Open rajkrishnamurthy opened 2 years ago
Need to review the OSCAL method for authorization boundaries. The existing YAML has a method implied. The Threagile method might be worth looking at as well.
Here is the JSON format reference for authorization boundary in OSCAL: https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/json-reference/#/system-security-plan/system-characteristics/authorization-boundary
Here is a list of github issues on authorization boundary in the OSCAL project: https://github.com/usnistgov/OSCAL/issues?q=is%3Aissue+%22authorization+boundary%22
Two methods for this kinda exist in the current examples:
For the prometheus/grafana integration I set a tag for the authorization boundary as per Raj's suggestion above. See example code that generates the pom file. Here I set the authorization_boundary to "foo". Presumably one would pass a tag like this down into everything (scripts) that collect measures etc. and at the far side this tag would go into the output as shown here:
```go
import (
	"fmt"
	"math/rand"
	"time"
)

// Minimal type definitions inferred from how the snippet uses them (the real ones live elsewhere in the project).
type MetricVO struct {
	MetricID string
}

type MetricsVO struct {
	Metrics []MetricVO
}

// GeneratePomMetrics prints synthetic Prometheus-style samples, one ratio and two raw measures per metric, each tagged with a fixed authorization_boundary label.
func GeneratePomMetrics(metricsVO *MetricsVO) (err error) {
	// fmt.Printf("hello world\n")
	// fmt.Printf("%+v\n", metricsVO.Metrics)
	rand.Seed(time.Now().UTC().UnixNano())
	for i := 0; i < len(metricsVO.Metrics); i++ {
		a := 950 + (rand.Intn(100) - 50) // random measure A around 950
		b := 1000 + (rand.Intn(10) - 5)  // random measure B around 1000
		fmt.Println("csacam_"+metricsVO.Metrics[i].MetricID+
			" {authorization_boundary=\"foo\"} ", int(100*(float32(a)/float32(b))))
		fmt.Println("csacam_"+metricsVO.Metrics[i].MetricID+"_measureA"+
			" {authorization_boundary=\"foo\"} ", a)
		fmt.Println("csacam_"+metricsVO.Metrics[i].MetricID+"_measureB"+
			" {authorization_boundary=\"foo\"} ", b)
	}
	return
}
```
So where would this be stored internally? Within the example code provided by Raj we see:
```go
func GenerateMetricsRuntime() (metricsRuntimeVO MetricsRuntimeVO, err error) {
```
contains:
```go
metricsRuntimeVO.Measures = make([]MeasureRuntimeVO, 0)
metricsRuntimeVO.CustomerDomain.Domain = "continube.com"
metricsRuntimeVO.CustomerDomain.Org = "IT"
metricsRuntimeVO.CustomerDomain.Group = "security"
```
@rajkrishnamurthy, I think these are intended to be equivalent fields?
My sense is we could settle on a single field name and expect to pass that through the entire process.
We need to know how we will handle the Authorization Boundary "problem" without "trying to solve the problem".
Can we "tag" multiple authorization boundaries for a given measure or metric?
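As an added example (not code from this issue or the project), the following Go sketch shows one way to carry the boundary tag through to the exposition output while answering the multi-boundary question: a measure tagged with several authorization boundaries is emitted as one sample per boundary. The `Metric` type, the `csacam_` prefix and the `RenderSamples` function are assumptions made for this illustration; the label-value escaping and metric-name pattern follow the Prometheus text exposition format. Unlike plain string concatenation, it rejects metric IDs that would not be valid metric names and escapes quotes, backslashes and newlines in the boundary name, so a boundary value taken from configuration or a collector cannot break the output into extra lines.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Metric is a constructed type for this example: a measure identified by
// MetricID, tagged with every authorization boundary it belongs to.
type Metric struct {
	MetricID   string
	Boundaries []string
	Value      float64
}

// metricNameRe is the metric name pattern of the Prometheus text format.
var metricNameRe = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)

// escapeLabelValue applies the text-format escaping rules for label values:
// backslash, double quote and newline are escaped, in a single pass.
func escapeLabelValue(v string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)
	return r.Replace(v)
}

// RenderSamples emits one sample line per (metric, boundary) pair so a measure
// shared by several boundaries can be selected by any of them. Boundaries are
// sorted for deterministic output, and an invalid metric name is an error
// rather than a malformed line.
func RenderSamples(prefix string, m Metric) ([]string, error) {
	name := prefix + m.MetricID
	if !metricNameRe.MatchString(name) {
		return nil, fmt.Errorf("invalid metric name %q", name)
	}
	bounds := append([]string(nil), m.Boundaries...)
	sort.Strings(bounds)
	lines := make([]string, 0, len(bounds))
	for _, b := range bounds {
		lines = append(lines, fmt.Sprintf("%s{authorization_boundary=\"%s\"} %g",
			name, escapeLabelValue(b), m.Value))
	}
	return lines, nil
}

func main() {
	// Constructed sample: one measure that belongs to two boundaries.
	m := Metric{MetricID: "patch_coverage", Boundaries: []string{"prod", "dev"}, Value: 95}
	lines, err := RenderSamples("csacam_", m)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Emitting one sample per boundary keeps each boundary independently queryable, but a query that sums across all samples will count a shared measure once per boundary; if that matters, the alternative is a single sample with a joined `authorization_boundaries` label value, at the cost of per-boundary selection.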