forked from DoD-Platform-One/bigbang
oscal-component.yaml
component-definition:
uuid: "4DEDC09C-B2ED-407B-82C6-229F77DDDC8C"
metadata:
title: Big Bang
last-modified: '2022-06-06T15:26:59.676009+00:00'
version: 1.39.0
oscal-version: 1.0.4
parties:
- uuid: 72134592-08C2-4A77-ABAD-C880F109367A
type: organization
name: Platform One
links:
- href: <https://p1.dso.mil>
rel: website
components:
- uuid: 81F6EC5D-9B8D-408F-8477-F8A04F493690
type: software
title: Istio Controlplane
description: |
Istio Service Mesh
purpose: Istio Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-8BAD-C880F109367A
control-implementations:
- uuid: 06717F3D-CE1E-494C-8F36-99D1316E0D13
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description:
Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: 1822457D-461B-482F-8564-8929C85C04DB
control-id: ac-3
description: >-
Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these
policies.
- uuid: D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
control-id: ac-4
description: >-
All HTTP(S) connections into the system via Istio ingress gateways
and throughout the system with Istio sidecars.
- uuid: 1D1E8705-F6EB-4A21-A24F-1DF7427BA491
control-id: ac-4.4
description: >-
All encrypted HTTPS connections are terminated at the istio ingress
gateway.
- uuid: CD1315BF-91FE-490A-B6A6-5616690D78A8
control-id: ac-6.3
description: >-
Can be configured with an "admin" gateway to restrict access
to applications that only need sysadmin access. Not standard in BB itself
though.
- uuid: 6109E09A-8279-44AB-8CA4-2051AF895648
control-id: ac-14
description: >-
Istio RequestAuthentication and AuthorizationPolicies are applied
after Authservice. Istio is configured to only allow access to applications
if they have a valid JWT, denying access by default. Applications that do
not use Authservice do not have these policies.
- uuid: 9B6BA674-E6ED-4FB6-B216-3C8733F36411
control-id: au-2
description: >-
Istio provides access logs for all HTTP network requests, including
mission applications.
- uuid: D3CBC898-F938-4FAA-B1B1-2597A69B5600
control-id: au-3
description: >-
By default, Istio uses the Common Log Format with additional information for access logs.
The default configuration does not include the identity of individuals associated with the event.
- uuid: D01F6B2D-F18E-47E9-94DC-95C0B5675E13
control-id: cm-5
description: >-
Configured via Kubernetes resources. Inherited from cluster and
flux/ArgoCD.
- uuid: 6370B2DA-1E35-4916-8591-91FB9EDBE72B
control-id: cm-8
description: >-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali.
- uuid: AB9189FF-34E2-4D7E-8018-EB346C7AE967
control-id: cm-8.1
description: >-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali. The inventory is automatically and
continuously updated.
- uuid: A740C741-23B4-4ED9-937C-E0276A9B92EE
control-id: cm-8.2
description: >-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali. The inventory is automatically and
continuously updated.
- uuid: 61615706-5395-4168-8AD0-5C4ACBCC5D7E
control-id: ia-2
description: >-
Istio RequestAuthentication and AuthorizationPolicies are applied
after Authservice. Istio is configured to only allow access to applications
if they have a valid JWT, denying access by default. Applications that do
not use Authservice do not have these policies.
- uuid: 3004BB1D-0F50-48F1-ABFE-40CC522B1C15
control-id: ia-4
description: >-
Istio uses Kubernetes namespaces and resource names to identifiy
workloads in the service mesh. This provides management of identifiers for
all services in the cluster.
- uuid: FE110D6B-CCB5-41E8-B2DE-287ED843D417
control-id: ia-9
description: >-
Istio registers all workload identities in the service mesh.
The identity is transmitted in the mTLS certificate when establishing communication
between services, and is validated by Istio sidecars.
- uuid: 50EE9EB1-0DA4-411C-8771-AA1725B27E22
type: software
title: Jaeger
description: |
An open source, end-to-end distributed tracing system
purpose: Implementation of Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-8542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by jaeger for inheritance by applications
implemented-requirements:
- uuid: 1822457D-461B-482F-8564-8929C85C04DA
control-id: si-4.4
description: Jaeger is used, in conjunction with Istio configurations, to
collect and aggregate network communications within the system. This allows
the moniotiring of inbound/outbound traffic and payloads within the deployed
environment.
- uuid: A97D1364-BA7F-46AA-ADE6-1998E846E125
type: software
title: Kiali
description: |
A management console for Istio Service Mesh
purpose: Observibility into Istio Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: 6EC9C476-9C9D-4EF6-854B-A5B799D8AED1
control-id: si-4.10
description: Kiali provides visibility into mTLS settings of all Istio traffic
in the cluster.
