{"component-definition":{"uuid":"4DEDC09C-B2ED-407B-82C6-229F77DDDC8C","metadata":{"title":"Big Bang","parties":[{"name":"Platform One","type":"organization","uuid":"72134592-08C2-4A77-ABAD-C880F109367A","links":[{"rel":"website","href":"https://p1.dso.mil"}]}],"version":"1.39.0","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"593b5506-332e-4b47-bece-3140a5b314bb"}],"last-modified":"2022-06-06T15:26:59.676009+00:00","oscal-version":"1.0.4"},"components":[{"type":"software","uuid":"81F6EC5D-9B8D-408F-8477-F8A04F493690","title":"Istio Controlplane","purpose":"Istio Service Mesh","description":"Istio Service Mesh\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-8BAD-C880F109367A"]}],"control-implementations":[{"uuid":"06717F3D-CE1E-494C-8F36-99D1316E0D13","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"1822457D-461B-482F-8564-8929C85C04DB","control-id":"ac-3","description":"Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice.  Istio is configured to only allow access to applications if they have a valid JWT,  denying access by default. Applications that do not use Authservice do not have these policies."},{"uuid":"D7717A9B-7604-45EF-8DCF-EE4DF0417F9C","control-id":"ac-4","description":"All HTTP(S) connections into the system via Istio ingress gateways and throughout the system with Istio sidecars."},{"uuid":"1D1E8705-F6EB-4A21-A24F-1DF7427BA491","control-id":"ac-4.4","description":"All encrypted HTTPS connections are terminated at the istio ingress gateway."},{"uuid":"CD1315BF-91FE-490A-B6A6-5616690D78A8","control-id":"ac-6.3","description":"Can be configured with an \"admin\" gateway to restrict access to applications that only need sysadmin access. Not standard in BB itself though."},{"uuid":"6109E09A-8279-44AB-8CA4-2051AF895648","control-id":"ac-14","description":"Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these policies."},{"uuid":"9B6BA674-E6ED-4FB6-B216-3C8733F36411","control-id":"au-2","description":"Istio provides access logs for all HTTP network requests, including mission applications."},{"uuid":"D3CBC898-F938-4FAA-B1B1-2597A69B5600","control-id":"au-3","description":"By default, Istio uses the Common Log Format with additional information for access logs. The default configuration does not include the identity of individuals associated with the event."},{"uuid":"D01F6B2D-F18E-47E9-94DC-95C0B5675E13","control-id":"cm-5","description":"Configured via Kubernetes resources. Inherited from cluster and flux/ArgoCD."},{"uuid":"6370B2DA-1E35-4916-8591-91FB9EDBE72B","control-id":"cm-8","description":"Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali."},{"uuid":"AB9189FF-34E2-4D7E-8018-EB346C7AE967","control-id":"cm-8.1","description":"Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali. The inventory is automatically and continuously updated."},{"uuid":"A740C741-23B4-4ED9-937C-E0276A9B92EE","control-id":"cm-8.2","description":"Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali. The inventory is automatically and continuously updated."},{"uuid":"61615706-5395-4168-8AD0-5C4ACBCC5D7E","control-id":"ia-2","description":"Istio RequestAuthentication and AuthorizationPolicies are applied after Authservice. Istio is configured to only allow access to applications if they have a valid JWT, denying access by default. Applications that do not use Authservice do not have these policies."},{"uuid":"3004BB1D-0F50-48F1-ABFE-40CC522B1C15","control-id":"ia-4","description":"Istio uses Kubernetes namespaces and resource names to identifiy workloads in the service mesh. This provides management of identifiers for all services in the cluster."},{"uuid":"FE110D6B-CCB5-41E8-B2DE-287ED843D417","control-id":"ia-9","description":"Istio registers all workload identities in the service mesh. The identity is transmitted in the mTLS certificate when establishing communication between services, and is validated by Istio sidecars."}]}]},{"type":"software","uuid":"50EE9EB1-0DA4-411C-8771-AA1725B27E22","title":"Jaeger","purpose":"Implementation of Service Mesh","description":"An open source, end-to-end distributed tracing system\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-8542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by jaeger for inheritance by applications","implemented-requirements":[{"uuid":"1822457D-461B-482F-8564-8929C85C04DA","control-id":"si-4.4","description":"Jaeger is used, in conjunction with Istio configurations, to collect and aggregate network communications within the system.  This allows the moniotiring of inbound/outbound traffic and payloads within the deployed environment."}]}]},{"type":"software","uuid":"A97D1364-BA7F-46AA-ADE6-1998E846E125","title":"Kiali","purpose":"Observibility into Istio Service Mesh","description":"A management console for Istio Service Mesh\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"6EC9C476-9C9D-4EF6-854B-A5B799D8AED1","control-id":"si-4.10","description":"Kiali provides visibility into mTLS settings of all Istio traffic in the cluster."