diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000000000000000000000000000000000000..64a2c68c3ababda8d526d6cd995f02cd36f837ab --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000000000000000000000000000000000000..1a7b224d6ccdad95fef69b5c8be1ce2b543f338e --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000000000000000000000000000000000000..9f3b5fe4d8d43ae9f82411a391b200d4b43f2668 --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000000000000000000000000000000000000..6594a0580b941815c0c7c6264cdfc42e28231f57 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000000000000000000000000000000000000..caebb3e9aab279c7f109ec0fbfa246b8add6d972 --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md @@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000000000000000000000000000000000000..1427a0caed1833bccd3b1e5f8c5f6eafde05266c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md @@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000000000000000000000000000000000000..a0e2f195dc66e4187264381c5e96e8aa96db8a09 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000000000000000000000000000000000000..4674f82f930085f34f51b4ecbb4d396519f53192 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000000000000000000000000000000000000..068d029d89cb62dd4d4da5e03924c608172d97d6 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000000000000000000000000000000000000..77dea11e56c87d3fb65a1cf2ce7901621058f970 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000000000000000000000000000000000000..28b82a9454358a542efaa4b9c1c99542e3487fd6 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md @@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 0aee5b2037d3e2ea2ea3625bf2ea2484c614d0e3..80cac2d8070c4d20a979706b61ddd0a7327c1f1e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,9 +2,9 @@ # Build stage 0 # Extract Kibana and make various file manipulations. ################################################################################ -ARG BASE_REGISTRY=nexus-docker-secure.levelup-nexus.svc.cluster.local:18082 +ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=redhat/ubi/ubi8 -ARG BASE_TAG=8.2 +ARG BASE_TAG=8.3 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as prep_files @@ -14,8 +14,8 @@ RUN yum update --setopt=tsflags=nodocs -y && \ RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana -COPY --chown=1000:0 kibana-7.9.2-linux-x86_64.tar.gz . -RUN tar --strip-components=1 -zxf kibana-7.9.2-linux-x86_64.tar.gz +COPY --chown=1000:0 kibana-7.10.0-linux-x86_64.tar.gz . +RUN tar --strip-components=1 -zxf kibana-7.10.0-linux-x86_64.tar.gz # Ensure that group permissions are the same as user permissions. # This will help when relying on GID-0 to run Kibana, rather than UID-1000. # OpenShift does this, for example. @@ -31,7 +31,7 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} EXPOSE 5601 RUN yum update --setopt=tsflags=nodocs -y && \ - yum install -y fontconfig freetype shadow-utils && \ + yum install -y fontconfig freetype shadow-utils libnss3.so && \ yum clean all COPY LICENSE /licenses/elastic-kibana @@ -66,7 +66,7 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} + RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana USER kibana -LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="7.9.2" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" +LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="7.10.0" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] diff --git a/Jenkinsfile b/Jenkinsfile index 1913f297efbd8756880d0822c8e35b8a05723b79..f60d67a16f97c28d8a3e13b718cf7462a86748c8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: '7.9.2') +dccscrPipeline(version: '7.10.0') diff --git a/LICENSE b/LICENSE index 29121f22277b1df76a8c63363127ce95d59930b4..632c3abe22e9be309ca4e51cc57da447f9487bc6 100644 --- a/LICENSE +++ b/LICENSE @@ -222,26 +222,59 @@ SOFTWARE 6.11 "Subscription" means the right to receive Support Services and a License to the Commercial Software. + GOVERNMENT END USER ADDENDUM TO THE ELASTIC LICENSE AGREEMENT -This ADDENDUM TO THE ELASTIC LICENSE AGREEMENT (this “Addendum”) applies only to U.S. Federal Government, State Government, and Local Government entities (“Government End Users”) of the Elastic Software. This Addendum is subject to, and hereby incorporated into, the Elastic License Agreement, which is being entered into as of