- uuid: 4045FB97-C11A-4F3B-A021-FD94538F0356
type: software
title: Cluster Auditor
description: |
Aggregator of policy violtions in environment
purpose: Display policy violations
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: FD81FE18-FF28-4150-B05D-8001488282BC
control-id: ac-6.9
description: Cluster Auditor provides a record of policy violiations identified
by OPA Gatekeeper to the Monitoring stack
- uuid: CDA82D9B-70DC-469A-BE63-43DDA26DE6F2
control-id: au-2
description: Cluster Auditor has identified policy violations as events that
are recorded.
- uuid: B381423A-46E9-4E39-8B72-3ABBC46DE4B9
control-id: ca-7
description: 'Continuous monitoring of controls/violations of the system in
accordance with the Control Assessment Plan '
- uuid: 8078c070-2d5b-44b8-8fd1-47797fa12c6d
type: software
title: OPA Gatekeeper
description: "An application which assists in enforcing, monitoring, and remediating
policies in Kubernetes while strengthening governance of an environment. \n"
purpose: Monitors existing clusters, detects policy violations, and also acts
as a customizable Kubernetes Admission Webhook
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by <component> for inheritance by applications
implemented-requirements:
- uuid: c89a52f1-4d60-4d4e-9c4c-7c5eb04fe21a
control-id: au-2
description: OPA Gatekeeper provides policy violations events to Cluster Auditor
for event logging. The list of policies being audited is/will be captured
by the Policy Document in Gatekeeper's chart
- uuid: c38f765f-b706-4810-96b6-2971f37122df
control-id: au-3
description: 'Gatekeeper provides the policy being violated, the timestamp
of when it occured, the location (cluster/namespace), the object causing
the violation and whether it was in warn or deny mode. '
- uuid: f856dc53-1c3a-428e-83ff-65723c325dac
control-id: au-8
description: Gatekeeper policies have timestamps assoicated to when the violation
was found and identified. By logging policy violations into log messages
(via logDenies=true ), these logs are also available in the logging framework
- uuid: 41b6ce08-5827-4e08-8ff4-1a61a2e378f8
control-id: au-9
description: Access to the Gatekeeper violations are managed by/inherited
from the Kubernetes cluster
- uuid: da7ff1f0-2a16-491c-8854-788cc46cef3c
control-id: cm-1
description: Provides enforcement of configuration management policy
- uuid: ffb9f4b5-0bfe-4053-9e12-5657a1ceb0b9
control-id: cm-7.5
description: OPA Gatekeeper can prevent by default unauthorized changes to
the system.
- uuid: 07a4e16a-944b-4989-a6d8-057b545748d0
control-id: cm-11
description: Gatekeeper can provide the ability for end users to control the
policies that allow for the installation of end-user software. It also provides
the enforcement and monitoring
- uuid: 72d2434e-0dac-4267-8594-d2df5da6b22a
control-id: sa-9
description: Gatekeeper can ensure applications installed on the kubernetes
cluster meet policy requirements for manfiests
- uuid: BE039F48-F418-4D86-BD5F-8CE8CBEAD91E
type: software
title: Elasticsearch and Kibana
description: |
Deployment of Elasticsearch and Kibana for logging stack
purpose: Provides storage and UI for log aggregation in the cluster
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: 31ED9374-C146-4B40-ABD5-537B24DBDCEF
control-id: ac-6.9
description: Elasticsearch stores and aggregates privilege function calls
collected by fluentbt.
- uuid: 373074CC-F1EA-40CB-AD17-DB8F199D0600
control-id: au-4
description: Underlying log storage is elastically scaleable.
- uuid: 90FFF3BA-3E88-47AD-88B7-B50A92833A45
control-id: au-5
description: Kibana has the ability to alert based on events discovered in
Elastic indecies
- uuid: 3230D443-A18C-4F9B-A0DE-DC89CE5D01C8
control-id: au-5.1
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 98DE555D-1B90-475F-9C2E-954438172B39
control-id: au-9
description: Kibana provides ability to use Role Based Access Control to allow
for the indexes that store audit logs to be restricted to just cluster administrators
- uuid: 6ED4D692-F65F-40AB-AC3F-C056C2F41BD9
control-id: au-9.4
description: Kibana provides ability to use Role Based Access Control to allow
for the indexes that store audit logs to be restricted to just cluster administrators
- uuid: BE039F48-F418-4D86-BD5F-8CE8CBEAD91E
type: software
title: Fluentbit
description: |
Log collector
purpose: Collects logs from the cluster
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 6358159C-2710-46EF-ACC5-39FD3117391D
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: D9D09567-C4C7-4DEA-921C-6318DF2F9331
control-id: ac-6.9
description: Fluentbit can be configured to collect all logs from Kubernetes
and underlying operating systems, allowing the aggregation of privileged
function calls.
