complianceascode / auditree-arboretum
The Auditree common fetchers, checks and harvest reports library.
Home Page: https://auditree.github.io/
License: Apache License 2.0
We need to migrate over the Python Packages fetchers and checks.
TBD
N/A
Provide a check to control the access to Github repositories containing source code. Permission access should be done at the team level, and not by adding single collaborators outside of team membership.
This can be done through a check that alerts if there are single collaborators instead of teams and also alerts about forks of the source code repos.
For each Github repo containing source code:
Implement a permissions check which includes a report template to render the results. Each single collaborator found in a repo will be considered a failure and reported with the following information grouped by repository:
The permissions check reports on each fork found in a repo. Each fork found in a repo will be considered as a warning and reported with the following information grouped by repository:
As additional information the permissions check also lists the organization teams as successes.
N/A
TBD
Add a fetcher that will gather Github (Enterprise) issues as evidence given a repo and search criteria.
issues/fetchers/github
TBD
N/A
TBD
Add check results summary harvest report and python packages summary harvest report.
N/A
tbd
#20 unit tests were neglected for new evidence classes. They need to be added.
Add unit tests for:
See req.
N/A
unit tests should run successfully
We need to simplify the organization of the fetchers, checks, and reports folder layout into a more flattened set of categories, removing the notions of "provider" and "technology".
N/A
It would be good to have a report that highlights persistent failures - checks that consistently fail for many days.
check foo has been failing for 8 days, last successful run $TIMESTAMP
Write a report in https://github.com/ComplianceAsCode/auditree-arboretum/tree/main/arboretum/auditree/reports
N/A
Will need some fake result data to demonstrate persistent failure.
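One way to compute the "failing for N days, last successful run ..." lines the report above asks for, as an added example rather than code from auditree-arboretum. The framework's check_results.json layout and report template API are not reproduced; the input is a constructed list of dated runs, each mapping a check name to "pass" or "fail", which stands in for the fake result data the issue mentions.

```python
"""Persistent-failure summary over a history of check results (added example)."""
from datetime import date, timedelta

MIN_FAILING_DAYS = 3  # assumption: only streaks at least this long are reported

# Constructed history, one run per day, oldest first. foo starts failing on day 2
# and never recovers, baz fails once and recovers, qux has never passed.
_DAY1 = {"foo": "pass", "bar": "pass", "baz": "pass", "qux": "fail"}
_DAY2 = {"foo": "fail", "bar": "pass", "baz": "fail", "qux": "fail"}
_LATER = {"foo": "fail", "bar": "pass", "baz": "pass", "qux": "fail"}
SAMPLE_RUNS = [
    {"date": date(2021, 3, 1) + timedelta(days=i), "results": r}
    for i, r in enumerate([_DAY1, _DAY2] + [_LATER] * 7)
]


def persistent_failures(runs, min_days=MIN_FAILING_DAYS):
    """Return checks whose most recent results form an unbroken run of failures.

    runs: list of {"date": date, "results": {check_name: "pass" | "fail"}},
    ordered oldest first. A check missing from a run ends its streak without
    counting as a success (it may simply not have existed yet).
    """
    if not runs:
        return []
    latest = runs[-1]["results"]
    findings = []
    for check in sorted(latest):
        if latest[check] != "fail":
            continue
        streak, last_success = 0, None
        for run in reversed(runs):
            status = run["results"].get(check)
            if status == "fail":
                streak += 1
                continue
            if status == "pass":
                last_success = run["date"]
            break
        if streak >= min_days:
            findings.append(
                {"check": check, "failing_days": streak, "last_success": last_success}
            )
    return findings


def format_report(findings):
    """Render one line per persistent failure, in the wording the issue proposes."""
    lines = []
    for f in findings:
        last = f["last_success"].isoformat() if f["last_success"] else "never"
        lines.append(
            f"check {f['check']} has been failing for {f['failing_days']} days, "
            f"last successful run {last}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(persistent_failures(SAMPLE_RUNS)):
        print(line)
```

Counting stops at the first non-failure rather than the first pass so that a check which was only recently added is not reported as failing "since forever".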
We need to migrate over the evidence locker fetchers and checks.
TBD
N/A
TBD
Provide a harvest report to transform Kubernetes compliance operator evidence from cluster_resource fetcher into a NIST OSCAL Assessment Results collection of Observations in JSON format.
Rationale: standardized version of evidence for multi-cloud and to facilitate creation of NIST OSCAL Assessment Results.
Write a harvest report that consumes cluster_resource evidence and optional oscal-metadata.yaml to produce compliance_oscal_observations.json.
Steps:
N/A
Employ unit tests comprising representative cluster_resource.json and oscal-metadata.yaml.
As evidence can be placed in the locker with plant we should have some checks, beyond abandoned evidence, against that. I think something like warnings when within a certain time period of the evidence ttl & errors when within a shorter period would be a good start.
Compliance Operator is a tool to validate that a cluster infrastructure complies with standards such as NIST SP 800-53, HIPAA or CIS Benchmark. It runs the openscap command, which generates a result report in XML format. Compliance Operator embeds the report into .spec.data of a ConfigMap resource in the cluster, and therefore a consumer of the validation result needs to parse the XML data in the ConfigMap resource to show the details of the validation result.
This issue focuses on a check which generates a report by analyzing the XML report of Compliance Operator stored in a ConfigMap resource.
For example, CA-3(5) is compliant if all of the following tests are PASS: xccdf_org.ssgproject.content_rule_set_firewalld_default_zone, xccdf_org.ssgproject.content_rule_configure_firewalld_ports
The check consumes ConfigMap resources fetched by the cluster resource fetcher. The check extracts XML data from the ConfigMap resources, and then parses the XML to enumerate the result of each XCCDF test. Finally, the check decides whether a control is compliant or not by mapping the XCCDF results in XML to the control specified in an auditree config.
TBD
The test will be done against one public cluster service both for vanilla kube logic and public cloud logic.
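The parsing and mapping step described above, together with the OSCAL observations output requested in the earlier harvest-report issue, as one added example (not arboretum's check or report code). Assumptions: the ConfigMap's data field holds the raw XCCDF TestResult XML under a key named results (the Compliance Operator can also store it compressed, which is not handled here), and the control-to-rule mapping is a plain dict standing in for the auditree config. The ConfigMap, XML and mapping are all constructed sample data.

```python
"""XCCDF results in ConfigMaps -> per-control verdicts -> OSCAL observations (added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed TestResult with three rule-result entries, as openscap would emit.
SAMPLE_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.ssgproject.content_testresult_ocp4-cis">
  <rule-result idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone">
    <result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_configure_firewalld_ports">
    <result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
    <result>fail</result></rule-result>
</TestResult>"""

# Constructed ConfigMap as a cluster_resource fetcher might store it (key "results" assumed).
SAMPLE_CONFIGMAPS = [
    {"metadata": {"name": "ocp4-cis-worker", "namespace": "openshift-compliance"},
     "data": {"results": SAMPLE_XML}}
]

# Control -> XCCDF rules that must all PASS (stand-in for the auditree config).
CONTROL_MAP = {
    "CA-3(5)": ["xccdf_org.ssgproject.content_rule_set_firewalld_default_zone",
                "xccdf_org.ssgproject.content_rule_configure_firewalld_ports"],
    "AC-6": ["xccdf_org.ssgproject.content_rule_sshd_disable_root_login"],
    "IA-2": ["xccdf_org.ssgproject.content_rule_not_in_this_scan"],
}


def rule_results(configmap):
    """Parse the XCCDF TestResult in one ConfigMap into {rule_id: result}."""
    # For XML from a cluster you do not fully trust, swap in defusedxml.ElementTree.
    root = ET.fromstring(configmap["data"]["results"])
    out = {}
    for rr in root.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        text = res.text.strip().lower() if res is not None and res.text else "unknown"
        out[rr.get("idref")] = text
    return out


def evaluate_controls(configmaps, control_map):
    """Return {control: {"compliant": bool, "rules": {rule: result}}}.

    A control is compliant only if every mapped rule is present with result
    'pass'. A rule absent from the scan is reported as 'missing' and fails the
    control instead of being silently skipped.
    """
    results = {}
    for cm in configmaps:
        results.update(rule_results(cm))
    report = {}
    for control, rules in control_map.items():
        per_rule = {r: results.get(r, "missing") for r in rules}
        report[control] = {
            "compliant": all(v == "pass" for v in per_rule.values()),
            "rules": per_rule,
        }
    return report


def oscal_observations(report, collected=None):
    """Render verdicts as minimal OSCAL assessment-results observations.

    Each observation carries the required uuid, description, methods and
    collected fields; the verdict is spelled out in the description.
    """
    collected = collected or datetime.now(timezone.utc).isoformat()
    observations = []
    for control, verdict in sorted(report.items()):
        status = "satisfied" if verdict["compliant"] else "not-satisfied"
        detail = ", ".join(f"{r}={v}" for r, v in verdict["rules"].items())
        observations.append({
            "uuid": str(uuid.uuid4()),
            "title": control,
            "description": f"{control}: {status}; rules: {detail}",
            "methods": ["TEST"],
            "collected": collected,
        })
    return {"observations": observations}


if __name__ == "__main__":
    verdicts = evaluate_controls(SAMPLE_CONFIGMAPS, CONTROL_MAP)
    for obs in oscal_observations(verdicts)["observations"]:
        print(obs["description"])
```

Treating a rule that never ran as a failure is deliberate: a profile that silently drops a rule should surface as a gap in the evidence, not as a pass.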
As of v1.14.0 of the framework the filtered_content attribute was added to all RawEvidence. RepoMetadataEvidence happens to have a property defined as filtered_content. This is causing the fetcher to error with AttributeError: can't set attribute.
Fix the collision between the RawEvidence filtered_content attribute and the RepoMetadataEvidence filtered_content property.
Rename the filtered_content property in RepoMetadataEvidence to relevant_content.
N/A
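The mechanism behind that AttributeError, reproduced with toy classes as an added example (these are not the framework's RawEvidence or RepoMetadataEvidence, just stand-ins constructed to show the collision and the rename that resolves it):

```python
"""A read-only @property in a subclass shadows a base-class instance attribute (added example)."""


class BaseEvidence:
    """Stand-in for the base class that, from v1.14.0, sets filtered_content on every instance."""

    def __init__(self, content):
        self.content = content
        self.filtered_content = None  # plain instance attribute assignment


class BrokenRepoEvidence(BaseEvidence):
    """Stand-in for the old subclass: a property with the same name and no setter.

    A property is a data descriptor on the class, so the base __init__'s
    `self.filtered_content = None` routes through the descriptor's __set__,
    which raises AttributeError because no setter was defined.
    """

    @property
    def filtered_content(self):
        return {"default_branch": self.content.get("default_branch")}


class FixedRepoEvidence(BaseEvidence):
    """Stand-in for the fix: the property is renamed so nothing shadows the base attribute."""

    @property
    def relevant_content(self):
        return {"default_branch": self.content.get("default_branch")}


def construct_error(cls, content):
    """Return the AttributeError message raised by cls(content), or None if it constructs cleanly."""
    try:
        cls(content)
    except AttributeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    repo = {"default_branch": "main", "private": True}
    print("broken:", construct_error(BrokenRepoEvidence, repo))
    print("fixed: ", construct_error(FixedRepoEvidence, repo))
```

The exact message differs by interpreter version ("can't set attribute" before Python 3.11, "property ... has no setter" from 3.11 on), which is why the check below only asserts that an AttributeError occurs. Adding a setter would also silence the error, but it would let the base class overwrite the derived value, so renaming is the cleaner fix.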
I would like collaborator (write) access to this repository, so I can contribute
to the Auditree Arboretum library.
Similar to abandoned evidence, we need a check that flags evidence as being empty.
Evidence is considered empty when its content evaluates to False after it is loaded via json.loads(). For example both {} and [] would be considered empty.
N/A
TBD
I would like collaborator (write) access to this repository, so I can contribute
to the Auditree Arboretum library.
Add compliance execution configuration fetcher and checks.
N/A
TBD
Add a fetcher that will gather collaborators, forks and teams list for each repo of a Github organization.
For each Github organization specified, an evidence file is stored in the locker containing collaborators, forks and teams for the specified repositories in the organization. The default is to retrieve all forks from all repositories in each specified Github organization. TTL is set to 1 day.
N/A
N/A
This issue suggests the implementation of a check to find direct repo collaborators in all the repos (or subsets of repos) of a given list of GH organizations.
Only collaborators with the direct affiliation type are considered, and only organizations whose collaborator_types field contains the value direct in their configuration are checked.
Implement a check in permissions, including a report template to render the results.
Each direct collaborator found in a repo will be considered as a failure and reported with the following information:
N/A
TBD
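One way the permissions check described in the issues above could evaluate the fetcher's evidence, as an added example that is not arboretum's own check: direct collaborators become failures, forks become warnings and teams are listed as successes, all grouped by repository, and the check returns an ERROR rather than silently skipping when no org config requests collaborator type direct. The evidence layout (one document per org, with collaborators keyed by the affiliation filter used, plus forks and teams per repo) and the org-config keys org, repos and collaborator_types are assumptions; the data is constructed.

```python
"""Repo permissions check over org collaborators/forks/teams evidence (added example)."""

# Constructed evidence as the org fetcher might store it. The "direct" key mirrors
# the GitHub collaborators API affiliation filter the fetcher was configured with.
SAMPLE_EVIDENCE = {
    "acme": {
        "api": {
            "collaborators": {
                "direct": [{"login": "alice", "permissions": {"push": True, "admin": False}}]
            },
            "forks": [{"full_name": "bob/api", "html_url": "https://github.com/bob/api"}],
            "teams": [{"name": "backend", "permission": "push"}],
        },
        "web": {
            "collaborators": {"direct": []},
            "forks": [],
            "teams": [{"name": "frontend", "permission": "admin"}],
        },
    }
}


def run_permissions_check(evidence, org_configs):
    """Evaluate configured orgs and return ("ERROR", message) or ("OK", results).

    results = {"failures": {...}, "warnings": {...}, "successes": {...}}, each
    keyed by "org/repo". An org config with an empty or missing "repos" list
    means every repo present in the evidence for that org.
    """
    if not any("direct" in cfg.get("collaborator_types", []) for cfg in org_configs):
        # Erroring here keeps a misconfigured run from looking like a clean one.
        return ("ERROR", "no org config requests collaborator_type 'direct'; check would test nothing")

    results = {"failures": {}, "warnings": {}, "successes": {}}
    for cfg in org_configs:
        if "direct" not in cfg.get("collaborator_types", []):
            continue
        org = cfg["org"]
        repos = evidence.get(org, {})
        for repo in cfg.get("repos") or sorted(repos):
            data = repos.get(repo, {})
            key = f"{org}/{repo}"
            direct = data.get("collaborators", {}).get("direct", [])
            if direct:  # individuals granted access outside of team membership
                results["failures"][key] = [
                    {"login": c["login"], "permissions": c.get("permissions", {})} for c in direct
                ]
            if data.get("forks"):  # copies of source code living outside the org
                results["warnings"][key] = [f["full_name"] for f in data["forks"]]
            if data.get("teams"):  # the intended way of granting access
                results["successes"][key] = [f"{t['name']}:{t['permission']}" for t in data["teams"]]
    return ("OK", results)


if __name__ == "__main__":
    configs = [{"org": "acme", "repos": [], "collaborator_types": ["direct", "outside"]}]
    status, report = run_permissions_check(SAMPLE_EVIDENCE, configs)
    print(status, report)
    print(run_permissions_check(SAMPLE_EVIDENCE, [{"org": "acme", "collaborator_types": ["outside"]}]))
```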
The current behavior of the OrgCollaboratorsCheck is that it skips check processing if an org config does not contain a collaborator_type of direct. Unfortunately, this can lead to confusion if no org config is provided with a direct collaborator type. When there are no org configs containing a collaborator_type of direct the check should ERROR instead.
Error when no org config contains a direct collaborator_type.
N/A
Without a direct collaborator_type config the check errors.
We need to migrate the IBM Cloud Databases list and backups list fetchers.
TBD
N/A
Local environment to be set up and evidence fetched
We need to migrate over the current set of repo integrity checks and add additional fetchers and checks as well.
TBD
N/A
TBD
Similar to abandoned evidence, we need a check that flags evidence as being too large. Evidence over 50MB would be flagged.
N/A
TBD
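The three locker hygiene checks proposed on this page (warnings and errors as evidence approaches its ttl, empty evidence that loads via json.loads() to a falsy value, and evidence over 50MB) share one shape, so here they are in a single added example that is not arboretum's abandoned-evidence check. Evidence entries are plain dicts with path, size in bytes, content, last_update and ttl in seconds; that layout, the 75% and 90% ttl windows and the sample entries are all assumptions constructed for the example.

```python
"""Locker evidence hygiene: near-expiry, empty and oversized evidence (added example)."""
import json
from datetime import datetime, timedelta, timezone

MAX_SIZE_BYTES = 50 * 1024 * 1024  # 50MB threshold proposed for oversized evidence
WARN_AT, ERROR_AT = 0.75, 0.90     # assumption: fraction of ttl elapsed that triggers warning / error

NOW = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed locker entries. Sizes are given explicitly so a 52MB file can be
# modelled without building a 52MB string.
SAMPLE_EVIDENCE = [
    {"path": "raw/github/acme_permissions.json", "size": 2048, "content": '{"acme": {"api": {}}}',
     "last_update": NOW - timedelta(hours=2), "ttl": 86400},
    {"path": "raw/python/packages.json", "size": 2, "content": "[]",
     "last_update": NOW - timedelta(hours=1), "ttl": 86400},
    {"path": "raw/kube/cluster_resource.json", "size": 52 * 1024 * 1024, "content": '{"items": [1]}',
     "last_update": NOW - timedelta(hours=20), "ttl": 86400},
    {"path": "raw/ibm/databases.json", "size": 120, "content": '{"databases": [1]}',
     "last_update": NOW - timedelta(hours=23), "ttl": 86400},
]


def is_empty(content):
    """Empty means json.loads(content) yields a falsy value ({}, [], null, "", 0).

    Content that is not JSON at all only counts as empty when it is blank.
    """
    try:
        return not json.loads(content)
    except (TypeError, ValueError):
        return content is None or not str(content).strip()


def ttl_fraction(entry, now):
    """Fraction of the evidence ttl elapsed since last_update (may exceed 1.0)."""
    return (now - entry["last_update"]).total_seconds() / entry["ttl"]


def hygiene_findings(evidence, now=NOW):
    """Return (path, severity, reason) tuples.

    Severity is 'failure' for empty, oversized or already-expired evidence and
    'error' / 'warning' for the two windows before the ttl runs out.
    """
    findings = []
    for e in evidence:
        if is_empty(e["content"]):
            findings.append((e["path"], "failure", "empty content"))
        if e["size"] > MAX_SIZE_BYTES:
            findings.append((e["path"], "failure", f"size {e['size']} bytes exceeds {MAX_SIZE_BYTES}"))
        frac = ttl_fraction(e, now)
        if frac >= 1.0:
            findings.append((e["path"], "failure", "ttl exceeded (abandoned evidence)"))
        elif frac >= ERROR_AT:
            findings.append((e["path"], "error", f"{frac:.0%} of ttl elapsed"))
        elif frac >= WARN_AT:
            findings.append((e["path"], "warning", f"{frac:.0%} of ttl elapsed"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in hygiene_findings(SAMPLE_EVIDENCE):
        print(f"{severity:8} {path}: {reason}")
```

Keeping the checks in one pass means a single piece of evidence can carry several findings (the oversized cluster_resource entry is also approaching its ttl), which is what you want when the report is grouped by evidence path.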
Kubernetes resources (e.g., kubectl get pod) can be used as evidence. For example, the spec of a Pod, a custom resource of an operator, and a ConfigMap show whether applications (pod) and kubernetes infrastructure (operator) run with the correct (expected) configuration. An enterprise often uses multiple clusters operated by multiple cloud service platforms (e.g., EKS of AWS, GKE of GCP, OpenShift of IBM Cloud) for its IT infrastructure. In that situation, it is not straightforward to fetch resources from the multiple clusters because their authentication/authorization mechanisms and cluster management mechanisms differ over the providers.
This issue focuses on fetching resources from multiple clusters of multiple cloud service providers. We plan to implement two fetchers; one is cluster list fetcher (per cloud service provider) and another is cluster resource fetcher.
To support multiple cloud service providers, the cluster list fetcher uses the provider's CLI tool (eksutil for EKS, gcloud for GKE, ibmcloud for IBM Cloud) to login to each cloud provider, and then fetches the cluster list from the provider's cluster admin API. The cluster resource fetcher runs kubectl get RESOURCE_TYPE --kubeconfig path/to/kubeconfig to fetch resources when a kubeconfig is given, or kubectl get RESOURCE_TYPE (neither --kubeconfig nor --token is specified because the authorization token is already configured by the login command) to fetch resources after logging in with the provider's CLI tool.
The cluster list fetcher uses ~/.credential to login to the cluster management API of each provider. User needs to manage ~/.credentials in a secure manner. For the cluster resource fetcher, the kubeconfig file specified in an auditree config file is used to access the cluster, and the user needs to manage the kubeconfig file as usual. Alternatively, the kubeconfig file configured by the login command of the provider's CLI tool is used to access the cluster, similar to the list fetcher behaviour.
The test will be done against one public cluster service both for vanilla kube logic and public cloud logic.
Add a fetcher that will gather pipeline issues in a Zenhub workspace and gh(e) repo.
issues/fetchers/github
TBD
N/A
TBD
Dependency PyYaml is declared as pyyaml<5.4 and the latest version before that upper bound is over 3y old: https://pypi.org/project/PyYAML/5.3.1/
That version also has vulnerabilities GHSA-6757-jp84-gxfx which got only fixed with 5.4.1, see commit message in kubernetes-client/python@cd15076
In general I was wondering why that dependency has an upper bound while all others use a lower bound. Was the PR review suggestion at #54 (comment) maybe a typo and it should have been pyyaml>5.4? @alfinkel @cletomartin
N/A
N/A
N/A
N/A
Once the ComplianceCheck.get_historical_evidence lands in the framework, we should change all uses of self.locker.get_evidence in the checks in this repo to self.get_historical_evidence. This will ensure that historical evidence metadata is stored as part of the report metadata and check_results.json.
Switch uses of self.locker.get_evidence to self.get_historical_evidence
N/A