
5gSec BluePrints

Open daemon1024 opened this issue 1 year ago • 3 comments

| 5G Deployment Systems | Security BluePrint | Network Security BluePrint | Admission Controller BluePrint |
| --- | --- | --- | --- |
| Open5gs | Link | TODO | TODO |
| OAI RIC | | | |
| OAI RAN | | | |
| Free5GC | | | |
| SDRAN | | | |
| SMO | | | |

  • Network BluePrint - Check Internet
  • RIC/RAN
  • Operationalise through ArtifactHub

Doc: https://docs.google.com/spreadsheets/d/1dQoqE3OoSIb2mUKtGFdFdlcl6CMEu0AFgG95qnaXBqQ/edit?gid=0#gid=0

daemon1024, Sep 04 '24 03:09

Design + POC as a NIMBUS Report

PrimalPimmy, Nov 11 '24 04:11

5G Blue print details and layout: https://docs.google.com/spreadsheets/d/1zYeOVeaiILnIg1U08mu69ZqhVmlrGnmM-QGV4-tjeb8/edit?usp=sharing

We are going to be using Kubescape CLI and regolibrary to generate blueprint checks. Action items:

  • [ ] Add in rego rules for the checkpoints (only first two for demo):
    • [x] Network Policy for Ingress and Egress pods
    • [x] Kubearmor Policies
    • [ ] TLS (more on this later)
    • [ ] Kyverno Policies
  • [x] Modify Kubescape fork to add SERAN logo and change control documentation link
  • [x] Find a way to input workload and sensitive asset input yaml through the CI into the regolibrary

PrimalPimmy, Dec 09 '24 12:12

  • [x] Add in rego rules/controls for all necessary security checks:
    • [x] Network Policy for Ingress and Egress pods, including checking of the to/from pod names defined in the WorkloadConfig
    • [x] Kubearmor Policies including the checks that all sensitive assets are protected.
    • [ ] TLS (K8tls will need a feature to generate report as a K8s resource)
    • [x] Kyverno Policies
  • [ ] Network Micro-Segmentation demo for Network Policies, including Multi Cluster Network Policies
  • [ ] Actions Items for Kubescape and Regolibrary:
    • [x] Change name of the project Kubescape to something related to SERAN.
    • [ ] Automate blueprint controls generation and usage within the CLI instead of manually exporting it.
    • [ ] Add in whitelisting feature so that we can only focus on OAI RAN and CORE workloads (currently we can only blacklist using exceptions)
    • [ ] Better Report UI (?)
    • [ ] Change project name to SERAN related
  • [ ] Deploy reports generator as a controller/job (?)

PrimalPimmy, Dec 23 '24 13:12
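The Network Policy checkpoint in the comments above (every workload pod covered for both Ingress and Egress, and the to/from pod names from the WorkloadConfig actually admitted by a policy) can be expressed as a Rego policy in the style regolibrary controls use. The block below is an added example written for this page; it is not code from the Nimbus repository, regolibrary or Kubescape. The input layout (`input.pods`, `input.networkpolicies`, `input.workloadConfig` with `name`, `namespace`, `allowFrom`, `allowTo`) is an assumption, not the project's schema, and only `podSelector` peers are evaluated (namespace selectors and `ipBlock` peers are ignored here).

```rego
# Added example: Network Policy blueprint check for a SERAN-style workload config.
# Not from Nimbus/regolibrary/Kubescape; input shape is assumed (see comments).
package seran.blueprint.networkpolicy

import rego.v1

# Assumed WorkloadConfig shape (hypothetical, not the project's schema):
#   input.workloadConfig = [{"name": "amf", "namespace": "core",
#                            "allowFrom": ["gnb"], "allowTo": ["smf"]}]
# input.pods and input.networkpolicies are plain Kubernetes objects.

# A selector matches a pod when every matchLabels pair is present on the pod.
# An empty or absent matchLabels selects every pod, as in Kubernetes.
selector_matches(selector, pod) if {
	labels := object.get(selector, "matchLabels", {})
	every k, v in labels {
		pod.metadata.labels[k] == v
	}
}

# NetworkPolicies that select the given pod within its namespace.
policies_for(pod) := {np |
	some np in input.networkpolicies
	np.metadata.namespace == pod.metadata.namespace
	selector_matches(np.spec.podSelector, pod)
}

pod_by_name(ns, name) := pod if {
	some pod in input.pods
	pod.metadata.namespace == ns
	pod.metadata.name == name
}

# A policy declares a direction when it lists it in spec.policyTypes.
declares(np, direction) if {
	some t in object.get(np.spec, "policyTypes", [])
	t == direction
}

any_declares(policies, direction) if {
	some np in policies
	declares(np, direction)
}

# A peer pod is admitted by a policy when some ingress "from" (or egress "to")
# entry carries a podSelector matching that peer. Entries without a podSelector
# (ipBlock / namespaceSelector only) are deliberately not treated as admission.
peer_admitted(np, rules_key, peer_key, peer) if {
	some rule in object.get(np.spec, rules_key, [])
	some p in object.get(rule, peer_key, [])
	selector_matches(p.podSelector, peer)
}

some_admits(policies, rules_key, peer_key, peer) if {
	some np in policies
	peer_admitted(np, rules_key, peer_key, peer)
}

# Finding 1: a configured workload pod does not exist in the cluster input.
deny contains msg if {
	some cfg in input.workloadConfig
	not pod_by_name(cfg.namespace, cfg.name)
	msg := sprintf("%s/%s: workload pod from WorkloadConfig not found", [cfg.namespace, cfg.name])
}

# Finding 2: the workload is not covered by a policy for both Ingress and Egress.
deny contains msg if {
	some cfg in input.workloadConfig
	pod := pod_by_name(cfg.namespace, cfg.name)
	some direction in {"Ingress", "Egress"}
	not any_declares(policies_for(pod), direction)
	msg := sprintf("%s/%s: no NetworkPolicy declares policyType %s", [cfg.namespace, cfg.name, direction])
}

# Finding 3: an allowFrom peer named in the WorkloadConfig is not admitted by any
# ingress rule of a policy covering the workload.
deny contains msg if {
	some cfg in input.workloadConfig
	pod := pod_by_name(cfg.namespace, cfg.name)
	some peer_name in object.get(cfg, "allowFrom", [])
	peer := pod_by_name(cfg.namespace, peer_name)
	not some_admits(policies_for(pod), "ingress", "from", peer)
	msg := sprintf("%s/%s: ingress from %s is not permitted by any NetworkPolicy", [cfg.namespace, cfg.name, peer_name])
}

# Finding 4: the symmetric egress check for allowTo peers.
deny contains msg if {
	some cfg in input.workloadConfig
	pod := pod_by_name(cfg.namespace, cfg.name)
	some peer_name in object.get(cfg, "allowTo", [])
	peer := pod_by_name(cfg.namespace, peer_name)
	not some_admits(policies_for(pod), "egress", "to", peer)
	msg := sprintf("%s/%s: egress to %s is not permitted by any NetworkPolicy", [cfg.namespace, cfg.name, peer_name])
}
```

With the pods, NetworkPolicies and WorkloadConfig assembled into one `input.json`, the findings can be listed with `opa eval -i input.json -d policy.rego 'data.seran.blueprint.networkpolicy.deny'`; an empty set means the checkpoint passes. The check is intentionally strict about what counts as admission: a `from`/`to` entry that lacks a `podSelector` does not satisfy the WorkloadConfig, so a policy that opens ingress to a whole namespace is reported rather than silently accepted.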