- uuid: 373074CC-F1EA-40CB-AD17-DB8F199D0600
control-id: au-2
description: |-
Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured:
* all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers) * all kubernetes api server requests * all events emitted by the kubelet
- uuid: 90FFF3BA-3E88-47AD-88B7-B50A92833A45
control-id: au-3
description: |-
Records captured by the logging daemon are enriched to ensure the following are always present:
* time of the event (UTC) * source of event (pod, namespace, container id)
Applications are responsible for providing all other information.
- uuid: 3230D443-A18C-4F9B-A0DE-DC89CE5D01C8
control-id: au-8
description: |-
Records captured by the logging daemon are enriched to ensure the following are always present:
* time of the event (UTC) * source of event (pod, namespace, container id)
Applications are responsible for providing all other information.
- uuid: 4045FB97-C11A-4F3B-A021-FD94538F0356
type: software
title: Monitoring
description: |
Aggregator of policy violtions in environment
purpose: Display policy violations
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: B5B39044-B02A-4655-B466-7586B24963A1
control-id: ac-6.9
description: 'Privileged events, including updating the deployment of an application,
or use of privileged containers are collected as metrics by prometheus and
displayed by Grafana '
- uuid: 8AE237CE-E7FF-42FE-B79F-2DF106B0CC09
control-id: au-2
description: "API endpoints suitable for capturing application level metrics
are present on each of the supported applications running as containers.
\ In addition, system and cluster level metrics are emitted by containers
with read only access to host level information.\nMetrics are captured and
stored by Prometheus, an web server capable of scraping endpoints formatted
in the appropriate dimensional data format. Metrics information is stored
on disk in a time series data base, and later queried through a separate
component providing a web interface for the query language: PromQL. "
- uuid: F2FFC2FD-6826-43EE-9922-705A76FE63CC
control-id: au-3.1
description: Grafana has pre-configured dashboards showing the audit records
from Cluster Auditor saved in Prometheus.
- uuid: B958C179-EE1F-40FC-BA2A-03B0072B20E6
control-id: au-4
description: Prometheus is the log aggregator for audit logs since it is used
to scrape/collect violations from ClusterAuditor. The storage capability
can be configured in prometheus to use PVCs to ensure metrics have log retention
complioance with the org-defined audit-log retention requirements
- uuid: 01975AD9-8F46-48EB-81F1-1DDEB6DB0882
control-id: au-5
description: Grafana and Alertmanager can both alert on prometheus metrics
and alerts can be created in either to support this control
- uuid: FA95745B-E13E-4153-ABEE-1970C315A381
control-id: au-5.1
description: Alertmanager has pre-built alerts for PVC storage thresholds
that would fire for PVCs supporting prometheus metrics storage
- uuid: 5D45F4A3-A37F-451D-9670-8FA9DFD1355F
control-id: au-5.2
description: |-
Alertmanager has pre-build alerts for failed pods that would show when ClusterAuditor is not processeing events, or prometheus is unable to scrape events.
Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration
- uuid: 603A45C9-E730-4321-B8AE-60D048E14BAB
control-id: au-6.1
description: Cluster Audtitor Events/Alerts could be exported from Prometheus
to an external system. Integration for specific tooling would need to be
completed by end user
- uuid: 92D322C1-B4D3-4842-8B06-538218AECA7D
control-id: au-6.3
description: Aggregating cluster auditor events across multiple sources (clusters)
is possible with a multi-cluster deployment of prometheus/grafana
- uuid: BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB
control-id: au-6.5
description: Cluster Auditor's audit data is consolidated with system monitoring
tooling (node exporters) for consolidated view to enhance inappropriate
or unusual activity
- uuid: 77C00727-4195-45A8-8BB6-534AE5889E71
control-id: au-6.6
description: Cluster Auditor data in prometheus would enable this, but would
require prometheus to also obtain access to physical metrics.
- uuid: 6F291DF6-5613-46DF-9D9A-AC7CEDFF4A7B
control-id: au-7
description: Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor
- uuid: 54D583CE-DB4A-4C03-902D-9A37949F4820
control-id: au-7.1
description: Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor
- uuid: 91D9D559-1666-420B-9F2B-240BC7CD1A3E
control-id: au-8
description: Prometheus stores all data as timeseries data, so the timestamps
of when those violitions were present is part of the datastream
- uuid: 2D7AB4A4-1AE7-45A6-BC56-9FBB6402AD98
control-id: au-9
description: Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Acces Control when using Grafana Enterprise.
- uuid: 58B88EBD-ABAD-4505-9243-809D8DEFAEF7
control-id: au-9.2
description: Prometheus can scrape external components outside of the system,
but this configuration is not easily supported as part of the current big
bang configuration of ClusterAuditor since external access to ClusterAuditor
metrics is not exposed via Istio
- uuid: 8178202C-6E6C-415A-8B0D-C486AAC85B3A
control-id: au-9.4
description: Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a datasource
by the use of Label Based Acces Control when using Grafana Enterprise.
