
Contribution Request : OSCAL example that points to MITRE and describes tests using Gherkin

Open mcleo-d opened this issue 2 years ago • 10 comments

Description

During #5 the following requests were raised by the CCC MITRE working group.

  • [ ] Can Citi contribute an existing OSCAL example that can be used as a reference by the MITRE working group?

    • This example could be used to inform further MITRE contributions through OSCAL.
    • Can this contribution be raised as a PR into the CCC repo?
  • [ ] The work related to Storage ( object storage ) [AWS S3, gcp storage, azure object storage] is complete and ready to be contributed into the FINOS CCC repo

    • https://github.com/finos/common-cloud-controls/issues/11#issuecomment-1729746032

--- Update ---

The following item has been moved into its own separate issue as it creates a larger scope.

  • Gherkin should be used as a Behaviour Test rather than a Configuration Test.
    • Can an example of this type of test be expanded upon during a relevant future call?

mcleo-d avatar Aug 31 '23 14:08 mcleo-d

Example that was worked through with @git-hub-forwork1 and MITRE team on #24

Storage ( object storage ) [AWS S3, gcp storage, azure object storage]

Encryption

  • Support for native encryption (platform KMS/HSM)
  • Algo supported
  • FIPS-140 compliance for module
  • In-transit at rest
  • TLS-MA

RBAC

  • Service Specific policy
  • IAM policy
  • Other special policy (CORS, etc..)
  • Network scope restriction
  • Data perimeter

Network boundaries

  • How do I restrict service to specific implementation (expected network) ( VPC, account, etc…)

IAM boundaries PAM Activity Logging

mcleo-d avatar Sep 21 '23 14:09 mcleo-d

confirming with legal that we can contribute, will report back

jonmuk avatar Oct 01 '23 14:10 jonmuk

The following is work done by @smendis-scottlogic in the Taxonomy working group to provide @eddie-knight with Common Features in RDS across AWS, Azure & GCP.

  • https://github.com/finos/common-cloud-controls/pull/39#discussion_r1356880413

Common Features in RDS across AWS, Azure & GCP by @smendis-scottlogic

  1. Supports SQL queries.
  2. Options for vertical scaling (Increase/Decrease size of the database)
  3. Read replicas to improve scalability.
  4. Geo-replication for high availability and fault tolerance
  5. Capability for deploying databases in multiple regions.
  6. Automated backup options
  7. Point-in-time recovery options.
  8. Data encryption at rest
  9. Data encryption in transit
  10. Identity based access control.
  11. Logging capabilities.
  12. Ability to monitor/alert based on metrics.

mcleo-d avatar Oct 19 '23 11:10 mcleo-d

Not sure of the best way to collaborate on this but a brief set of examples below, with some gherkin for discussion around whether this contains the right content. cc @smendis-scottlogic @eddie-knight

Happy to take guidance as to how to continue, the level of depth needed and the correct use of gherkin syntax.

Common Features in RDS across AWS, Azure & GCP by @smendis-scottlogic

  1. Supports SQL queries.

```gherkin
Scenario: T1190 Exploit Public Facing application
  # ~~Scenario: T1059 Command and Scripting Interpreter~~
  Given SQL query access to an RDS instance
  When An attacker is able to input data that features a meta character
  And Can craft the injection of a SQL Query
  Then SQL injection attack is successful
  And the confidentiality, integrity, availability of the database is affected.
```

```gherkin
Scenario: T1078 Valid Accounts
  Given An RDS Instance
  And Authentication credentials
  And SQL Query Interface
  When Authentication Credential is compromised
  Then Attacker gains unauthorised access to the RDS Instance
```

  2. Options for vertical scaling (Increase/Decrease size of the database)
  3. Read replicas to improve scalability.
  4. Geo-replication for high availability and fault tolerance
  5. Capability for deploying databases in multiple regions.
  6. Automated backup options

```gherkin
Scenario: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
  Given An RDS Instance
  And An RDS administrator Role
  When An on Demand Backup/Snapshot is requested by the administrator
  And The backup destination is in a cloud storage resource outside of the organisation's control
  And the request is successful
  Then Database data has been exfiltrated from the organisation.
```

  7. Point-in-time recovery options.
  8. Data encryption at rest
  9. Data encryption in transit
  10. Identity based access control.
  11. Logging capabilities.
  12. Ability to monitor/alert based on metrics.

Will start adding other examples for discussion later

rowan-baker avatar Oct 19 '23 16:10 rowan-baker
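The scenarios above describe attacker outcomes in Gherkin; the thread's earlier point was that Gherkin should express a behaviour test of a control rather than a configuration check. The following is an added example (not code from the issue thread or the CCC repo) showing how the T1567.002 snapshot-export scenario could become an executable behaviour test: a minimal Gherkin-style step runner drives a hypothetical data-perimeter control, `request_snapshot_export`, over a constructed in-memory `RdsInstance`. The account ids, role name and step wording are all constructed for illustration and are not tied to any real cloud API.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RdsInstance:
    """Constructed in-memory stand-in for a managed relational database."""
    name: str
    trusted_accounts: frozenset            # the organisation's data perimeter
    exports: list = field(default_factory=list)     # destinations that received data
    audit_log: list = field(default_factory=list)   # every request, allowed or not


def request_snapshot_export(db, requester_role, destination_account):
    """Hypothetical control under test: a backup/snapshot may only be copied
    to an account inside the data perimeter, and every request is logged."""
    allowed = destination_account in db.trusted_accounts
    db.audit_log.append({"role": requester_role, "dest": destination_account,
                         "allowed": allowed})
    if allowed:
        db.exports.append(destination_account)
    return allowed


# Constructed feature text: the behaviour expected of the control, written so
# that the "Then" steps assert what the control must do, not what an attacker achieves.
FEATURE = """
Scenario: T1567.002 export to storage outside the data perimeter is blocked
  Given an RDS instance trusted for accounts 111111111111 and 222222222222
  And an administrator role
  When the administrator requests a snapshot export to account 999999999999
  Then the export is denied
  And no data leaves the organisation

Scenario: export inside the data perimeter is allowed
  Given an RDS instance trusted for accounts 111111111111 and 222222222222
  And an administrator role
  When the administrator requests a snapshot export to account 222222222222
  Then the export is allowed
"""

STEPS = []  # (compiled regex, step function) pairs, matched against step text


def step(pattern):
    """Register a step definition, in the style of behave/pytest-bdd decorators."""
    def register(fn):
        STEPS.append((re.compile(pattern), fn))
        return fn
    return register


@step(r"an RDS instance trusted for accounts (\d+) and (\d+)")
def given_instance(ctx, a, b):
    ctx["db"] = RdsInstance("orders-db", frozenset({a, b}))


@step(r"an administrator role")
def given_admin(ctx):
    ctx["role"] = "rds-admin"


@step(r"the administrator requests a snapshot export to account (\d+)")
def when_export(ctx, dest):
    ctx["result"] = request_snapshot_export(ctx["db"], ctx["role"], dest)


@step(r"the export is (allowed|denied)")
def then_result(ctx, expected):
    assert ctx["result"] is (expected == "allowed"), f"expected {expected}"


@step(r"no data leaves the organisation")
def then_no_exfil(ctx):
    assert ctx["db"].exports == []
    assert ctx["db"].audit_log[-1]["allowed"] is False  # denied attempt still logged


def run_feature(text):
    """Tiny Gherkin runner: returns {scenario name: True if every step passed}."""
    results, ctx, name = {}, None, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scenario:"):
            name, ctx = line[len("Scenario:"):].strip(), {}
            results[name] = True
            continue
        text_part = re.sub(r"^(Given|When|Then|And|But)\s+", "", line)
        for pattern, fn in STEPS:
            m = pattern.fullmatch(text_part)
            if m:
                try:
                    fn(ctx, *m.groups())
                except AssertionError:
                    results[name] = False
                break
        else:
            raise ValueError(f"no step definition for: {line}")
    return results


if __name__ == "__main__":
    for scenario, passed in run_feature(FEATURE).items():
        print(("PASS" if passed else "FAIL"), scenario)
```

The point of the shape is that the "Then" steps are assertions on observable behaviour (the export is refused, nothing lands outside the perimeter, the attempt is still in the audit log), so the same feature text could be pointed at a real control by swapping the step bodies without changing the scenario.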

I took a stab at the taxonomy specific elements in #72. I'm hoping that's a good place for us to compile some of this discussion now that we're getting into execution mode.

eddie-knight avatar Oct 20 '23 04:10 eddie-knight

@eddie-knight - this looks good.

@mark-rushing @moematar @simonzhangbmo @vicenteherrera - what do you think? Are you okay with this and should we merge #72 ?

AdrianHammond avatar Oct 24 '23 07:10 AdrianHammond

It looks great! Think it would be good to run services/database/relational/rdms-taxonomy.feature past the other two working groups <- @jonmuk @git-hub-forwork1

mark-rushing avatar Oct 24 '23 16:10 mark-rushing

@mark-rushing @jonmuk @git-hub-forwork1 - @eddie-knight has resubmitted new PR #82 as original PR closed and could not be reopened. Are you okay if I merge this PR and then we iterate on it? Eddie is presenting in NYC next week and it would be useful to have the initial view of the taxonomy in the repo. Thanks

AdrianHammond avatar Oct 25 '23 14:10 AdrianHammond

In #91 the working group agreed to review pull request https://github.com/finos/common-cloud-controls/pull/89 to close this issue as part of milestone https://github.com/finos/common-cloud-controls/milestone/4

The definition of done to answer is ...

  • Can Citi contribute an existing OSCAL example that can be used as a reference by the MITRE working group?
    • This example could be used to inform further MITRE contributions through OSCAL.
    • Can this contribution be raised as a PR into the CCC repo?

mcleo-d avatar Nov 16 '23 15:11 mcleo-d

Is Gherkin the only contender here? Or are there other options?

rgriffiths-scottlogic avatar Dec 21 '23 15:12 rgriffiths-scottlogic

This issue will be closed as stale in 7 days. Please update this issue if it is still needed.

github-actions[bot] avatar Jul 10 '24 22:07 github-actions[bot]

Closed as stale. An update may reopen this issue.

github-actions[bot] avatar Jul 17 '24 22:07 github-actions[bot]