Skip to content

Latest commit

 

History

History
196 lines (139 loc) · 14.5 KB

mitigations.md

File metadata and controls

196 lines (139 loc) · 14.5 KB

Mitigation Strategies Analysis for goharbor/harbor

Mitigation Strategy: Regularly Update Harbor

  • Mitigation Strategy: Regularly Update Harbor

    • Description:

      1. Monitor: Subscribe to Harbor's release announcements (GitHub, mailing lists). Set up calendar reminders to check for new releases (e.g., monthly).
      2. Test: Before updating production, deploy the new Harbor version to a staging environment that mirrors production as closely as possible. This staging environment should also be a Harbor instance.
      3. Backup: Back up the current Harbor database and configuration files using Harbor's supported methods before applying any updates.
      4. Update: Follow the official Harbor upgrade instructions (specific to your deployment method - Docker Compose, Helm, etc.).
      5. Verify: After the update, thoroughly test all core Harbor functionalities (pushing, pulling, scanning, replication, user management, project creation, etc.).
      6. Rollback (if necessary): If issues arise, have a documented rollback plan to revert to the previous version using the backups and Harbor's rollback procedures.

    • Threats Mitigated:

      • Remote Code Execution (RCE) Vulnerabilities (Critical): Exploits targeting known vulnerabilities in Harbor itself could allow attackers to execute arbitrary code.
      • Authentication Bypass (Critical): Vulnerabilities within Harbor's authentication logic could allow attackers to bypass authentication.
      • Data Disclosure (High): Vulnerabilities in Harbor's data handling could lead to the exposure of sensitive information.
      • Denial of Service (DoS) (High): Attackers could exploit vulnerabilities specific to Harbor's services to make it unavailable.

    • Impact:

      • RCE: Risk reduced from Critical to Low (assuming timely updates).
      • Authentication Bypass: Risk reduced from Critical to Low.
      • Data Disclosure: Risk reduced from High to Low.
      • DoS: Risk reduced from High to Low.

    • Currently Implemented: Partially. Updates are performed, but not on a strict schedule. Testing is done in a basic staging environment.

    • Missing Implementation: A formal, documented update process. Automated vulnerability scanning of the Harbor application itself is missing. Rollback plan is not fully documented using Harbor's specific methods.

Mitigation Strategy: Properly Configure Replication Rules (Harbor-to-Harbor or Harbor-to-External)

  • Mitigation Strategy: Properly Configure Replication Rules (Harbor-to-Harbor or Harbor-to-External)

    • Description:

      1. Identify Needs: Determine precisely which images/repositories need to be replicated and to which target registries using Harbor's replication feature.
      2. Create Specific Rules: Within the Harbor UI or API, create individual replication rules for each specific need. Avoid using wildcard rules.
      3. Use Filters: Utilize Harbor's built-in filters (tag, label, repository name) within each rule to further restrict the scope.
      4. Test Replication: After creating a rule, use Harbor's interface to test it and ensure it replicates only the intended images.
      5. Regular Audit: Schedule regular audits (e.g., quarterly) of all replication rules within the Harbor UI.
      6. Secure Target: If replicating to another Harbor instance, ensure that instance is also securely configured. If replicating to an external registry, ensure credentials used by Harbor's replication mechanism are strong.

    • Threats Mitigated:

      • Data Leakage (High): Overly broad Harbor replication rules could expose sensitive images.
      • Unauthorized Access (High): Replication to an insecure target registry via a misconfigured Harbor rule could allow access.
      • Compliance Violations (Medium): Replicating images to non-compliant environments using Harbor's replication could violate regulations.

    • Impact:

      • Data Leakage: Risk reduced from High to Low.
      • Unauthorized Access: Risk reduced from High to Low.
      • Compliance Violations: Risk reduced from Medium to Low.

    • Currently Implemented: Basic replication rules are in place within Harbor, but they are not granular enough.

    • Missing Implementation: Use of Harbor's built-in filters within replication rules. Regular audits of rules within Harbor.