- uuid: A471F648-C22C-4217-A3BA-1063E80B4BA3
control-id: au-12.1
description: Compatible metrics endpoints emitted from each application is
compiled by Prometheus and displayed through Grafana with associated timestamps
of when the data was collected
- uuid: 660B7C27-2997-4EB7-BA61-C66FEC2D1602
type: software
title: ArgoCD
description: |
A declarative GitOps continuous delivery tool for Kubernetes
purpose: GitOps continuous delivery
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 909C0D05-5BF7-4D89-B82F-38488A02CC85
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by ArgoCD for inheritance by applications
implemented-requirements:
- uuid: 4F924345-FED4-496B-91E3-5361F2B2F2DA
control-id: AC-5
description: ArgoCD can be configured for granular user access to certain
application deployments.
- uuid: 27C176A6-BF99-4BE9-9748-63C99C75328E
control-id: AC-6
description: ArgoCD can be configured per user with the least privilige needed.
- uuid: EC3BC1CA-4E31-4130-A246-D15857F1A6E7
control-id: AU-2
description: ArgoCD logs events related to the applicaction state itself,
i.e. start/stop failures.
- uuid: ACC00F83-5C88-44FA-A6CA-0AD68AD9E09F
control-id: AU-3
description: ArgoCD has a natural audit log for what changes were made to
an applications configuration, when they were made, and by who. This is
provided by the Git commit history in the GitOps workflow.
- uuid: C4E89AE2-3959-4828-B15F-7D4AD1BDB4BC
control-id: AC-7
description: ArgoCD rejects login attemps after too many failed in order to
prevent passsword brute-forcing. Proceted by the following components,
max fail count, failure window, max entry cache size, and max concurrent
login requests.
- uuid: 8B181052-6E36-4A12-A58B-4049F035021D
control-id: CM-2.2
description: ArgoCD provides the configuration management engine to ensure
CM-2 is met
- uuid: 48DBC6A1-28E4-4AF0-95F1-CB70EB818B3C
control-id: CM-2.3
description: ArgoCD / Git provides history for releases
- uuid: 21F72DBE-EA11-4E27-9AE3-82B08C4E16EA
control-id: CM-3
description: ArgoCD / Git enable teams to do this as part of their workflow
- uuid: A89D4C6B-C885-43A4-85A0-7BB1B33E20DF
control-id: CM-3.1
description: ArgoCD / Git provide automation of documentation, notifications
of upgrades to BB
- uuid: E3C277C6-A058-4595-B034-3BEE1D74AE51
control-id: CM-3.2
description: ArgoCD allows for workflows to be created by end users to deploy
exact configurations into stage/dev environment that mirror production.
- uuid: ADF0F06E-F773-43A2-BA91-109D4C3B8AF5
control-id: CM-4
description: BB/Git provides changelogs which identify changes to system via
upgrades
- uuid: A202F34E-1689-47A2-A55C-406C0437C7DD
control-id: CM-4.2
description: This current effort will provide controls explicitly as part
of the product to track how controls will change with upgrades
- uuid: 373DC91F-E590-44B5-B4B1-8DF8453EB9B9
control-id: CM-5.1
description: Use of ArgoCD/GitOps allows this to be inherited by management
in GitLab
- uuid: D2B04238-01DB-49B0-A787-069BE6D962C7
control-id: CM-6
description: ArgoCD manages application configuration settings controlled
in GitLab and ensures they match the expected state.
- uuid: 4EC8B133-3118-4429-A4F7-A1AF3737F5AD
control-id: CM-6.1
description: ArgoCD manages/applies and verifies configuration as code
- uuid: 8B027EED-6484-473A-B4F6-BADF9F55978D
control-id: CM-8
description: ArgoCD provides visualization of the deployed application and
configurations.
- uuid: 0323639F-85B3-4858-99A8-C69C0D6DA16F
control-id: CM-8.1
description: ArgoCD automatically updates its inventory when changes occur
to cluster resources.
- uuid: 53E65314-43DB-4464-B9B8-6075AA6B96AB
control-id: CM-8.2
description: ArgoCD maintains the currency, completeness, accuracy, and availability
of cluster resources by continuously reconciling the desired state in Git
to the actual state in Kubernetes.
