
Commit

more linting
craddm committed Dec 3, 2024
1 parent 6556e44 commit 508a778
Showing 1 changed file with 34 additions and 33 deletions.
@@ -1,4 +1,5 @@
# Security checklist

Running on SHM/SREs deployed using commit xxxxxx

## Summary
@@ -18,50 +19,50 @@ Running on SHM/SREs deployed using commit xxxxxx
- <summary><b>Verify that:</b> User can reset their own password</summary>
<img src=""/>
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace
- <summary> <b>Verify that:</b> User can authenticate but cannot see any workspaces</summary>
- <summary> <b>Verify that:</b> User can authenticate but cannot see any workspaces</summary>
<img src=""/>
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces
- <summary> <b>Verify that:</b> User can authenticate and can see workspaces</summary>
- <summary> <b>Verify that:</b> User can authenticate and can see workspaces</summary>
<img src=""/>
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces
- <summary> <b>Verify that:</b> You can connect to any workspace</i> </summary>
- <summary> <b>Verify that:</b> You can connect to any workspace</i> </summary>
<img src=""/>

### Isolated Network

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace
- <summary> <b>Verify that:</b> Browsing to the service fails</summary>
- <summary> <b>Verify that:</b> Browsing to the service fails</summary>
<img src=""/>
- <summary> <b>Verify that:</b> You cannot access the service using curl</summary>
- <summary> <b>Verify that:</b> You cannot access the service using curl</summary>
<img src=""/>
- <summary> <b>Verify:</b> You cannot get the IP address for the service using nslookup</summary>
- <summary> <b>Verify:</b> You cannot get the IP address for the service using nslookup</summary>
<img src=""/>

### User devices

#### Tier 2:

- Connect to the environment using an allowed IP address and credentials
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection succeeds
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection fails
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection fails

#### Tier 3:

- All managed devices should be provided by a known IT team at an approved organisation.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the IT team of the approved organisation take responsibility for managing the device.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the user does not have administrator permissions on the device.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> allowed IP addresses are exclusive to managed devices.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the IT team of the approved organisation take responsibility for managing the device.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the user does not have administrator permissions on the device.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> allowed IP addresses are exclusive to managed devices.
- Connect to the environment using an allowed IP address and credentials
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection succeeds
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection fails
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> Connection fails

#### Tiers 2+:

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses
- In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm-<SHM NAME>-sre-<SRE NAME>-nsg-application-gateway
- <summary> <b>Verify that:</b> the NSG has network rules allowing Inbound access from allowed IP addresses only</summary>
- In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm-<SHM NAME>-sre-<SRE NAME>-nsg-application-gateway
- <summary> <b>Verify that:</b> the NSG has network rules allowing Inbound access from allowed IP addresses only</summary>
<img src=""/>

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network
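Review bot: The item "You can connect to any workspace`</i>` `</summary>`" under "Authenticated user can access workspaces" still ends with a closing `</i>` that has no opening `<i>`, and both copies of the line in this hunk carry it; drop the stray tag while the line is being touched. In the Isolated Network block, "the service" is never named, so two testers can run the browser, curl and nslookup checks against different targets; state the test hostname in the check text. The nslookup item also reads "Verify:" where every other item in this hunk reads "Verify that:".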
@@ -80,9 +81,9 @@ Running on SHM/SREs deployed using commit xxxxxx
### Remote connections

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH
- <summary> <b>Verify that:</b> SSH login by fully-qualified domain name fails</summary>
- <summary> <b>Verify that:</b> SSH login by fully-qualified domain name fails</summary>
<img src=""/>
- <summary> <b>Verify that:</b> SSH login by public IP address fails</summary>
- <summary> <b>Verify that:</b> SSH login by public IP address fails</summary>
<img src=""/>

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the remote desktop web client application gateway (shm-<SHM ID>-sre-<SRE ID>-ag-entrypoint) and the firewall are the only SRE resources with public IP addresses.
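Review bot: The last line of this hunk writes the gateway name as `shm-<SHM ID>-sre-<SRE ID>-ag-entrypoint` outside a code span, so a Markdown renderer can treat `<SHM ID>` and `<SRE ID>` as HTML tags and drop them from the displayed name; wrap the resource name in backticks. The NSG name earlier in the file uses `<SHM NAME>` and `<SRE NAME>` for what look like the same placeholders, so pick one form. The two SSH checks only say that login "fails"; asking the tester to record whether the connection is refused, times out, or is rejected at authentication would show whether the SSH port is reachable at all.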
@@ -97,42 +98,42 @@ Running on SHM/SREs deployed using commit xxxxxx
### Data ingress

- Check that the **System Manager** can send an upload token to the **Dataset Provider Representative**
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the upload token is successfully created.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you are able to send this token using a secure mechanism.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the upload token is successfully created.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you are able to send this token using a secure mechanism.
- Ensure that data ingress works only for connections from the accepted IP address range
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> writing succeeds by uploading a file
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the access token fails when using a device with a non-allowed IP address
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> writing succeeds by uploading a file
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the access token fails when using a device with a non-allowed IP address
- Check that the upload fails if the token has expired
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you can connect and write with the token during the duration
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you cannot connect and write with the token after the duration has expired
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b>the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you can connect and write with the token during the duration
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you cannot connect and write with the token after the duration has expired
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b>the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)

### Data egress

- Confirm that a non-privileged user is able to read the different storage volumes and write to output
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the `/mnt/output` volume exists and can be written to
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the permissions of other storage volumes match that described in the user guide
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the `/mnt/output` volume exists and can be written to
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> the permissions of other storage volumes match that described in the user guide
- Confirm that <b>System Manager</b> can see and download files from output
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you can see the files written to the `/mnt/output` storage volume.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> a written file can be taken out of the environment via download
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> you can see the files written to the `/mnt/output` storage volume.
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: <b>Verify that:</b> a written file can be taken out of the environment via download

### Software package repositories

#### Tier 2:

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages
- <summary> <b>Verify that:</b> pytz can be installed</summary>
- <summary> <b>Verify that:</b> pytz can be installed</summary>
<img src=""/>

- <summary> <b>Verify that:</b> awscli can be installed</summary>
- <summary> <b>Verify that:</b> awscli can be installed</summary>
<img src=""/>

#### Tier 3:

- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages
- <summary> <b>Verify:</b> pytz can be installed</summary>
- <summary> <b>Verify:</b> pytz can be installed</summary>
<img src=""/>

- <summary> <b>Verify:</b> awscli cannot be installed</summary>
- <summary> <b>Verify:</b> awscli cannot be installed</summary>
<img src=""/>
