- Geo security review (Q&A)
- Geo security review (Q&A)
- Business Model
- Data Essentials
- End-Users
- Administrators
- Network
- Systems
- Infrastructure Monitoring
- Virtualization and Externalization
- What virtualization requirements have been defined for the application?
- If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?
- Environment
- What frameworks and programming languages have been used to create the application?
- What process, code, or infrastructure dependencies have been defined for the application?
- What databases and application servers support the application?
- How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?
- Data Processing
- What data entry paths does the application support?
- What data output paths does the application support?
- How does data flow across the application’s internal components?
- What data input validation requirements have been defined?
- What data does the application store and how?
- What data is or may need to be encrypted and what key management requirements have been defined?
- What capabilities exist to detect the leakage of sensitive data?
- What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?
- Access
- What user privilege levels does the application support?
- What user identification and authentication requirements have been defined?
- What user authorization requirements have been defined?
- What session management requirements have been defined?
- What access requirements have been defined for URI and Service calls?
- Application Monitoring
Geo security review (Q&A)
原文:https://docs.gitlab.com/ee/administration/geo/replication/security_review.html
- Business Model
- Data Essentials
- End-Users
- Administrators
- Network
- Systems
- Infrastructure Monitoring
- Virtualization and Externalization
- What virtualization requirements have been defined for the application?
- If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?
- Environment
- What frameworks and programming languages have been used to create the application?
- What process, code, or infrastructure dependencies have been defined for the application?
- What databases and application servers support the application?
- How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?
- Data Processing
- What data entry paths does the application support?
- What data output paths does the application support?
- How does data flow across the application’s internal components?
- What data input validation requirements have been defined?
- What data does the application store and how?
- What data is or may need to be encrypted and what key management requirements have been defined?
- What capabilities exist to detect the leakage of sensitive data?
- What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?
- Access
- What user privilege levels does the application support?
- What user identification and authentication requirements have been defined?
- What user authorization requirements have been defined?
- What session management requirements have been defined?
- What access requirements have been defined for URI and Service calls?
- Application Monitoring
Geo security review (Q&A)
以下对地理功能集的安全性审查集中于该功能的安全性方面,因为它们适用于运行自己的 GitLab 实例的客户. 复习题部分基于owasp.org的OWASP 应用程序安全验证标准项目 .
Business Model
What geographic areas does the application service?
- 这因客户而异. Geo 使客户可以部署到多个区域,然后他们可以选择自己的位置.
- 区域和节点选择完全是手动的.
Data Essentials
What data does the application receive, produce, and process?
- Geo 几乎在站点之间流传输 GitLab 实例保存的所有数据. 这包括完整的数据库复制,大多数文件(用户上传的附件等)以及存储库+ Wiki 数据. 在典型的配置中,这将在公共 Internet 上发生,并经过 TLS 加密.
- PostgreSQL 复制是 TLS 加密的.
- 另请参阅: 仅应支持 TLSv1.2
How can the data be classified into categories according to its sensitivity?
- GitLab’s model of sensitivity is centered around public vs. internal vs. private projects. Geo replicates them all indiscriminately. “Selective sync” exists for files and repositories (but not database content), which would permit only less-sensitive projects to be replicated to a secondary node if desired.
- 另请参阅: GitLab 数据分类策略 .
What data backup and retention requirements have been defined for the application?
- Geo 旨在提供应用程序数据的某些子集的复制. 它是解决方案的一部分,而不是问题的一部分.
End-Users
Who are the application’s end‐users?
- 辅助节点在是遥远(在互联网延迟而言)从主 GitLab 安装( 主节点)区创建. 打算由通常使用主节点的任何人使用它们,他们发现辅助节点距离它们更近(就 Internet 延迟而言).
How do the end‐users interact with the application?