- uuid: 593D198A-E5DF-429F-9BCB-EE5561B50522
control-id: CM-8.4
description: ArgoCD displays the name of an individual who made a Git commit
that resulted in changes to the system component inventory
- uuid: 6379A5B5-C5AC-4A30-AAC1-A40BB7AAABFC
control-id: CP-2
description: ArgoCD will restore applications it manages to the known GitOps
state in GitLab
- uuid: 4753C850-EC7C-47F2-AE55-541B73D3D957
control-id: CP-10
description: ArgoCD will restore applications it manages to the known GitOps
state in GitLab
- uuid: CBCC3D5C-03FE-4F6F-A587-6776813AA87B
control-id: CP-10.2
description: ArgoCD will restore applications it manages to the known GitOps
state in GitLab
- uuid: 28D7704A-7859-4A7E-9967-4E564D94BA93
control-id: CP-10.4
description: ArgoCD will restore applications it manages to the known GitOps
state in GitLab
- uuid: E70A5057-3BA4-4E62-8C74-ED19122BBA9E
type: software
title: Authservice
description: "an implementation of thee Envoy External Authorization focused on
handling AuthN/AuthZ \nfor Istio and Kubernetes.\n"
purpose: Provides authn/authz capabilites to applications via Istio Service Mesh
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-A542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by authservice for inheritance by applications
implemented-requirements:
- uuid: 6EC9C476-9C9D-4EF6-854B-A5B799D8AED1
control-id: ac-2.1
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 373074CC-F1EA-40CB-AD17-DB8F199D0600
control-id: ac-2.2
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 90FFF3BA-3E88-47AD-88B7-B50A92833A45
control-id: ac-2.3
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 3230D443-A18C-4F9B-A0DE-DC89CE5D01C8
control-id: ac-2.4
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 98DE555D-1B90-475F-9C2E-954438172B39
control-id: ac-8
description: Authservice allows the use of an extenrral idtntiy OIDC provider
for application login by configuring filter chain matching for hostname
(headers) for applications. This control can then be inherited by the Identity
Provider
- uuid: 6ED4D692-F65F-40AB-AC3F-C056C2F41BD9
control-id: ac-10
description: "Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application.\nBy
restricting the lifetime of the JWT, Authservice will reauthenticate the
user when it expires. The IdP can then implement concurrent session control,
enforced during reauthentication. This control can then be inherited from
the IdP. "
- uuid: 5D737AC5-0841-480E-87C0-DBBDE4F61F8E
control-id: ac-12
description: "Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application.\nBy
restricting the lifetime of the JWT, Authservice will reauthenticate the
user when it expires. The IdP can then implement concurrent session control,
enforced during reauthentication. This control can then be inherited from
the IdP. "
- uuid: CBBAA8D3-276F-40C2-8E55-02C883201123
control-id: ac-14
description: "Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application.\nBy
restricting the lifetime of the JWT, Authservice will reauthenticate the
user when it expires. The IdP can then implement concurrent session control,
enforced during reauthentication. This control can then be inherited from
the IdP. "
- uuid: 085E711D-A3E8-4CC2-B2E4-F1F0D1E9CE87
control-id: ia-2
description: Authservice maps user sessions to user identities in an IdP.
- uuid: FB487DED-D360-4988-BD1B-4FCFA351258A
control-id: ia-2.1
description: 'Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application. The
IdP can enforce multi-factor authentication for the client used by authservice.
This control can then be inherited from the IdP. '
- uuid: EC6FF902-2E29-4FEC-A5B7-F3DD1573F61A
control-id: ia-2.2
description: 'Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application. The
IdP can enforce multi-factor authentication for the client used by authservice.
This control can then be inherited from the IdP. '
- uuid: B41B29FF-131D-4CD8-9275-9E0391BA35C5
control-id: ia-2.8
description: 'Allows the use of an external identiy OIDC provider for application
login by configuring filter chain matching hostname for application. The
IdP and OIDC protocol use "nonce" and "state" fields for replay resistance.
This control can then be inherited from the IdP. '
- uuid: 8BD41F8B-3072-4AAD-A7E2-1DFC24F6D0C5
control-id: ia-3
description: 'Allows the use of an external identity OIDC provider for application
login by configuring a filter chain that matches the application's hostname. The
IdP can be configured to uniquely identify and authenticate devices before
establishing connections. This control can then be inherited from the IdP. '
- uuid: 2519BEBB-327B-4E03-BA47-423D96114EE4
control-id: ia-4
description: 'Authservice retrieves JWT identifiers from the IdP, which include
various "claims", including the username of individuals and a list of "groups"
(roles) the user has access to. This control can then be inherited from
the IdP. '
- uuid: F391AA9E-5EDB-483E-8EC2-60CA9602B1EF
control-id: ia-4.4
description: 'Authservice retrieves JWT identifiers from the IdP, which include
various "claims", such as a list of "groups" (status) that apply to
the user. This control can then be inherited from the IdP. '
- uuid: 59AECD61-0244-4930-897C-EAFA9D423F7F
control-id: ia-5
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: FF69FC29-C3E0-4B02-948E-CF375F93AF05
control-id: ia-5.1
description: "Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. \nAuthservice
does NOT use the OAuth Resource Owner Password Credentials Flow, so no passwords
are transmitted by Authservice."