Mitigation Strategy: Securely Configure and Utilize Harbor's Notary Integration (Content Trust)

  • Mitigation Strategy: Securely Configure and Utilize Harbor's Notary Integration (Content Trust)

    • Description:

      1. Enable Notary: Ensure Notary integration is enabled within Harbor's configuration.
      2. Secure Communication: Configure TLS for all communication between Harbor and the Notary server as specified in Harbor's documentation.
      3. Harbor Configuration: In Harbor, configure content trust settings to require signed images for specific projects or repositories. This is a critical Harbor-specific setting.
      4. Policy Enforcement: Actively use Harbor's UI or API to enforce policies that prevent the pulling or deployment of unsigned images.
      5. Regularly check signing status: Use Harbor's UI or API to check the signing status.

    • Threats Mitigated:

      • Supply Chain Attacks (Critical): A compromised Notary server could allow signing of malicious images, but Harbor's enforcement of signed images mitigates this.
      • Image Tampering (Critical): Harbor's reliance on Notary signatures prevents the use of tampered images.

    • Impact:

      • Supply Chain Attacks: Risk reduced from Critical to Low (when Harbor is configured to require signatures).
      • Image Tampering: Risk reduced from Critical to Low.

    • Currently Implemented: Notary is enabled in Harbor, but enforcement of signed images is not consistent.

    • Missing Implementation: Consistent enforcement of signed images via Harbor's project/repository settings.

Mitigation Strategy: Robot Account Permissions (Principle of Least Privilege within Harbor)

  • Mitigation Strategy: Robot Account Permissions (Principle of Least Privilege within Harbor)

    • Description:

      1. Identify Tasks: Determine the specific tasks each robot account needs to perform within Harbor (push, pull, scan).
      2. Create Specific Accounts: Within the Harbor UI or API, create a separate robot account for each distinct task.
      3. Grant Minimal Permissions: Assign only the necessary Harbor-specific permissions to each robot account. Avoid project/system admin roles.
      4. Regular Review: Schedule regular reviews (e.g., quarterly) of robot account permissions using Harbor's interface.
      5. Disable Unused Accounts: Immediately disable any robot accounts that are no longer needed within Harbor.

    • Threats Mitigated:

      • Unauthorized Access (High): An overly permissive Harbor robot account could be compromised.
      • Data Modification (High): A compromised Harbor robot account with write access could push malicious images.
      • Privilege Escalation (Medium): A compromised Harbor robot account with excessive permissions could be misused.

    • Impact:

      • Unauthorized Access: Risk reduced from High to Low.
      • Data Modification: Risk reduced from High to Low.
      • Privilege Escalation: Risk reduced from Medium to Low.

    • Currently Implemented: Robot accounts are used, but some have broader permissions than necessary within Harbor.

    • Missing Implementation: Strict adherence to the principle of least privilege for Harbor permissions. Regular review within Harbor.

Mitigation Strategy: Vulnerability Scanning Configuration and Remediation Using Harbor's Integrated Scanners

  • Mitigation Strategy: Vulnerability Scanning Configuration and Remediation Using Harbor's Integrated Scanners

    • Description:

      1. Select Scanner: Choose a supported vulnerability scanner from Harbor's list of integrated scanners (e.g., Trivy, Clair).
      2. Update Database: Ensure the scanner's vulnerability database is regularly updated (ideally, automated through Harbor's configuration).
      3. Configure Scanning: Configure Harbor to automatically scan images upon push or on a schedule using Harbor's settings.
      4. Set Thresholds: Define severity thresholds (e.g., Critical, High) within Harbor that will block deployments.
      5. Remediate: Establish a process for reviewing scan results from Harbor's UI or API and remediating vulnerabilities.
      6. Notifications: Configure Harbor's notification system (email, webhooks) to alert about scan results.