- 辅助节点提供了主节点执行的所有接口(特别是 HTTP / HTTPS Web 应用程序以及 HTTP / HTTPS 或 SSH Git 存储库访问),但仅限于只读活动. 设想主要用例是从辅助节点克隆 Git 存储库以支持主节点,但是最终用户可以使用 GitLab Web 界面查看项目,问题,合并请求,摘要等.
What security expectations do the end‐users have?
- 复制过程必须是安全的. 例如,在整个公共 Internet 上以纯文本格式传输整个数据库内容或所有文件和存储库通常是不可接受的.
- 辅助节点必须对其内容具有与主节点相同的访问控制-未经身份验证的用户不能通过查询辅助节点来获得对主节点上特权信息的访问.
- 攻击者必须不能将辅助节点模拟为主要节点,从而不能访问特权信息.
Administrators
Who has administrative capabilities in the application?
- 没有特定于地理位置的信息. 在数据库中设置了
admin: true
任何用户都被视为具有超级用户特权的 admin. - 另请参阅: 更详细的访问控制 (不是特定于地理位置的).
- Geo 的许多集成(例如,数据库复制)必须由应用程序配置,通常由系统管理员配置.
What administrative capabilities does the application offer?
- 具有管理访问权限的用户可以添加,修改或删除辅助节点.
- 复制过程可以通过 Sidekiq 管理控件进行控制(启动/停止).
Network
What details regarding routing, switching, firewalling, and load‐balancing have been defined?
- Geo 要求主要节点和次要节点能够通过 TCP / IP 网络相互通信. 特别是, 辅助节点必须能够访问主节点上的 HTTP / HTTPS 和 PostgreSQL 服务.
What core network devices support the application?
- 因客户而异.
What network performance requirements exist?
- 主节点和辅助节点之间的最大复制速度受到站点之间可用带宽的限制. 没有硬性要求-完成复制的时间(以及跟上主节点的更改的能力)取决于数据集的大小,对延迟的容忍度以及可用的网络容量.
What private and public network links support the application?
- 客户选择自己的网络. 由于打算将站点在地理位置上分开,因此可以设想,复制流量将在典型部署中通过公共 Internet 传递,但这不是必需的.
Systems
What operating systems support the application?
What details regarding required OS components and lock‐down needs have been defined?
- 受支持的安装方法(Omnibus)打包了大多数组件本身.
- 系统安装的 OpenSSH 守护程序(Geo 要求用户设置自定义身份验证方法)和 omnibus 或系统提供的 PostgreSQL 守护程序(必须配置为侦听 TCP,必须添加其他用户和复制插槽)之间存在很大的依赖关系,等等).
- 处理安全更新的过程(例如,如果 OpenSSH 或其他服务中存在重大漏洞,并且客户希望在 OS 上修补这些服务)与非 Geo 情况相同:对 OpenSSH 的安全更新为通过通常的分发渠道提供给用户. Geo 在那里没有延迟.
Infrastructure Monitoring
What network and system performance monitoring requirements have been defined?
- 没有特定于 Geo 的内容.
What mechanisms exist to detect malicious code or compromised application components?
- 没有特定于 Geo 的内容.
What network and system security monitoring requirements have been defined?
- 没有特定于 Geo 的内容.
Virtualization and Externalization
What aspects of the application lend themselves to virtualization?
- All.
What virtualization requirements have been defined for the application?
- 没有特定于地理位置的信息,但是在这样的环境中,GitLab 中的所有内容都需要具有完整的功能.
What aspects of the product may or may not be hosted via the cloud computing model?
- GitLab 是”云原生”的,这不仅适用于 Geo,还适用于产品的其余部分. 在云中进行部署是常见且受支持的方案.
If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?
- 由我们的客户根据他们的运营需求来决定.
Environment
What frameworks and programming languages have been used to create the application?
- Ruby on Rails,Ruby.
What process, code, or infrastructure dependencies have been defined for the application?
- 没有特定于 Geo 的内容.
What databases and application servers support the application?
- PostgreSQL> = 11,Redis,Sidekiq,Puma.
How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?
