Vitess security audit
PRESENTS Vitess security audit In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski Commons 4.0 (CC BY 4.0) Vitess Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project Summary 4 Audit Scope 4 Threat model formalisation 5 Fuzzing Conclusions 40 1 Vitess Security Audit, 2023 Executive summary In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was a new component of Vitess,
0 credits | 41 pages | 1.10 MB | 1 year ago
TiDB Audit Plugin User Guide
TiDB Audit Plugin User Guide August 4, 2022 TiDB Audit Plugin User Guide Introduction The TiDB audit plugin records the TiDB server’s activities that are expected to follow auditing regulations of describes how to compile, package, and use the audit plugin. Download the plugin You can download the plugin on TiDB Enterprise Edition Downloads. Deploy the audit plugin After downloading the plugin, you TiUP to deploy the audit plugin. Use TiDB Operator to deploy the plugin Configure TidbCluster CR. tidb: additionalContainers: - command: - sh - -c - touch /var/log/tidb/tidb-audit.log; tail -n0 -F
0 credits | 15 pages | 257.26 KB | 1 year ago
Dapr july 2020 security audit report
out by Cure53 in summer 2020, the project entailed comprehensive penetration test and source code audit of the Dapr scope. In terms of resources, the project was assigned to four members of the Cure53 work packages (WPs) were outlined. In WP1, Cure53 performed both a broad and thorough source code audit of the latest version of Dapr. The focus was explicitly placed on the Dapr main repository and the Berlin cure53.de · mario@cure53.de very helpful and productive, assisting the test and audit in moving forward swiftly. Given good choices and practices regarding methodology, setup and communications
0 credits | 19 pages | 267.84 KB | 1 year ago
Dapr february 2021 security audit report
previous code audit (Low) DAP-02-013 WP2: Access policy bypass due to missing URL normalization (High) Miscellaneous Issues DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) Conclusions cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In addition to shedding light on the state of security on some new features mistakes. In effect, three work packages (WPs) were delineated: • WP1: Thorough source code audit of the latest Dapr version • WP2: Penetration tests targeting the Dapr integration and setup • WP3:
0 credits | 9 pages | 161.25 KB | 1 year ago
Dapr june 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th Creative Commons 4.0 (CC BY 4.0) CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts carried out by CNCF in this engagement, Dapr was doing no fuzzing for any of its sub projects, and the goal of this fuzzing audit was to build the fundamental infrastructure and improve the fuzzing efforts in a continuous manner
0 credits | 19 pages | 690.59 KB | 1 year ago
Dapr september 2023 security audit report
PRESENTS Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski under Creative Commons 4.0 (CC BY 4.0) Dapr security audit 2023 Table of contents Table of contents 1 Executive summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to complete a holistic audit drawing on several
0 credits | 47 pages | 1.05 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored
0 credits | 55 pages | 703.94 KB | 1 year ago
TiDB Database Auditing User Guide (new)
database auditing and the audit plugin 1 Obtain the database auditing feature 2 The range of database auditing 2 The events of database auditing 3 Recorded information in audit logs 5 General information 6 Audit operation information 7 Audit log filters and rules 7 Filters 8 Filter rules 9 File formats of audit log 10 Rotation of audit log 11 The number and duration for reserving audit logs 11 Audit log redaction 11 System tables 11 mysql.audit_log_filters 11 mysql.audit_log_filter_rules 12 System variables 13 tidb_audit_enabled 13 tidb_audit_log 14 tidb_audit_log_format 14 tidb_au
0 credits | 23 pages | 328.42 KB | 1 year ago
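OpenShift Container Platform 4.8 Logging
seconds (30s), so that the collector recycles the connection and retries sending failed messages within a reasonable amount of time. (LOG-2534) Before this update, an error in the gateway component's tenancy enforcement, used for limited access to read logs with a Kubernetes namespace, caused "audit" and some "infrastructure" logs to be unreadable. With this update, the proxy correctly detects users with admin access and allows access to logs without a namespace. (LOG-2448) In annotations: logging.openshift.io/preview-vector-collector: enabled spec: collection: logs: type: "vector" vector: {} OpenShift Container Platform 4.8 Logging 16 e. Select Enable logs generated by infrastructure components running on the nodes, such as journal logs. Infrastructure components are pods that run in the openshift*, kube*, or default projects. audit - Logs generated by auditd, the node audit system, which are stored in the /var/log/audit/audit.log file, and the audit logs from the Kubernetes apiserver and the OpenShift apiserver. Note: Because the internal
0 credits | 223 pages | 2.28 MB | 1 year ago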
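OpenShift Container Platform 4.7 Logging
logs generated by infrastructure components running on the nodes, such as journal logs. Infrastructure components are pods that run in the openshift*, kube*, or default projects. audit - Logs generated by the node audit system (auditd), which are stored in the /var/log/audit/audit.log file, and the audit logs from the Kubernetes apiserver and the OpenShift apiserver. Note: Because the internal By default, the log collector uses the following sources: journald for all system logs; /var/log/containers/*.log for all container logs. If you configure the log collector to collect audit logs, it gets them from /var/log/audit/audit.log. The logging collector is a daemon set that deploys pods to each OpenShift Container Platform node. System and infrastructure logs come from the operating system, the container runtime, and retentionPolicy: 4 application: maxAge: 1d infra: maxAge: 7d audit: maxAge: 7d elasticsearch: nodeCount: 3 5 storage: storageClassName:
0 credits | 183 pages | 1.98 MB | 1 year ago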