Control code to ITSG-33 mapping and labels - add code comments and GCP labelling #2

Closed
fmichaelobrien opened this issue Feb 24, 2022 · 10 comments
Labels: 2024-pre-tef-v4, compliance, documentation, good first issue

Comments

fmichaelobrien commented Feb 24, 2022

see canada-ca/accelerators_accelerateurs-gcp#18

We need a way to visually and programmatically link code to controls (in addition to control to code) - for human and IaC validation/reporting

For example which terraform module covers SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

Doc only example:
https://github.com/canada-ca/cloud-guardrails/blob/master/EN/07_Protect-Data-in-Transit.md

link/label to (I need to verify)
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc8
ITSG_33_SC_8
and
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc12
ITSG_33_SC_12

Code example:
https://github.com/canada-ca/cloud-guardrails/blob/master/EN/05_Data-Location.md

and
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/common/main.tf#L84
link/label to ?
SC-7 BOUNDARY PROTECTION
ITSG_33_SC_7
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc7
or
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
ITSG_33_PE_18
https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a311pe18

Additions to PBMM doc
firewall, AC-12, IAM, functions
AU-3(2)
AU-4
AU-5
AU-6(4)
SC-28(1)
SI-3(1)

@fmichaelobrien fmichaelobrien changed the title Control code to TSG-33 mapping and labels - add code comments and GCP labelling Control code to ITSG-33 mapping and labels - add code comments and GCP labelling Feb 24, 2022
@fkc1e100

@fmichaelobrien - these mappings are in the Technical Design Document in the top level of the repo. Please review and let us know if this aligns with the ask.

Document at https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/Technical%20Design%20Document_Canada%20PBMM%20Landing%20Zone_20220211.1.pdf

@fkc1e100 fkc1e100 assigned fkc1e100 and fmichaelobrien and unassigned fkc1e100 Feb 27, 2022
@fkc1e100 fkc1e100 added documentation Improvements or additions to documentation good first issue Good for newcomers labels Feb 27, 2022
@fkc1e100 fkc1e100 pinned this issue Feb 27, 2022
fmichaelobrien commented Feb 28, 2022

Meeting with @chris Carty and @chris Daoust on DND/SSC security controls - thanks guys for the pointer to the 3rd repo - missed (need more scrolling) the 1:n code to control mapping for the guardrails subset of the controls, for example. We should be able to add labelling in the TF - https://github.com/canada-ca/cloud-guardrails/blob/master/EN/08_Segmentation.md
i.e. AC-4, SC-7, SC-7(5) in https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a31ac4
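The bidirectional code-to-control index asked for in the opening comment, and the Terraform labelling of AC-4 / SC-7 / SC-7(5) mentioned in the comment above, as an added example. This is my illustration, not code from the pbmm-on-gcp-onboarding repo or the canada-ca guardrails; the `# itsg33:` header comment and the `itsg33_controls` GCP label are assumed conventions, and the three module files below are constructed. Two caveats a practitioner needs: GCP label keys and values allow only lowercase letters, digits, `_` and `-` (max 63 characters), so an enhancement such as `SC-7(5)` must be encoded (here as `sc-7-5`); and many network resources, `google_compute_firewall` among them, take no `labels` argument at all, so the comment convention is the only one that can carry the mapping there.

```python
"""Added example: index Terraform modules <-> ITSG-33 controls.

Assumed annotation conventions (not conventions of the repo):
  1. header comment above a resource:  # itsg33: SC-7, SC-7(5), AC-4
  2. GCP label on resources that accept labels:
         labels = { itsg33_controls = "sc-7_sc-7-5_ac-4" }
"""
import re
from collections import defaultdict

# Control as spelled in the ITSG-33 catalogue: FAMILY-NUMBER[(ENHANCEMENT)]
CONTROL_RE = re.compile(r"\b([A-Z]{2})-(\d+)(?:\((\d+)\))?")
# Label-safe form of one control: family-number[-enhancement]
LABEL_TOKEN_RE = re.compile(r"^([a-z]{2})-(\d+)(?:-(\d+))?$")
COMMENT_RE = re.compile(r"^\s*#\s*itsg33:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
LABEL_RE = re.compile(r'itsg33_controls\s*=\s*"([a-z0-9_-]*)"')
GCP_LABEL_VALUE_MAX = 63  # GCP limit on label key/value length


def canonical(fam, num, enh):
    """Catalogue spelling, e.g. ("sc", "7", "5") -> "SC-7(5)"."""
    return f"{fam.upper()}-{num}" + (f"({enh})" if enh else "")


def to_label_token(control):
    """'SC-7(5)' -> 'sc-7-5' (parentheses are not legal in GCP labels)."""
    m = CONTROL_RE.fullmatch(control.strip())
    if not m:
        raise ValueError(f"not an ITSG-33 control id: {control!r}")
    fam, num, enh = m.groups()
    return f"{fam.lower()}-{num}" + (f"-{enh}" if enh else "")


def from_label_token(token):
    """'sc-7-5' -> 'SC-7(5)'."""
    m = LABEL_TOKEN_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not a label-encoded control: {token!r}")
    return canonical(*m.groups())


def label_value(controls):
    """Encode a set of controls as one itsg33_controls label value."""
    value = "_".join(to_label_token(c) for c in sorted(controls))
    if len(value) > GCP_LABEL_VALUE_MAX:
        raise ValueError(f"label value too long: {len(value)} > {GCP_LABEL_VALUE_MAX}")
    return value


def controls_in_file(text):
    """Union of controls declared by comment and by label in one .tf file."""
    found = set()
    for m in COMMENT_RE.finditer(text):
        for c in CONTROL_RE.finditer(m.group(1)):
            found.add(canonical(*c.groups()))
    for m in LABEL_RE.finditer(text):
        for token in filter(None, m.group(1).split("_")):
            found.add(from_label_token(token))
    return found


def build_index(files):
    """files: {path: terraform text} -> (code->controls, control->code)."""
    code_to_controls = {p: controls_in_file(t) for p, t in files.items()}
    control_to_code = defaultdict(set)
    for path, controls in code_to_controls.items():
        for control in controls:
            control_to_code[control].add(path)
    return code_to_controls, dict(control_to_code)


def coverage_gaps(control_to_code, required):
    """Required controls that no module claims (what a validator should fail on)."""
    return sorted(c for c in required if c not in control_to_code)


# Constructed sample modules (hypothetical; not files from the repo).
SAMPLE_FILES = {
    # firewall rules take no labels: the comment carries the mapping
    "modules/network/firewall.tf": """
# itsg33: SC-7, SC-7(5), AC-4
resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = var.network_name
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
}
""",
    # comment and label both present; the index takes their union
    "modules/kms/main.tf": """
# itsg33: SC-12
resource "google_kms_crypto_key" "cmek" {
  name            = "cmek"
  key_ring        = var.key_ring_id
  rotation_period = "7776000s"
  labels = {
    itsg33_controls = "sc-12_sc-28-1"
  }
}
""",
    # label only
    "modules/storage/main.tf": """
resource "google_storage_bucket" "logs" {
  name     = var.bucket_name
  location = "northamerica-northeast1"
  labels = {
    itsg33_controls = "pe-18_sc-28-1"
  }
}
""",
}

if __name__ == "__main__":
    _, by_control = build_index(SAMPLE_FILES)
    for control in sorted(by_control):
        print(control, "->", sorted(by_control[control]))
    print("gaps:", coverage_gaps(by_control, {"SC-7", "SC-8", "SC-12", "PE-18"}))
```

Run against a real tree, `SAMPLE_FILES` would be replaced by reading every `*.tf` under the module directory; the control-to-code side of the index is what a report needs, and `coverage_gaps` is the check a CI step can fail on when a required control has no module claiming it.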

obriensystems commented Mar 6, 2022

Ongoing control - service mapping

[screenshot: Screen Shot 2022-03-14 at 2 20 27 PM]

fmichaelobrien commented Apr 7, 2022

Ongoing: terraform code to itsg-33 control to gcp service mapping
[screenshot: modules-controls-service-mapping-overview]

@fmichaelobrien fmichaelobrien added the compliance compliance label May 17, 2022
fmichaelobrien added a commit that referenced this issue Jun 22, 2022
wrnu pushed a commit to wrnu/pbmm-on-gcp-onboarding that referenced this issue Jun 22, 2022
obriensystems added a commit to obriensystems/pbmm-on-gcp-onboarding that referenced this issue Nov 23, 2022
```
Step GoogleCloudPlatform#2 - "tf plan": Terraform will perform the following actions:
Step GoogleCloudPlatform#2 - "tf plan": 
Step GoogleCloudPlatform#2 - "tf plan":   # module.core-org-policy.google_organization_policy.boolean["constraints/commerceorggovernance.disablePublicMarketplace"] will be created
Step GoogleCloudPlatform#2 - "tf plan":   + resource "google_organization_policy" "boolean" {
Step GoogleCloudPlatform#2 - "tf plan":       + constraint  = "constraints/commerceorggovernance.disablePublicMarketplace"
Step GoogleCloudPlatform#2 - "tf plan":       + etag        = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + id          = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + org_id      = "959133349631"
Step GoogleCloudPlatform#2 - "tf plan":       + update_time = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan":       + version     = (known after apply)
Step GoogleCloudPlatform#2 - "tf plan": 
Step GoogleCloudPlatform#2 - "tf plan":       + boolean_policy {
Step GoogleCloudPlatform#2 - "tf plan":           + enforced = true
Step GoogleCloudPlatform#2 - "tf plan":         }
Step GoogleCloudPlatform#2 - "tf plan":     }
```
fmichaelobrien added a commit that referenced this issue Nov 23, 2022
#2 - GR 12 disable public marketplace
fmichaelobrien added a commit that referenced this issue Nov 27, 2022
fmichaelobrien added a commit that referenced this issue Nov 30, 2022
fmichaelobrien added a commit that referenced this issue Dec 8, 2022
fmichaelobrien added a commit that referenced this issue Dec 19, 2022
fmichaelobrien added a commit that referenced this issue Dec 23, 2022
fmichaelobrien added a commit that referenced this issue Jan 20, 2023
obriensystems added a commit that referenced this issue Feb 1, 2023
fmichaelobrien added a commit that referenced this issue Feb 2, 2023
jacyang2010 pushed a commit to yw-liftandshift/pbmm-on-gcp-onboarding that referenced this issue Aug 17, 2023
jacyang2010 added a commit to yw-liftandshift/pbmm-on-gcp-onboarding that referenced this issue Aug 18, 2023
commit d28dfcf
Author: StanImprover <[email protected]>
Date:   Tue Aug 15 09:28:39 2023 -0600

    Made changes to COMMIT ID (GoogleCloudPlatform#24)

    Co-authored-by: Stanley Onweni <[email protected]>

commit 5af991c
Author: Jackson Yang <[email protected]>
Date:   Mon May 8 11:48:02 2023 -0400

    GCT-51 Fixed the rego policy test for the GR#11 (GoogleCloudPlatform#23)

    * GCT-51 Fixed the rego policy test for the GR#11

    * GCT-51 Updated the git patch file again

commit a23fe6c
Author: Jackson Yang <[email protected]>
Date:   Wed May 3 14:39:40 2023 -0400

    GCT-44 Built a rego policy for GR#7 (GoogleCloudPlatform#22)

commit 5e2b41c
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 25 12:38:16 2023 -0400

    GCT-45 build rego policy for guardrail 06 protection of data at rest (GoogleCloudPlatform#21)

    * GCT-45 Added rego policy for GR6 validation

    * GCT-45 Fixed some typos

commit 0b0c3a5
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 25 11:11:22 2023 -0400

    GCT-45 Added rego policy for GR6 validation (GoogleCloudPlatform#20)

commit c13855d
Author: Jackson Yang <[email protected]>
Date:   Thu Apr 13 16:10:02 2023 -0400

    GCT-46 mitigate cloud function resource location issues (GoogleCloudPlatform#19)

    * GCT-46 Enabled worker pool for run validation gcf

    * GCT-46 Supported worker pool for validation builds

    * GCT-46 Cleaned up the gcf archive folder

    * GCT-46 Recovered the gcf bucket setter commands

commit 9fb968c
Author: Jackson Yang <[email protected]>
Date:   Tue Apr 11 11:45:04 2023 -0400

    GCT-20 run cloud builds from required location (GoogleCloudPlatform#18)

    * GCT-20 Specified the required location for builds

    * GCT-20 Added private worker pool for cloud builds

    * GCT-20 Fixed the misplaced worker pool option

    * GCT-20 Fixed the workpool user iam condition

    * GCT-20 Fixed the missed project to worker pool bug

    * GCT-20 Assigned worker pool owner role

    * GCT-20 Fixed the cloudbuild trigger location issue

    * GCT-20 Allowed gcf sa to use private worker pool

    * GCT-20 Allowed validation cf sa to use worker pool

    * GCT-20 Disabled worker pool of validation gcf

    * GCT-20 built cloudbuild staging and log buckets

    * GCT-20 Fixed late creation issue of cloudbuild sa

    * GCT-20 Removed the cloud build submit argument

commit 64bce38
Author: Jackson Yang <[email protected]>
Date:   Mon Apr 3 13:40:01 2023 -0400

    GCT-43 mitigate failures from guardrails report (GoogleCloudPlatform#17)

    * GCT-43 Fixed guardrails GoogleCloudPlatform#11 rego policy

    * GCT-43 Mitigated the egress range 0.0.0.0/0 issue

    * GCT-43 Delayed the organization policy application

    * GCT-43 Renamed the guardrails version variable

commit 414ca0b
Author: Jackson Yang <[email protected]>
Date:   Tue Mar 28 14:36:31 2023 -0400

    GCT-38 Fixed unused and misused token issues (GoogleCloudPlatform#16)

commit 88ba3dd
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:14:37 2023 -0400

    GCT-35 Added service account expiry hours policy (GoogleCloudPlatform#15)

commit 98aae24
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:14:01 2023 -0400

    GCT-36 Updated cmk rotation period (GoogleCloudPlatform#14)

commit 970c16b
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:13:37 2023 -0400

    GCT-39 Fixed the missed organization id token bug (GoogleCloudPlatform#13)

commit e98a815
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 23 15:13:15 2023 -0400

    GCT-37 Fixed the rego policy parse error (GoogleCloudPlatform#12)

commit 5e518a4
Author: Jackson Yang <[email protected]>
Date:   Mon Mar 20 14:34:01 2023 -0400

    GCT-29 Enabled bucket logging for buckets (GoogleCloudPlatform#11)

    * GCT-29 Enabled bucket logging for buckets

    * GCT-29 Fixed iam and backward reference issues

commit 1fccfd5
Author: Jackson Yang <[email protected]>
Date:   Thu Mar 16 13:34:29 2023 -0400

    GCT-23 Updated log-based metrics (GoogleCloudPlatform#10)

commit ea0a288
Author: Jackson Yang <[email protected]>
Date:   Fri Mar 3 14:02:12 2023 -0500

    GCT-8 Added function to use another git repo (GoogleCloudPlatform#9)

commit f12ff25
Author: Jackson Yang <[email protected]>
Date:   Wed Mar 1 15:09:38 2023 -0500

    GCT-13 Added gcf artifact repository to functions (GoogleCloudPlatform#8)

commit bcca300
Author: Jackson Yang <[email protected]>
Date:   Tue Feb 28 13:15:29 2023 -0500

    GCT-14 Split the REPLACE_FOLDER_ID token and supported token replacement on macOS (GoogleCloudPlatform#7)

commit cf715a7
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 27 15:30:44 2023 -0500

    GCT-12 Reverted the changes removed by Uday (GoogleCloudPlatform#6)

commit aaf08d2
Author: uday kakkar <[email protected]>
Date:   Wed Feb 22 10:01:43 2023 -0500

    Update bootstrap.sh

commit 7dc51e9
Author: uday kakkar <[email protected]>
Date:   Tue Feb 21 13:46:18 2023 -0500

    folder - org switch (GoogleCloudPlatform#5)

    Co-authored-by: root <[email protected]>

commit 43f772e
Author: root <[email protected]>
Date:   Fri Feb 17 19:27:44 2023 +0000

    fixing the tfvars tokens

commit 14c1380
Author: Jackson Yang <[email protected]>
Date:   Thu Feb 16 16:29:15 2023 -0500

    Improved writeids-mod.sh to match all auto.tfvars

commit 171fe14
Author: Jackson Yang <[email protected]>
Date:   Thu Feb 16 11:52:26 2023 -0500

    Reduced bucket retention period to ease test

commit 7a09624
Author: JacksonYang <[email protected]>
Date:   Thu Feb 16 06:39:23 2023 +0000

    Fixed the duplicated map key issue.

commit c0ea79b
Author: JacksonYang <[email protected]>
Date:   Wed Feb 15 21:25:38 2023 +0000

    Refactored logging module and fixed some bugs found.

commit 2583469
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:49:05 2023 -0500

    Update nonp-network.auto.tfvars

commit ca981f3
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:48:40 2023 -0500

    Update prod-network.auto.tfvars

commit 533f8cf
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:43:46 2023 -0500

    Update locals.tf

commit 0a3bc15
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:42:59 2023 -0500

    Update main.tf

commit a593a21
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:42:11 2023 -0500

    Update main.tf

commit 9966dcb
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:41:40 2023 -0500

    Update locals.tf

commit c764438
Author: uday kakkar <[email protected]>
Date:   Wed Feb 15 00:30:24 2023 -0500

    Update main.tf

commit 729b499
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:56:05 2023 -0500

    Update outputs.tf

commit f499580
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:55:35 2023 -0500

    Update locals.tf

commit 77933f1
Author: uday kakkar <[email protected]>
Date:   Tue Feb 14 23:54:58 2023 -0500

    Update main.tf

commit cd2fa85
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 22:53:22 2023 -0500

    Added waitings to centralized logging

commit b1f8aa0
Merge: f33a6cc f10657c
Author: uday kakkar <[email protected]>
Date:   Mon Feb 13 16:29:18 2023 -0500

    Merge pull request GoogleCloudPlatform#4 from yw-liftandshift/testing-cleanups

    Testing cleanups

commit f10657c
Author: root <[email protected]>
Date:   Mon Feb 13 21:28:12 2023 +0000

    cleanup changes

commit f33a6cc
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 16:27:57 2023 -0500

    Added nat_config = [] to network host projects

commit 980261e
Author: root <[email protected]>
Date:   Mon Feb 13 21:24:40 2023 +0000

    cleanup changes

commit 43aef4c
Author: root <[email protected]>
Date:   Mon Feb 13 21:17:49 2023 +0000

    cleanup changes

commit 8863533
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 14:21:31 2023 -0500

    Uncommented organization monitoring center in common

commit 88f9cb4
Author: Jackson Yang <[email protected]>
Date:   Mon Feb 13 10:57:51 2023 -0500

    Removed workloads from nonprod and prod

commit 0320ab6
Merge: e0ac5af ef57045
Author: uday kakkar <[email protected]>
Date:   Sat Feb 11 00:13:03 2023 -0500

    Merge pull request GoogleCloudPlatform#2 from yw-liftandshift/DRDC

    fixes

commit ef57045
Author: root <[email protected]>
Date:   Sat Feb 11 05:11:20 2023 +0000

    fixes

commit e0ac5af
Merge: c416c6d c0048c7
Author: uday kakkar <[email protected]>
Date:   Sat Feb 11 00:00:31 2023 -0500

    Merge pull request #1 from yw-liftandshift/DRDC

    adding automation

commit c416c6d
Author: Jackson Yang <[email protected]>
Date:   Wed Feb 8 17:02:40 2023 -0500

    Removed project-specific prefix from folder name

commit c0048c7
Author: udaykakkar <[email protected]>
Date:   Wed Feb 8 16:39:55 2023 -0500

    adding automation

commit 53f69cc
Author: JacksonYang <[email protected]>
Date:   Wed Feb 8 10:02:04 2023 -0500

    Added feature to find all auto.tfvars files

commit 2791bbc
Author: JacksonYang <[email protected]>
Date:   Wed Feb 8 00:06:13 2023 -0500

    reinitiated  2023-02-08.0002
@obriensystems

See exercise
GoogleCloudPlatform/pubsec-declarative-toolkit#560

at compliance dashboard and automated security control mapping extract - so we don't have to manually create one of these

[screenshot: Screenshot 2023-11-12 at 19 22 33]

or the wiki based editing of

[screenshot: Screenshot 2023-11-12 at 19 24 11]

@obriensystems

20240406: Closing issue during retrofit/rebase of this TEF V1-based/modified repo to TEF V4 standards.
This issue may participate in the LZ refactor after rebase.
Query all issues related to the older V1 version via the tag 2024-pre-tef-v4.