    • Threats Mitigated:

      • Deployment of Vulnerable Images (Critical): Harbor's scanning and blocking capabilities prevent deployment of vulnerable images.
      • Zero-Day Exploits (High): While scanning can't catch all zero-days, Harbor's integration with scanners reduces the exposure window.

    • Impact:

      • Deployment of Vulnerable Images: Risk reduced from Critical to Low (with effective remediation and Harbor's blocking enabled).
      • Zero-Day Exploits: Risk reduced.

    • Currently Implemented: Vulnerability scanning is enabled with Trivy within Harbor, but the database update is manual. No blocking thresholds are configured in Harbor.

    • Missing Implementation: Automated vulnerability database updates through Harbor. Deployment blocking based on severity within Harbor.

Mitigation Strategy: Enable and Monitor Harbor's Audit Logging

  • Mitigation Strategy: Enable and Monitor Harbor's Audit Logging

    • Description:

      1. Enable Logging: Ensure audit logging is enabled for all relevant Harbor components within Harbor's configuration.
      2. Log Retention: Define a log retention policy within Harbor that meets your requirements.
      3. Regularly check logs: Use Harbor's UI or API to check logs.

    • Threats Mitigated:

      • Intrusion Detection (Medium): Harbor's audit logs can help detect unauthorized access.
      • Incident Response (Medium): Harbor's audit logs provide information for investigating incidents.
      • Compliance (Medium): Harbor's audit logs are often required for compliance.

    • Impact:

      • Intrusion Detection: Improved detection.
      • Incident Response: Faster response.
      • Compliance: Helps meet requirements.

    • Currently Implemented: Basic audit logging is enabled within Harbor.

    • Missing Implementation: Regularly check logs.

Mitigation Strategy: Secure Webhook Configuration within Harbor

  • Mitigation Strategy: Secure Webhook Configuration within Harbor

    • Description:

      1. Authentication: Use secret tokens within Harbor's webhook configuration to verify request authenticity.
      2. Scope Limitation: Limit the actions triggered by webhooks within Harbor's settings.
      3. Regular Review: Regularly review and audit webhook configurations within the Harbor UI.
      4. Input validation: Validate all data received via webhooks.

    • Threats Mitigated:

      • Unauthorized Actions (High): Unauthenticated or overly permissive Harbor webhooks could be exploited.
      • Denial of Service (DoS) (Medium): Malicious webhook requests could overwhelm services triggered by Harbor.
      • Data Injection (Medium): If webhook data is not properly validated.

    • Impact:

      • Unauthorized Actions: Risk reduced from High to Low.
      • DoS: Risk reduced from Medium to Low.
      • Data Injection: Risk reduced from Medium to Low.

    • Currently Implemented: Webhooks are used within Harbor, but secret tokens are not consistently used.

    • Missing Implementation: Consistent use of secret tokens in Harbor's webhook configuration. Scope limitation within Harbor. Regular review. Input validation.

Mitigation Strategy: Secure Harbor Configuration File (harbor.yml or Helm Values) Specifically for Harbor Settings

  • Mitigation Strategy: Secure Harbor Configuration File (harbor.yml or Helm Values) Specifically for Harbor Settings

    • Description:

      1. Review Settings: Carefully review all settings in Harbor's configuration file, focusing on Harbor-specific security parameters (e.g., secretkey_path, database connection strings, external URLs, authentication settings).
      2. Secrets Management: Avoid hardcoding secrets directly in Harbor's configuration file. Use environment variables or a secrets management solution as supported by Harbor.
      3. Validation: After making changes, validate Harbor's configuration file to ensure it is syntactically correct for Harbor.

    • Threats Mitigated:

      • Misconfiguration (High): Incorrect Harbor-specific settings can expose Harbor.
      • Credential Exposure (High): Hardcoded secrets in Harbor's configuration could be exposed.

    • Impact:

      • Misconfiguration: Risk reduced from High to Low.
      • Credential Exposure: Risk reduced from High to Low.

    • Currently Implemented: Basic configuration file security is in place.

    • Missing Implementation: Use of a secrets management solution integrated with Harbor.