497.md 22.8 KB
Newer Older
Lab机器人's avatar
readme  
Lab机器人 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266
# Geo security review (Q&A)

> 原文:[https://docs.gitlab.com/ee/administration/geo/replication/security_review.html](https://docs.gitlab.com/ee/administration/geo/replication/security_review.html)

*   [Business Model](#business-model)
    *   [What geographic areas does the application service?](#what-geographic-areas-does-the-application-service)
*   [Data Essentials](#data-essentials)
    *   [What data does the application receive, produce, and process?](#what-data-does-the-application-receive-produce-and-process)
    *   [How can the data be classified into categories according to its sensitivity?](#how-can-the-data-be-classified-into-categories-according-to-its-sensitivity)
    *   [What data backup and retention requirements have been defined for the application?](#what-data-backup-and-retention-requirements-have-been-defined-for-the-application)
*   [End-Users](#end-users)
    *   [Who are the application’s end‐users?](#who-are-the-applications-endusers)
    *   [How do the end‐users interact with the application?](#how-do-the-endusers-interact-with-the-application)
    *   [What security expectations do the end‐users have?](#what-security-expectations-do-the-endusers-have)
*   [Administrators](#administrators)
    *   [Who has administrative capabilities in the application?](#who-has-administrative-capabilities-in-the-application)
    *   [What administrative capabilities does the application offer?](#what-administrative-capabilities-does-the-application-offer)
*   [Network](#network)
    *   [What details regarding routing, switching, firewalling, and load‐balancing have been defined?](#what-details-regarding-routing-switching-firewalling-and-loadbalancing-have-been-defined)
    *   [What core network devices support the application?](#what-core-network-devices-support-the-application)
    *   [What network performance requirements exist?](#what-network-performance-requirements-exist)
    *   [What private and public network links support the application?](#what-private-and-public-network-links-support-the-application)
*   [Systems](#systems)
    *   [What operating systems support the application?](#what-operating-systems-support-the-application)
    *   [What details regarding required OS components and lock‐down needs have been defined?](#what-details-regarding-required-os-components-and-lockdown-needs-have-been-defined)
*   [Infrastructure Monitoring](#infrastructure-monitoring)
    *   [What network and system performance monitoring requirements have been defined?](#what-network-and-system-performance-monitoring-requirements-have-been-defined)
    *   [What mechanisms exist to detect malicious code or compromised application components?](#what-mechanisms-exist-to-detect-malicious-code-or-compromised-application-components)
    *   [What network and system security monitoring requirements have been defined?](#what-network-and-system-security-monitoring-requirements-have-been-defined)
*   [Virtualization and Externalization](#virtualization-and-externalization)
    *   [What aspects of the application lend themselves to virtualization?](#what-aspects-of-the-application-lend-themselves-to-virtualization)
*   [What virtualization requirements have been defined for the application?](#what-virtualization-requirements-have-been-defined-for-the-application)
    *   [What aspects of the product may or may not be hosted via the cloud computing model?](#what-aspects-of-the-product-may-or-may-not-be-hosted-via-the-cloud-computing-model)
*   [If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?](#if-applicable-what-approaches-to-cloud-computing-will-be-taken-managed-hosting-versus-pure-cloud-a-full-machine-approach-such-as-aws-ec2-versus-a-hosted-database-approach-such-as-aws-rds-and-azure-etc)
*   [Environment](#environment)
    *   [What frameworks and programming languages have been used to create the application?](#what-frameworks-and-programming-languages-have-been-used-to-create-the-application)
    *   [What process, code, or infrastructure dependencies have been defined for the application?](#what-process-code-or-infrastructure-dependencies-have-been-defined-for-the-application)
    *   [What databases and application servers support the application?](#what-databases-and-application-servers-support-the-application)
    *   [How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?](#how-will-database-connection-strings-encryption-keys-and-other-sensitive-components-be-stored-accessed-and-protected-from-unauthorized-detection)
*   [Data Processing](#data-processing)
    *   [What data entry paths does the application support?](#what-data-entry-paths-does-the-application-support)
    *   [What data output paths does the application support?](#what-data-output-paths-does-the-application-support)
    *   [How does data flow across the application’s internal components?](#how-does-data-flow-across-the-applications-internal-components)
    *   [What data input validation requirements have been defined?](#what-data-input-validation-requirements-have-been-defined)
    *   [What data does the application store and how?](#what-data-does-the-application-store-and-how)
    *   [What data is or may need to be encrypted and what key management requirements have been defined?](#what-data-is-or-may-need-to-be-encrypted-and-what-key-management-requirements-have-been-defined)
    *   [What capabilities exist to detect the leakage of sensitive data?](#what-capabilities-exist-to-detect-the-leakage-of-sensitive-data)
    *   [What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?](#what-encryption-requirements-have-been-defined-for-data-in-transit---including-transmission-over-wan-lan-secureftp-or-publicly-accessible-protocols-such-as-http-and-https)
*   [Access](#access)
    *   [What user privilege levels does the application support?](#what-user-privilege-levels-does-the-application-support)
    *   [What user identification and authentication requirements have been defined?](#what-user-identification-and-authentication-requirements-have-been-defined)
    *   [What user authorization requirements have been defined?](#what-user-authorization-requirements-have-been-defined)
    *   [What session management requirements have been defined?](#what-session-management-requirements-have-been-defined)
    *   [What access requirements have been defined for URI and Service calls?](#what-access-requirements-have-been-defined-for-uri-and-service-calls)
*   [Application Monitoring](#application-monitoring)
    *   [What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?](#what-application-auditing-requirements-have-been-defined-how-are-audit-and-debug-logs-accessed-stored-and-secured)

