[Security Self Assessment] Cortex #5692
It's basically a Go binary; the rest you see is only the docs at cortexmetrics.io.
No, I don't think committing the SBOM to the assessment is the right way. I inspected the SBOM and it has all the references to Go library versions. Maybe we need another Cortex issue to add support for SBOM. In the meantime I believe you can just link the go.mod. Cortex is mostly a Kubernetes service, so most of your proposed threats don't really apply to us.
Out of scope for Cortex. Network policies in Kubernetes can be configured so that components only have access to the right components. Maybe an issue should be created in the Helm chart to allow this more easily.
Out of scope for Cortex; Kubernetes containers are not able to change their configuration files (ConfigMaps).
Out of scope for Cortex. There are a number of ways to gather secure logs for Kubernetes and preserve logs.
Out of scope for Cortex again. Using network policies in Kubernetes, this becomes a non-issue.
A properly configured Cortex will not suffer any downtime during DoS attacks. There are plenty of options to configure, like rate limiting and limiting series per tenant.
There is no super user or admin user in Cortex; this concept doesn't apply. And we do have some security threats around Alertmanager that you haven't mentioned, which we have already mitigated too.
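The maintainer's answer above leans on Kubernetes NetworkPolicies to restrict which Cortex components can reach each other. As an added illustration (not code from the Cortex project or from anyone in this thread), here is what that looks like for the ingesters: a default-deny policy for the namespace, then an explicit allow so that only the write and read paths can reach ingester gRPC. The namespace name `cortex`, the `app.kubernetes.io/component` labels and the gRPC port 9095 are assumptions; match them to the labels and ports your chart actually uses.

```yaml
# Added example; not from the Cortex project or this thread.
# Assumptions: Cortex runs in namespace "cortex"; pods carry the label
# app.kubernetes.io/component set to the component name (distributor,
# ingester, querier, ruler); ingesters serve gRPC on TCP 9095.
---
# 1. Default deny. A pod selected by no NetworkPolicy accepts traffic from
#    anywhere in the cluster. This policy selects every pod in the namespace
#    and permits nothing, so each component must be opened up explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: cortex
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Ingesters accept gRPC only from the components that legitimately talk
#    to them: distributors (write path), queriers and rulers (read path).
#    Any other pod that ends up in the cluster, compromised or simply
#    misconfigured, cannot push samples to or read samples from an ingester.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingester-allow-write-read-paths
  namespace: cortex
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: ingester
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: distributor
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: querier
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: ruler
      ports:
        - protocol: TCP
          port: 9095
```

Two caveats when applying this: NetworkPolicies are only enforced when the cluster's CNI plugin supports them, so confirm enforcement (for example with a throwaway pod that tries to connect to an ingester) rather than assuming it; and if the ring uses memberlist gossip, every Cortex pod also needs a policy allowing the gossip port between them, plus whatever port your monitoring uses to scrape `/metrics`.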
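The DoS point above refers to Cortex's per-tenant limits. As an added example (not from the Cortex project or this thread), this is the shape of a limits section that sets an ingestion rate limit and series caps explicitly, together with a per-tenant override file. The keys are Cortex `limits_config` and runtime-override keys as I recall them; confirm them against the configuration reference for the version you deploy. The numbers are constructed for illustration, not recommendations.

```yaml
# Added example; not from the Cortex project or this thread.
# Keys: Cortex limits_config as recalled; verify against your version's docs.
# Values are constructed placeholders.
limits:
  # Ingestion rate per tenant in samples per second, plus a burst allowance.
  # Pushes above the limit are rejected with HTTP 429 rather than queued,
  # so one abusive or runaway tenant cannot exhaust the ingesters.
  ingestion_rate: 50000
  ingestion_burst_size: 100000
  # Cap the number of active series a tenant may hold in ingester memory,
  # both in total and for any single metric name (a cardinality explosion
  # on one metric is the usual accidental DoS).
  max_series_per_user: 1000000
  max_series_per_metric: 100000
  # Bound the read path as well so a single query cannot span years of data.
  max_query_length: 720h

# Separate runtime-config file (pointed to by the runtime config setting),
# reloaded without a restart. Raise limits for a trusted, high-volume
# tenant here instead of loosening the global defaults for everyone.
# (Placed in the same document only for illustration; in practice this is
# its own file.)
overrides:
  tenant-a:
    ingestion_rate: 200000
    max_series_per_user: 5000000
```

Operationally, the thing to watch is the metric Cortex exposes for discarded samples (rejections due to rate or series limits show up there by reason and tenant); alert on it so a tenant hitting a limit is noticed and distinguished from a tenant being attacked or misbehaving.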
Hi, thank you for your feedback. We have updated the self-assessment.
Security Self Assessment of Cortex
We are a group of 4 students from New York University, who completed the security assessment of the Cortex project.
We wanted to connect with the maintainers of Cortex (@alanprot @alvinlin123 @yeya24 @friedrichg) to have some discussions about our self-assessment and receive feedback/suggestions about where we can improve any missing information or vulnerabilities.
Thanks.