
Dashboard/analysis for state of confidentiality #2787

Open
1 task
hpvd opened this issue Jan 2, 2024 · 3 comments
Comments

hpvd commented Jan 2, 2024

Use case

Making the state of confidentiality really transparent / having a good chance to optimize it

inspired by

Describe your solution

Since confidentiality is the main selling point of Constellation,
are there already any plans to make this visible via something like
a dashboard or an analysis script showing the state of confidentiality?

depending on

  • Constellation's version
  • Config
  • Hardware type
  • Supported hardware features (CPU/platform)
  • Cloud provider's features (subset of the hardware features)
  • Kernel versions used
  • Firmware version (patches)
  • ...

This is not only about the current state but also about giving concrete advice on how it is possible to optimize confidentiality, e.g.

  • move to Azure
  • use instances with newer hardware gens
  • update Constellation
  • change config to
    ...

Would you be willing to implement this feature?

  • Yes, I could contribute this feature.
hpvd commented Jan 2, 2024

Maybe this could be thought of as a tool running not only in Constellation but also in other standard Kubernetes environments, like other checks do (e.g. kubebench).
In this case it could also provide (in addition to the core value) a great marketing tool, if the result of a scan is "there is only minor confidentiality; to optimize this you have to move to Constellation" :-)

hpvd commented Jan 2, 2024

If not standalone / in the long run:
one idea could be to add this kind of analysis to the trivy security operator https://github.com/aquasecurity/trivy-operator, which e.g. also includes kubebench.

@derpsteb
Member

Hey,
thank you for the suggestion.
Currently we include large parts of the information you are looking for in our attestation statements. You can learn about what specifically is included in our attestation docs. The Runtime measurements section will be of particular interest to you, I assume.

The evidence of the attestation can always be viewed using the verify command, and the underlying code that gathers the evidence can be found here.

So in case you want to take a swing at this, we would be happy to support you. The idea sounds very nice. Realistically, it is not the highest priority in our backlog right now.
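As an added illustration of the kind of analysis discussed in this thread (a check over the runtime measurements that attestation evidence carries, producing the per-register status a dashboard would display), here is a small Go example. It is not Constellation's own code and does not use its API or schema: the `Measurement` struct, the `WarnOnly` flag, the register indices and every digest value are assumptions constructed for the example. It compares observed register values from evidence against an expected set, distinguishes mandatory from warn-only registers, and reports whether verification passed.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Measurement is one expected runtime measurement, e.g. the value of one
// TPM PCR or vTPM register. Field names are assumptions made for this
// example and are not Constellation's schema.
type Measurement struct {
	Expected string // hex-encoded expected digest
	WarnOnly bool   // a mismatch is reported but does not fail verification
}

// Status is the outcome of comparing one register.
type Status int

const (
	Match    Status = iota // observed value equals the expected one
	Warn                   // mismatch or absence on a warn-only register
	Mismatch               // mismatch (or malformed value) on a mandatory register
	Missing                // mandatory register absent from the evidence
)

func (s Status) String() string {
	return [...]string{"match", "warn", "mismatch", "missing"}[s]
}

// Finding is the result for one expected register index.
type Finding struct {
	Index  uint32
	Status Status
	Detail string
}

// CompareMeasurements checks observed register values (hex strings taken
// from attestation evidence) against the expected set. It returns one
// Finding per expected register, ordered by index, and whether verification
// passed: every mandatory register is present and equal to its expected
// value. Observed registers that are not in the expected set are ignored.
func CompareMeasurements(expected map[uint32]Measurement, observed map[uint32]string) ([]Finding, bool) {
	indices := make([]uint32, 0, len(expected))
	for idx := range expected {
		indices = append(indices, idx)
	}
	sort.Slice(indices, func(i, j int) bool { return indices[i] < indices[j] })

	findings := make([]Finding, 0, len(indices))
	passed := true
	for _, idx := range indices {
		m := expected[idx]
		want, err := hex.DecodeString(m.Expected)
		if err != nil {
			// A malformed expected value is a configuration error and always fails.
			findings = append(findings, Finding{idx, Mismatch, "expected value is not valid hex"})
			passed = false
			continue
		}
		f := Finding{Index: idx}
		obs, present := observed[idx]
		got, errGot := hex.DecodeString(obs)
		switch {
		case !present:
			f.Status, f.Detail = Missing, "register not present in evidence"
		case errGot != nil:
			f.Status, f.Detail = Mismatch, "observed value is not valid hex"
		case bytes.Equal(want, got): // byte comparison makes the check case-insensitive
			f.Status = Match
		default:
			f.Status, f.Detail = Mismatch, fmt.Sprintf("expected %s, observed %s", m.Expected, obs)
		}
		if f.Status != Match && m.WarnOnly {
			f.Status = Warn // warn-only registers never fail verification
		}
		if f.Status == Mismatch || f.Status == Missing {
			passed = false
		}
		findings = append(findings, f)
	}
	return findings, passed
}

// Summarize counts findings by status, the figures a dashboard would show.
func Summarize(findings []Finding) map[Status]int {
	counts := make(map[Status]int)
	for _, f := range findings {
		counts[f.Status]++
	}
	return counts
}

func main() {
	// Constructed sample evidence: placeholder digests, not real measurements.
	expected := map[uint32]Measurement{
		4:  {Expected: strings.Repeat("11", 32), WarnOnly: false},
		8:  {Expected: strings.Repeat("22", 32), WarnOnly: true},
		11: {Expected: strings.Repeat("33", 32), WarnOnly: false},
	}
	observed := map[uint32]string{
		4:  strings.Repeat("11", 32),
		8:  strings.Repeat("ee", 32), // drifted, but the register is warn-only
		11: strings.Repeat("33", 32),
	}
	findings, ok := CompareMeasurements(expected, observed)
	for _, f := range findings {
		fmt.Printf("register %2d: %-8s %s\n", f.Index, f.Status, f.Detail)
	}
	fmt.Println("verification passed:", ok)
	for s, n := range Summarize(findings) {
		fmt.Printf("%s=%d\n", s, n)
	}
}
```

The warn-only distinction is the part worth keeping in any real tool: registers whose value legitimately varies across hardware generations or cloud images can be surfaced as drift without turning every deployment difference into a failed verification, while a mandatory register that is missing or malformed always fails.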