# Geo security review (Q&A)[](#geo-security-review-qa-premium-only "Permalink")

以下对地理功能集的安全性审查集中于该功能的安全性方面,因为它们适用于运行自己的 GitLab 实例的客户. 复习题部分基于[owasp.org](https://owasp.org/)[OWASP 应用程序安全验证标准项目](https://owasp.org/www-project-application-security-verification-standard/) .

## Business Model[](#business-model "Permalink")

### What geographic areas does the application service?[](#what-geographic-areas-does-the-application-service "Permalink")

*   这因客户而异. Geo 使客户可以部署到多个区域,然后他们可以选择自己的位置.
*   区域和节点选择完全是手动的.

## Data Essentials[](#data-essentials "Permalink")

### What data does the application receive, produce, and process?[](#what-data-does-the-application-receive-produce-and-process "Permalink")

*   Geo 几乎在站点之间流传输 GitLab 实例保存的所有数据. 这包括完整的数据库复制,大多数文件(用户上传的附件等)以及存储库+ Wiki 数据. 在典型的配置中,这将在公共 Internet 上发生,并经过 TLS 加密.
*   PostgreSQL 复制是 TLS 加密的.
*   另请参阅: [仅应支持 TLSv1.2](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/2948)

### How can the data be classified into categories according to its sensitivity?[](#how-can-the-data-be-classified-into-categories-according-to-its-sensitivity "Permalink")

*   GitLab’s model of sensitivity is centered around public vs. internal vs. private projects. Geo replicates them all indiscriminately. “Selective sync” exists for files and repositories (but not database content), which would permit only less-sensitive projects to be replicated to a **secondary** node if desired.
*   另请参阅: [GitLab 数据分类策略](https://about.gitlab.com/handbook/engineering/security/data-classification-policy.html) .

### What data backup and retention requirements have been defined for the application?[](#what-data-backup-and-retention-requirements-have-been-defined-for-the-application "Permalink")

*   Geo 旨在提供应用程序数据的某些子集的复制. 它是解决方案的一部分,而不是问题的一部分.

## End-Users[](#end-users "Permalink")

### Who are the application’s end‐users?[](#who-are-the-applications-endusers "Permalink")

*   **辅助**节点在是遥远(在互联网延迟而言)从主 GitLab 安装( **主**节点)区创建. 打算由通常使用**主**节点的任何人使用它们,他们发现**辅助**节点距离它们更近(就 Internet 延迟而言).

