
Update relational database controls from markdown to yaml #540

Open · wants to merge 7 commits into base: main

Conversation

dogle-scottlogic (Contributor) commented Nov 15, 2024

Migrate the relational database controls file from .md to .yaml.
This addresses open issue #494
As far as I can tell this is the only file requiring migration to markdown.

TODO (@sshiells-scottlogic):

  • Need to clarify if there are any common controls which need inclusion.
  • Need to clarify the tlp_levels for test requirements.
  • Need to check the threats as the codes provided don't match our current patterns

@dogle-scottlogic dogle-scottlogic requested review from a team as code owners November 15, 2024 08:47
@dogle-scottlogic dogle-scottlogic added the community structure Work related to the Community Structure WG label Nov 15, 2024
mlysaght2017 (Contributor) commented Nov 15, 2024

@dogle-scottlogic - thanks for picking this one up.

Comparing this to the common controls for object storage, I think the common controls list may well be the same for RDMS:
```yaml
common_controls:
  - CCC.C01 # Prevent unencrypted requests
  - CCC.C02 # Ensure data encryption at rest for all stored data
  - CCC.C03 # Implement multi-factor authentication (MFA) for access
  - CCC.C04 # Log all access and changes
  - CCC.C05 # Prevent access from untrusted entities
  - CCC.C06 # Prevent deployment in restricted regions
  - CCC.C07 # Alert on non-human enumeration
  - CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs
  - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter
```

That would then leave the following RDMS specific controls as:

```yaml
  - id: CCC.RDMS.C1
    title: Enforce Role-Based Access Control
    objective: Ensure only authorized roles can access database resources.
```

@eddie-knight @damienjburks @vrabotka @ianwalkersmithciticom - I reckon RBAC control should be converted to a common control?

Also:

```yaml
  - id: CCC.RDMS.C2
    title: Disable Access with Default Credentials
    objective: |
      Ensure that default credentials are disabled and only authorized
      roles can access database resources.
```

Is this unique to RDMS? Seems more...common...?

Also:

```yaml
  - id: CCC.RDMS.C3
    title: Restrict Snapshot Collection To Trusted Roles
    objective: Limit snapshot collection capabilities to trusted roles.
```

Don't quite understand this one?

Also,

```yaml
  - id: CCC.RDMS.C4
    title: Enforce Logging & Monitoring
    objective: Ensure logging and monitoring cannot be disabled by users.
```

Is now covered by the common controls and can be removed.

@eddie-knight - I know RDMS started in the early stages of the project - were there any threats/controls specific to RDMS that we may have dropped along the way?

damienjburks (Contributor) commented

@mlysaght2017 converting RBAC to a common control makes sense to me.

mlysaght2017 (Contributor) commented

@dogle-scottlogic @ianwalkersmithciticom - it looks like you're both working on this via separate PRs - see #573

@dogle-scottlogic - if you're ok with this, I'm happy to merge this PR in its current state and then have @ianwalkersmithciticom work on additions/mappings/fixes as part of #554

dogle-scottlogic (Contributor, Author) commented

> @dogle-scottlogic @ianwalkersmithciticom - it looks like you're both working on this via separate PRs - see #573
>
> @dogle-scottlogic - if you're ok with this, I'm happy to merge this PR in its current state and then have @ianwalkersmithciticom work on additions/mappings/fixes as part of #554

@mlysaght2017 that's fine with me 👍

mlysaght2017 previously approved these changes Dec 5, 2024

mlysaght2017 (Contributor) commented

@dogle-scottlogic @damienjburks - do we know what the issue with the yaml checker is on this one?

dogle-scottlogic (Contributor, Author) commented

@mlysaght2017 - The branch needs a rebase to bring it up to date, which might be the issue - I'll try and sort it out today

dogle-scottlogic (Contributor, Author) commented

rebased - just need to check if we want to keep in C02 and C03 or remove them for now

eddie-knight (Contributor) commented

@dogle-scottlogic seems like we should include those so as to not lose any progress

mlysaght2017 (Contributor) commented

@dogle-scottlogic - just that linting check to pass and then we should be good - thanks

eddie-knight previously approved these changes Dec 6, 2024

Three resolved review comments on services/database/relational/controls.yaml (outdated)