Closed theathorn closed 1 year ago
Per the Information Integrity Procedure, SI-03:
Configures malicious code protection mechanisms to: Perform periodic scans of the information system [FedRAMP Assignment: at least weekly] and real-time scans of files from external sources at [FedRAMP Assignment: to include endpoints] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [FedRAMP Assignment: to include alerting administrator or defined security personnel] in response to malicious code detection.
@hannes-ucsc to spike for design.
@hannes-ucsc : "PR #3672 for #3614 partially implements this. Need to figure out what else we need to do."
moves primary Docker images (those used on the GitLab host) to ECR
ensures that the build in the GitLab web app and runner containers only use images from ECR or the built-in GitLab registry, but not DockerHub
makes sure that all Python dependencies are part of the source tree and are not pulled from PyPI during CI/CD builds on GitLab
scans the GitLab instance file system with ClamAV
Additionally scans the GitLab instance using Amazon Inspector and the SSM agent running on the instance
Scans the Docker images in ECR using Amazon Inspector
scans the source code and the final Lambda package ZIP (the deployed code) for malicious code
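The second and third items above (builds on GitLab may use only images from ECR or the built-in GitLab registry, never DockerHub) are the kind of rule that is easy to state and easy to regress on. Below is an added example of a lint that enforces it, written for this page and not part of Azul or any of the PRs referenced here. It parses `FROM` lines of a Dockerfile and `image:` lines of a `.gitlab-ci.yml` using Docker's own rule for telling a registry host apart from a DockerHub repository name (the first path component counts as a registry only if it contains a `.` or `:` or is `localhost`). The ECR account, region and GitLab hostname in the allow-list, and both sample files, are placeholders constructed for the example.

```python
"""Lint container image references against an allow-list of registries.

Added example for this issue, not project code. The registry hostnames and
the two sample files are constructed placeholders.
"""
import re

# Assumed allow-list: ECR account id, region and GitLab host are placeholders.
ALLOWED_REGISTRIES = (
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "registry.gitlab.example.com",
)

# FROM [--platform=...] <ref> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# image: <ref>   (scalar form only; the mapping form `image:\n  name:` and
# `services: - name:` entries are not handled by this example)
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?(?P<ref>[^'\"\s#]+)")


def registry_of(ref):
    """Registry host of an image reference; 'docker.io' when none is given.

    Docker treats the first component as a registry only when the reference
    contains a '/' and that component has a '.' or ':' or is 'localhost'.
    Without the '/' guard, 'ubuntu:22.04' would look like host:port.
    """
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_dockerfile(text):
    """Return (line_no, ref, registry) for FROM lines outside the allow-list.

    'scratch' and earlier stage aliases are not registry pulls and are
    skipped. A reference that is a build argument cannot be resolved here
    and is reported so a human reviews it rather than silently passing.
    """
    violations, aliases = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            aliases.add(m.group("alias").lower())
        if ref.lower() == "scratch" or ref.lower() in aliases:
            continue
        if ref.startswith("$"):
            violations.append((no, ref, "unresolved build argument"))
            continue
        reg = registry_of(ref)
        if reg not in ALLOWED_REGISTRIES:
            violations.append((no, ref, reg))
    return violations


def check_gitlab_ci(text):
    """Return (line_no, ref, registry) for `image:` lines outside the allow-list."""
    violations = []
    for no, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        reg = registry_of(ref)
        if reg not in ALLOWED_REGISTRIES:
            violations.append((no, ref, reg))
    return violations


# Constructed sample inputs, not files from the project.
SAMPLE_DOCKERFILE = """\
# constructed sample Dockerfile
ARG BASE=python:3.11-slim
FROM --platform=linux/amd64 123456789012.dkr.ecr.us-east-1.amazonaws.com/python:3.11-slim AS builder
FROM docker.io/library/alpine:3.19
FROM ubuntu:22.04
FROM builder AS final
FROM scratch
"""

SAMPLE_GITLAB_CI = """\
# constructed sample .gitlab-ci.yml
default:
  image: registry.gitlab.example.com/group/ci-base:latest
test:
  image: "python:3.11"
  script:
    - make test
build:
  image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/docker:24-cli
"""

if __name__ == "__main__":
    for name, result in (("Dockerfile", check_dockerfile(SAMPLE_DOCKERFILE)),
                         (".gitlab-ci.yml", check_gitlab_ci(SAMPLE_GITLAB_CI))):
        for no, ref, reg in result:
            print(f"{name}:{no}: {ref!r} resolves to {reg}, not an approved registry")
```

Running it on the two samples reports the bare `ubuntu:22.04`, the explicit `docker.io/...` reference and the quoted `python:3.11` CI image, while the ECR image, the `builder` stage alias and `scratch` pass. A CI job that fails on a non-empty result is a cheap guard for the ECR-only rule; it does not replace the Inspector scans of the images themselves.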
@hannes-ucsc Malware protection is now a feature of Amazon GuardDuty; this was introduced last week during re:Invent. Sharing the blog post and YouTube video for the team to investigate. https://www.youtube.com/watch?v=9wCxAZtrjpw&t=835s
@hannes-ucsc :"I will review this blog post and decide whether it requires additional changes to our implementation plan."
Reviewed blog post and created #4401 to track scanning with GuardDuty. A spike on that ticket will evaluate feasibility. If it works, we can close #4189 as obsolete.
Moved remaining children to the parent epic.
..according to SI-3. This is only run by ITS on machines running Windows and macOS.
Open questions:
What about Linux machines not managed by ITS?
Assignee should focus on Azul measures.