}]}]},{"type":"software","uuid":"4045FB97-C11A-4F3B-A021-FD94538F0356","title":"Cluster Auditor","purpose":"Display policy violations","description":"Aggregator of policy violtions in environment\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"FD81FE18-FF28-4150-B05D-8001488282BC","control-id":"ac-6.9","description":"Cluster Auditor provides a record of policy violiations identified by OPA Gatekeeper to the Monitoring stack"},{"uuid":"CDA82D9B-70DC-469A-BE63-43DDA26DE6F2","control-id":"au-2","description":"Cluster Auditor has identified policy violations as events that are recorded."},{"uuid":"B381423A-46E9-4E39-8B72-3ABBC46DE4B9","control-id":"ca-7","description":"Continuous monitoring of controls/violations of the system in accordance with the Control Assessment Plan "}]}]},{"type":"software","uuid":"8078c070-2d5b-44b8-8fd1-47797fa12c6d","title":"OPA Gatekeeper","purpose":"Monitors existing clusters, detects policy violations, and also acts as a customizable Kubernetes Admission Webhook","description":"An application which assists in enforcing, monitoring, and remediating policies in Kubernetes while strengthening governance of an environment. \n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by <component> for inheritance by applications","implemented-requirements":[{"uuid":"c89a52f1-4d60-4d4e-9c4c-7c5eb04fe21a","control-id":"au-2","description":"OPA Gatekeeper provides policy violations events to Cluster Auditor for event logging.   The list of policies being audited is/will be captured by the Policy Document in Gatekeeper's chart"},{"uuid":"c38f765f-b706-4810-96b6-2971f37122df","control-id":"au-3","description":"Gatekeeper provides the policy being violated, the timestamp of when it occured, the location (cluster/namespace), the object causing the violation and whether it was in warn or deny mode. "},{"uuid":"f856dc53-1c3a-428e-83ff-65723c325dac","control-id":"au-8","description":"Gatekeeper policies have timestamps assoicated to when the violation was found and identified.   By logging policy violations into log messages (via logDenies=true ),  these logs are also available in the logging framework"},{"uuid":"41b6ce08-5827-4e08-8ff4-1a61a2e378f8","control-id":"au-9","description":"Access to the Gatekeeper violations are managed by/inherited from the Kubernetes cluster"},{"uuid":"da7ff1f0-2a16-491c-8854-788cc46cef3c","control-id":"cm-1","description":"Provides enforcement of configuration management policy"},{"uuid":"ffb9f4b5-0bfe-4053-9e12-5657a1ceb0b9","control-id":"cm-7.5","description":"OPA Gatekeeper can prevent by default unauthorized changes to the system."},{"uuid":"07a4e16a-944b-4989-a6d8-057b545748d0","control-id":"cm-11","description":"Gatekeeper can provide the ability for end users to control the policies that allow for the installation of end-user software. It also provides the enforcement and monitoring"},{"uuid":"72d2434e-0dac-4267-8594-d2df5da6b22a","control-id":"sa-9","description":"Gatekeeper can ensure applications installed on the kubernetes cluster meet policy requirements for manfiests"}]}]},{"type":"software","uuid":"BE039F48-F418-4D86-BD5F-8CE8CBEAD91E","title":"Elasticsearch and Kibana","purpose":"Provides storage and UI for log aggregation in the cluster","description":"Deployment of Elasticsearch and Kibana for logging stack\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"31ED9374-C146-4B40-ABD5-537B24DBDCEF","control-id":"ac-6.9","description":"Elasticsearch stores and aggregates privilege function calls collected by fluentbt."},{"uuid":"373074CC-F1EA-40CB-AD17-DB8F199D0600","control-id":"au-4","description":"Underlying log storage is elastically scaleable."},{"uuid":"90FFF3BA-3E88-47AD-88B7-B50A92833A45","control-id":"au-5","description":"Kibana has the ability to alert based on events discovered in Elastic indecies"},{"uuid":"3230D443-A18C-4F9B-A0DE-DC89CE5D01C8","control-id":"au-5.1","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"98DE555D-1B90-475F-9C2E-954438172B39","control-id":"au-9","description":"Kibana provides ability to use Role Based Access Control to allow for the indexes that store audit logs to be restricted to just cluster administrators"},{"uuid":"6ED4D692-F65F-40AB-AC3F-C056C2F41BD9","control-id":"au-9.4","description":"Kibana provides ability to use Role Based Access Control to allow for the indexes that store audit logs to be restricted to just cluster administrators"}]}]},{"type":"software","uuid":"BE039F48-F418-4D86-BD5F-8CE8CBEAD91E","title":"Fluentbit","purpose":"Collects logs from the cluster","description":"Log collector\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"6358159C-2710-46EF-ACC5-39FD3117391D","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"D9D09567-C4C7-4DEA-921C-6318DF2F9331","control-id":"ac-6.9","description":"Fluentbit can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls."},{"uuid":"373074CC-F1EA-40CB-AD17-DB8F199D0600","control-id":"au-2","description":"Logging daemons are present on each node that BigBang is installed on.  Out of the box, the following events are captured:\n* all containers emitting to STDOUT or STDERR (captured  by container runtime translating container logs to /var/log/containers) * all kubernetes api server requests  * all events emitted by the kubelet"},{"uuid":"90FFF3BA-3E88-47AD-88B7-B50A92833A45","control-id":"au-3","description":"Records captured by the logging daemon are enriched to  ensure the following are always present:\n* time of the event (UTC) * source of event (pod, namespace, container id)\nApplications are responsible for providing all other information."