Controls implemented by authservice for inheritance by applications
implemented-requirements:
-uuid:1822457D-461B-482F-8564-8929C85C04DB
control-id:ac-3
description:>-
Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these
policies.
-uuid:D7717A9B-7604-45EF-8DCF-EE4DF0417F9C
control-id:ac-4
description:>-
All HTTP(S) connections into the system via Istio ingress gateways
and throughout the system with Istio sidecars.
-uuid:1D1E8705-F6EB-4A21-A24F-1DF7427BA491
control-id:ac-4.4
description:>-
All encrypted HTTPS connections are terminated at the istio ingress
gateway.
-uuid:CD1315BF-91FE-490A-B6A6-5616690D78A8
control-id:ac-6.3
description:>-
Can be configured with an "admin" gateway to restrict access
to applications that only need sysadmin access. Not standard in BB itself
though.
-uuid:6109E09A-8279-44AB-8CA4-2051AF895648
control-id:ac-14
description:>-
Istio RequestAuthentication and AuthorizationPolicies are applied
after Authservice. Istio is configured to only allow access to applications
if they have a valid JWT, denying access by default. Applications that do
not use Authservice do not have these policies.
-uuid:9B6BA674-E6ED-4FB6-B216-3C8733F36411
control-id:au-2
description:>-
Istio provides access logs for all HTTP network requests, including
mission applications.
-uuid:D3CBC898-F938-4FAA-B1B1-2597A69B5600
control-id:au-3
description:>-
By default, Istio uses the Common Log Format with additional information for access logs.
The default configuration does not include the identity of individuals associated with the event.
-uuid:D01F6B2D-F18E-47E9-94DC-95C0B5675E13
control-id:cm-5
description:>-
Configured via Kubernetes resources. Inherited from cluster and
flux/ArgoCD.
-uuid:6370B2DA-1E35-4916-8591-91FB9EDBE72B
control-id:cm-8
description:>-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali.
-uuid:AB9189FF-34E2-4D7E-8018-EB346C7AE967
control-id:cm-8.1
description:>-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali. The inventory is automatically and
continuously updated.
-uuid:A740C741-23B4-4ED9-937C-E0276A9B92EE
control-id:cm-8.2
description:>-
Provides an inventory of all workloads (including mission apps)
in the service mesh, viewable in Kiali. The inventory is automatically and
continuously updated.
-uuid:61615706-5395-4168-8AD0-5C4ACBCC5D7E
control-id:ia-2
description:>-
Istio RequestAuthentication and AuthorizationPolicies are applied
after Authservice. Istio is configured to only allow access to applications
if they have a valid JWT, denying access by default. Applications that do
not use Authservice do not have these policies.
-uuid:3004BB1D-0F50-48F1-ABFE-40CC522B1C15
control-id:ia-4
description:>-
Istio uses Kubernetes namespaces and resource names to identifiy
workloads in the service mesh. This provides management of identifiers for
all services in the cluster.
-uuid:FE110D6B-CCB5-41E8-B2DE-287ED843D417
control-id:ia-9
description:>-
Istio registers all workload identities in the service mesh.
The identity is transmitted in the mTLS certificate when establishing communication
between services, and is validated by Istio sidecars.
-uuid:50EE9EB1-0DA4-411C-8771-AA1725B27E22
type:software
title:Jaeger
...
...
@@ -361,24 +266,6 @@ component-definition:
control-id:au-9.4
description:Kibana provides ability to use Role Based Access Control to allow
for the indexes that store audit logs to be restricted to just cluster administrators
-uuid:50EE9EB1-0DA4-411C-A771-AA1725B27E22
type:software
title:ECK Operator
description:|
Operator for managing Elasticsearch and Kibana
purpose:Managing Elasticsearch and Kibana instances
