首頁 探索 說明
註冊 登入
AFS
/
infrastructure-notes
2
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: b9c6d3b6da
分支列表 標籤列表
infrastructure-...
/
MDR FedRAMP.txt

MDR FedRAMP.txt 2.6 KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243 
  1. AWS artifacts provide insight into AWS fedramp package. 
    2. 

  2. Okta fedRAMP notes:
    3. 

  3. https://www.okta.com/resources/whitepaper/configuring-okta-for-fedramp-compliance/
    4. 

  4. 

  5. 

  6.  
    7. 

  7. 

  8. CM-6(a)-2 CIS SCAP Checklist
    9. 

  9. Update parameter field to indicate the the CIS QA checklist is stored in Qualys and is SCAP compatible. 
    10. 

  10. MDR employs configuration scanning software (Qualys) that, using SCAP compliant checklists, produces SCAP compliant output. 
    11. 

  11. MDR employs c
    12. 

  12. 

  13. Do we have an alternative to github? is gitlab FIPS certified? It doesn't look like it. 
    14. 

  14. https://gitlab.com/gitlab-org/gitlab-foss/issues/41463
    15. 

  15. 

  16. 

  17. Use Qualys as the CIS QA Checklist- input deviations to CIS
    18. 

  18. 

  19. CM-6(c)-1 CIS deviations
    20. 

  20. Add link to the CIS deviations wiki page to the SSP? Provide access to customers upon request. Copy and paste the wiki page into the SSP?    Need to ask clarifing question. All Info sys components could have deviations, should we list every server? These are handled in the Qualys scanning tool. 
    21. 

  21. 

  22. 

  23. FIPS Certificate numbers
    24. 

  24. Red Hat SSH: 3538
    25. 

  25. Red Hat GnuTLS: 3571
    26. 

  26. Red Hat kernel: 3565
    27. 

  27. Okta mobile: 3344
    28. 

  28. Okta: 3353
    29. 

  29. Splunk: 3126
    30. 

  30. 

  31. 

  32. Whitelisting Applications Process
    33. 

  33. 

  34. New applications are introduced into the production environment after they have been approved by at least two MDR engineers through the change management process. Only members of the MDR engineers are able to approve new software. Before the change to add the new software is approved, a hash of the software should be generated and documented. The hash should be compared to the vendors documented hash. To ensure the hash of the software doesn’t change, the Splunk app Process List Whitelisting is used to gather and verify the hashes have not changed. In the event that an unapproved hash is detected an email alert is sent.
    35. 

  35. 

  36. 

  37. DNSSEC
    38. 

  38. https://nvd.nist.gov/800-53/Rev4/control/SC-20
    39. 

  39. https://nvd.nist.gov/800-53/Rev4/control/SC-21
    40. 

  40.  
    41. 

  41. SC-20 says (roughly) that your authoritative name servers should be publishing DNS records that are cryptographically signed using DNSSEC all the way back to the root.  DNSSEC attempts to protect DNS data from being tampered in transit.  Having a set of robust digital signatures on “my” DNS records, and on those of “my parent” and on those of “my grandparent” all the way back to the root of the DNS tree makes it possible to cryptographically “prove” that when someone looks up my domain – say www.accenturefederal.com – that there was no tampering with the responses to that query. 
    42. 

  42.  
    43. 

  43. SC-21 says (roughly) that when your clients do a DNS lookup that those lookups are done in a way that the DNSSEC signatures are checked and validated, and if the results cannot be cryptographically validated they are not used.
    44.