},{"uuid":"3230D443-A18C-4F9B-A0DE-DC89CE5D01C8","control-id":"au-8","description":"Records captured by the logging daemon are enriched to  ensure the following are always present:\n* time of the event (UTC) * source of event (pod, namespace, container id)\nApplications are responsible for providing all other information."}]}]},{"type":"software","uuid":"4045FB97-C11A-4F3B-A021-FD94538F0356","title":"Monitoring","purpose":"Display policy violations","description":"Aggregator of policy violtions in environment\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"B5B39044-B02A-4655-B466-7586B24963A1","control-id":"ac-6.9","description":"Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana "},{"uuid":"8AE237CE-E7FF-42FE-B79F-2DF106B0CC09","control-id":"au-2","description":"API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers.  In addition, system and cluster level metrics are emitted by containers with read only access to host level information.\nMetrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format.  Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. "},{"uuid":"F2FFC2FD-6826-43EE-9922-705A76FE63CC","control-id":"au-3.1","description":"Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus."},{"uuid":"B958C179-EE1F-40FC-BA2A-03B0072B20E6","control-id":"au-4","description":"Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor.  The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention complioance with the org-defined audit-log retention requirements"},{"uuid":"01975AD9-8F46-48EB-81F1-1DDEB6DB0882","control-id":"au-5","description":"Grafana and Alertmanager can both alert on prometheus metrics and alerts can be created in either to support this control"},{"uuid":"FA95745B-E13E-4153-ABEE-1970C315A381","control-id":"au-5.1","description":"Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage"},{"uuid":"5D45F4A3-A37F-451D-9670-8FA9DFD1355F","control-id":"au-5.2","description":"Alertmanager has pre-build alerts for failed pods that would show when ClusterAuditor is not processeing events, or  prometheus is unable to scrape events.\nPrometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration"},{"uuid":"603A45C9-E730-4321-B8AE-60D048E14BAB","control-id":"au-6.1","description":"Cluster Audtitor Events/Alerts could be exported from Prometheus to an external system.  Integration for specific tooling would need to be completed by end user"},{"uuid":"92D322C1-B4D3-4842-8B06-538218AECA7D","control-id":"au-6.3","description":"Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana"},{"uuid":"BB0DF859-827F-4E3A-8C61-DEDCE4A9B3EB","control-id":"au-6.5","description":"Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity"},{"uuid":"77C00727-4195-45A8-8BB6-534AE5889E71","control-id":"au-6.6","description":"Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics."},{"uuid":"6F291DF6-5613-46DF-9D9A-AC7CEDFF4A7B","control-id":"au-7","description":"Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor"},{"uuid":"54D583CE-DB4A-4C03-902D-9A37949F4820","control-id":"au-7.1","description":"Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor"},{"uuid":"91D9D559-1666-420B-9F2B-240BC7CD1A3E","control-id":"au-8","description":"Prometheus stores all data as timeseries data, so the timestamps of when those violitions were present is part of the datastream"},{"uuid":"2D7AB4A4-1AE7-45A6-BC56-9FBB6402AD98","control-id":"au-9","description":"Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider.  Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Acces Control when using Grafana Enterprise."},{"uuid":"58B88EBD-ABAD-4505-9243-809D8DEFAEF7","control-id":"au-9.2","description":"Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio"},{"uuid":"8178202C-6E6C-415A-8B0D-C486AAC85B3A","control-id":"au-9.4","description":"Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider.  Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Acces Control when using Grafana Enterprise."},{"uuid":"A471F648-C22C-4217-A3BA-1063E80B4BA3","control-id":"au-12.1","description":"Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected"}]}]},{"type":"software","uuid":"660B7C27-2997-4EB7-BA61-C66FEC2D1602","title":"ArgoCD","purpose":"GitOps continuous delivery","description":"A declarative GitOps continuous delivery tool for Kubernetes\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"909C0D05-5BF7-4D89-B82F-38488A02CC85","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by ArgoCD for inheritance by applications","implemented-requirements":[{"uuid":"4F924345-FED4-496B-91E3-5361F2B2F2DA","control-id":"AC-5","description":"ArgoCD can be configured for granular user access to certain application deployments."},{"uuid":"27C176A6-BF99-4BE9-9748-63C99C75328E","control-id":"AC-6","description":"ArgoCD can be configured per user with the least privilige needed."},{"uuid":"EC3BC1CA-4E31-4130-A246-D15857F1A6E7","control-id":"AU-2","description":"ArgoCD logs events related to the applicaction state itself, i.e. start/stop failures."},{"uuid":"ACC00F83-5C88-44FA-A6CA-0AD68AD9E09F","control-id":"AU-3","description":"ArgoCD has a natural audit log for what changes were made to an applications configuration,  when they were made, and by who. This is provided by the Git commit history in the GitOps workflow."