adborden
commented
3 years ago I suggest we treat this as a 3 day research story.... although it already looks bigger than 3 days of research.
Open mogul opened 4 years ago
adborden
commented
3 years ago I suggest we treat this as a 3 day research story.... although it already looks bigger than 3 days of research.
User Story
In order to satisfy the requirements of NIST 800-53 Rev4 SI-3 for data.gov components running in cloud.gov, the data.gov team wants to achieve malicious code detection at the application instance level by implementing a malware-detection sidecar buildpack.
Acceptance Criteria
cf run-task\ THEN we see the malware-detection definitions file get updated in the instancecf run-task\ THEN we see detection of the EICAR sample in the application logs \ AND we see an alert in the #datagov-alerts Slack channelBackground
Sidecar buildpacks enable the implementation of application level detection of malicious code in Cloud Foundry apps. We should use this capability to fill this compliance gap for data.gov and potentially many other cloud.gov tenants.
Security Considerations (required)
This change implements the description from control SI-3 in the data.gov SSP.
Sketch/options to consider
Options for malware detection:
Try out LMD by hand...
A sidecar would be the ideal way to configure Monit+LMD for apps. We can make a malware-detection sidecar buildpack which would enable any team to add this capability just by prepending it to their buildpack list.
Here's the bare-minimum sidecar buildpack example. Stark and Wayne provided a great sidecar buildpack sample to build upon.
Use Monit to invoke the actual scan and alert the #datagov-alerts channel via email if problems are found.
Also take the opportunity to evaluate including AIDE or an equivalent in the sidecar to meet the needs of control SI-4(5), making a new issue if needed.
Contingency/fallback: Stick with restarting apps every X minutes.