Vitess security audit
PRESENTS Vitess security audit In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski Commons 4.0 (CC BY 4.0) Vitess Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project Summary 4 Audit Scope 4 Threat model formalisation 5 Fuzzing Conclusions 40 1 Vitess Security Audit, 2023 Executive summary In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was a new component of Vitess,
0 points | 41 pages | 1.10 MB | 1 year ago

TiDB Audit Plugin User Guide
TiDB Audit Plugin User Guide August 4, 2022 TiDB Audit Plugin User Guide Introduction The TiDB audit plugin records the TiDB server’s activities that are expected to follow auditing regulations of describes how to compile, package, and use the audit plugin. Download the plugin You can download the plugin on TiDB Enterprise Edition Downloads. Deploy the audit plugin After downloading the plugin, you TiUP to deploy the audit plugin. Use TiDB Operator to deploy the plugin Configure TidbCluster CR. tidb: additionalContainers: - command: - sh - -c - touch /var/log/tidb/tidb-audit.log; tail -n0 -F
0 points | 15 pages | 257.26 KB | 1 year ago

Dapr july 2020 security audit report
out by Cure53 in summer 2020, the project entailed comprehensive penetration test and source code audit of the Dapr scope. In terms of resources, the project was assigned to four members of the Cure53 work packages (WPs) were outlined. In WP1, Cure53 performed both a broad and thorough source code audit of the latest version of Dapr. The focus was explicitly placed on the Dapr main repository and the Berlin cure53.de · mario@cure53.de very helpful and productive, assisting the test and audit in moving forward swiftly. Given good choices and practices regarding methodology, setup and communications
0 points | 19 pages | 267.84 KB | 1 year ago

Dapr february 2021 security audit report
previous code audit (Low) DAP-02-013 WP2: Access policy bypass due to missing URL normalization (High) Miscellaneous Issues DAP-02-002 WP3: Status of miscellaneous issues from previous audit (Low) Conclusions cooperation between Cure53 and Dapr, reporting on the findings of a penetration test and source code audit against the Dapr software. In addition to shedding light on the state of security on some new features mistakes. In effect, three work packages (WPs) were delineated: • WP1: Thorough source code audit of the latest Dapr version • WP2: Penetration tests targeting the Dapr integration and setup • WP3:
0 points | 9 pages | 161.25 KB | 1 year ago

Dapr june 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th Creative Commons 4.0 (CC BY 4.0) CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts carried out by CNCF in this engagement, Dapr was doing no fuzzing for any of its sub projects, and the goal of this fuzzing audit was to build the fundamental infrastructure and improve the fuzzing efforts in a continuous manner
0 points | 19 pages | 690.59 KB | 1 year ago

Dapr september 2023 security audit report
PRESENTS Dapr security audit In collaboration with the Dapr maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski under Creative Commons 4.0 (CC BY 4.0) Dapr security audit 2023 Table of contents Table of contents 1 Executive summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics carried out a security audit for the Dapr project. The high-level goal was to complete a holistic audit drawing on several
0 points | 47 pages | 1.05 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
PRESENTS Istio Security Audit In collaboration with the Istio projects maintainers and The Open Source Technology Improvement Fund, Inc (OSTIF). ostif.org Authors Adam Korczynski International (CC BY 4.0) Istio Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project summary 4 Audit scope 6 Overall assessment 7 Fuzzing 9 previous audit 50 Istio SLSA compliance 52 1 Istio Security Audit, 2023 Executive summary In September and October 2022 Ada Logics carried out a security audit of the Istio project. The audit was sponsored
0 points | 55 pages | 703.94 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--profiling argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate be used for users (Manual) 3.2 Logging 3.2.1 Ensure that a minimal audit policy is created (Automated) 3.2.2 Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration
0 points | 132 pages | 1.12 MB | 1 year ago

TiDB Database Auditing User Guide (new)
database auditing and the audit plugin 1 Obtain the database auditing feature 2 The range of database auditing 2 The events of database auditing 3 Recorded information in audit logs 5 General information information 6 Audit operation information 7 Audit log filters and rules 7 Filters 8 Filter rules 9 File formats of audit log 10 Rotation of audit log 11 The number and duration for reserving audit logs 11 11 Audit log redaction 11 System tables 11 mysql.audit_log_filters 11 mysql.audit_log_filter_rules 12 System variables 13 tidb_audit_enabled 13 tidb_audit_log 14 tidb_audit_log_format 14 tidb
0 points | 23 pages | 328.42 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
commands to audit compliance in Rancher-created clusters. This document is to be used by Rancher operators, security teams, auditors and decision makers. For more detail about each audit, including 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--anonymous-auth=false").string' Returned --anonymous-auth=false Result: Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned
0 points | 47 pages | 302.56 KB | 1 year ago