},{"uuid":"C4E89AE2-3959-4828-B15F-7D4AD1BDB4BC","control-id":"AC-7","description":"ArgoCD rejects login attemps after too many failed in order to prevent passsword brute-forcing.  Proceted by the following components, max fail count, failure window, max entry cache size, and max concurrent login requests."},{"uuid":"8B181052-6E36-4A12-A58B-4049F035021D","control-id":"CM-2.2","description":"ArgoCD provides the configuration management engine to ensure CM-2 is met"},{"uuid":"48DBC6A1-28E4-4AF0-95F1-CB70EB818B3C","control-id":"CM-2.3","description":"ArgoCD / Git provides history for releases"},{"uuid":"21F72DBE-EA11-4E27-9AE3-82B08C4E16EA","control-id":"CM-3","description":"ArgoCD / Git enable teams to do this as part of their workflow"},{"uuid":"A89D4C6B-C885-43A4-85A0-7BB1B33E20DF","control-id":"CM-3.1","description":"ArgoCD / Git provide automation of documentation, notifications of upgrades to BB"},{"uuid":"E3C277C6-A058-4595-B034-3BEE1D74AE51","control-id":"CM-3.2","description":"ArgoCD allows for workflows to be created by end users to deploy exact configurations  into stage/dev environment that mirror production."},{"uuid":"ADF0F06E-F773-43A2-BA91-109D4C3B8AF5","control-id":"CM-4","description":"BB/Git provides changelogs which identify changes to system via upgrades"},{"uuid":"A202F34E-1689-47A2-A55C-406C0437C7DD","control-id":"CM-4.2","description":"This current effort will provide controls explicitly as part of the product to track how controls will change with upgrades"},{"uuid":"373DC91F-E590-44B5-B4B1-8DF8453EB9B9","control-id":"CM-5.1","description":"Use of ArgoCD/GitOps allows this to be inherited by management in GitLab"},{"uuid":"D2B04238-01DB-49B0-A787-069BE6D962C7","control-id":"CM-6","description":"ArgoCD manages application configuration settings controlled in GitLab and ensures they match the expected state."},{"uuid":"4EC8B133-3118-4429-A4F7-A1AF3737F5AD","control-id":"CM-6.1","description":"ArgoCD manages/applies and verifies configuration as code"},{"uuid":"8B027EED-6484-473A-B4F6-BADF9F55978D","control-id":"CM-8","description":"ArgoCD provides visualization of the deployed application and configurations."},{"uuid":"0323639F-85B3-4858-99A8-C69C0D6DA16F","control-id":"CM-8.1","description":"ArgoCD automatically updates its inventory when changes occur to cluster resources."},{"uuid":"53E65314-43DB-4464-B9B8-6075AA6B96AB","control-id":"CM-8.2","description":"ArgoCD maintains the currency, completeness, accuracy, and availability of cluster resources by  continuously reconciling the desired state in Git to the actual state in Kubernetes."},{"uuid":"593D198A-E5DF-429F-9BCB-EE5561B50522","control-id":"CM-8.4","description":"ArgoCD displays the name of an individual who made a Git commit that resulted in changes to the system component inventory"},{"uuid":"6379A5B5-C5AC-4A30-AAC1-A40BB7AAABFC","control-id":"CP-2","description":"ArgoCD will restore applications it manages to the known GitOps state in GitLab"},{"uuid":"4753C850-EC7C-47F2-AE55-541B73D3D957","control-id":"CP-10","description":"ArgoCD will restore applications it manages to the known GitOps state in GitLab"},{"uuid":"CBCC3D5C-03FE-4F6F-A587-6776813AA87B","control-id":"CP-10.2","description":"ArgoCD will restore applications it manages to the known GitOps state in GitLab"},{"uuid":"28D7704A-7859-4A7E-9967-4E564D94BA93","control-id":"CP-10.4","description":"ArgoCD will restore applications it manages to the known GitOps state in GitLab"}]}]},{"type":"software","uuid":"E70A5057-3BA4-4E62-8C74-ED19122BBA9E","title":"Authservice","purpose":"Provides authn/authz capabilites to applications via Istio Service Mesh","description":"an implementation of thee Envoy External Authorization focused on handling AuthN/AuthZ \nfor Istio and Kubernetes.\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-A542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by authservice for inheritance by applications","implemented-requirements":[{"uuid":"6EC9C476-9C9D-4EF6-854B-A5B799D8AED1","control-id":"ac-2.1","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"373074CC-F1EA-40CB-AD17-DB8F199D0600","control-id":"ac-2.2","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"90FFF3BA-3E88-47AD-88B7-B50A92833A45","control-id":"ac-2.3","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"3230D443-A18C-4F9B-A0DE-DC89CE5D01C8","control-id":"ac-2.4","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"98DE555D-1B90-475F-9C2E-954438172B39","control-id":"ac-8","description":"Authservice allows the use of an extenrral idtntiy OIDC provider for application login by configuring filter chain matching for hostname (headers) for applications.  This control can then be inherited by the Identity Provider"},{"uuid":"6ED4D692-F65F-40AB-AC3F-C056C2F41BD9","control-id":"ac-10","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain  matching hostname for application.\nBy restricting the lifetime of the JWT, Authservice will reauthenticate the user when it expires. The  IdP can then implement concurrent session control, enforced during reauthentication. This control can  then be inherited from the IdP. "},{"uuid":"5D737AC5-0841-480E-87C0-DBBDE4F61F8E","control-id":"ac-12","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain  matching hostname for application.