even date herewith, by Elastic and You (the “Agreement”). This Addendum sets forth additional terms and conditions related to Your use of the Elastic Software. Capitalized terms not defined in this Addendum have the meaning set forth in the Agreement. - -1. LIMITED LICENSE TO DISTRIBUTE (DSOP ONLY). Subject to the terms and conditions of the Agreement (including this Addendum), Elastic grants the Department of Defense Enterprise DevSecOps Initiative (DSOP) a royalty-free, non-exclusive, non-transferable, limited license to reproduce and distribute the Elastic Software solely through a software distribution repository controlled and managed by DSOP, provided that DSOP: (i) distributes the Elastic Software complete and unmodified, inclusive of the Agreement (including this Addendum) and (ii) does not remove or alter any proprietary legends or notices contained in the Elastic Software. - -2. CHOICE OF LAW. The choice of law and venue provisions set forth shall prevail over those set forth in Section 5 of the Agreement. - -For U.S. Federal Government Entity End Users. This Agreement and any non-contractual obligation arising out of or in connection with it, is governed exclusively by U.S. Federal law. To the extent permitted by federal law, the laws of the State of Delaware (excluding Delaware choice of law rules) will apply in the absence of applicable federal law. - -For State and Local Government Entity End Users. This Agreement and any non-contractual obligation arising out of or in connection with it, is governed exclusively by the laws of the state in which you are located without reference to conflict of laws. Furthermore, the Parties agree that the Uniform Computer Information Transactions Act or any version thereof, adopted by any state in any form (‘UCITA’), shall not apply to this Agreement and, to the extent that UCITA is applicable, the Parties agree to opt out of the applicability of UCITA pursuant to the opt-out provision(s) contained therein. - -3. ELASTIC LICENSE MODIFICATION. Section 5 of the Agreement is hereby amended to replace - -“This Agreement may be modified by Elastic from time to time, and any such modifications will be effective upon the "Posted Date" set forth at the top of the modified Agreement.” - -with: - -“This Agreement may be modified by Elastic from time to time; provided, however, that any such modifications shall apply only to Elastic Software that is installed after the “Posted Date” set forth at the top of the modified Agreement.” - - -V100620.0 - + This ADDENDUM TO THE ELASTIC LICENSE AGREEMENT (this "Addendum") applies +only to U.S. Federal Government, State Government, and Local Government +entities ("Government End Users") of the Elastic Software. This Addendum is +subject to, and hereby incorporated into, the Elastic License Agreement, +which is being entered into as of even date herewith, by Elastic and You (the +"Agreement"). This Addendum sets forth additional terms and conditions +related to Your use of the Elastic Software. Capitalized terms not defined in +this Addendum have the meaning set forth in the Agreement. + + 1. LIMITED LICENSE TO DISTRIBUTE (DSOP ONLY). Subject to the terms and +conditions of the Agreement (including this Addendum), Elastic grants the +Department of Defense Enterprise DevSecOps Initiative (DSOP) a royalty-free, +non-exclusive, non-transferable, limited license to reproduce and distribute +the Elastic Software solely through a software distribution repository +controlled and managed by DSOP, provided that DSOP: (i) distributes the +Elastic Software complete and unmodified, inclusive of the Agreement +(including this Addendum) and (ii) does not remove or alter any proprietary +legends or notices contained in the Elastic Software. + + 2. CHOICE OF LAW. The choice of law and venue provisions set forth shall +prevail over those set forth in Section 5 of the Agreement. + + "For U.S. Federal Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by U.S. Federal law. To the extent permitted by + federal law, the laws of the State of Delaware (excluding Delaware choice + of law rules) will apply in the absence of applicable federal law. + + For State and Local Government Entity End Users. This Agreement and any + non-contractual obligation arising out of or in connection with it, is + governed exclusively by the laws of the state in which