- uuid: 1489616B-8A08-437A-8EE8-E86E10C64D94
control-id: ia-5.2
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 2B01945F-2793-4CA1-BD40-B236A190EE66
control-id: ia-5.6
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: B48BD91F-5A89-4653-89C5-45EC55267049
control-id: ia-6
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: BC78A59A-7E43-4F27-8961-7DD8957499D7
control-id: ia-8.1
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 13E81A49-24C1-4E05-8E5F-F50402FEEE54
control-id: ia-8.2
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 475636F6-74AC-4E12-938C-BA92999A34AF
control-id: ia-8.5
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 63130DA3-52C8-402A-9CB9-1DE9AF62DE5E
control-id: ia-10
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 9DA88C51-E81D-4D02-8B51-33CF15F5C46C
control-id: ia-11
description: "Allows the use of an external identity OIDC provider for application
login by configuring a filter chain that matches the application's hostname.\nBy
restricting the lifetime of the JWT, Authservice will reauthenticate the
user when it expires. The IdP can then implement concurrent session control,
enforced during reauthentication. This control can then be inherited from
the IdP. "
- uuid: 86C613C9-D6AC-4DF1-B8A2-5C51654CB933
control-id: ia-12
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: FA83073D-77E5-4DAA-A1A3-88FAD126ED50
control-id: ia-12.2
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: AFA5160F-11C1-471E-94E0-8B8E5D2C9050
control-id: ia-12.3
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 4284CA32-4CB9-484B-A769-34D6C1364F22
control-id: ia-12.4
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 1906F9E4-6E82-46A5-A575-70FA0F2E131E
control-id: ia-12.4
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: C9C67A58-CBA4-4F9D-92A6-B73068C7F3AD
control-id: ia-12.5
description: 'Authservice does not manage authenticators, they are managed
by the IdP. This control can then be inherited from the IdP. '
- uuid: 3127D34A-517B-473B-83B0-6536179ABE38
type: software
title: Velero
description: |
Velero is an open source tool to safely back up and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes
purpose: Provides backup and restore capabilities to a Kubernetes cluster
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 5108E5FC-C45F-477B-8542-9C5611A92485
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by velero for inheritance by applications
implemented-requirements:
- uuid: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93
control-id: cp-6
description: Velero can take backups of your application configuration/data
and store them off-site in either an approved cloud environment or on-premise
location.
- uuid: 6C3339A0-9636-4E35-8FA8-731CF900B326
control-id: cp-6.1
description: Velero can take backups of your application configuration/data
and store them off-site in either an approved cloud environment or on-premise
location.
- uuid: 2799CCBF-C48D-4451-85BA-EBD9B949C361
control-id: cp-6.2
description: Velero can restore application configuration/data from an approved
cloud provider or on-premise location on-demand.
- uuid: 0AE59B43-50A7-4420-881B-E0635CCB8424
control-id: cp-6.3
description: Velero supports back-ups to multiple cloud environments (including
geo-separated locations for high availability) and on-premise environments
in the event of an accessibility disruption.
- uuid: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574
control-id: cp-7
description: Velero can restore application configuration/data from an approved
cloud provider or on-premise location to an alternative deployment environment
on-demand.
- uuid: D74C3A8C-E5B0-4F81-895D-FB2A318D723B
control-id: cp-7.1
description: Velero supports back-ups to and restores from multiple cloud
environments (including geo-separated locations for high availability) and
on-premise environments in the event of an accessibility disruption.
- uuid: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC
control-id: cp-7.2
description: Velero supports back-ups to and restores from multiple cloud
environments (including geo-separated locations for high availability) and
on-premise environments in the event of an accessibility disruption.
- uuid: 5B0AA4CB-9C49-4D32-8242-5631788BD941
control-id: cp-9
description: |-
"Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes:
- System components/data.
- User-level information/application metadata.
- User-level storage/data.
- Scheduled back-ups with configurable scopes.
- Multi-cloud and on-premise support for availability of backup."
- uuid: 8E5917F3-3E45-46C1-8585-48550E19AFFB
control-id: cp-9.1
description: Velero provides feedback/logging of back-up status for configuration/data
via kubectl or the Velero CLI tool. Velero can restore your production configuration/data
to a validation environment to ensure reliability/integrity.
- uuid: 51191D0E-0C7B-4D2D-861D-202AC8C505CF
control-id: cp-9.2
description: Velero can be configured to restore only certain components of
a back-up when necessary.
- uuid: C650411C-33FD-4B59-8899-AC34B43C860F
control-id: cp-9.3
description: Velero supports back-ups to multiple cloud environments (including
geo-separated locations for high availability) and on-premise environments.