\nBy restricting the lifetime of the JWT, Authservice will reauthenticate the user when it expires. The  IdP can then implement concurrent session control, enforced during reauthentication. This control can  then be inherited from the IdP. "},{"uuid":"CBBAA8D3-276F-40C2-8E55-02C883201123","control-id":"ac-14","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain  matching hostname for application.\nBy restricting the lifetime of the JWT, Authservice will reauthenticate the user when it expires. The  IdP can then implement concurrent session control, enforced during reauthentication. This control can  then be inherited from the IdP. "},{"uuid":"085E711D-A3E8-4CC2-B2E4-F1F0D1E9CE87","control-id":"ia-2","description":"Authservice maps user sessions to user identities in an IdP."},{"uuid":"FB487DED-D360-4988-BD1B-4FCFA351258A","control-id":"ia-2.1","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain  matching hostname for application. The IdP can enforce multi-factor authentication for the client used  by authservice. This control can then be inherited from the IdP. "},{"uuid":"EC6FF902-2E29-4FEC-A5B7-F3DD1573F61A","control-id":"ia-2.2","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain  matching hostname for application. The IdP can enforce multi-factor authentication for the client used  by authservice. This control can then be inherited from the IdP. "},{"uuid":"B41B29FF-131D-4CD8-9275-9E0391BA35C5","control-id":"ia-2.8","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain matching hostname for application. The IdP and OIDC protocol use \"nonce\" and \"state\" fields for replay resistance. This control can then be inherited from the IdP. "},{"uuid":"8BD41F8B-3072-4AAD-A7E2-1DFC24F6D0C5","control-id":"ia-3","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain matching hostname for application. The IdP can be configured to uniquely idenfify and authenticate devices before establishing connections. This control can then be inherited from the IdP. "},{"uuid":"2519BEBB-327B-4E03-BA47-423D96114EE4","control-id":"ia-4","description":"Authservice retreives JWT identfiers from the IdP which include various \"claims\" including the username of individuals, and a list of \"groups\" (roles) the user has access to. This control can then be inherited from the IdP. "},{"uuid":"F391AA9E-5EDB-483E-8EC2-60CA9602B1EF","control-id":"ia-4.4","description":"Authservice retreives JWT identfiers from the IdP, which include various \"claims\" and such as  a list of \"groups\" (status) that apply to the user. This control can then be inherited from the IdP. "},{"uuid":"59AECD61-0244-4930-897C-EAFA9D423F7F","control-id":"ia-5","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"FF69FC29-C3E0-4B02-948E-CF375F93AF05","control-id":"ia-5.1","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. \nAuthservice does NOT use the OAuth Resource Owner Password Credentials Flow, no passwords are transmitted by Authservice."},{"uuid":"1489616B-8A08-437A-8EE8-E86E10C64D94","control-id":"ia-5.2","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"2B01945F-2793-4CA1-BD40-B236A190EE66","control-id":"ia-5.6","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"B48BD91F-5A89-4653-89C5-45EC55267049","control-id":"ia-6","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"BC78A59A-7E43-4F27-8961-7DD8957499D7","control-id":"ia-8.1","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"13E81A49-24C1-4E05-8E5F-F50402FEEE54","control-id":"ia-8.2","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"475636F6-74AC-4E12-938C-BA92999A34AF","control-id":"ia-8.5","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"63130DA3-52C8-402A-9CB9-1DE9AF62DE5E","control-id":"ia-10","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"9DA88C51-E81D-4D02-8B51-33CF15F5C46C","control-id":"ia-11","description":"Allows the use of an external identiy OIDC provider for application login by configuring filter chain matching hostname for application.\nBy restricting the lifetime of the JWT, Authservice will reauthenticate the user when it expires. The IdP can then implement concurrent session control, enforced during reauthentication. This control can then be inherited from the IdP. "},{"uuid":"86C613C9-D6AC-4DF1-B8A2-5C51654CB933","control-id":"ia-12","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"FA83073D-77E5-4DAA-A1A3-88FAD126ED50","control-id":"ia-12.2","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"AFA5160F-11C1-471E-94E0-8B8E5D2C9050","control-id":"ia-12.3","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"4284CA32-4CB9-484B-A769-34D6C1364F22","control-id":"ia-12.4","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"1906F9E4-6E82-46A5-A575-70FA0F2E131E","control-id":"ia-12.4","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "},{"uuid":"C9C67A58-CBA4-4F9D-92A6-B73068C7F3AD","control-id":"ia-12.5","description":"Authservice does not manage authenticators, they are managed by the IdP. This control can then be inherited from the IdP. "}]}]},{"type":"software","uuid":"3127D34A-517B-473B-83B0-6536179ABE38","title":"Velero","purpose":"Provides backup and restore capabilities to a Kubernetes cluster","description":"Velero is an open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"5108E5FC-C45F-477B-8542-9C5611A92485","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by velero for inheritance by applications","implemented-requirements":[{"uuid":"2ADA7512-E0D5-4CAE-81BC-C889C640AF93","control-id":"cp-6","description":"Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location."