A few tests suggestions to see if I'm on the right track #321
base: main
Hey @shoffman-percona, thanks for this PR! Damien and Michael are approvers for this domain, but I'd like to help from a steering perspective. It occurred to me while reviewing your changes that the best place to invest time may be the threat or control definitions themselves. The current progress on the RDMS entry is iterative, and I expect it needs strong revisions before we can create accurate behaviors/steps. Would you like to contribute to the RDMS threat or control definition refinement? I don't mind spending a cycle to help create runway here, if you're interested in picking it up!
@eddie-knight, Absolutely...I just started where Lori pointed me but let me comb through the threats materials. I assume this is where you'd want some help building out? It may end up being a 1:x mapping of threats to controls so likely will end up coming up with them together.
Yes! Although the RDMS iteration is in need of an update to match the finalized guidelines (yaml). Feel free to drop me an email ([email protected]) or message me on the FINOS slack if I can help with implementation details.
@CCC.RDMS.C8.TR01.T02 | ||
Scenario: Ensure ability to audit for any users who have connected using an insecure protocol | ||
Given a user connection has been established to the database | ||
When an admin establishes an admin connection to a database server and runs from mysql.user where ssl_type='' |
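Review bot: the `When` step on the last line is both technology-specific and incomplete: `runs from mysql.user where ssl_type=''` has no SELECT clause, and in MySQL the `ssl_type` column of `mysql.user` records the TLS requirement set on an account, not whether a given session actually connected without TLS, so even a completed query would not satisfy the scenario's stated goal of auditing users who have connected over an insecure protocol. Suggest phrasing the step at the level of the test requirement, e.g. `When an administrator queries the connection records for sessions established without transport encryption`, and adding a `Then` step that states the expected result (each such session is reported), leaving the engine-specific query to the engine-level test.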
For our controls, we try to keep them as abstract as possible. we should remove the mysql.user where ssl_type='' from this statement.
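As an added illustration of the split the reviewer is asking for (example code, not from this PR or the CCC project): the Gherkin requirement stays engine-neutral, and the MySQL-flavoured detail is confined to a small adapter one layer down, so the requirement text never has to name a table or column. The `SessionRecord` type, `mysql_adapter` and the sample rows are constructed for the example; the scenario ID is the one used in the PR.

```python
"""Engine-neutral test requirement with an engine-specific test adapter.

Added illustration, not CCC project code. The abstract scenario only talks
about "sessions" and "transport encryption"; the engine-specific detail (a
constructed MySQL-flavoured row shape) lives in an adapter, so the same
requirement can be exercised against any RDMS by swapping the adapter.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Abstract test requirement, written as the reviewer asked: no table or
# column names. The ID is the one from the PR; the wording is an example.
TEST_REQUIREMENT = """\
@CCC.RDMS.C8.TR01.T02
Scenario: Ensure ability to audit for any users who have connected using an insecure protocol
  Given user connections have been established to the database
  When an administrator queries the connection records for sessions established without transport encryption
  Then every such session is reported with its user, source address and protocol
"""


@dataclass(frozen=True)
class SessionRecord:
    """Engine-neutral view of one client session (constructed type)."""
    user: str
    source: str
    encrypted: bool
    protocol: str  # e.g. "TLS_AES_256_GCM_SHA384" or "plaintext"


def insecure_sessions(records: Iterable[SessionRecord]) -> list[SessionRecord]:
    """The check behind the 'When' step: every session without transport encryption."""
    return [r for r in records if not r.encrypted]


# --- Engine-specific adapter (the engine-level test) ---------------------
# Constructed rows shaped like MySQL's per-session status, where an empty
# Ssl_cipher means the session negotiated no TLS. A connection audit has to
# look at session status like this; mysql.user.ssl_type only describes an
# account's REQUIRE clause, not what any particular session did.
MYSQL_SESSION_ROWS = [
    {"user": "app@10.0.1.5", "host": "10.0.1.5", "ssl_cipher": "TLS_AES_256_GCM_SHA384"},
    {"user": "legacy@10.0.2.9", "host": "10.0.2.9", "ssl_cipher": ""},
    {"user": "report@10.0.3.3", "host": "10.0.3.3", "ssl_cipher": ""},
]


def mysql_adapter(rows: Iterable[dict]) -> Iterable[SessionRecord]:
    """Translate MySQL-flavoured rows into the engine-neutral record (constructed)."""
    for row in rows:
        cipher = row["ssl_cipher"]
        yield SessionRecord(
            user=row["user"].split("@")[0],
            source=row["host"],
            encrypted=bool(cipher),
            protocol=cipher or "plaintext",
        )


def audit(adapter: Callable[[], Iterable[SessionRecord]]) -> list[str]:
    """Run the requirement against whichever adapter is supplied.

    Returns one report line per insecure session, which is what the 'Then'
    step demands; an empty list means the control passed.
    """
    return [f"{r.user} from {r.source} via {r.protocol}" for r in insecure_sessions(adapter())]


if __name__ == "__main__":
    print(TEST_REQUIREMENT)
    for line in audit(lambda: mysql_adapter(MYSQL_SESSION_ROWS)):
        print("INSECURE:", line)
```

Adding a second engine means writing another adapter that yields `SessionRecord`s; the requirement text and `insecure_sessions` stay untouched, which is the property the reviewer wants the Gherkin to have.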
Makes sense! If I'm otherwise on track, I'll push a few more over in addition to threats/controls.
Also remember to keep an eye on the new ID format. Most notably the Ts... threats are now TH00, Test requirements are TR00 and Tests are TE00.
Co-authored-by: Damien Burks <[email protected]>
Ok, accepted proposed changes, reworked the one that was too technology specific and also converted threats.md to threats.yaml. Hopefully this is in acceptable form (just let me know if it's not) and I'll start adding threats and converting controls.md @eddie-knight @damienjburks
Added some comments that I hope help accelerate your progress.
Happy to help contribute to the gherkin writing, perhaps in something like google docs so that we can have faster iterations— these things are hard to get right!
@@ -0,0 +1,49 @@ | |||
title: Relational Database Management Systems Threats |
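Review bot: only the header `title: Relational Database Management Systems Threats` of the 49-line new file is visible in this hunk, so the rest of the file cannot be checked here; since the thread notes the file follows an older schema, suggest aligning the top-level keys with the YAML guidelines in the project governance directory before further threats are added, so the conversion does not have to be repeated in later reviews.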
I think this file may be following an older schema. The latest guidance on this topic can be found in the project governance directory.
ref:
Updated to the new schema although I left description at the highest level as it made sense to keep to me. No worries if it gets dropped.
Co-authored-by: Eddie Knight <[email protected]>
Google would be easier to co-edit but staying in the repo is helping me learn where all the relevant docs are located. I was guessing a bit earlier but now I'm seeing how to find definitions and templates and such.
Lori Larusso mentioned you were looking for help building out the criteria for the CCC project. We happen to have pretty deep expertise in the DB realm so I can certainly contribute more items along these lines, but before I went too far I figured I'd do just a few to get feedback.
If there's a particular area you'd like focus on, please just let me know!