
ITSG-33 Security controls - Implement yaml tagging/labelling for automatic reporting/generation of compliance #151

Open
fmichaelobrien opened this issue Sep 26, 2022 · 2 comments
Comments

@fmichaelobrien
Contributor

fmichaelobrien commented Sep 26, 2022

Implement security control tagging/labeling inside the Kubernetes YAML files.
Add a control stub for the unknown case: if the developer is not able to figure out the exact security control from the list in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/google-cloud-security-controls.md
then add a child issue to adjust the YAML in the next commit.

Examples

To be filled out...

Work Item:
Discussion with Dave, Aaron, Craig.
There may be an issue around security control tagging already in the queue.
Adding an ITSG/NIST label into the YAML, with git pre-commit README section auto-generation on commits to extract a report per commit.

See for example the manually created Code to Controls mapping for one piece of evidence around SC-7 in
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/google-cloud-security-controls.md#05-data-location

It would be better if we maintained a tag in the yaml around the code
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone/environments/common/guardrails-policies/05-data-location/constraint.yaml#L24

where we can run either a pre-commit hook and/or an automatic generation of our security control posture, either via an in-line GitHub Actions workflow https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/.github/workflows/landing-zone-validation.yaml or via offline report generation, similar to what is generated in Security Command Center Premium (compliance and vulnerabilities)
security/command-center/vulnerabilities?organizationId

| Time | Finding | Description | Count | | Compliance standards |
| -- | -- | -- | -- | -- | -- |
| September 26, 2022 at 8:59:04 AM GMT-4 | Open RDP port | Firewall rules should not allow connections from all IP addresses on TCP or UDP port 3389 | 179 | | CIS 1.0: 3.7, CIS 1.1: 3.7, CIS 1.2: 3.7, PCI: 1.2.1, NIST: SC-7, ISO: A.13.1.1 |

see TF reference GoogleCloudPlatform/pbmm-on-gcp-onboarding#180
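The tagging-plus-report scheme proposed above, as an added illustration that is not part of the issue or of the pubsec-declarative-toolkit: a stdlib-only Python script that walks Kubernetes/Gatekeeper manifests, reads a control annotation from `metadata.annotations`, and emits the Markdown "code to controls" table a pre-commit hook or workflow could drop into the README. The annotation key `itsg33.example/controls`, the `UNKNOWN` stub value and all manifest contents are constructed assumptions, not the toolkit's convention; the parser is a minimal indentation walk of block-style YAML (a production hook would use PyYAML).

```python
"""Extract control tags from Kubernetes YAML and build a per-commit Markdown report.

Assumed convention (hypothetical, not from the toolkit): each resource carries
    itsg33.example/controls: "SC-7, SA-9"
under metadata.annotations.  A resource whose author could not identify the
control uses the literal UNKNOWN, which the report lists separately so a
follow-up issue can be opened.  Resources with no tag at all are reported so a
pre-commit hook can fail the commit.
"""
import re
from collections import defaultdict

CONTROL_KEY = "itsg33.example/controls"   # hypothetical annotation key
UNKNOWN = "UNKNOWN"                       # stub for the "control not yet known" case


def parse_documents(text):
    """Return [(kind, name, controls)] for each document in a (multi-doc) YAML file.

    controls is a list of control ids, [] when the annotation is absent.
    Minimal parser: block-style mappings only, comments stripped at the first '#'.
    """
    docs = []
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        kind = name = controls = None
        in_metadata = in_annotations = False
        meta_indent = ann_indent = -1
        for raw in doc.splitlines():
            line = raw.split("#", 1)[0].rstrip()
            if not line.strip():
                continue
            indent = len(line) - len(line.lstrip())
            key, _, value = line.strip().partition(":")
            value = value.strip().strip("'\"")
            # Leaving a block is detected by indentation falling back to the key's level.
            if in_annotations and indent <= ann_indent:
                in_annotations = False
            if in_metadata and indent <= meta_indent:
                in_metadata = False
            if indent == 0 and key == "kind":
                kind = value
            elif indent == 0 and key == "metadata":
                in_metadata, meta_indent = True, indent
            elif in_metadata and not in_annotations:
                if key == "name":
                    name = value
                elif key == "annotations":
                    in_annotations, ann_indent = True, indent
            elif in_annotations and key == CONTROL_KEY:
                controls = [c.strip() for c in value.split(",") if c.strip()]
        if kind:
            docs.append((kind, name or "<unnamed>", controls or []))
    return docs


def _control_sort_key(control):
    # Sort by family then numeric id so SC-7 precedes SC-12.
    m = re.match(r"([A-Z]+)-(\d+)", control)
    return (m.group(1), int(m.group(2)), control) if m else ("ZZ", 0, control)


def build_report(manifests):
    """manifests: {path: yaml_text}.  Returns (markdown, unknown_refs, untagged_refs)."""
    by_control = defaultdict(list)
    unknown, untagged = [], []
    for path, text in sorted(manifests.items()):
        for kind, name, controls in parse_documents(text):
            ref = f"{path} {kind}/{name}"
            if not controls:
                untagged.append(ref)
            for c in controls:
                (unknown if c == UNKNOWN else by_control[c]).append(ref)
    lines = ["| Control | Evidence (manifest and resource) |", "| --- | --- |"]
    for control in sorted(by_control, key=_control_sort_key):
        lines.append(f"| {control} | {'<br>'.join(by_control[control])} |")
    if unknown:
        lines += ["", "Control not yet identified (open a follow-up issue):"]
        lines += [f"- {r}" for r in unknown]
    if untagged:
        lines += ["", "Resources with no control annotation (pre-commit should fail):"]
        lines += [f"- {r}" for r in untagged]
    return "\n".join(lines), unknown, untagged


# Constructed sample manifests (kinds, names and paths are made up for this example).
SAMPLE_MANIFESTS = {
    "guardrails-policies/05-data-location/constraint.yaml": """\
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPResourceLocationConstraintV1
metadata:
  name: restrict-resource-locations
  annotations:
    itsg33.example/controls: "SC-7, SA-9"   # boundary protection, external services
spec:
  parameters:
    allowedLocations: ["northamerica-northeast1"]
""",
    "guardrails-policies/firewall/constraint.yaml": """\
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPRestrictedFirewallRulesConstraintV1
metadata:
  name: deny-rdp-from-internet
  annotations:
    itsg33.example/controls: SC-7
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: rule-notes
  annotations:
    itsg33.example/controls: UNKNOWN
""",
    "guardrails-policies/misc/untagged.yaml": """\
apiVersion: v1
kind: Namespace
metadata:
  name: untagged-example
""",
}

if __name__ == "__main__":
    report, unknown, untagged = build_report(SAMPLE_MANIFESTS)
    print(report)
    raise SystemExit(1 if untagged else 0)   # pre-commit semantics: block untagged resources
```

Run as a pre-commit hook with the repository's manifests loaded into the dict instead of the constructed sample; the non-zero exit on untagged resources is what forces the "add a child issue" path the issue describes, while `UNKNOWN` lets the commit land with the gap visible in the report.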

@fmichaelobrien
Contributor Author

Answer question on GR 8 network segmentation

canada-ca/cloud-guardrails#96

@fmichaelobrien
Contributor Author

fmichaelobrien commented Mar 3, 2023

refer to security control automation in #301