},{"uuid":"6C3339A0-9636-4E35-8FA8-731CF900B326","control-id":"cp-6.1","description":"Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location."},{"uuid":"2799CCBF-C48D-4451-85BA-EBD9B949C361","control-id":"cp-6.2","description":"Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand."},{"uuid":"0AE59B43-50A7-4420-881B-E0635CCB8424","control-id":"cp-6.3","description":"Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions."},{"uuid":"B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574","control-id":"cp-7","description":"Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand."},{"uuid":"D74C3A8C-E5B0-4F81-895D-FB2A318D723B","control-id":"cp-7.1","description":"Velero supports back-ups to  and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions."},{"uuid":"72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC","control-id":"cp-7.2","description":"Velero supports back-ups to  and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions."},{"uuid":"5B0AA4CB-9C49-4D32-8242-5631788BD941","control-id":"cp-9","description":"\"Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes:\n  - System components/data.\n  - User-level information/application metadata.\n  - User-level storage/data.\n  - Scheduled back-ups with configurable scopes.\n  - Multi-cloud and on-premise support for availability of backup.\""},{"uuid":"8E5917F3-3E45-46C1-8585-48550E19AFFB","control-id":"cp-9.1","description":"Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity."},{"uuid":"51191D0E-0C7B-4D2D-861D-202AC8C505CF","control-id":"cp-9.2","description":"Velero can be configured to restore only certain components of a back-up when necessary."},{"uuid":"C650411C-33FD-4B59-8899-AC34B43C860F","control-id":"cp-9.3","description":"Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments."},{"uuid":"8AB09B17-301B-4836-835B-9CE22A9E2300","control-id":"cp-9.5","description":"Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup."},{"uuid":"7FACB782-C183-4585-8C0B-17824438FEA6","control-id":"cp-9.8","description":"Velero supports encryption of backups via its supported providers' encryption support/mechanisms."},{"uuid":"26B3D98B-0C9D-434B-8DE5-06CBBC46A38C","control-id":"cp-10","description":"Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand."},{"uuid":"3EA444B7-61ED-43DD-8B3D-24B55F286E59","control-id":"cp-10.4","description":"Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup."}]}]},{"type":"software","uuid":"13936e92-24bd-4948-abe6-af88422174aa","title":"Keycloak","purpose":"Provides user federation, strong authentication, user management, fine-grained authorization.","description":"An implementation of a customizable Keycloak for single sign-on (SSO) with Identity and Access Management\n","responsible-roles":[{"role-id":"provider","party-uuids":["72134592-08C2-4A77-ABAD-C880F109367A"]}],"control-implementations":[{"uuid":"44bb0268-355d-455b-be33-7fc6ecc89668","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","description":"Controls implemented by Keycloak for inheritance by applications","implemented-requirements":[{"uuid":"045bbf72-d7d1-4763-a997-caf62785b2aa","control-id":"ac-1","description":"System-level access controls\nKeycloak supports fine-grained authorization policies and is able to combine different access control mechanisms such as:\n\n  - Attribute-based access control (ABAC)\n  - Role-based access control (RBAC)\n  - User-based access control (UBAC)\n  - Context-based access control (CBAC)\n  - Rule-based access control\n  - Using JavaScript\n  - Time-based access control\n  - Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)\n\nKeycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services.\nResource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.\nPermissions can be created to protect two main types of objects:\n\n  - Resources: resource-based permission defines a set of one or more resources to protect using a set of one or more authorization policies.\n  - Scopes: scope-based permissions defines a set of one or more scopes to protect using a set of one or more authorization policies. Unlike resource-based permissions, you can use this permission type to create permissions not only for a resource, but also for the scopes associated with it, providing more granularity when defining the permissions that govern your resources and the actions that can be performed on them.\n\n  https://www.keycloak.org/docs/latest/authorization_services/\n\nOrganizational access controls\nOrganizational roles could be broken down into cluster admins, resource owners / administrators, clients / users"},{"uuid":"86815b87-fc12-432b-9d0a-77492186ad6e","control-id":"ac-2","description":"Big Bang implements a custom plugin to handle account managment, found here (https://repo1.dso.mil/big-bang/product/packages/keycloak/-/tree/main/development).  Through this plugin logic is implemented to control automated registration and ties into DoD PKI validation/verification. Additionally, this plugin validates group membership in conjunction with Keycloak Clients to prohibit/allow access to various resources behind the single sign on solution.