### How do the end‐users interact with the application?[](#how-do-the-endusers-interact-with-the-application "Permalink")

*   **辅助**节点提供了**主**节点执行的所有接口(特别是 HTTP / HTTPS Web 应用程序以及 HTTP / HTTPS 或 SSH Git 存储库访问),但仅限于只读活动. 设想主要用例是从**辅助**节点克隆 Git 存储库以支持**主**节点,但是最终用户可以使用 GitLab Web 界面查看项目,问题,合并请求,摘要等.

### What security expectations do the end‐users have?[](#what-security-expectations-do-the-endusers-have "Permalink")

*   复制过程必须是安全的. 例如,在整个公共 Internet 上以纯文本格式传输整个数据库内容或所有文件和存储库通常是不可接受的.
*   **辅助**节点必须对其内容具有与**主**节点相同的访问控制-未经身份验证的用户不能通过查询**辅助**节点来获得对**主**节点上特权信息的访问.
*   攻击者必须不能将**辅助**节点模拟为**主要**节点,从而不能访问特权信息.

## Administrators[](#administrators "Permalink")

### Who has administrative capabilities in the application?[](#who-has-administrative-capabilities-in-the-application "Permalink")

*   没有特定于地理位置的信息. 在数据库中设置了`admin: true`任何用户都被视为具有超级用户特权的 admin.
*   另请参阅: [更详细的访问控制](https://gitlab.com/gitlab-org/gitlab/-/issues/18242) (不是特定于地理位置的).
*   Geo 的许多集成(例如,数据库复制)必须由应用程序配置,通常由系统管理员配置.

### What administrative capabilities does the application offer?[](#what-administrative-capabilities-does-the-application-offer "Permalink")

*   具有管理访问权限的用户可以添加,修改或删除**辅助**节点.
*   复制过程可以通过 Sidekiq 管理控件进行控制(启动/停止).

## Network[](#network "Permalink")

### What details regarding routing, switching, firewalling, and load‐balancing have been defined?[](#what-details-regarding-routing-switching-firewalling-and-loadbalancing-have-been-defined "Permalink")

*   Geo 要求**主要**节点和**次要**节点能够通过 TCP / IP 网络相互通信. 特别是, **辅助**节点必须能够访问**主**节点上的 HTTP / HTTPS 和 PostgreSQL 服务.

### What core network devices support the application?[](#what-core-network-devices-support-the-application "Permalink")

*   因客户而异.

### What network performance requirements exist?[](#what-network-performance-requirements-exist "Permalink")

*   **主**节点和**辅助**节点之间的最大复制速度受到站点之间可用带宽的限制. 没有硬性要求-完成复制的时间(以及跟上**主**节点的更改的能力)取决于数据集的大小,对延迟的容忍度以及可用的网络容量.

### What private and public network links support the application?[](#what-private-and-public-network-links-support-the-application "Permalink")

*   客户选择自己的网络. 由于打算将站点在地理位置上分开,因此可以设想,复制流量将在典型部署中通过公共 Internet 传递,但这不是必需的.

## Systems[](#systems "Permalink")

### What operating systems support the application?[](#what-operating-systems-support-the-application "Permalink")

*   Geo 对操作系统没有任何其他限制(有关更多详细信息,请参见[GitLab 安装](https://about.gitlab.com/install/)页面),但是我们建议您使用[Geo 文档中](index.html#requirements-for-running-geo)列出的操作系统.

### What details regarding required OS components and lock‐down needs have been defined?[](#what-details-regarding-required-os-components-and-lockdown-needs-have-been-defined "Permalink")

*   受支持的安装方法(Omnibus)打包了大多数组件本身.
*   系统安装的 OpenSSH 守护程序(Geo 要求用户设置自定义身份验证方法)和 omnibus 或系统提供的 PostgreSQL 守护程序(必须配置为侦听 TCP,必须添加其他用户和复制插槽)之间存在很大的依赖关系,等等).
*   处理安全更新的过程(例如,如果 OpenSSH 或其他服务中存在重大漏洞,并且客户希望在 OS 上修补这些服务)与非 Geo 情况相同:对 OpenSSH 的安全更新为通过通常的分发渠道提供给用户. Geo 在那里没有延迟.