- 有一些特定于地理位置的值. 有些是共享机密,必须在设置时将其从主节点安全地传输到辅助节点. 我们的文档建议通过 SSH 将它们从主节点传输到系统管理员,然后以相同方式回传到辅助节点. 特别是,这包括 PostgreSQL 复制凭证和一个秘密密钥(
db_key_base
),该密钥用于解密数据库中的某些列.db_key_base
秘密与其他许多秘密一起未加密地存储在文件系统中的/etc/gitlab/gitlab-secrets.json
. 他们没有休息保护.
Data Processing
What data entry paths does the application support?
- 数据是通过 GitLab 本身公开的 Web 应用程序输入的. 使用 GitLab 服务器上的系统管理命令(例如
gitlab-ctl set-primary-node
)也输入了一些数据. - 辅助节点还通过 PostgreSQL 流复制从主节点接收输入.
What data output paths does the application support?
- 主节点通过 PostgreSQL 流复制输出到辅助节点. 否则,主要是通过 GitLab 本身公开的 Web 应用程序以及最终用户启动的 SSH
git clone
操作.
How does data flow across the application’s internal components?
- 辅助节点和主节点通过 HTTP / HTTPS(受 JSON Web 令牌保护)和 PostgreSQL 流复制进行交互.
- 在主节点或辅助节点内,SSOT 是文件系统和数据库(包括辅助节点上的 Geo 跟踪数据库). 精心安排了各种内部组件以对这些存储进行更改.
What data input validation requirements have been defined?
- 辅助节点必须忠实地复制主节点的数据.
What data does the application store and how?
- Git 存储库和文件,与它们相关的跟踪信息以及 GitLab 数据库内容.
What data is or may need to be encrypted and what key management requirements have been defined?
- 主节点或辅助节点都不会加密静态的 Git 存储库或文件系统数据. 数据库列的子集使用
db_otp_key
加密. - 在 GitLab 部署中的所有主机之间共享的静态机密.
- 在传输过程中,尽管应用程序确实允许通信以未加密的方式进行,但是数据应该被加密. 两个主要过程是 PostgreSQL 和 Git 存储库/文件的辅助节点复制过程. 两者均应使用 TLS 保护,并通过现有配置通过 Omnibus 管理该密钥,以供最终用户访问 GitLab.
What capabilities exist to detect the leakage of sensitive data?
- 存在全面的系统日志,跟踪与 GitLab 和 PostgreSQL 的每个连接.
What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?
- 数据必须具有在传输过程中进行加密的选项,并且必须能够抵抗被动和主动攻击(例如,不可能进行 MITM 攻击).
Access
What user privilege levels does the application support?
- Geo 添加了一种类型的特权: 辅助节点可以访问特殊的 Geo API,以通过 HTTP / HTTPS 下载文件,以及使用 HTTP / HTTPS 克隆存储库.
What user identification and authentication requirements have been defined?
- 辅助节点基于共享数据库(HTTP 访问)或 PostgreSQL 复制用户(用于数据库复制)通过 OAuth 或 JWT 身份验证向 Geo 主节点标识. 数据库复制还需要定义基于 IP 的访问控制.
What user authorization requirements have been defined?
- 辅助节点只能读取数据. 他们当前无法对主节点上的数据进行突变.
What session management requirements have been defined?
- 地理 JWT 被定义为仅持续两分钟,然后需要重新生成.
- Geo JWT 是为以下特定范围之一生成的:
- Geo API 访问.
- Git 访问.
- LFS 和文件 ID.
- 上传和文件 ID.
- 作业工件和文件 ID.
What access requirements have been defined for URI and Service calls?
- 辅助节点对主节点的 API 进行了许多调用. 例如,这就是文件复制的进行方式. 只能使用 JWT 令牌访问此端点.
- 主节点还调用辅助节点以获取状态信息.
Application Monitoring
What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?
- 结构化 JSON 日志将写入文件系统,也可以将其提取到 Kibana 安装中以进行进一步分析.