\n\n  a/c. non-privileged users are prohibited by the keycloak plugin and declarative group structure defined here (https://repo1.dso.mil/big-bang/product/packages/keycloak/-/tree/main/development). Privileged users follow a similar posture combined with other solutions to prohibit access to resources based on group membership.\n  b. Keycloak can be configured for fine grain permissions to assign account managers, additionally the custom plugin allows configuration of groups with specific permissions within the keycloak web UI console.\n  d (1-3). Declarative groups specify authorized users, groups, and roles. Access authorizations and assignment is related to Day 2 operations of keycloak and may vary between organizations.\n  e. Handled by Day 2 operations of keycloak.\n  f. declarative groups assist in the handling of accounts, but ultimate is is a day 2 operation.\n  g. Keycloak web UI has a queryable audit logging feature and backend logs can be monitored.\n  h. Handled by Day 2 operations of keycloak.\n  i. Handled by Day 2 operations of keycloak.\n  j. Mostly, handled by Day 2 operations of keycloak. However, built in registration flow validates and verifies DoD level authorization.\n  k.  Handled by Day 2 operations of keycloak.\n  l.  Handled by Day 2 operations of keycloak."},{"uuid":"477fbb45-8837-4755-a1f2-6d1843b7bedb","control-id":"ac-2.1","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"440ef311-2711-4bb0-9dd8-438d196e84e5","control-id":"ac-2.2","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"9a76f468-1daa-49ca-9582-7c17751f41bc","control-id":"ac-2.3","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"93d0b28b-bcf4-4e45-a5e0-f5d1b0ce9d26","control-id":"ac-2.4","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"6c10ca0e-7b91-45ab-b066-949bdfba126a","control-id":"ac-2.5","description":"Keycloak is configured with login timeout, session tokens, etc. and are managed in realm settings/tokens"},{"uuid":"473ce520-ed39-4d88-9433-2a04cc451b16","control-id":"ac-2.12","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured and automated via email, external webhook, and logging stack monitored by admins to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"cb4929fc-3685-45e4-8720-405dc5ed9ea3","control-id":"ac-2.13","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak. There are roughly 30 different event types in keycloak and an event listener can be configured and automated via email, external webhook, and logging stack monitored by admins to notify when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred."},{"uuid":"b704526e-e18f-46ec-8072-2e361115265a","control-id":"ac-3","description":"Keycloak allows the creation of clients that provide login to app via Keycloak, allowing account management to be inherited from keycloak and the enforcement of approved authorizaions for logical access to information and system resources."},{"uuid":"ef73dc31-ab9a-4d67-b5b8-c042e47aba25","control-id":"ac-4","description":"Keycloak is designed and recommended to be deployed in a stand-alone BB cluster with TLS passthrough for OIDC/SAML integration. Controls are inherited from istio via network policies, virtual services and gateway configs."},{"uuid":"34ea5ae5-3525-4a81-974f-a73e1999610f","control-id":"ac-4.4","description":"Keycloak is designed and recommended to be deployed in a stand-alone BB cluster with TLS passthrough for OIDC/SAML integration. Controls are inherited from istio via network policies, virtual services and gateway configs."},{"uuid":"25a717a7-3f1f-4d24-9cc1-701be6f97df9","control-id":"ac-5","description":"Keycloak is designed and recommended to be deployed in a stand-alone BB cluster with TLS passthrough for OIDC/SAML integration. Controls are inherited from istio via network policies, virtual services and gateway configs."},{"uuid":"28fba4bc-e1ae-4164-9673-6ed90d93a7c0","control-id":"ac-6","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"2f8de149-d07f-4e8a-8baf-5bdbace0cf8d","control-id":"ac-6.1","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"5a04932c-05cf-489a-932c-cb31b9480b73","control-id":"ac-6.2","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"337a9b7f-71d0-46ef-aaa2-af5367d9b371","control-id":"ac-6.5","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"6de217bb-f767-4af0-b813-b54df9baf173","control-id":"ac-6.7","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"59032e55-f51e-4a0d-9394-7474631005ec","control-id":"ac-6.9","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"ad95419d-4506-48b0-a736-723724acea34","control-id":"ac-6.10","description":"Keycloak as an IDM / IAM provider supports least privilege through user / group management (ABAC / RBAC) service offerings"},{"uuid":"16088314-7668-41a2-9ee1-a7128d6c209e","control-id":"ac-7","description":"Keycloak has brute force protection which has three components: max login failures, quick login check (time between failures) & minimum quick login check wait (time user will be disabled when multiple login failures are detected)"},{"uuid":"35992922-7375-45fc-bac1-1a6b551a76b9","control-id":"ac-8","description":"Keycloak has a standard DOD login banner see https://login.dso.mil"},{"uuid":"2a99e48f-6631-4ff7-b955-b73caafdedac","control-id":"ac-10","description":"Keycloak does not suffice this control natively; however, you can implement a “only one session per user” behavior with an ```EventListenerProvider```. On every LOGIN event, delete all the sessions of a user, except the current one."