## Infrastructure Monitoring[](#infrastructure-monitoring "Permalink")

### What network and system performance monitoring requirements have been defined?[](#what-network-and-system-performance-monitoring-requirements-have-been-defined "Permalink")

*   没有特定于 Ge​​o 的内容.

### What mechanisms exist to detect malicious code or compromised application components?[](#what-mechanisms-exist-to-detect-malicious-code-or-compromised-application-components "Permalink")

*   没有特定于 Ge​​o 的内容.

### What network and system security monitoring requirements have been defined?[](#what-network-and-system-security-monitoring-requirements-have-been-defined "Permalink")

*   没有特定于 Ge​​o 的内容.

## Virtualization and Externalization[](#virtualization-and-externalization "Permalink")

### What aspects of the application lend themselves to virtualization?[](#what-aspects-of-the-application-lend-themselves-to-virtualization "Permalink")

*   All.

## What virtualization requirements have been defined for the application?[](#what-virtualization-requirements-have-been-defined-for-the-application "Permalink")

*   没有特定于地理位置的信息,但是在这样的环境中,GitLab 中的所有内容都需要具有完整的功能.

### What aspects of the product may or may not be hosted via the cloud computing model?[](#what-aspects-of-the-product-may-or-may-not-be-hosted-via-the-cloud-computing-model "Permalink")

*   GitLab 是"云原生"的,这不仅适用于 Geo,还适用于产品的其余部分. 在云中进行部署是常见且受支持的方案.

## If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus “Pure” Cloud, a “full machine” approach such as AWS-EC2 versus a “hosted database” approach such as AWS-RDS and Azure, etc)?[](#if-applicable-what-approaches-to-cloud-computing-will-be-taken-managed-hosting-versus-pure-cloud-a-full-machine-approach-such-as-aws-ec2-versus-a-hosted-database-approach-such-as-aws-rds-and-azure-etc "Permalink")

*   由我们的客户根据他们的运营需求来决定.

## Environment[](#environment "Permalink")

### What frameworks and programming languages have been used to create the application?[](#what-frameworks-and-programming-languages-have-been-used-to-create-the-application "Permalink")

*   Ruby on Rails,Ruby.

### What process, code, or infrastructure dependencies have been defined for the application?[](#what-process-code-or-infrastructure-dependencies-have-been-defined-for-the-application "Permalink")

*   没有特定于 Ge​​o 的内容.

### What databases and application servers support the application?[](#what-databases-and-application-servers-support-the-application "Permalink")

*   PostgreSQL> = 11,Redis,Sidekiq,Puma.

### How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?[](#how-will-database-connection-strings-encryption-keys-and-other-sensitive-components-be-stored-accessed-and-protected-from-unauthorized-detection "Permalink")

*   有一些特定于地理位置的值. 有些是共享机密,必须在设置时将其从**主**节点安全地传输到**辅助**节点. 我们的文档建议通过 SSH 将它们从**主**节点传输到系统管理员,然后以相同方式回传到**辅助**节点. 特别是,这包括 PostgreSQL 复制凭证和一个秘密密钥( `db_key_base` ),该密钥用于解密数据库中的某些列. `db_key_base`秘密与其他许多秘密一起未加密地存储在文件系统中的`/etc/gitlab/gitlab-secrets.json` . 他们没有休息保护.

## Data Processing[](#data-processing "Permalink")

### What data entry paths does the application support?[](#what-data-entry-paths-does-the-application-support "Permalink")

*   数据是通过 GitLab 本身公开的 Web 应用程序输入的. 使用 GitLab 服务器上的系统管理命令(例如`gitlab-ctl set-primary-node` )也输入了一些数据.
*   **辅助**节点还通过 PostgreSQL 流复制从**主**节点接收输入.

### What data output paths does the application support?[](#what-data-output-paths-does-the-application-support "Permalink")

*   **主**节点通过 PostgreSQL 流复制输出到**辅助**节点. 否则,主要是通过 GitLab 本身公开的 Web 应用程序以及最终用户启动的 SSH `git clone`操作.

