# OSPS-AC.yaml (forked from ossf/security-baseline)
category: Access Control
description: |
  Access Control focuses on the mechanisms and
  policies that control access to the project's version
  control system and CI/CD pipelines. These controls help
  ensure that only authorized users can access sensitive
  data, modify repository settings, or execute build and
  release processes.
controls:
  - id: OSPS-AC-01
    title: |
      Protect against unauthorized access to sensitive areas of the project's
      repository
    objective: |
      Reduce the risk of account compromise or insider threats by requiring
      multi-factor authentication for collaborators modifying the project
      repository settings or accessing sensitive data.
    family: Access Control
    mappings:
      - reference-id: BPB
        identifiers:
          - CC-G-1
      - reference-id: CRA
        identifiers:
          - 1.2d
          - 1.2e
          - 1.2f
      - reference-id: SSDF
        identifiers:
          - PO3.2
          - PS1
      - reference-id: CSF
        identifiers:
          - PR.A-02
      - reference-id: OCRE
        identifiers:
          - 486-813
          - 124-564
          - 347-352
          - 333-858
          - 152-725
          - 201-246
    assessment-requirements:
      - id: OSPS-AC-01.01
        text: |
          The project's version control system MUST require multi-factor
          authentication for collaborators modifying the project repository
          settings or accessing sensitive data.
        applicability:
          - Maturity Level 1
          - Maturity Level 2
          - Maturity Level 3
        recommendation: |
          Enforce multi-factor authentication for the project's version
          control system, requiring collaborators to provide a second form of
          authentication when accessing sensitive data or modifying repository
          settings. Passkeys are acceptable for this control.
  - id: OSPS-AC-02
    title: |
      Limit the permissions granted to collaborators by default
    objective: |
      Reduce the risk of unauthorized access to the project's repository by
      limiting the permissions granted to new collaborators.
    family: Access Control
    mappings:
      - reference-id: CRA
        identifiers:
          - 1.2f
      - reference-id: SSDF
        identifiers:
          - PO3.2
          - PS1
      - reference-id: CSF
        identifiers:
          - PR:AA-02
      - reference-id: OCRE
        identifiers:
          - 486-813
          - 124-564
          - 802-056
          - 368-633
          - 152-725
    assessment-requirements:
      - id: OSPS-AC-02.01
        text: |
          The project's version control system MUST restrict collaborator
          permissions to the lowest available privileges by default.
        applicability:
          - Maturity Level 1
          - Maturity Level 2
          - Maturity Level 3
        recommendation: |
          Most public version control systems are configured in this manner.
          Ensure the project's version control system always assigns the lowest
          available permissions to collaborators by default when added, granting
          additional permissions only when necessary.
  - id: OSPS-AC-03
    title: |
      Protect the primary branch from unintentional or unauthorized changes
    objective: |
      Reduce the risk of accidental changes or deletion of the primary branch
      of the project's repository by preventing unintentional modification.
    family: Access Control
    mappings:
      - reference-id: CRA
        identifiers:
          - 1.2f
      - reference-id: SSDF
        identifiers:
          - PO3.2
          - PS1
      - reference-id: CSF
        identifiers:
          - PR.A-02
      - reference-id: OCRE
        identifiers:
          - 486-813
          - 124-564
          - 123-124
          - 152-725
    assessment-requirements:
      - id: OSPS-AC-03.01
        text: |
          The project's version control system MUST prevent unintentional direct
          commits against the primary branch.
        applicability:
          - Maturity Level 1
          - Maturity Level 2
          - Maturity Level 3
        recommendation: |
          If the VCS is centralized, set branch protection on the primary branch
          in the project's VCS. Alternatively, use a decentralized approach,
          like the Linux kernel's, where changes are first proposed in another
          repository, and merging changes into the primary repository requires a
          specific separate act.
      - id: OSPS-AC-03.02
        text: |
          The project's version control system MUST prevent unintentional
          deletion of the primary branch.
        applicability:
          - Maturity Level 1
          - Maturity Level 2
          - Maturity Level 3
        recommendation: |
          Set branch protection on the primary branch in the project's version
          control system to prevent deletion.
  - id: OSPS-AC-04
    title: |
      Restrict the project's permissions in CI/CD pipelines based on context
    objective: |
      Reduce the risk of unauthorized access to the project's build and release
      processes by limiting the permissions granted to steps within the CI/CD
      pipelines.
    family: Access Control
    mappings:
      - reference-id: CRA
        identifiers:
          - 1.2d
          - 1.2e
          - 1.2f
      - reference-id: SSDF
        identifiers:
          - PO2
          - PO3.2
          - PS1
      - reference-id: CSF
        identifiers:
          - PR.AA-02
          - PR.AA-05
      - reference-id: OCRE
        identifiers:
          - 486-813
          - 124-564
          - 347-507
          - 263-284
          - 123-124
    assessment-requirements:
      - id: OSPS-AC-04.01
        text: |
          The project's settings for CI/CD pipelines MUST restrict permissions
          to the lowest available privileges by default.
        applicability:
          - Maturity Level 2
          - Maturity Level 3
        recommendation: |
          Configure the project's settings to assign the lowest available
          permissions to new pipelines by default, granting additional
          permissions only when necessary for specific tasks.
      - id: OSPS-AC-04.02
        text: |
          The project's permission assignments in CI/CD pipelines MUST use the
          lowest available privileges except when explicitly elevated.
        applicability:
          - Maturity Level 3
        recommendation: |
          Configure the project's CI/CD pipelines to assign the lowest available
          permissions to users and services by default, elevating permissions
          only when necessary for specific tasks. In some version control
          systems, this may be possible at the organizational or repository
          level. If not, set permissions at the top level of the pipeline.
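The OSPS-AC-04.01 and OSPS-AC-04.02 requirements above can be checked mechanically for GitHub Actions workflows, where the "top level of the pipeline" is the workflow-wide `permissions` block. The following is an added example, not part of the baseline or of any OpenSSF tooling; it assumes workflows have already been loaded from `.github/workflows/*.yml` into Python dicts by a YAML parser, and the three sample workflows are constructed for illustration.

```python
"""Audit GitHub Actions workflow permissions against OSPS-AC-04.

Added example, not part of the baseline. Workflows are the dicts a YAML parser
yields from .github/workflows/*.yml; the samples below are constructed.
"""
from typing import Any, Dict, List

WRITE_LEVELS = {"write", "write-all"}


def grants_write(perms: Any) -> bool:
    """True if a `permissions` value hands out any write scope.

    Actions accepts the shorthands `read-all` / `write-all`, an empty mapping
    `{}` (no scopes), or a mapping of scope -> read | write | none.
    """
    if isinstance(perms, str):
        return perms in WRITE_LEVELS
    return isinstance(perms, dict) and any(v in WRITE_LEVELS for v in perms.values())


def audit_workflow(name: str, wf: Dict[str, Any]) -> List[str]:
    """Return one finding per violation; an empty list means the file passes."""
    findings: List[str] = []
    top = wf.get("permissions")
    if top is None:
        # OSPS-AC-04.01: with no top-level block the job token inherits the
        # repository default rather than an explicit least-privilege setting.
        findings.append(f"{name}: no top-level `permissions` block")
    elif grants_write(top):
        # OSPS-AC-04.02: write scopes at the top level apply to every job.
        findings.append(f"{name}: top-level permissions grant write access")
    for job_id, job in wf.get("jobs", {}).items():
        # Explicit per-job elevation is allowed; the write-all shorthand is not
        # least privilege because it elevates every scope at once.
        if job.get("permissions") == "write-all":
            findings.append(f"{name}: job '{job_id}' uses write-all")
    return findings


JOB = {"runs-on": "ubuntu-latest", "steps": []}
# WEAK: no permissions block, so the token gets the repository default.
WEAK = {"on": "push", "jobs": {"build": dict(JOB)}}
# HARDENED: read-only by default; only the release job is elevated, and only
# for the scopes it needs (publishing a release, requesting an OIDC token).
HARDENED = {"on": "push", "permissions": {"contents": "read"},
            "jobs": {"build": dict(JOB),
                     "release": {**JOB, "permissions": {"contents": "write", "id-token": "write"}}}}
# BROAD: every scope writable for every job.
BROAD = {"on": "push", "permissions": "write-all", "jobs": {"build": dict(JOB)}}
```

Running `audit_workflow` over each parsed workflow in a repository gives a per-file list of AC-04 findings that can gate a CI job or feed a periodic review.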