mirantis / compliance
Docker Enterprise Edition Security Controls for Compliance
Home Page: https://docs.docker.com/compliance/
License: Creative Commons Zero v1.0 Universal
Guidance for DoD RMF per DODI 8510.1.
Reference: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf
Update CS Engine component narratives to reflect latest guidance in CIS Docker Benchmark
Find a way to include Docker EE screenshots
Since both UCP and DTR share the same authentication and authorization service, rather than having duplicate narratives for both components, merge them into a single UCP Authentication and Authorization Service component
Document DFARS guidance for Docker EE systems processing CUI per 800-171 using applicable NIST 800-53<->DFARS mappings (Appendix D).
With the release of DTR 2.2, Docker Security Scanning has been made available. An additional component should be created with appropriate security control mappings
Include Control Correlation Identifier (CCI) mappings
Neither UCP 2.2.0 nor DTR 2.3.0 displays an explicit logout message to users. Dependent on https://github.com/docker/orca/issues/5986
Auto generate user-friendly NIST 800-53 control reference docs from the component.yaml files and publish on docs.docker.com.
Include references to safeguards provided by Windows Server 2016 where appropriate
Existing component narratives should be updated to reflect content in the DDC Security Reference Architecture
Map remainder of controls to InSpec profiles for FedRAMP Moderate and High baselines
Once more information for Docker Content Scanning is made available, the RA-5 component narratives will need to be updated. Mostly geared towards the DTR component
Update sample SSP project to include parameters
Review AC controls for UCP, DTR and CS Engine components
Update narratives for EE 2.0 release
Per DOD SRG, map L4 controls to NIST 800-53. Refer to https://iasecontent.disa.mil/cloud/SRG/index.html and https://iasecontent.disa.mil/cloud/SRG/index.html#_Tbl2. Depends on opencontrol/schemas#48.
Tracking development of GDPR guidance
Update component narratives to include least privilege information for CM-7
Explore the use of NLP tools (e.g. Microsoft Cognitive Services) to ensure component narratives match that of the expected implementation requirements of the NIST-800-53 control descriptions themselves
Per Table H-3: Mapping ISO/IEC 27001 and 15408 to NIST SP 800-53 in Appendix H of NIST SP 800-53 rev 4, the control narratives should be enhanced to reflect the CC Security Targets for Docker EE-supported host OSes. The list of Docker EE-supported host OSes with CC certs is as follows:
Add Docker EE for X components.
Include PCI DSS component narratives using OpenControl-formatted spec
Incorporate the InSpec (http://inspec.io/) audit/testing framework into the project.
UCP 2.2.0 supports login session timeouts in minutes, but per https://github.com/docker/orca/issues/8904, this can only be accomplished via the UCP config TOML
Many of the controls need to be updated to reflect the correct implementation statuses and control origins.
CIS CSC-03 (Secure Configurations for Mobile Devices, Workstations, Servers) can be mapped to the following NIST 800-53 controls:
For each of the controls listed above, enhance the existing DEE narratives to reflect the recommendations dictated by the latest CIS Docker Benchmark.
Satisfies #17
Review AU component controls
Including @alexmavr in the review process since AU refers to the auditing capabilities of DDC. Most of the narratives direct the end-user to configure a remote logging stack
Active sessions cannot be disconnected from UCP nor DTR. Current workaround is to use host OS firewall or drain/pause a node. Dependent on https://github.com/docker/orca/issues/4020.
Update the docs to reflect InSpec profile usage instructions
Need to update links in components to point to the updated docs
Update components to reflect FedRAMP High Baseline
Update circle.yml to leverage CircleCI 2.0 features ... namely better Docker support -> https://circleci.com/docs/2.0/building-docker-images/
Per https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf and http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf, include mappings to HIPAA Security Rule
The NLP tool should leverage the existing compliance-masonry lib package for parsing of components and controls
Update narratives to reflect EE 17.06 (DTR 2.3/UCP 2.2)
Review IA component controls
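Two of the items above, generating user-friendly control reference docs from the component.yaml files and correcting the implementation statuses and control origins recorded in them, can be driven by one small script over the same parsed data. The example below is added here and is not code from the mirantis/compliance repo or from compliance-masonry. It assumes the OpenControl v3 component layout (a "satisfies" list whose entries carry standard_key, control_key, implementation_status, control_origin and a narrative list) and works on a constructed sample component, not a real narrative from the project. It renders a Markdown reference sorted by control family and number, and reports any control whose status or origin is missing.

```ruby
require 'yaml'

# Constructed sample component.yaml in the assumed OpenControl v3 layout.
# The narrative text is illustrative only, not copied from the project.
SAMPLE_COMPONENT = <<~YAML
  name: Universal Control Plane (UCP)
  key: UCP
  schema_version: 3.0.0
  satisfies:
    - standard_key: NIST-800-53
      control_key: AC-2
      implementation_status: complete
      control_origin: shared
      narrative:
        - key: a
          text: UCP manages accounts through its built-in authentication and authorization service.
    - standard_key: NIST-800-53
      control_key: AC-12
      implementation_status: partial
      control_origin: customer
      narrative:
        - text: Session timeouts are configured through the UCP config TOML.
    - standard_key: NIST-800-53
      control_key: AU-2
      narrative:
        - text: Audit events should be shipped to a remote logging stack.
YAML

# Fields every satisfies entry must carry before the narrative is publishable.
REQUIRED_FIELDS = %w[implementation_status control_origin].freeze

# Parse a component.yaml document into a Hash.
# safe_load refuses arbitrary Ruby object tags, so an untrusted YAML file
# cannot instantiate objects during parsing.
def load_component(yaml_text)
  YAML.safe_load(yaml_text)
end

# Return [[control_key, [missing_field, ...]], ...] for entries that lack
# an implementation status or a control origin.
def missing_fields(component)
  component.fetch('satisfies', []).each_with_object([]) do |entry, acc|
    missing = REQUIRED_FIELDS.reject { |f| entry.key?(f) }
    acc << [entry['control_key'], missing] unless missing.empty?
  end
end

# Sort key so that AC-2 precedes AC-12 (numeric part), not lexically.
def control_sort_key(key)
  family, number = key.split('-', 2)
  [family, number.to_i]
end

# Render a Markdown control reference grouped by standard and sorted by control.
def render_reference(component)
  out = ["# #{component['name']} (#{component['key']})", '']
  by_standard = component.fetch('satisfies', []).group_by { |e| e['standard_key'] }
  by_standard.sort.each do |standard, entries|
    out << "## #{standard}" << ''
    entries.sort_by { |e| control_sort_key(e['control_key']) }.each do |e|
      out << "### #{e['control_key']}"
      out << "- Implementation status: #{e.fetch('implementation_status', 'not specified')}"
      out << "- Control origin: #{e.fetch('control_origin', 'not specified')}"
      e.fetch('narrative', []).each do |n|
        label = n['key'] ? "(#{n['key']}) " : ''
        out << "- #{label}#{n['text']}"
      end
      out << ''
    end
  end
  out.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  component = load_component(SAMPLE_COMPONENT)
  puts render_reference(component)
  missing_fields(component).each do |key, fields|
    warn "#{key}: missing #{fields.join(', ')}"
  end
end
```

Run it against each component.yaml in the repo instead of the embedded sample to get one Markdown page per component; the missing-field report is the list of narratives that still need a status and origin before publication.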