9614-04A2A8C4A26F
title: Big Bang Kiali package
rlinks: