OpenDRR / opendrr

Parent project for the OpenDRR Platform / Projet parent pour la plate-forme OpenDRR

Security Control SI-7 - Software, Firmware, and Information Integrity #130

Open jvanulde opened 2 years ago

jvanulde commented 2 years ago

a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected.

https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SI-7

Implement mechanisms to verify the integrity of software and data that is deployed to the GC Cloud. @anthonyfok I know you've looked into this already for some assets so perhaps there is an issue related to this already. In any case, we need to enumerate the assets that need to have integrity verification and decide how to implement it. In general, this is a good practice. Not sure how to provide integrity verification for release assets, but that could be nice to have.

jvanulde commented 2 years ago

One strategy for the release assets might be to generate and add a checksums.txt file.
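
The checksums.txt strategy suggested above, as an added example that is not part of the issue thread or the OpenDRR code base: it writes a SHA-256 manifest in the line format `sha256sum -c` accepts, then reports assets that were modified, removed, or added since the manifest was written. The asset names and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "checksums.txt"  # file name suggested in the thread

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large release assets are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_manifest(release_dir: Path) -> None:
    """Write one '<hex digest>  <file name>' line per asset, sorted by name."""
    assets = sorted(p for p in release_dir.iterdir()
                    if p.is_file() and p.name != MANIFEST)
    lines = [f"{sha256_file(p)}  {p.name}\n" for p in assets]
    (release_dir / MANIFEST).write_text("".join(lines), encoding="utf-8")

def verify_manifest(release_dir: Path) -> dict:
    """Return asset names grouped as modified, missing, or unlisted."""
    expected = {}
    for line in (release_dir / MANIFEST).read_text(encoding="utf-8").splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    present = {p.name for p in release_dir.iterdir()
               if p.is_file() and p.name != MANIFEST}
    return {
        "modified": sorted(n for n in expected.keys() & present
                           if sha256_file(release_dir / n) != expected[n]),
        "missing": sorted(expected.keys() - present),
        "unlisted": sorted(present - expected.keys()),
    }

def demo() -> dict:
    """Constructed sample release: change one asset, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "data.csv").write_bytes(b"id,value\n1,2\n")
        (d / "model.gpkg").write_bytes(b"constructed sample bytes")
        write_manifest(d)
        (d / "data.csv").write_bytes(b"id,value\n1,3\n")   # modified after release
        (d / "model.gpkg").unlink()                        # removed after release
        (d / "extra.bin").write_bytes(b"not in manifest")  # added after release
        return verify_manifest(d)

if __name__ == "__main__":
    print(demo())
```

A checksums.txt published beside the assets catches corruption and accidental changes. Anyone able to replace an asset can usually replace the manifest as well, so detecting unauthorized changes needs the manifest to be signed or published through a separate channel.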