Feature Description
Please have Consul emit a log entry when ACL processing is stopped. This is one of several other conditions which require a security log output for SOC operations. Other conditions include the Consul Agent configuration file containing settings which turn off TLS verification:
Most large enterprises have a SOC (Security Operations Center) that runs 24x7 to monitor and respond to anomalous issues identified by various monitoring systems. When, in production, processing (enforcement) of ACLs is turned off, that's something they should know about right away. This is both for customers and Consul HCP Operations.
This feature may be a utility like Terraform Sentinel/OPA/TfSec which analyzes configuration settings and issues alerts. This would provide the alerts to be identified under a different security context, in case of compromised access to the Consul server.
This issue concerns ensuring that there are procedures and systems available to prove that the above works for dev, QA, pre-sales engineers, etc. within HashiCorp, and that proven instructions and training are given to customers on this topic.
Use Case(s)
This is one of several conditions in answer to the question "Are accountable parties immediately notified about anomalies and failures?" which is item LOG-13.2 - Failures and Anomalies Reporting - in the CAIQ v4 which HashiCorp customers must fill out to provide their auditors. See https://cloudsecurityalliance.org/download/artifacts/star-level-1-security-questionnaire-caiq-v4/
BTW the CAIQ (Consensus Assessment Initiative Questionnaire) is called "consensus" because it was defined for use by all cloud service providers and the Q&A is applicable to 40 audit programs (SOC2, ISO 27000, FedRamp, etc.). A public example draft for Consul is at https://wilsonmar.github.io/CAIQ4.0.1.consul/
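As an added illustration of the configuration-analysis utility described above (this is example code, not Consul's own logging and not a HashiCorp tool), the checker below reads the JSON form of a Consul agent configuration and reports the two conditions the request names: ACL enforcement off and TLS verification off. It assumes the Consul config keys `acl.enabled`, `acl.default_policy`, the legacy top-level `verify_*` keys and the `tls` block, and that Consul defaults `acl.enabled` to false and `acl.default_policy` to allow when unset; the "SECURITY" log prefix and the sample config are constructed for the example.

```python
"""Constructed example: flag Consul agent config settings a SOC should hear about
(ACL enforcement off, TLS verification off). Not Consul code; reads a JSON agent config."""
import json
import logging

logging.basicConfig(format="%(levelname)s %(message)s")
log = logging.getLogger("consul-config-audit")

# Dotted setting path -> value that should raise a security event.
# Both the legacy top-level verify_* keys and the tls {} block are checked.
CHECKS = {
    "acl.enabled": False,
    "acl.default_policy": "allow",
    "verify_incoming": False,
    "verify_outgoing": False,
    "verify_server_hostname": False,
    "tls.defaults.verify_incoming": False,
    "tls.defaults.verify_outgoing": False,
    "tls.internal_rpc.verify_server_hostname": False,
}

def lookup(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(cfg):
    """Return (setting, value) pairs that match an insecure value, including the
    cases where an unset key is insecure because of Consul's default (assumed here)."""
    findings = []
    enabled = lookup(cfg, "acl.enabled")
    if enabled is None:
        findings.append(("acl.enabled", None))  # unset: Consul defaults to ACLs off
    elif enabled is True and lookup(cfg, "acl.default_policy") is None:
        findings.append(("acl.default_policy", "allow"))  # unset: defaults to allow
    for path, bad in CHECKS.items():
        if lookup(cfg, path) == bad:
            findings.append((path, bad))
    return findings

# Constructed sample: ACLs enforced, but incoming TLS verification turned off.
SAMPLE = json.loads('{"acl": {"enabled": true, "default_policy": "deny"},'
                    ' "tls": {"defaults": {"verify_incoming": false}}}')

if __name__ == "__main__":
    for setting, value in audit(SAMPLE):  # one log line per finding, for the SIEM to pick up
        log.warning("SECURITY consul agent config: %s=%r", setting, value)
```

Running it against a directory of agent config files (one `audit(json.load(fh))` per file) gives the "different security context" the request asks for, since the check runs outside the Consul server itself.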