Attention Iron Bank Customers: On March 27, 2025, we are moving SBOM artifacts from the Anchore Scan job to the Build job to streamline the container hardening pipeline. If you currently download SBOMs from the Anchore Scan job, you can still get them from the Build job and from other sources, including IBFE and image attestations.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [6.60.6-bb.4] - 2023-12-07
### Added
- Adding OSCAL Component File.
## [6.60.6-bb.3] - 2023-11-13
### Added
-`docs/DEVELOPMENT_MAINTENANCE.md` with upstream helm deviations
Controls implemented by Grafana for inheritance by applications.
implemented-requirements:
-uuid:3bfac64c-3d7d-4425-87da-82397e6e3a8e
control-id:ac-6.9
description:>-
Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana.
-uuid:4bedfe60-c66a-4621-b4f2-3369f1b248ad
control-id:au-2
description:>-
API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers.
In addition, system and cluster level metrics are emitted by containers with read only access to host level information.
Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format.
Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:bada0000-35e1-4060-ac83-a5014ca05831
control-id:au-3.1
description:>-
Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus.
-uuid:3cbc2461-6042-4c9a-9a71-f65983ce5bb6
control-id:au-5.1
description:>-
Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:09340803-8f1a-45ae-affc-63caf7466ded
control-id:au-5.2
description:>-
Alertmanager has pre-build alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events.
Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration.
Data can be displayed through a Grafana dashboard for visualization.
-uuid:182dfcc7-af14-4d2a-a47c-d8add373809c
control-id:au-6.1
description:>-
Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:abe67aa0-e3fc-4b87-a003-515fac323014
control-id:au-6.3
description:>-
Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana.
-uuid:BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB
control-id:au-6.5
description:>-
Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:22ae84f6-a0f3-4d30-b537-305bdee64eb3
control-id:au-6.6
description:>-
Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:9976cc27-5ff2-46e4-9c34-d3bc8981e56b
control-id:au-7
description:>-
Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor.
-uuid:19c54dd1-f5d3-4cb4-8ebc-25489799e468
control-id:au-7.1
description:>-
Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor.
-uuid:d2c6aa6d-39fa-453c-8daf-942b34e93025
control-id:au-8
description:>-
Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:263c1161-2aed-4532-8e8e-b2e6f9d3f0a4
control-id:au-9
description:>-
Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an
identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control
when using Grafana Enterprise.
-uuid:8a55aac8-3772-4686-9356-557b11629fe3
control-id:au-9.2
description:>-
Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of
the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio.
Metrics data can be displayed through a Grafana dashboard for visualization.
-uuid:6842544b-5a7c-4526-adbc-af0f95d000c8
control-id:au-9.4
description:>-
Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an
identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control
when using Grafana Enterprise.
-uuid:c083069f-ddac-4c5e-829b-b4367cdbaad7
control-id:au-12.1
description:>-
Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps
