diff --git a/.github/workflows/ci-verify.yml b/.github/workflows/ci-verify.yml
new file mode 100644
index 0000000..7af5764
--- /dev/null
+++ b/.github/workflows/ci-verify.yml
@@ -0,0 +1,22 @@
+name: CI-Verify
+
+on:
+ push:
+ branches: [ main]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ check-readme-updated:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v2
+
+ - name: Do Make
+ run: make
+ - name: Check if README.md is updated
+ run: |
+ git diff | cat
+ val=$(git diff | wc -l) && [[ $val -ne 0 ]] && echo "Changes not updated. Run make and raise PR with any modified/added files" && exit 1
+ echo "All Good" && exit 0
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..948884b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,2 @@
+all:
+ @./tools/gendoc.sh
diff --git a/README.md b/README.md
index b21e7f5..907d861 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,7 @@
+
+
 # Security Intents for Intent Driven Security
+![CI status](https://github.com/5GSEC/security-intents/actions/workflows/ci-verify.yml/badge.svg)
 
 Repository to hold Security Intents in standard template format.
 
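Review bot: The staleness check in the last two lines of the `run` block only sees modifications to tracked files, because `git diff` omits untracked paths, while `make` (tools/gendoc.sh in this commit) can also create new files under res/intents/ — the very "added files" the error message asks contributors to commit — so a PR that forgot them would still pass. Using `git status --porcelain | cat` and `val=$(git status --porcelain | wc -l) && [[ $val -ne 0 ]] && echo "Changes not updated. Run make and raise PR with any modified/added files" && exit 1` covers both modified and untracked output. `actions/checkout@v2` is a mutable tag; pinning it to a full commit SHA with the tag in a trailing comment keeps the workflow's dependency reproducible. The push trigger's `branches: [ main]` is also missing the space before the closing bracket that the pull_request trigger has.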
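Review bot: `all` is not declared phony, so a file or directory named `all` in the repository root would make `make` report the target as up to date and skip tools/gendoc.sh, which the CI check relies on; add `.PHONY: all` above the target. The `@` prefix also hides the command from the build log, which makes a failing CI run harder to read from the Actions output alone.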
@@ -6,14 +9,31 @@ Repository to hold Security Intents in standard template format.
 
 ## Security Intent Template
 
-| Threat Scenario | (Scenario title) |
-|:---------------:|------------------------|
-| **Description** | (Detailed description of the scenario) |
-| **Severity** | High/Medium/Low |
-| **O-RAN Threat ID** | (mapping to Threat IDs defined in O-RAN WG11 Threat Model document) |
-| **Detection Methods** | Mechanisms to detect the threat |
-| **Mitigation Methods** | Mechanisms to mitigate the threat |
-| **Security Intent** | YAML |
-| **Security Intent Binding** | (Set of labels, annotations describing workloads who would be impacted by this threat) |
-| **Pre-Deployment considerations** | (Anything that can be done in CI/CD pipelines that can alleviate this threat) |
-| **References** | |
+| Threat Scenario | (Scenario title) |
+|:---------------------------------:|----------------------------------------------------------------------------------------|
+| **Description** | (Detailed description of the scenario) |
+| **Severity** | High/Medium/Low |
+| **O-RAN Threat ID** | (mapping to Threat IDs defined in O-RAN WG11 Threat Model document) |
+| **Detection Methods** | Mechanisms to detect the threat |
+| **Mitigation Methods** | Mechanisms to mitigate the threat |
+| **Security Intent** | YAML |
+| **Security Intent Binding** | (Set of labels, annotations describing workloads who would be impacted by this threat) |
+| **Pre-Deployment considerations** | (Anything that can be done in CI/CD pipelines that can alleviate this threat) |
+| **References** | |
+
+## Security Intents
+| Title | Description | Severity | O-RAN Threat ID | Detection Methods | Mitigation Methods | Security Intent | Security Intent Binding | Pre-Deployment considerations | References |
+|:-----:|-------------|----------|-----------------|-------------------|--------------------|-----------------|-------------------------|-------------------------------|------------|
+
+## 
Contributions welcome...
+
+### Adding a new Security Intent
+
+1. Fork and clone this repository
+2. Create `security-intent-name.yaml` and `security-intent-binding-name.yaml` files
+3. Copy the `intent.example` file and update it accordingly
+ ```shell
+ cp intent.example intent
+ ```
+4. Run `make`
+5. Raise a PR
diff --git a/intent.example b/intent.example
new file mode 100644
index 0000000..03b3b26
--- /dev/null
+++ b/intent.example
@@ -0,0 +1,10 @@
+TITLE="Scenario-title"
+DESCRIPTION="Detailed description of the scenario"
+SEVERITY=High/Medium/Low
+THREAT_ID="mapping to Threat IDs defined in O-RAN WG11 Threat Model document"
+DETECTION_METHODS="Mechanisms to detect the threat"
+MITIGATION_METHODS="Mechanisms to mitigate the threat"
+SI_FILE=sample-si.yaml
+SIB_FILE=sample-si-binding.yaml
+PRE_DEPLOYMENT_CONSIDERATIONS="Anything that can be done in CI/CD pipelines that can alleviate this threat"
+REFERENCES="ref1, ref2"
diff --git a/tools/footer.md b/tools/footer.md
new file mode 100644
index 0000000..d4b731b
--- /dev/null
+++ b/tools/footer.md
@@ -0,0 +1,12 @@
+## Contributions welcome...
+
+### Adding a new Security Intent
+
+1. Fork and clone this repository
+2. Create `security-intent-name.yaml` and `security-intent-binding-name.yaml` files
+3. Copy the `intent.example` file and update it accordingly
+ ```shell
+ cp intent.example intent
+ ```
+4. Run `make`
+5. Raise a PR
diff --git a/tools/gendoc.sh b/tools/gendoc.sh
new file mode 100755
index 0000000..2c2e2b7
--- /dev/null
+++ b/tools/gendoc.sh
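Review bot: Nothing in this template tells a contributor that the file is sourced as a shell script (`. intent` in tools/gendoc.sh, same commit), so every value is evaluated by bash, and `TITLE` is then used unquoted as a path component in `mkdir -p $INTENTS_DIR/$TITLE` and as a `cp` destination; a title containing spaces, slashes or `$` changes where the generator writes or breaks its word splitting. A leading comment would make the contract explicit: `# Sourced by tools/gendoc.sh as shell: keep every value double-quoted; TITLE becomes a directory name under res/intents/, so keep it free of spaces, slashes and shell metacharacters.` `SEVERITY=High/Medium/Low` is the one unquoted value and should be quoted like the others, `SEVERITY="High/Medium/Low"`, so the template demonstrates the safe form.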
@@ -0,0 +1,82 @@ +#!/usr/bin/env bash + +INTENTS_DIR=res/intents +HDR_MD=$(dirname $0)/header.md +FTR_MD=$(dirname $0)/footer.md +MD="README.md" + +statusLine() { + ORANGE="\033[0;33m" + RED="\033[0;31m" + GREEN="\033[0;32m" + NC="\033[0m" # No Color + + status=$1 + shift + [[ $status == AOK ]] || [[ $status == "0" ]] && + { + printf "[${GREEN}OK${NC}] $*\n" + return + } + [[ $status == WARN ]] && + { + printf "[${ORANGE}WARN${NC}] $*\n" + return + } + printf "[${RED}FAIL${NC}] $*\n" + exit 1 +} + +cleanup() { + if [[ -f intent ]]; then + . intent + rm -f intent $SI_FILE $SIB_FILE + statusLine AOK "done with processing" + fi +} + +copyContents() { + [[ -f intent ]] && { + . intent + mkdir -p $INTENTS_DIR/$TITLE + cp intent $SI_FILE $SIB_FILE $INTENTS_DIR/$TITLE + } +} + +addCommonEntries() { + CUR_INTENT_DIR=$INTENTS_DIR/$TITLE + cat >>${MD} <$MD < + +$(cat $HDR_MD) + +## Security Intents +| Title | Description | Severity | O-RAN Threat ID | Detection Methods | Mitigation Methods | Security Intent | Security Intent Binding | Pre-Deployment considerations | References | +|:-----:|-------------|----------|-----------------|-------------------|--------------------|-----------------|-------------------------|-------------------------------|------------| +EOF + copyContents + forEveryIntent addCommonEntries + cat >>"$MD" <