description:Controls implemented by authservice for inheritance by applications
implemented-requirements:
-uuid:1822457D-461B-482F-8564-8929C85C04DB
control-id:ac-3
description:|-
Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these
policies.
-uuid:D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
control-id:ac-4
description:All HTTP(S) connections into the system pass through Istio ingress
gateways, and connections throughout the system pass through Istio sidecars.
-uuid:1D1E8705-F6EB-4A21-A24F-1DF7427BA491
control-id:ac-4.4
description:All encrypted HTTPS connections are terminated at the Istio ingress
gateway.
-uuid:CD1315BF-91FE-490A-B6A6-5616690D78A8
control-id:ac-6.3
description:Can be configured with an "admin" gateway to restrict access
to applications that only need sysadmin access. Not standard in BB itself
though.
-uuid:6109E09A-8279-44AB-8CA4-2051AF895648
control-id:ac-14
description:Istio RequestAuthentication and AuthorizationPolicies are applied
after Authservice. Istio is configured to only allow access to applications
if they have a valid JWT, denying access by default. Applications that do
not use Authservice do not have these policies.
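The pattern the ac-3 and ac-14 statements describe, as an added example (not Big Bang's own manifests): a RequestAuthentication that validates JWTs from the identity provider, a namespace-wide empty AuthorizationPolicy that denies everything by default, and an ALLOW policy that admits only requests carrying a valid token. The namespace, the `app: myapp` label, the issuer and the jwksUri are placeholders.

```yaml
# Added example, not Big Bang's own configuration. Placeholders: namespace "myapp",
# label app=myapp, issuer and jwksUri.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-jwt
  namespace: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  jwtRules:
  - issuer: "https://login.example.mil/auth/realms/example"   # must match the token's iss claim exactly
    jwksUri: "https://login.example.mil/auth/realms/example/protocol/openid-connect/certs"
    forwardOriginalToken: true   # keep the Authorization header for the application
---
# Deny by default: an AuthorizationPolicy with an empty spec and no selector
# applies to every workload in the namespace and matches no request.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: myapp
spec: {}
---
# Admit only requests whose JWT was validated by the RequestAuthentication above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-valid-jwt
  namespace: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # "<iss>/<sub>" of a validated token; absent when no token was sent
```

The caveat worth checking in any deployment: a RequestAuthentication on its own only rejects requests that carry an invalid token; a request with no token at all is passed through with no principal. It is the `requestPrincipals: ["*"]` rule, evaluated against the deny-all baseline, that turns "valid JWT" into a requirement rather than an option. Workloads in the namespace that are not covered by the ALLOW policy stay denied.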
-uuid:9B6BA674-E6ED-4FB6-B216-3C8733F36411
control-id:au-2
description:Istio provides access logs for all HTTP network requests, including
mission applications.
-uuid:D3CBC898-F938-4FAA-B1B1-2597A69B5600
control-id:au-3
description:|-
By default, Istio uses the Common Log Format with additional information for access logs.
The default configuration does not include the identity of individuals associated with the event.
-uuid:D01F6B2D-F18E-47E9-94DC-95C0B5675E13
control-id:cm-5
description:Configured via Kubernetes resources. Inherited from cluster and
description:Controls implemented by authservice for inheritance by applications
implemented-requirements:
-uuid:D9D09567-C4C7-4DEA-921C-6318DF2F9331
control-id:ac-6.9
description:Fluentbit can be configured to collect all logs from Kubernetes
and underlying operating systems, allowing the aggregation of privileged
function calls.
-uuid:373074CC-F1EA-40CB-AD17-DB8F199D0600
control-id:au-2
description:|-
Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured:
* all containers emitting to STDOUT or STDERR (captured by the container runtime, which writes container logs to /var/log/containers)
* all Kubernetes API server requests
* all events emitted by the kubelet
-uuid:90FFF3BA-3E88-47AD-88B7-B50A92833A45
control-id:au-3
description:|-
Records captured by the logging daemon are enriched to ensure the following are always present:
* time of the event (UTC)
* source of the event (pod, namespace, container id)
Applications are responsible for providing all other information.
-uuid:3230D443-A18C-4F9B-A0DE-DC89CE5D01C8
control-id:au-8
description:|-
Records captured by the logging daemon are enriched to ensure the following are always present:
* time of the event (UTC)
* source of the event (pod, namespace, container id)
Applications are responsible for providing all other information.
description:Grafana has pre-configured dashboards showing the audit records
from Cluster Auditor saved in Prometheus.
-uuid:B958C179-EE1F-40FC-BA2A-03B0072B20E6
control-id:au-4
description:Prometheus is the aggregator for audit records, since it is used
to scrape/collect violations from ClusterAuditor. Prometheus storage can be
backed by PVCs and its retention period configured so that metric retention
complies with the org-defined audit-log retention requirements.
-uuid:01975AD9-8F46-48EB-81F1-1DDEB6DB0882
control-id:au-5
description:Grafana and Alertmanager can both alert on Prometheus metrics;
alerts can be created in either to support this control.
-uuid:FA95745B-E13E-4153-ABEE-1970C315A381
control-id:au-5.1
description:Alertmanager has pre-built alerts for PVC storage thresholds
that would fire for the PVCs backing Prometheus metrics storage.
-uuid:5D45F4A3-A37F-451D-9670-8FA9DFD1355F
control-id:au-5.2
description:|-
Alertmanager has pre-built alerts for failed pods that would fire when ClusterAuditor is not processing events or Prometheus is unable to scrape them.
Prometheus also has a dead man's switch alert (an alert that is always firing) as part of its configuration, so end users can confirm they are still receiving alerts from Prometheus.
-uuid:603A45C9-E730-4321-B8AE-60D048E14BAB
control-id:au-6.1
description:Cluster Auditor events/alerts could be exported from Prometheus
to an external system. Integration with specific tooling would need to be
completed by the end user.
-uuid:92D322C1-B4D3-4842-8B06-538218AECA7D
control-id:au-6.3
description:Aggregating cluster auditor events across multiple sources (clusters)
is possible with a multi-cluster deployment of prometheus/grafana
-uuid:BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB
control-id:au-6.5
description:Cluster Auditor's audit data is consolidated with system monitoring
tooling (node exporters) into a single view to enhance detection of inappropriate
or unusual activity.
-uuid:77C00727-4195-45A8-8BB6-534AE5889E71
control-id:au-6.6
description:Cluster Auditor data in Prometheus would enable this, but Prometheus
would also need access to metrics from physical monitoring.
-uuid:6F291DF6-5613-46DF-9D9A-AC7CEDFF4A7B
control-id:au-7
description:Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor
-uuid:54D583CE-DB4A-4C03-902D-9A37949F4820
control-id:au-7.1
description:Grafana is configured with a pre-built dashboard for policy violations
that displays data collected by Cluster Auditor
-uuid:91D9D559-1666-420B-9F2B-240BC7CD1A3E
control-id:au-8
description:Prometheus stores all data as time series, so the timestamps
of when those violations were present are part of the data stream.
-uuid:2D7AB4A4-1AE7-45A6-BC56-9FBB6402AD98
control-id:au-9
description:Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a data source
by the use of Label Based Access Control when using Grafana Enterprise.
-uuid:58B88EBD-ABAD-4505-9243-809D8DEFAEF7
control-id:au-9.2
description:Prometheus can scrape external components outside of the system,
but this configuration is not easily supported as part of the current Big
Bang configuration of ClusterAuditor, since external access to ClusterAuditor
metrics is not exposed via Istio.
-uuid:8178202C-6E6C-415A-8B0D-C486AAC85B3A
control-id:au-9.4
description:Grafana has the ability to provide Role Based Access Control
to limit the data sources that end users can view by leveraging an identity
provider. Grafana can also limit users to subsets of metrics within a data source
by the use of Label Based Access Control when using Grafana Enterprise.
-uuid:A471F648-C22C-4217-A3BA-1063E80B4BA3
control-id:au-12.1
description:Compatible metrics endpoints exposed by each application are
scraped by Prometheus and displayed through Grafana with associated timestamps.
description:Controls implemented by velero for inheritance by applications
implemented-requirements:
-uuid:2ADA7512-E0D5-4CAE-81BC-C889C640AF93
control-id:cp-6
description:Velero can take backups of your application configuration/data
and store them off-site in either an approved cloud environment or on-premise
location.
-uuid:6C3339A0-9636-4E35-8FA8-731CF900B326
control-id:cp-6.1
description:Velero can take backups of your application configuration/data
and store them off-site in either an approved cloud environment or on-premise
location.
-uuid:2799CCBF-C48D-4451-85BA-EBD9B949C361
control-id:cp-6.2
description:Velero can restore application configuration/data from an approved
cloud provider or on-premise location on-demand.
-uuid:0AE59B43-50A7-4420-881B-E0635CCB8424
control-id:cp-6.3
description:Velero supports backups to multiple cloud environments (including
geo-separated locations for high availability) and on-premise environments
in the event of an accessibility disruption.
-uuid:B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574
control-id:cp-7
description:Velero can restore application configuration/data from an approved
cloud provider or on-premise location to an alternative deployment environment
on-demand.
-uuid:D74C3A8C-E5B0-4F81-895D-FB2A318D723B
control-id:cp-7.1
description:Velero supports backups to and restores from multiple cloud
environments (including geo-separated locations for high availability) and
on-premise environments in the event of an accessibility disruption.
-uuid:72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC
control-id:cp-7.2
description:Velero supports backups to and restores from multiple cloud
environments (including geo-separated locations for high availability) and
on-premise environments in the event of an accessibility disruption.
-uuid:5B0AA4CB-9C49-4D32-8242-5631788BD941
control-id:cp-9
description:|-
"Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes:
- System components/data.
- User-level information/application metadata.
- User-level storage/data.
- Scheduled back-ups with configurable scopes.
- Multi-cloud and on-premise support for availability of backup."
-uuid:8E5917F3-3E45-46C1-8585-48550E19AFFB
control-id:cp-9.1
description:Velero provides feedback/logging of backup status for configuration/data
via kubectl or the Velero CLI tool. Velero can restore your production configuration/data
to a validation environment to ensure reliability/integrity.
-uuid:51191D0E-0C7B-4D2D-861D-202AC8C505CF
control-id:cp-9.2
description:Velero can be configured to restore only certain components of
a back-up when necessary.
-uuid:C650411C-33FD-4B59-8899-AC34B43C860F
control-id:cp-9.3
description:Velero supports backups to multiple cloud environments (including
geo-separated locations for high availability) and on-premise environments.
description:Controls implemented by Keycloak for inheritance by applications
implemented-requirements:
-uuid:045bbf72-d7d1-4763-a997-caf62785b2aa
control-id:ac-1
description:|-
System-level access controls
Keycloak supports fine-grained authorization policies and is able to combine different access control mechanisms such as:
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- User-based access control (UBAC)
- Context-based access control (CBAC)
- Rule-based access control (using JavaScript)
- Time-based access control
- Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)
Keycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services.
Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.
Permissions can be created to protect two main types of objects:
- Resources: resource-based permission defines a set of one or more resources to protect using a set of one or more authorization policies.
- Scopes: scope-based permissions defines a set of one or more scopes to protect using a set of one or more authorization policies. Unlike resource-based permissions, you can use this permission type to create permissions not only for a resource, but also for the scopes associated with it, providing more granularity when defining the permissions that govern your resources and the actions that can be performed on them.
Organizational roles could be broken down into cluster admins, resource owners / administrators, and clients / users.
-uuid:86815b87-fc12-432b-9d0a-77492186ad6e
control-id:ac-2
description:|-
Big Bang implements a custom plugin to handle account management, found here (https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/main/development). Through this plugin, logic is implemented to control automated registration and tie into DoD PKI validation/verification. Additionally, this plugin validates group membership in conjunction with Keycloak Clients to prohibit/allow access to various resources behind the single sign-on solution.
a/c. Non-privileged users are restricted by the Keycloak plugin and the declarative group structure defined here (https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/main/development). Privileged users follow a similar posture, combined with other solutions, to restrict access to resources based on group membership.
b. Keycloak can be configured with fine-grained permissions to assign account managers; additionally, the custom plugin allows configuration of groups with specific permissions within the Keycloak web UI console.
d (1-3). Declarative groups specify authorized users, groups, and roles. Access authorizations and assignment are part of Day 2 operations of Keycloak and may vary between organizations.
e. Handled by Day 2 operations of Keycloak.
f. Declarative groups assist in the handling of accounts, but ultimately it is a Day 2 operation.
g. The Keycloak web UI has a queryable audit logging feature, and backend logs can be monitored.
h. Handled by Day 2 operations of Keycloak.
i. Handled by Day 2 operations of Keycloak.
j. Mostly handled by Day 2 operations of Keycloak; however, the built-in registration flow validates and verifies DoD-level authorization.
k. Handled by Day 2 operations of Keycloak.
l. Handled by Day 2 operations of Keycloak.
-uuid:477fbb45-8837-4755-a1f2-6d1843b7bedb
control-id:ac-2.1
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
-uuid:440ef311-2711-4bb0-9dd8-438d196e84e5
control-id:ac-2.2
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
-uuid:9a76f468-1daa-49ca-9582-7c17751f41bc
control-id:ac-2.3
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
-uuid:93d0b28b-bcf4-4e45-a5e0-f5d1b0ce9d26
control-id:ac-2.4
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured to notify when an account is created, enabled, modified,
disabled, or removed, or when users are terminated or transferred.
-uuid:6c10ca0e-7b91-45ab-b066-949bdfba126a
control-id:ac-2.5
description:Keycloak is configured with login timeouts, session and token
lifetimes, etc., which are managed under Realm Settings > Tokens.
-uuid:473ce520-ed39-4d88-9433-2a04cc451b16
control-id:ac-2.12
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured and automated via email, external webhook, and logging
stack monitored by admins to notify when an account is created, enabled,
modified, disabled, or removed, or when users are terminated or transferred.
-uuid:cb4929fc-3685-45e4-8720-405dc5ed9ea3
control-id:ac-2.13
description:Keycloak allows the creation of clients that provide login to
app via Keycloak, allowing account management to be inherited from keycloak.
There are roughly 30 different event types in keycloak and an event listener
can be configured and automated via email, external webhook, and logging
stack monitored by admins to notify when an account is created, enabled,
modified, disabled, or removed, or when users are terminated or transferred.
-uuid:b704526e-e18f-46ec-8072-2e361115265a
control-id:ac-3
description:Keycloak allows the creation of clients that provide login to
an app via Keycloak, allowing account management to be inherited from Keycloak
and the enforcement of approved authorizations for logical access to information
and system resources.
-uuid:ef73dc31-ab9a-4d67-b5b8-c042e47aba25
control-id:ac-4
description:Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from Istio via network policies, virtual services and gateway
configs.
-uuid:34ea5ae5-3525-4a81-974f-a73e1999610f
control-id:ac-4.4
description:Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from Istio via network policies, virtual services and gateway
configs.
-uuid:25a717a7-3f1f-4d24-9cc1-701be6f97df9
control-id:ac-5
description:Keycloak is designed and recommended to be deployed in a stand-alone
BB cluster with TLS passthrough for OIDC/SAML integration. Controls are
inherited from Istio via network policies, virtual services and gateway
configs.
-uuid:28fba4bc-e1ae-4164-9673-6ed90d93a7c0
control-id:ac-6
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:2f8de149-d07f-4e8a-8baf-5bdbace0cf8d
control-id:ac-6.1
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:5a04932c-05cf-489a-932c-cb31b9480b73
control-id:ac-6.2
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:337a9b7f-71d0-46ef-aaa2-af5367d9b371
control-id:ac-6.5
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:6de217bb-f767-4af0-b813-b54df9baf173
control-id:ac-6.7
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:59032e55-f51e-4a0d-9394-7474631005ec
control-id:ac-6.9
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
-uuid:ad95419d-4506-48b0-a736-723724acea34
control-id:ac-6.10
description:Keycloak as an IDM / IAM provider supports least privilege through
user / group management (ABAC / RBAC) service offerings
description:Keycloak has a standard DoD login banner; see https://login.dso.mil
-uuid:2a99e48f-6631-4ff7-b955-b73caafdedac
control-id:ac-10
description:Keycloak does not satisfy this control natively; however, you
can implement "only one session per user" behavior with an ```EventListenerProvider```.
On every LOGIN event, delete all of the user's sessions except the current
one.
-uuid:77c2aa64-ab6b-4508-b6f6-fcca929de9ab
control-id:ac-12
description:Keycloak does not satisfy this control natively; however, session
termination behaviors can be implemented with an ```EventListenerProvider```.
-uuid:3b38e765-41f8-4ea6-90dc-b4a1845b62cc
control-id:ac-14
description:Keycloak has the ability to allow anonymous access to resources
if the client's Access Type is set to public.
-uuid:9bd24189-a9f7-4ddb-98fb-ba259b46b459
control-id:ac-17.1
description:Keycloak manages remote access to other applications through
IAM.
-uuid:3e901895-d5da-48a0-8317-56b456371243
control-id:ac-17.2
description:Through EventListeners Keycloak can either ship logs to a SIEM
which could alert on remote session events, or with custom SPIs Keycloak
can perform an action directly on events. A VPN client would need to use
Keycloak as an SSO to generate these events.
-uuid:66bc3835-8369-48ec-b54f-ca5ca034e2fd
control-id:ac-17.3
description:Keycloak can restrict access to control points through IAM, but
a VPN solution like Appgate would be better suited working with Keycloak.
-uuid:f6e0f2a4-c729-4335-97f4-b16fb49d27f9
control-id:ac-17.4
description:Keycloak can support a VPN or other remote management system
as its IAM to support remote access control.
-uuid:6a948220-d3ef-4357-989a-38e25f27eb3f
control-id:au-2
description:Keycloak captures user and admin events and can ship them out
to a logging server for analysis or trigger an action on specific event
via customizable EventListeners.
-uuid:4b4d19b0-b8e1-4fdd-b57b-448f4e163342
control-id:au-3
description:Keycloak events contain what, when, where, source, and objects/entities
for policy violations.
-uuid:35b33698-d3c5-496e-9cb4-4524c63e2fac
control-id:au-3.1
description:Keycloak event logs include Time, Event Type, Details (Client,
User, IP Address). Events are shipped to logging.
-uuid:ab565bfa-78a5-43e6-98cc-ba801a16b980
control-id:au-4
description:Keycloak events can be both saved to the database and shipped to
a logging server. Both systems are external to Keycloak's application server.
-uuid:24b14c71-b4bd-402f-aba6-80056e1b6fec
control-id:au-7
description:Keycloak provides audit records for compliance that qualify for
this control.
-uuid:e528b2ec-6895-432d-acf1-b33e0f8455f5
control-id:au-7.1
description:Within Keycloak records, sorting and searching are supported.
-uuid:ed7026d7-4257-44e6-919c-73e5f8a86be5
control-id:au-8
description:Keycloak saves timestamps in event logs
-uuid:92b5e2c1-cb7c-4f38-ba5b-22b617b15020
control-id:au-9
description:Keycloak provides RBAC to restrict management of logs.
-uuid:71c0d1c7-f9a5-4439-829b-8976749481eb
control-id:au-9.4
description:Keycloak provides RBAC to restrict management of logs.
-uuid:0b7b466e-e33c-4fa0-8979-a82da5fadc32
control-id:ia-2
description:Keycloak supports control through its IAM/SSO service.
-uuid:ff98831e-de87-4f0d-b42f-3af08a6caff6
control-id:ia-2.1
description:Keycloak supports MFA using mobile OTP and X.509 mTLS for both privileged
and non-privileged accounts.
-uuid:e0fbd222-d6ae-4729-a262-7c795dd6a628
control-id:ia-2.2
description:Keycloak supports MFA using mobile OTP and X.509 mTLS for both privileged
and non-privileged accounts.
-uuid:441d2bbd-b7ee-46e9-8110-f0fda67a2c90
control-id:ia-2.5
description:Keycloak provides built-in functionality to support this control.
-uuid:5c163729-a954-43ca-a035-6040b0526ccd
control-id:ia-2.12
description:Keycloak supports PIV credentials
-uuid:084779e8-542d-4def-936b-69fd1fb7f266
control-id:ia-3
description:Keycloak provides built-in functionality to support control.
-uuid:7a4c2837-a205-4b9c-b850-a8afec580275
control-id:ia-4
description:Keycloak provides built-in functionality to support control.
-uuid:ce397926-ec86-491c-82f6-db7e2e164a0d
control-id:ia-4.4
description:Keycloak provides built-in functionality to support control.
-uuid:7cee87f8-165f-4631-96f5-b2876df0e88a
control-id:ia-5.1
description:Keycloak provides password-policies to support control. https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/authentication/password-policies.adoc
-uuid:56d5209f-e279-4f67-b6e9-9a814695dda9
control-id:ia-5.2
description:Keycloak supports OCSP checking, and truststore/chain validation
for x509 PKI access.
-uuid:8d858e85-710e-46aa-b6fd-98013480c2b6
control-id:ia-8.1
description:Keycloak supports authenticating non-organizational users by
accepting mTLS client certificates signed by external certificate authorities.
-uuid:c2976939-842a-4efc-afd3-11dc9892fb86
control-id:ia-11
description:Keycloak supports OIDC/SAML which support expiration dates in