you are located + without reference to conflict of laws. Furthermore, the Parties agree that + the Uniform Computer Information Transactions Act or any version thereof, + adopted by any state in any form ('UCITA'), shall not apply to this + Agreement and, to the extent that UCITA is applicable, the Parties agree to + opt out of the applicability of UCITA pursuant to the opt-out provision(s) + contained therein." + + 3. ELASTIC LICENSE MODIFICATION. Section 5 of the Agreement is hereby +amended to replace + + "This Agreement may be modified by Elastic from time to time, and any + such modifications will be effective upon the "Posted Date" set forth at + the top of the modified Agreement." + + with: + + "This Agreement may be modified by Elastic from time to time; provided, + however, that any such modifications shall apply only to Elastic Software + that is installed after the "Posted Date" set forth at the top of the + modified Agreement." + +V100820.0 diff --git a/download.json b/download.json index 7885611d39546a673aeaecef702615414011f595..4dc3748b8b3dcb84d33e5b00a283c15e6784ad13 100644 --- a/download.json +++ b/download.json @@ -1,11 +1,11 @@ { "resources": [ { - "url": "https://artifacts.elastic.co/downloads/kibana/kibana-7.9.2-linux-x86_64.tar.gz", - "filename": "kibana-7.9.2-linux-x86_64.tar.gz", + "url": "https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-linux-x86_64.tar.gz", + "filename": "kibana-7.10.0-linux-x86_64.tar.gz", "validation": { "type": "sha512", - "value": "79d7b836a93b496fa9dc58d3d2286ca6f6ad4d5c66558047a24841085b41c8beeae2a4f68a8883013b93e3036e029f76ebcb6e30080fc0b1979377b1f6d2b19a" + "value": "385fe5d875ba074e0931a1e9ebbac8e3d91d300ca478f589da06b01c68e4694c5953a538afd6c385bdccec0f0d3cda1a5dc39f1b56e41d584cdcab8fba466677" } }, { diff --git a/scripts/kibana-docker b/scripts/kibana-docker index b69fd8b70dcbe003f24a0a3b2ef244d24cc4e525..f8d5bd75260a689bb1723adbe0e9f1bd997f532e 100755 --- a/scripts/kibana-docker +++ b/scripts/kibana-docker @@ -8,16 +8,18 @@ # # eg. Setting the environment variable: # -# ELASTICSEARCH_STARTUPTIMEOUT=60 +# ELASTICSEARCH_LOGQUERIES=true # # will cause Kibana to be invoked with: # -# --elasticsearch.startupTimeout=60 +# --elasticsearch.logQueries=true kibana_vars=( console.enabled console.proxyConfig console.proxyFilter + ops.cGroupOverrides.cpuPath + ops.cGroupOverrides.cpuAcctPath cpu.cgroup.path.override cpuacct.cgroup.path.override csp.rules @@ -28,7 +30,6 @@ kibana_vars=( elasticsearch.logQueries elasticsearch.password elasticsearch.pingTimeout - elasticsearch.preserveHost elasticsearch.requestHeadersWhitelist elasticsearch.requestTimeout elasticsearch.shardTimeout @@ -45,7 +46,6 @@ kibana_vars=( elasticsearch.ssl.truststore.path elasticsearch.ssl.truststore.password elasticsearch.ssl.verificationMode - elasticsearch.startupTimeout elasticsearch.username i18n.locale interpreter.enableInVisualize @@ -93,6 +93,7 @@ kibana_vars=( path.data pid.file regionmap + security.showInsecureClusterWarning server.basePath server.customResponseHeaders server.compression.enabled @@ -133,6 +134,7 @@ kibana_vars=( tilemap.url timelion.enabled vega.enableExternalUrls + xpack.actions.proxyUrl xpack.apm.enabled xpack.apm.serviceMapEnabled xpack.apm.ui.enabled @@ -159,6 +161,7 @@ kibana_vars=( xpack.code.security.gitHostWhitelist xpack.code.security.gitProtocolWhitelist xpack.encryptedSavedObjects.encryptionKey + xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys xpack.graph.enabled xpack.graph.canEditDrillDownUrls xpack.graph.savePolicy @@ -235,10 +238,12 @@ kibana_vars=( xpack.security.enabled xpack.security.encryptionKey xpack.security.loginAssistanceMessage + xpack.security.sameSiteCookies xpack.security.secureCookies xpack.security.sessionTimeout xpack.security.session.idleTimeout xpack.security.session.lifespan + xpack.security.session.cleanupInterval xpack.security.loginAssistanceMessage xpack.security.loginHelp xpack.security.public.protocol @@ -283,5 +288,4 @@ umask 0002 # Therefore, we set this value here so that cgroup statistics are # available for the container this process will run in. -exec /usr/share/kibana/bin/kibana --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ ${longopts} "$@" - +exec /usr/share/kibana/bin/kibana --ops.cGroupOverrides.cpuPath=/ --ops.cGroupOverrides.cpuAcctPath=/ ${longopts} "$@" \ No newline at end of file