### How does data flow across the application’s internal components?[](#how-does-data-flow-across-the-applications-internal-components "Permalink")

*   **辅助**节点和**主**节点通过 HTTP / HTTPS(受 JSON Web 令牌保护)和 PostgreSQL 流复制进行交互.
***主**节点或**辅助**节点内,SSOT 是文件系统和数据库(包括**辅助**节点上的 Geo 跟踪数据库). 精心安排了各种内部组件以对这些存储进行更改.

### What data input validation requirements have been defined?[](#what-data-input-validation-requirements-have-been-defined "Permalink")

*   **辅助**节点必须忠实地复制**主**节点的数据.

### What data does the application store and how?[](#what-data-does-the-application-store-and-how "Permalink")

*   Git 存储库和文件,与它们相关的跟踪信息以及 GitLab 数据库内容.

### What data is or may need to be encrypted and what key management requirements have been defined?[](#what-data-is-or-may-need-to-be-encrypted-and-what-key-management-requirements-have-been-defined "Permalink")

*   **主**节点或**辅助**节点都不会加密静态的 Git 存储库或文件系统数据. 数据库列的子集使用`db_otp_key`加密.
*   在 GitLab 部署中的所有主机之间共享的静态机密.
*   在传输过程中,尽管应用程序确实允许通信以未加密的方式进行,但是数据应该被加密. 两个主要过程是 PostgreSQL 和 Git 存储库/文件的**辅助**节点复制过程. 两者均应使用 TLS 保护,并通过现有配置通过 Omnibus 管理该密钥,以供最终用户访问 GitLab.

### What capabilities exist to detect the leakage of sensitive data?[](#what-capabilities-exist-to-detect-the-leakage-of-sensitive-data "Permalink")

*   存在全面的系统日志,跟踪与 GitLab 和 PostgreSQL 的每个连接.

### What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?[](#what-encryption-requirements-have-been-defined-for-data-in-transit---including-transmission-over-wan-lan-secureftp-or-publicly-accessible-protocols-such-as-http-and-https "Permalink")

*   数据必须具有在传输过程中进行加密的选项,并且必须能够抵抗被动和主动攻击(例如,不可能进行 MITM 攻击).

## Access[](#access "Permalink")

### What user privilege levels does the application support?[](#what-user-privilege-levels-does-the-application-support "Permalink")

*   Geo 添加了一种类型的特权: **辅助**节点可以访问特殊的 Geo API,以通过 HTTP / HTTPS 下载文件,以及使用 HTTP / HTTPS 克隆存储库.

### What user identification and authentication requirements have been defined?[](#what-user-identification-and-authentication-requirements-have-been-defined "Permalink")

*   **辅助**节点基于共享数据库(HTTP 访问)或 PostgreSQL 复制用户(用于数据库复制)通过 OAuth 或 JWT 身份验证向 Geo **主**节点标识. 数据库复制还需要定义基于 IP 的访问控制.

### What user authorization requirements have been defined?[](#what-user-authorization-requirements-have-been-defined "Permalink")

*   **辅助**节点只能*读取*数据. 他们当前无法对**主**节点上的数据进行突变.

### What session management requirements have been defined?[](#what-session-management-requirements-have-been-defined "Permalink")

*   地理 JWT 被定义为仅持续两分钟,然后需要重新生成.
*   Geo JWT 是为以下特定范围之一生成的:
    *   Geo API 访问.
    *   Git 访问.
    *   LFS 和文件 ID.
    *   上传和文件 ID.
    *   作业工件和文件 ID.

### What access requirements have been defined for URI and Service calls?[](#what-access-requirements-have-been-defined-for-uri-and-service-calls "Permalink")

*   **辅助**节点对**主**节点的 API 进行了许多调用. 例如,这就是文件复制的进行方式. 只能使用 JWT 令牌访问此端点.
*   **主**节点还调用**辅助**节点以获取状态信息.

## Application Monitoring[](#application-monitoring "Permalink")

### What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?[](#what-application-auditing-requirements-have-been-defined-how-are-audit-and-debug-logs-accessed-stored-and-secured "Permalink")

*   结构化 JSON 日志将写入文件系统,也可以将其提取到 Kibana 安装中以进行进一步分析.