Danny Gershman authored
oscal-component.yaml 60.11 KiB
component-definition:
  uuid: "4DEDC09C-B2ED-407B-82C6-229F77DDDC8C"
  metadata:
    title: Big Bang
    last-modified: '2022-06-06T15:26:59.676009+00:00'
    version: 1.39.0
    oscal-version: 1.0.4
    parties:
      - uuid: 72134592-08C2-4A77-ABAD-C880F109367A
        type: organization
        name: Platform One
        links:
          - href: https://p1.dso.mil
            rel: website
  components:
    - uuid: 81F6EC5D-9B8D-408F-8477-F8A04F493690
      type: software
      title: Istio Controlplane
      description: |
        Istio Service Mesh
      purpose: Istio Service Mesh
      responsible-roles:
        - role-id: provider
          party-uuids:
            - 72134592-08C2-4A77-8BAD-C880F109367A
      control-implementations:
        - uuid: 06717F3D-CE1E-494C-8F36-99D1316E0D13
          source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
          description:
            Controls implemented by authservice for inheritance by applications
          implemented-requirements:
            - uuid: 1822457D-461B-482F-8564-8929C85C04DB
              control-id: ac-3
              description: >-
                Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these
                policies.
            - uuid: D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
              control-id: ac-4
              description: >-
                All HTTP(S) connections into the system via Istio ingress gateways
                and throughout the system with Istio sidecars.
            - uuid: 1D1E8705-F6EB-4A21-A24F-1DF7427BA491
              control-id: ac-4.4
              description: >-
                All encrypted HTTPS connections are terminated at the istio ingress
                gateway.
            - uuid: CD1315BF-91FE-490A-B6A6-5616690D78A8
              control-id: ac-6.3
              description: >-
                Can be configured with an "admin" gateway to restrict access
                to applications that only need sysadmin access. Not standard in BB itself
                though.
            - uuid: 6109E09A-8279-44AB-8CA4-2051AF895648
              control-id: ac-14
              description: >-
                Istio RequestAuthentication and AuthorizationPolicies are applied
                after Authservice. Istio is configured to only allow access to applications
                if they have a valid JWT, denying access by default. Applications that do
                not use Authservice do not have these policies.
            - uuid: 9B6BA674-E6ED-4FB6-B216-3C8733F36411
              control-id: au-2
              description: >-
                Istio provides access logs for all HTTP network requests, including
                mission applications.
            - uuid: D3CBC898-F938-4FAA-B1B1-2597A69B5600
              control-id: au-3
              description: >-
                By default, Istio uses the Common Log Format with additional information for access logs.
                The default configuration does not include the identity of individuals associated with the event.
            - uuid: D01F6B2D-F18E-47E9-94DC-95C0B5675E13