A few tests suggestions to see if I'm on the right track #321
Conversation
|
|
|
Hey @shoffman-percona, thanks for this PR! Damien and Michael are approvers for this domain, but I'd like to help from a steering perspective. It occurred to me while reviewing your changes that the best place to invest time may be the threat or control definitions themselves. The current progress on the RDMS entry is iterative, and I expect it needs strong revisions before we can create accurate behaviors/steps. Would you like to contribute to the RDMS threat or control definition refinement? I don't mind spending a cycle to help create runway here, if you're interested in picking it up! |
|
@eddie-knight, Absolutely...I just started where Lori pointed me but let me comb through the threats materials. I assume this is where you'd want some help building out? It may end up being a 1:x mapping of threats to controls so likely will end up coming up with them together. |
|
Yes! Although the RDMS iteration is in need of an update to match the finalized guidelines (yaml). Feel free to drop me an email ([email protected]) or message me on the FINOS slack if I can help with implementation details. |
| @CCC.RDMS.C8.TR01.T02 | ||
| Scenario: Ensure ability to audit for any users who have connected using an insecure protocol | ||
| Given a user connection has been established to the database | ||
| When an admin establishes an admin connection to a database server and runs from mysql.user where ssl_type='' |
There was a problem hiding this comment.
For our controls, we try to keep them as abstract as possible. we should remove the mysql.user where ssl_type='' from this statement.
There was a problem hiding this comment.
Makes sense! If I'm otherwise on track, I'll push a few more over in addition to threats/controls.
There was a problem hiding this comment.
Also remember to keep an eye on the new ID format. Most notably the Ts... threats are now TH00, Test requirements are TR00 and Tests are TE00
Co-authored-by: Damien Burks <[email protected]>
Co-authored-by: Damien Burks <[email protected]>
| @CCC.RDMS.C8.TR01.T02 | ||
| Scenario: Ensure ability to audit for any users who have connected using an insecure protocol | ||
| Given a user connection has been established to the database | ||
| When an admin establishes an admin connection to a database server and runs from mysql.user where ssl_type='' |
There was a problem hiding this comment.
Also remember to keep an eye on the new ID format. Most notably the Ts... threats are now TH00, Test requirements are TR00 and Tests are TE00
|
Ok, accepted proposed changes, reworked the one that was too technology specific and also converted threats.md to threats.yaml. hopefully this is in acceptable form (just let me know if it's not) and I'll start adding threats and converting controls.md @eddie-knight @damienjburks |
| @@ -0,0 +1,49 @@ | |||
| title: Relational Database Management Systems Threats | |||
There was a problem hiding this comment.
I think this file may be following an older schema. The latest guidance on this topic can be found in the project governance directory.
ref:
There was a problem hiding this comment.
Updated to the new schema although I left description at the highest level as it made sense to keep to me. No worries if it gets dropped.
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
Co-authored-by: Eddie Knight <[email protected]>
|
Google would be easier to co-edit but staying in the repo is helping me learn where all the relevant docs are located. I was guessing a bit earlier but now and seeing how to find definitions and templates and such. |
Lori Larusso mentioned you were looking for help building out the criteria for the CCC project. We happen to have pretty deep expertise in the DB realm so I can certainly contribute more items along these lines but before I went to far I figured I'd do just a few to get feedback.
If there's a particular area you'd like focus on, please just let me know!