},{"uuid":"77c2aa64-ab6b-4508-b6f6-fcca929de9ab","control-id":"ac-12","description":"Keycloak does not suffice this control natively; however, you can implement a session behaviors with an ```EventListenerProvider```."},{"uuid":"3b38e765-41f8-4ea6-90dc-b4a1845b62cc","control-id":"ac-14","description":"Keycloak has the ability to allow anonymous access to resource if Client Access Type is set to public."},{"uuid":"9bd24189-a9f7-4ddb-98fb-ba259b46b459","control-id":"ac-17.1","description":"Keycloak manages remote access to other applications through IAM."},{"uuid":"3e901895-d5da-48a0-8317-56b456371243","control-id":"ac-17.2","description":"Through EventListeners Keycloak can either ship logs to a SIEM which could alert on remote session events, or with custom SPIs Keycloak can perform an action directly on events. A VPN client would need to use Keycloak as an SSO to generate these events."},{"uuid":"66bc3835-8369-48ec-b54f-ca5ca034e2fd","control-id":"ac-17.3","description":"Keycloak can restrict access to control points through IAM, but a VPN solution like Appgate would be better suited working with Keycloak."},{"uuid":"f6e0f2a4-c729-4335-97f4-b16fb49d27f9","control-id":"ac-17.4","description":"Keycloak can support a VPN or other remote management system as its IAM to support remote access control."},{"uuid":"6a948220-d3ef-4357-989a-38e25f27eb3f","control-id":"au-2","description":"Keycloak captures user and admin events and can ship them out to a logging server for analysis or trigger an action on specific event via customizable EventListeners."},{"uuid":"4b4d19b0-b8e1-4fdd-b57b-448f4e163342","control-id":"au-3","description":"Keycloak events contain what, when, where, source, and objects/entities for policy violations."},{"uuid":"35b33698-d3c5-496e-9cb4-4524c63e2fac","control-id":"au-3.1","description":"Keycloak event logs include Time, Event Type, Details (Client, User, IP Address). Events are shipped to logging."},{"uuid":"ab565bfa-78a5-43e6-98cc-ba801a16b980","control-id":"au-4","description":"Keycloak events can be both saved to database and shipped to logging server. Both systems are external to Keycloaks application server."},{"uuid":"24b14c71-b4bd-402f-aba6-80056e1b6fec","control-id":"au-7","description":"Keycloak provides audit records for compliance that qualify for this control."},{"uuid":"e528b2ec-6895-432d-acf1-b33e0f8455f5","control-id":"au-7.1","description":"Within Keycloak records, sorting and searching are supported."},{"uuid":"ed7026d7-4257-44e6-919c-73e5f8a86be5","control-id":"au-8","description":"Keycloak saves timestamps in event logs"},{"uuid":"92b5e2c1-cb7c-4f38-ba5b-22b617b15020","control-id":"au-9","description":"Keycloak provides RBAC to restrict management of logs."},{"uuid":"71c0d1c7-f9a5-4439-829b-8976749481eb","control-id":"au-9.4","description":"Keycloak provides RBAC to restrict management of logs."},{"uuid":"0b7b466e-e33c-4fa0-8979-a82da5fadc32","control-id":"ia-2","description":"Keycloak supports control through its IAM/SSO service."},{"uuid":"ff98831e-de87-4f0d-b42f-3af08a6caff6","control-id":"ia-2.1","description":"Keycloak supports MFA using mobile and x509 mTLS for both privileged and non-privileged account management."},{"uuid":"e0fbd222-d6ae-4729-a262-7c795dd6a628","control-id":"ia-2.2","description":"Keycloak supports MFA using mobile and x509 mTLS for both privileged and non-privileged account management."},{"uuid":"441d2bbd-b7ee-46e9-8110-f0fda67a2c90","control-id":"ia-2.5","description":"Keycloak provides build-in functionality to support control."},{"uuid":"5c163729-a954-43ca-a035-6040b0526ccd","control-id":"ia-2.12","description":"Keycloak supports PIV credentials"},{"uuid":"084779e8-542d-4def-936b-69fd1fb7f266","control-id":"ia-3","description":"Keycloak provides built-in functionality to support control."},{"uuid":"7a4c2837-a205-4b9c-b850-a8afec580275","control-id":"ia-4","description":"Keycloak provides built-in functionality to support control."},{"uuid":"ce397926-ec86-491c-82f6-db7e2e164a0d","control-id":"ia-4.4","description":"Keycloak provides built-in functionality to support control."},{"uuid":"7cee87f8-165f-4631-96f5-b2876df0e88a","control-id":"ia-5.1","description":"Keycloak provides password-policies to support control. https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/authentication/password-policies.adoc"},{"uuid":"56d5209f-e279-4f67-b6e9-9a814695dda9","control-id":"ia-5.2","description":"Keycloak supports OCSP checking, and truststore/chain validation for x509 PKI access."},{"uuid":"8d858e85-710e-46aa-b6fd-98013480c2b6","control-id":"ia-8.1","description":"Keycloak supports authenicating non-orgaizational users through supporting mTLS signed by external certificate authorities."},{"uuid":"c2976939-842a-4efc-afd3-11dc9892fb86","control-id":"ia-11","description":"Keycloak supports OIDC/SAML which support expiration dates in tokens/assertions."}]}]}],"back-matter":{"resources":[{"uuid":"C322D234-BD2A-4332-B8A9-54D45E7148B8","title":"Big Bang","rlinks":[{"href":"https://repo1.dso.mil/big-bang/bigbang"}]}]}}}