
Add automation script to export security control annotations into a set of bidirectional code-control, services-control mappings - for compliance - example: ComputeFirewallPolicy maps to AC-3(9), AC-4... #560

Open
fmichaelobrien opened this issue Oct 13, 2023 · 6 comments

Comments

@fmichaelobrien
Contributor

fmichaelobrien commented Oct 13, 2023

see #151

expanding...
see for example ComputeFirewallPolicy mapping to AC-3(9)...

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml#L22

```yaml
# Client Compute Firewall Policy to folder client-folder
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
```

and annotation based - thanks Dave

related-security-controls: AC-3, AC‑4, SC-5, SC‑7, SC‑7(5), SI-3, SI-3(7), SI-4

```yaml
kind: ConstraintTemplate
metadata:
  name: limitegresstraffic
  annotations:
    description: Establish external and internal network perimeters and monitor network traffic.
    reference: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/09_Network-Security-Services.md
    related-security-controls: AC-3, AC‑4, SC-5, SC‑7, SC‑7(5), SI-3, SI-3(7), SI-4
```

TODO: Dynamic version - integration as a KRM resource that keys off KCC/K8S deployment changes
TODO: offline version - parse the code/annotations using a yaml parser
TODO: online hosted version - d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls

@fmichaelobrien fmichaelobrien added compliance security/network compliance automation labels Oct 13, 2023
@fmichaelobrien fmichaelobrien self-assigned this Oct 13, 2023
@davelanglois-ssc
Collaborator

Just so you know, we have a script under work. We will include you in the demo when it's ready.

@fmichaelobrien
Contributor Author

Thanks Dave as usual. I'll look for the work item in the issue list.

We will need automated security control mappings on top of screencap evidence for at least 2 other ATOs - ideally we inherit from the first

@obriensystems
Collaborator

Example visuals for extract and/or live compliance dashboard

d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls

https://observablehq.com/@kerryrodden/sequences-sunburst
https://d3js.org/
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#controls-coverage
https://mermaid.js.org/#/flowchart?id=graph

See exercise at compliance dashboard and automated security control mapping extract - so we don't have to manually create one of these

[image: Screenshot 2023-11-12 at 19 21 57]

or the wiki based editing of

[image: Screenshot 2023-11-12 at 19 24 11]

@obriensystems
Collaborator

obriensystems commented Nov 25, 2023

Input

  • hashmap of all itsg-33 security control keys as search criteria - transformable to AC-2, AC-2(1).. with camelcase
  • pdt repo clone
  • optional live gke cluster to mine tags/labels/namespaces

Output dynamic

  • reuse for canary app to drive the ato/SA&A
  • spring boot container serving a live graph database visual and exportable relationship map

Output static

  • ideal
  • csv output that can convert to readme.md table format
  • relative hyperlink to the repo with file and line number
  • optional (context of the yaml service above the hit)
  • optional correlation maps (code to controls, service to controls and reverse)

Method

  • File.lines()
  • Scanner class with next()
  • avoid raw BufferedReader
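As an added example (not the repo's script and not the internal inventory*.py mentioned further down), here is an offline, line-based scanner in Python that covers both annotation styles quoted in the opening comment (the `# AC-3(9), AC-4 ...` comment block above a ComputeFirewallPolicy, and the `related-security-controls:` metadata annotation on a ConstraintTemplate) and produces the static outputs listed in this comment: service-to-controls and controls-to-services maps, code-to-controls entries keyed by file:line, a markdown table with relative `file#Lnn` hyperlinks, and a "which kinds carry no controls" check. It scans lines rather than loading YAML so that comment lines survive, mirroring the File.lines() approach above. The sample YAML, resource names and the `ComputeNetwork` document without controls are constructed for the demo; `scan_repo` is the hypothetical entry point for a cloned repo.

```python
"""Export security-control annotations from KRM/KCC YAML into bidirectional
code<->control and service<->control maps (added example, line-based, no YAML parser)."""
import re
from collections import defaultdict, namedtuple
from pathlib import Path

# ITSG-33 / NIST SP 800-53 style identifiers: AC-3, AC-3(9), SC-7(11), ...
# The quoted annotations use a non-breaking hyphen (U+2011) in some ids, so accept both.
CONTROL_RE = re.compile(r"\b([A-Z]{2}[-\u2011]\d+(?:\(\d+\))?)")
KIND_RE = re.compile(r"^\s*kind:\s*(\S+)")
ANNOTATION_RE = re.compile(r"^\s*related-security-controls:\s*(.+)$")

# One hit = one control id at one file:line, attributed to the KRM kind it documents.
Hit = namedtuple("Hit", "control kind path line source")


def extract_controls(text):
    """Control ids mentioned in one line, with U+2011 normalized to a plain hyphen."""
    return [c.replace("\u2011", "-") for c in CONTROL_RE.findall(text)]


def scan_text(text, path="policy.yaml"):
    """Scan one file's text. Comment-style ids are attached to the next 'kind:';
    annotation-style ids are attached to the enclosing (most recent) 'kind:'."""
    hits, pending, current_kind = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped == "---":  # new YAML document: reset the resource context
            current_kind, pending = None, []
        elif stripped.startswith("#"):
            pending.extend((c, lineno) for c in extract_controls(stripped))
        elif (m := KIND_RE.match(line)):
            current_kind = m.group(1)
            hits.extend(Hit(c, current_kind, path, ln, "comment") for c, ln in pending)
            pending = []
        elif (m := ANNOTATION_RE.match(line)):
            kind = current_kind or "(unknown)"
            hits.extend(Hit(c, kind, path, lineno, "annotation") for c in extract_controls(m.group(1)))
    return hits


def scan_repo(root):
    """Hypothetical repo entry point: scan every *.yaml below root with repo-relative paths."""
    root = Path(root)
    hits = []
    for f in sorted(root.rglob("*.yaml")):
        hits.extend(scan_text(f.read_text(encoding="utf-8"), f.relative_to(root).as_posix()))
    return hits


def build_maps(hits):
    """Bidirectional maps: kind->controls, control->kinds, file:line->controls."""
    svc, ctl, code = defaultdict(set), defaultdict(set), defaultdict(set)
    for h in hits:
        svc[h.kind].add(h.control)
        ctl[h.control].add(h.kind)
        code[f"{h.path}:{h.line}"].add(h.control)
    return dict(svc), dict(ctl), dict(code)


def unannotated_kinds(text, path="policy.yaml"):
    """Kinds present in the file that carry no control annotation (the 'some are missing' check)."""
    all_kinds = set()
    for line in text.splitlines():
        m = KIND_RE.match(line)
        if m:
            all_kinds.add(m.group(1))
    return all_kinds - {h.kind for h in scan_text(text, path)}


def to_markdown(hits):
    """Controls-to-code table with relative file#Lnn links, pasteable into a README or wiki page."""
    rows = ["| Control | Kind | Source |", "|---|---|---|"]
    for h in sorted(hits, key=lambda h: (h.control, h.path, h.line)):
        rows.append(f"| {h.control} | {h.kind} | [{h.path}#L{h.line}]({h.path}#L{h.line}) |")
    return "\n".join(rows)


# Constructed sample modelled on the two styles quoted in the issue (not a file from the repo).
# "AC\u20114" below is AC + non-breaking hyphen + 4, as seen in the quoted annotation.
SAMPLE_YAML = """\
# Client Compute Firewall Policy to folder client-folder
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - connections allowed/denied via firewall policy
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
metadata:
  name: client-folder-policy
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: limitegresstraffic
  annotations:
    description: Establish external and internal network perimeters and monitor network traffic.
    related-security-controls: AC-3, AC\u20114, SC-5, SC\u20117, SC\u20117(5), SI-3, SI-3(7), SI-4
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeNetwork
metadata:
  name: no-controls-documented-yet
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_YAML)
    print(to_markdown(found))
    print("kinds without controls:", sorted(unannotated_kinds(SAMPLE_YAML)))
```

Because matching is regex-based, a control-like token inside free text (a `description:` value, for instance) is only picked up from comment lines and the `related-security-controls:` value, never from other keys; widen `extract_controls` deliberately if the repo adopts further annotation keys. The `unannotated_kinds` output is the list to chase when reviewing a generated securitycontrols.md for gaps.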

@obriensystems obriensystems self-assigned this Nov 25, 2023
@obriensystems
Collaborator

Review of generated * securitycontrols.md
Some are missing

Controls to Code Mappings

(From generated source)

(From yaml comments)

(From KRM tagging)

@fmichaelobrien
Contributor Author

received internal inventory*.py script - running some reverse engineering on the k8s yaml and will advise - thank you
