defenseunicorns / uds-identity-config

https://uds.defenseunicorns.com/core/identity/
GNU Affero General Public License v3.0
0 stars 1 forks source link

Incorporate IDP password STIG rules to uds-core baseline #140

Closed bm54cloud closed 4 months ago

bm54cloud commented 4 months ago

Is your feature request related to a problem? Please describe.

UDS-core incorporates Keycloak as the default IdP. The HNCD team has obtained an Elastic STIG directly from Elastic (not yet available on DoD website) that includes several rules relating to IdP settings, which in our case and UDS-core's case is Keycloak. Of the 66 rules related to Keycloak, we have identified 8 that can be easily incorporated into the UDS-core baseline. The proactive approach of incorporating these rules into the UDS-core baseline ensures the baseline is more secure and STIG compliant. This also decreases the amount of STIG remediation scripts that have to be run after deployment to make our mission deployments STIG compliant.

Describe the solution you'd like

In uds-identity-config/src/realm.json we propose the following changes (see attached PR):

Describe alternatives you've considered

An alternative would be to leave these as is, and the HNCD will incorporate these changes into a post-deployment STIG remediation script. This is our current workflow for making our Ubuntu OS STIG compliant, however, we have found that it adds significant additional startup time and can lead to race conditions.

Additional context

Please see attached files for the STIG acquired directly from Elastic. The .cklb STIG checklist is not able to be attached here due to GitHub file type restrictions, but it can be emailed and then viewed in STIG Viewer 3.

Elasticsearch 8.0 Hardening Guide Application Server SRG V3R1.pdf Elasticsearch 8.0 Hardening Guide Central Log Server SRG V2R1.pdf

UnicornChance commented 4 months ago

Merged into main, will close once incorporated into uds-core baseline.

mjnagel commented 4 months ago

Looks like the identity-config update is lumped into this keycloak renovate PR on core. Might make sense to split off the config image update and get that merged in for the next core release.

UnicornChance commented 4 months ago

Changes now in main, will be in next core release.