GSA / data.gov

Main repository for the data.gov service
https://data.gov

SSB Security Scans #3827

Closed jbrown-xentity closed 2 years ago

jbrown-xentity commented 2 years ago

User Story

In order to get on SSB, we need to perform a compliance scan for the stock AWS AMI and evaluate how far away we are.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

Leverage work previously done here: https://github.com/GSA/data.gov/issues/3776

Security Considerations (required)

Report scans here

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

Useful commands/scripts:

To install Inspec and download the benchmark:

curl -L https://github.com/dev-sec/cis-dil-benchmark/archive/refs/heads/master.zip > cis.zip
unzip cis.zip
# Official install docs: https://mitre-inspec-developer.netlify.app/installation/linuxinstall.html#option-1-package-installer
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
# Output to json
inspec exec cis-dil-benchmark-master --reporter json:/tmp/output.json
# Output to html
inspec exec cis-dil-benchmark-master --reporter html:/tmp/output.html

To aggregate Level 1 vs. Level 2 (pass vs. fail):

import json
import sys

if len(sys.argv) < 2:
    print(("Usage: python ami_results.py <json-to-analyze> \n"
           "    e.g. python ami_results.py stock_ami.json"))
    sys.exit(1)

# Load the report written by `inspec exec ... --reporter json:<file>`
with open(sys.argv[1], "r") as results:
    results_json = json.load(results)

level_1_pass = []
level_1_fail = []
level_2_pass = []
level_2_fail = []
unknown = []

# Bucket each control by its CIS level tag. A control is appended once per
# result, so a control with several results is counted several times, and
# any status other than 'passed' (including 'skipped') counts as a failure.
for i in results_json['profiles'][0]['controls']:
    if i['tags']['level'] == 1:
        for determination in i['results']:
            if determination['status'] == 'passed':
                level_1_pass.append(i)
            else:
                level_1_fail.append(i)
    elif i['tags']['level'] == 2:
        for determination in i['results']:
            if determination['status'] == 'passed':
                level_2_pass.append(i)
            else:
                level_2_fail.append(i)
    else:
        unknown.append(i)


def grade(passed, failed):
    """Percentage of passing results; 0.0 when a level produced no results."""
    total = len(passed) + len(failed)
    return len(passed) / total * 100 if total else 0.0


level_1_grade = grade(level_1_pass, level_1_fail)
level_2_grade = grade(level_2_pass, level_2_fail)
total_grade = grade(level_1_pass + level_2_pass, level_1_fail + level_2_fail)

print("Level 1 (pass): %d" % (len(level_1_pass)))
print("Level 1 (fail): %d" % (len(level_1_fail)))
print("Level 1 grade: %.2f%%" % (level_1_grade))
print("Level 2 (pass): %d" % (len(level_2_pass)))
print("Level 2 (fail): %d" % (len(level_2_fail)))
print("Level 2 grade: %.2f%%" % (level_2_grade))
print("Total grade: %.2f%%" % (total_grade))
# Every control in the benchmark should carry a level 1 or level 2 tag
assert len(unknown) == 0

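
Added example (not the issue's script): a per-control variant of the aggregation above that collapses each control's results to one verdict, keeps 'skipped' controls out of the denominator, and rejects controls without a level tag instead of silently collecting them. The report is a constructed sample in the shape of InSpec's JSON reporter output, with made-up control ids.

```python
# Added example, not the issue's script: grade an InSpec JSON report per
# control (any failed result fails the control; all-skipped is 'skipped')
# so multi-result controls and unevaluated checks do not distort the grade.
import json
from collections import Counter

# Constructed sample in the shape of `inspec exec ... --reporter json` output.
SAMPLE_REPORT = json.dumps({"profiles": [{"controls": [
    {"id": "cis-dil-benchmark-1.1.1", "tags": {"level": 1},
     "results": [{"status": "passed"}, {"status": "passed"}]},
    {"id": "cis-dil-benchmark-1.1.2", "tags": {"level": 1},
     "results": [{"status": "passed"}, {"status": "failed"}]},
    {"id": "cis-dil-benchmark-1.1.3", "tags": {"level": 1},
     "results": [{"status": "skipped"}]},
    {"id": "cis-dil-benchmark-4.1.1", "tags": {"level": 2},
     "results": [{"status": "passed"}]},
    {"id": "cis-dil-benchmark-4.1.2", "tags": {"level": 2},
     "results": [{"status": "passed"}]},
]}]})

def control_status(control):
    """Collapse a control's results to one verdict: 'failed' if any result
    failed, 'skipped' if there are none or all were skipped, else 'passed'."""
    statuses = [r["status"] for r in control.get("results", [])]
    if "failed" in statuses:
        return "failed"
    if not statuses or all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"

def grade_report(report_json):
    """Return {level: {passed, failed, skipped, grade}}; grade is
    passed / (passed + failed) * 100, None when nothing was scored."""
    report = json.loads(report_json)
    counts = {}
    for control in report["profiles"][0]["controls"]:
        level = control["tags"].get("level")
        if level not in (1, 2):  # surface untagged controls instead of hiding them
            raise ValueError(f"control {control['id']} has no CIS level tag")
        counts.setdefault(level, Counter())[control_status(control)] += 1
    summary = {}
    for level, c in sorted(counts.items()):
        scored = c["passed"] + c["failed"]
        grade = round(c["passed"] / scored * 100, 2) if scored else None
        summary[level] = {"passed": c["passed"], "failed": c["failed"],
                          "skipped": c["skipped"], "grade": grade}
    return summary

if __name__ == "__main__":
    print(json.dumps(grade_report(SAMPLE_REPORT), indent=2))
```
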
nickumia-reisys commented 2 years ago

Aggregate Results in Google Drive.

AMI Scan in S3 Bucket on cloud.gov, management:ami-scans

nickumia-reisys commented 2 years ago

The result from this is the creation of the following two issues,

We have submitted upstream tickets for deviations from the current benchmark settings,

We think we will be able to accept the GSA ISE-Hardened AMI if we figure out where our performance hits are coming from. It was determined that the deviation from the Amazon Stock AMI was too much to be able to use it.

hkdctol commented 2 years ago

Sprint 05262022