- uuid: 8AB09B17-301B-4836-835B-9CE22A9E2300
control-id: cp-9.5
description: 'Velero gives you tools to back up and restore your Kubernetes
cluster resources and persistent volumes. You can run Velero with a cloud
provider or on-premises. This includes: - System components/data. - User-level
information/application metadata. - User-level storage/data. - Scheduled
back-ups with configurable scopes. - Multi-cloud and on-premise support
for availability of backup.'
- uuid: 7FACB782-C183-4585-8C0B-17824438FEA6
control-id: cp-9.8
description: Velero supports encryption of backups via its supported providers'
encryption support/mechanisms.
- uuid: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C
control-id: cp-10
description: Velero can restore application configuration/data from an approved
cloud provider or on-premise location on-demand.
- uuid: 3EA444B7-61ED-43DD-8B3D-24B55F286E59
control-id: cp-10.4
description: 'Velero gives you tools to back up and restore your Kubernetes
cluster resources and persistent volumes. You can run Velero with a cloud
provider or on-premises. This includes: - System components/data. - User-level
information/application metadata. - User-level storage/data. - Scheduled
back-ups with configurable scopes. - Multi-cloud and on-premise support
for availability of backup.'
- uuid: 13936e92-24bd-4948-abe6-af88422174aa
type: software
title: Keycloak
description: |
An implementation of a customizable Keycloak for single sign-on (SSO) with Identity and Access Management
purpose: Provides user federation, strong authentication, user management, fine-grained
authorization.
responsible-roles:
- role-id: provider
party-uuids:
- 72134592-08C2-4A77-ABAD-C880F109367A
control-implementations:
- uuid: 44bb0268-355d-455b-be33-7fc6ecc89668
source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
description: Controls implemented by Keycloak for inheritance by applications
implemented-requirements:
- uuid: 045bbf72-d7d1-4763-a997-caf62785b2aa
control-id: ac-1
description: |-
System-level access controls
Keycloak supports fine-grained authorization policies and is able to combine different access control mechanisms such as:
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- User-based access control (UBAC)
- Context-based access control (CBAC)
- Rule-based access control
- Using JavaScript
- Time-based access control
- Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)
Keycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services.
Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.
Permissions can be created to protect two main types of objects:
- Resources: resource-based permission defines a set of one or more resources to protect using a set of one or more authorization policies.
- Scopes: scope-based permissions defines a set of one or more scopes to protect using a set of one or more authorization policies. Unlike resource-based permissions, you can use this permission type to create permissions not only for a resource, but also for the scopes associated with it, providing more granularity when defining the permissions that govern your resources and the actions that can be performed on them.
https://www.keycloak.org/docs/latest/authorization_services/
Organizational access controls
Organizational roles could be broken down into cluster admins, resource owners / administrators, clients / users
- uuid: 86815b87-fc12-432b-9d0a-77492186ad6e
control-id: ac-2
description: |-
Big Bang implements a custom plugin to handle account management, found here (https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/main/development). Through this plugin, logic is implemented to control automated registration and ties into DoD PKI validation/verification. Additionally, this plugin validates group membership in conjunction with Keycloak Clients to prohibit/allow access to various resources behind the single sign-on solution.
a/c. non-privileged users are prohibited by the keycloak plugin and declarative group structure defined here (https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/main/development). Privileged users follow a similar posture combined with other solutions to prohibit access to resources based on group membership.
b. Keycloak can be configured for fine grain permissions to assign account managers, additionally the custom plugin allows configuration of groups with specific permissions within the keycloak web UI console.
d (1-3). Declarative groups specify authorized users, groups, and roles. Access authorizations and assignment is related to Day 2 operations of keycloak and may vary between organizations.
e. Handled by Day 2 operations of keycloak.
f. Declarative groups assist in the handling of accounts, but ultimately it is a Day 2 operation.
g. The Keycloak web UI has a queryable audit logging feature, and backend logs can be monitored.
h. Handled by Day 2 operations of keycloak.
i. Handled by Day 2 operations of keycloak.
j. Mostly, handled by Day 2 operations of keycloak. However, built in registration flow validates and verifies DoD level authorization.
k. Handled by Day 2 operations of keycloak.
l. Handled by Day 2 operations of keycloak.
- uuid: 477fbb45-8837-4755-a1f2-6d1843b7bedb
control-id: ac-2.1
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
- uuid: 440ef311-2711-4bb0-9dd8-438d196e84e5
control-id: ac-2.2
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
- uuid: 9a76f468-1daa-49ca-9582-7c17751f41bc
control-id: ac-2.3
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
- uuid: 93d0b28b-bcf4-4e45-a5e0-f5d1b0ce9d26
control-id: ac-2.4
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
- uuid: 6c10ca0e-7b91-45ab-b066-949bdfba126a
control-id: ac-2.5
description: Keycloak is configured with login timeouts, session tokens, etc.,
which are managed under realm settings/tokens.
