Scan system for malicious code

[theathorn]

..according to SI-3. This is only run by ITS on Windows and Mac OS operating machines.

Open questions:
What about Linux machines not managed by ITS?

Assignee should focus on Azul measures.

[theathorn]

Per the Information Integrity Procedure, SI-03:

Configures malicious code protection mechanisms to: Perform periodic scans of the information system [FedRAMP Assignment: at least weekly] and real-time scans of files from external sources at [FedRAMP Assignment: to include endpoints] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [FedRAMP Assignment: to include alerting administrator or defined security personnel] in response to malicious code detection.

[melainalegaspi]

@hannes-ucsc to spike for design.

[melainalegaspi]

@hannes-ucsc : "PR #3672 for #3614 partially implements this. Need to figure out what else we need to do."

[hannes-ucsc]

• 4031

  moves primary Docker images (those used used on the GitLab host) to ECR

• 4032

  ensures that the build in the GitLab web app and runner containers only use images from ECR or the built-in GitLab registry, but not DockerHub

• 4033

  makes sure that all Python dependencies are part of the source tree and are not pulled from PyPI during CI/CD builds on GitLab

• 3614

  scans the GitLab instance file system with ClamAV

• 4189

  Additionally scans the GitLab instance using Amazon Inspector and the SSM agent running on the instance

• 4177

  Scans the Docker images in ECR using Amazon Inspector

• 4400

  scans the source code and the final Lambda package ZIP (the deployed code) for malicious code

[nolunwa-ucsc]

@hannes-ucsc Malware protection is now a feature of Amazon GuardDuty this was introduced last week during re-invent. sharing the blog post and youtube video for team to investigate. https://www.youtube.com/watch?v=9wCxAZtrjpw&t=835s

[nolunwa-ucsc]

Blog Post https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html

[melainalegaspi]

@hannes-ucsc :"I will review this blog post and decide whether it requires additional changes to our implementation plan."

[hannes-ucsc]

Reviewed blog post and created #4401 to track scanning with GuardDuty. A spike on that ticket will evaluate feasibility. If it works, we can close #4189 as obsolete.

[hannes-ucsc]

Moved remaining children to the parent epic.