ITE-3: Real-world example of combining TUF and in-toto for packaging Datadog Agent integrations #5
Conversation
@jhdalek55 @SantiagoTorres @JustinCappos Please send feedback, thanks!
Thank you for the submission. This is a really good document!
I'd like to suggest addition of rationale for the chosen thresholds, etc. to aid readers making their own deployment decisions.
If possible a subsection talking about how in-toto metadata is collected and flows through the system would also be a nice add.
Otherwise, I think it is quite good.
@JustinCappos Thanks! Does the security analysis make sense to you?
Sort of. I wonder about multi-key / role attacks, especially those that
might be likely given your deployment model.
I like the general concept though.
Co-Authored-By: Justin Cappos <[email protected]>
Signed-off-by: Aditya Sirish <[email protected]>
I hope I made my way into the right file. I made minimal changes, but I have two comments. I feel you need a brief "rationale" at the beginning of the document explaining why DataDog decided to use both systems. I realize this might have been said in one of the other ITEs or TAPs, but I feel that since you are presenting this as an example, stating why DataDog went this route would be helpful.
Signed-off-by: Trishank Karthik Kuppusamy <[email protected]>
23bbc5b to 1ebd6ca
Thanks for all your help, @adityasaky! @JustinCappos, could we please get another review?
Apart from the unaddressed comments I have from before, I don't have new thoughts. I do think that if ITE 2 becomes the best practices document, then my comment about rationale here need not be resolved.
My other comment is minor and potentially can be closed without further changes, but I do think it would make sense to address it.
Signed-off-by: Trishank Karthik Kuppusamy <[email protected]>
Signed-off-by: Trishank Karthik Kuppusamy <[email protected]>
@JustinCappos Okay, I resolved your comments above. Is there anything else you'd like to see, or can we merge now?
Thanks. This is really helpful.
Thanks! Could we merge this?
LGTM, thanks!
Datadog is a monitoring service for cloud-scale applications that monitors servers, databases, tools, and services through a software-as-a-service-based data analytics platform. It supports multiple cloud service providers, including Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Red Hat OpenShift. At the time of this writing, the company serves more than 8,000 customers and collects trillions of monitoring data points on a daily basis.
The Datadog Agent is the software that runs on customers' virtual machines or containers. It collects events and metrics from those hosts and sends them to Datadog, where customers can analyze their monitoring and performance data. Agent integrations are plug-ins that collect metrics from services running on customer infrastructure. Presently, more than one hundred integrations come installed out-of-the-box with the Agent.
This ITE discusses the TUF security model used to distribute the Datadog Agent integrations in a compromise-resilient manner.