
Security Event Review Checklist

Laura Beaufort edited this page Apr 20, 2018 · 66 revisions

Security events are reviewed every Wednesday. Logs are available at https://logs.fr.cloud.gov. Open a GitHub issue for each newly discovered problem. For any incident involving accounts, notify the FEC CISO, Jay Ribeiro, and follow the 18F incident response handbook.

The development team rotates log duty. The system owner schedules the rotation; each assignment is added to the FEC team calendar with the assignee as the guest for that day.

Checklist:

  1. Create a GitHub issue to track this Security Event Review.
  2. Review Gemnasium and Snyk for all repositories and open a ticket for every "red" alert.
  3. Review production logs for account creations, confirm each one was approved in a ticket, and verify that the number of service keys in cloud.gov is unchanged.
  4. Review production logs for account permission elevations and confirm each one was approved in a ticket.
  5. Review actionable security events in production logs: successful and unsuccessful account logon events, account management events, object access, policy changes, privileged functions, process tracking, system events, all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
  6. Deactivate accounts of people who have left the team.
  7. Note any findings in the Security Event Review issue.
  8. Close the Security Event Review issue.

See all Security Event Review issues here


Example searches and checks

Vulnerabilities

SNYK: https://snyk.io/org/fecgov/projects

GEMNASIUM: double-check until May 15

If you haven't done so yet, you can also sign up for a free open-source account with Gemnasium, build a specialized dashboard, and have security alerts mailed to you.

Search logs

Compare account creation to account approvals

Look for account creations and other security events. In Kibana, run searches like:

  • CMS accounts created and changed the previous week
  • CMS accounts created and changed this week

check cloud.gov users

Check the user list on the command line or via the dashboard (scroll to the Users section). Users must be removed from all spaces before the dashboard tool can remove them as org users.

Note that deployer accounts have long, random strings for their names.
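The checks in steps 3 through 6 of the checklist (unapproved creations and elevations, logon failures, service-key drift, and stale cloud.gov users that are not deployer accounts) can be scripted against a Kibana export. The block below is an added example and is not code from the fecgov repositories or wiki; the newline-delimited JSON log format, the field names (`event`, `user`, `actor`, `result`), the ticket numbers, the service-key names and the "32 or more random characters" rule for deployer accounts are all constructed assumptions that you would adjust to match the real logs and `cf service-keys` output.

```python
"""Weekly Security Event Review helpers (added example, not fecgov code).

Assumptions: logs are one JSON object per line with "ts", "event", "user",
"actor" and (for logons) "result" fields; approvals are looked up by username;
deployer accounts are names of 32+ random characters (see the wiki note).
"""
import json
import re
from collections import Counter

# Constructed sample: what a Kibana export of CMS admin events might look like.
SAMPLE_LOGS = """\
{"ts": "2018-04-16T14:02:11Z", "event": "user.create", "actor": "admin1", "user": "jdoe"}
{"ts": "2018-04-16T14:05:40Z", "event": "user.create", "actor": "admin1", "user": "asmith"}
{"ts": "2018-04-17T09:11:03Z", "event": "user.permission_change", "actor": "admin1", "user": "jdoe", "detail": "added to Editors"}
{"ts": "2018-04-18T16:45:19Z", "event": "user.permission_change", "actor": "admin2", "user": "bwong", "detail": "is_superuser=True"}
{"ts": "2018-04-19T11:30:00Z", "event": "user.login", "actor": "jdoe", "user": "jdoe", "result": "success"}
{"ts": "2018-04-19T11:31:07Z", "event": "user.login", "actor": "unknown", "user": "admin1", "result": "failure"}
{"ts": "2018-04-19T11:31:09Z", "event": "user.login", "actor": "unknown", "user": "admin1", "result": "failure"}
{"ts": "2018-04-19T11:31:12Z", "event": "user.login", "actor": "unknown", "user": "admin1", "result": "failure"}
"""

# Constructed: usernames whose creation / elevation was approved, keyed by the
# approving ticket (the issue numbers are illustrative).
APPROVED = {
    "user.create": {"jdoe": "fec-accounts#101", "asmith": "fec-accounts#102"},
    "user.permission_change": {"jdoe": "fec-accounts#101"},
}


def parse_events(text):
    """Parse newline-delimited JSON; skip blank or malformed lines instead of
    aborting the whole review on one bad record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def unapproved_changes(events, approved):
    """Creations and elevations with no matching ticket: (event, user, actor, ts)."""
    return [
        (e.get("event"), e.get("user"), e.get("actor"), e.get("ts"))
        for e in events
        if e.get("event") in approved and e.get("user") not in approved[e["event"]]
    ]


def failed_login_bursts(events, threshold=3):
    """Usernames with `threshold` or more failed logons in the reviewed window."""
    counts = Counter(
        e.get("user") for e in events
        if e.get("event") == "user.login" and e.get("result") == "failure"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed snapshots of `cf service-keys <instance>` output, last week vs now.
LAST_WEEK_KEYS = {"fec-rds": {"deploy-key", "ops-key"}, "fec-s3": {"deploy-key"}}
THIS_WEEK_KEYS = {"fec-rds": {"deploy-key", "ops-key"}, "fec-s3": {"deploy-key", "scratch-key"}}


def service_key_diff(before, after):
    """{instance: (added, removed)} for every instance whose key set changed."""
    diff = {}
    for inst in set(before) | set(after):
        b, a = before.get(inst, set()), after.get(inst, set())
        if a != b:
            diff[inst] = (sorted(a - b), sorted(b - a))
    return diff


# Assumption: deployer accounts are long random strings, so ignore them when
# comparing cloud.gov org users against the human team roster.
DEPLOYER_NAME = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def stale_accounts(org_users, roster):
    """Human-looking cloud.gov users who are no longer on the team roster."""
    return sorted(u for u in org_users if not DEPLOYER_NAME.match(u) and u not in roster)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("unapproved:", unapproved_changes(evts, APPROVED))
    print("logon bursts:", failed_login_bursts(evts))
    print("service keys:", service_key_diff(LAST_WEEK_KEYS, THIS_WEEK_KEYS))
    print("stale:", stale_accounts(["jdoe", "bwong", "x7f3k9q2m1p8r4t6w0y5z2b9c1d4e7h0"], {"jdoe"}))
```

Each non-empty result is a finding for step 7: the unapproved superuser grant to `bwong`, the three failed logons against `admin1`, the new `scratch-key` on `fec-s3`, and `bwong` still holding a cloud.gov account while off the roster. The deployer-looking name is deliberately left out of the stale list so it is not mistaken for a departed person.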

Offboarding

When you are offboarding someone who has left the team, first let them know. Be sure to thank them for their contributions and offer to reactivate access if they need it in the future. Create an issue in the fec-accounts repo to track their offboarding. On the ticket, use the checklist below to record which of the following accounts they have, and remove each one:

  • GitHub groups
  • Wagtail
  • cloud.gov
  • RDS log in
  • Amazon
  • New Relic
  • api.data.gov admin
  • Move user to fecgov Slack #Alumni channel