- uuid: 473ce520-ed39-4d88-9433-2a04cc451b16
control-id: ac-2.12
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured and automated via email, external webhook, and logging
stack monitored by admins to notify when an account is created, enabled,
modified, disabled, or removed, or when users are terminated or transferred.
- uuid: cb4929fc-3685-45e4-8720-405dc5ed9ea3
control-id: ac-2.13
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured and automated via email, external webhook, and logging
stack monitored by admins to notify when an account is created, enabled,
modified, disabled, or removed, or when users are terminated or transferred.
- uuid: b704526e-e18f-46ec-8072-2e361115265a
control-id: ac-3
description: Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak
and the enforcement of approved authorizations for logical access to information
and system resources.
- uuid: ef73dc31-ab9a-4d67-b5b8-c042e47aba25
control-id: ac-4
description: Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from istio via network policies, virtual services and gateway
configs.
- uuid: 34ea5ae5-3525-4a81-974f-a73e1999610f
control-id: ac-4.4
description: Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from istio via network policies, virtual services and gateway
configs.
- uuid: 25a717a7-3f1f-4d24-9cc1-701be6f97df9
control-id: ac-5
description: Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from istio via network policies, virtual services and gateway
configs.
- uuid: 28fba4bc-e1ae-4164-9673-6ed90d93a7c0
control-id: ac-6
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 2f8de149-d07f-4e8a-8baf-5bdbace0cf8d
control-id: ac-6.1
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 5a04932c-05cf-489a-932c-cb31b9480b73
control-id: ac-6.2
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 337a9b7f-71d0-46ef-aaa2-af5367d9b371
control-id: ac-6.5
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 6de217bb-f767-4af0-b813-b54df9baf173
control-id: ac-6.7
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 59032e55-f51e-4a0d-9394-7474631005ec
control-id: ac-6.9
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: ad95419d-4506-48b0-a736-723724acea34
control-id: ac-6.10
description: Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
- uuid: 16088314-7668-41a2-9ee1-a7128d6c209e
control-id: ac-7
description: 'Keycloak has brute force protection which has three components:
max login failures, quick login check (time between failures) & minimum
quick login check wait (time user will be disabled when multiple login failures
are detected)'
- uuid: 35992922-7375-45fc-bac1-1a6b551a76b9
control-id: ac-8
description: Keycloak has a standard DoD login banner; see https://login.dso.mil
- uuid: 2a99e48f-6631-4ff7-b955-b73caafdedac
control-id: ac-10
description: Keycloak does not satisfy this control natively; however, you
can implement "only one session per user" behavior with an `EventListenerProvider`:
on every LOGIN event, delete all of the user's sessions except the current
one.
- uuid: 77c2aa64-ab6b-4508-b6f6-fcca929de9ab
control-id: ac-12
description: Keycloak does not satisfy this control natively; however, you
can implement session behaviors with an `EventListenerProvider`.
- uuid: 3b38e765-41f8-4ea6-90dc-b4a1845b62cc
control-id: ac-14
description: Keycloak has the ability to allow anonymous access to a resource
if the Client Access Type is set to public.
- uuid: 9bd24189-a9f7-4ddb-98fb-ba259b46b459
control-id: ac-17.1
description: Keycloak manages remote access to other applications through
IAM.
- uuid: 3e901895-d5da-48a0-8317-56b456371243
control-id: ac-17.2
description: Through EventListeners, Keycloak can either ship logs to a SIEM,
which could alert on remote session events, or, with custom SPIs, Keycloak
can perform an action directly on events. A VPN client would need to use
Keycloak as its SSO to generate these events.
- uuid: 66bc3835-8369-48ec-b54f-ca5ca034e2fd
control-id: ac-17.3
description: Keycloak can restrict access to control points through IAM, but
a VPN solution like Appgate would be better suited working with Keycloak.
- uuid: f6e0f2a4-c729-4335-97f4-b16fb49d27f9
control-id: ac-17.4
description: Keycloak can support a VPN or other remote management system
as its IAM to support remote access control.
- uuid: 6a948220-d3ef-4357-989a-38e25f27eb3f
control-id: au-2
description: Keycloak captures user and admin events and can ship them out
to a logging server for analysis or trigger an action on specific event
via customizable EventListeners.
- uuid: 4b4d19b0-b8e1-4fdd-b57b-448f4e163342
control-id: au-3
description: Keycloak events contain what, when, where, source, and objects/entities
for policy violations.
- uuid: 35b33698-d3c5-496e-9cb4-4524c63e2fac
control-id: au-3.1