UNCLASSIFIED - NO CUI

oscal-component.yaml 52.28 KiB
component-definition:
  uuid: ""
  metadata:
    title: "Big Bang"
    # OSCAL requires an RFC 3339 date-time with a time zone here
    last-modified: '2022-05-17T11:21:00Z'
    version: "1.33.0"
    oscal-version: "1.0.0"
    parties:
    - uuid: 72134592-08C2-4A77-ABAD-C880F109367A
      type: organization
      name: Platform One
      links:
      - href: https://p1.dso.mil
        rel: website
  components:
  - uuid: 81F6EC5D-9B8D-408F-8477-F8A04F493690
    type: software
    title: Istio Controlplane
    description: |
      Istio Service Mesh
    purpose: Istio Service Mesh
    responsible-roles:
    - role-id: provider
      party-uuid: 72134592-08C2-4A77-ABAD-C880F109367A
    control-implementations:
    - uuid: 06717F3D-CE1E-494C-8F36-99D1316E0D13
      source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
      description: Controls implemented by authservice for inheritance by applications
      implemented-requirements:
      - uuid: 1822457D-461B-482F-8564-8929C85C04DB
        control-id: ac-3
        description: |-
          Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these policies.
      - uuid: D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
        control-id: ac-4
        description: All HTTP(S) connections into the system are controlled via Istio
          ingress gateways, and all connections throughout the system are controlled
          by Istio sidecars.
      - uuid: 1D1E8705-F6EB-4A21-A24F-1DF7427BA491
        control-id: ac-4.4
        description: All encrypted HTTPS connections are terminated at the istio ingress
          gateway.
      - uuid: CD1315BF-91FE-490A-B6A6-5616690D78A8
        control-id: ac-6.3
        description: Can be configured with an "admin" gateway to restrict access
          to applications that only need sysadmin access. Not standard in BB itself
          though.
      - uuid: 6109E09A-8279-44AB-8CA4-2051AF895648
        control-id: ac-14
        description: Istio RequestAuthentication and AuthorizationPolicies are applied
          after Authservice. Istio is configured to only allow access to applications
          if they have a valid JWT, denying access by default. Applications that do
          not use Authservice do not have these policies.
      - uuid: 9B6BA674-E6ED-4FB6-B216-3C8733F36411
        control-id: au-2
        description: Istio provides access logs for all HTTP network requests, including
          mission applications.
      - uuid: D3CBC898-F938-4FAA-B1B1-2597A69B5600
        control-id: au-3
        description: |-
          By default, Istio uses the Common Log Format with additional information for access logs.
          The default configuration does not include the identity of individuals associated with the event.
      - uuid: D01F6B2D-F18E-47E9-94DC-95C0B5675E13
        control-id: cm-5
        description: Configured via Kubernetes resources. Inherited from cluster and
          flux/ArgoCD.
      - uuid: 6370B2DA-1E35-4916-8591-91FB9EDBE72B
        control-id: cm-8
        description: Provides an inventory of all workloads (including mission apps)
          in the service mesh, viewable in Kiali.