diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index bcb8a9931b..55c2d3b543 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md @@ -1,4 +1,5 @@ # Security checklist + Running on SHM/SREs deployed using commit xxxxxx ## Summary @@ -18,23 +19,23 @@ Running on SHM/SREs deployed using commit xxxxxx - Verify that: User can reset their own password - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace - - Verify that: User can authenticate but cannot see any workspaces + - Verify that: User can authenticate but cannot see any workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces - - Verify that: User can authenticate and can see workspaces + - Verify that: User can authenticate and can see workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces - - Verify that: You can connect to any workspace + - Verify that: You can connect to any workspace ### Isolated Network - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace - - Verify that: Browsing to the service fails + - Verify that: Browsing to the service fails - - Verify that: You cannot access the service using curl + - Verify that: You cannot access the service using curl - - Verify: You cannot get the IP address for the service using nslookup + - Verify: You cannot get the IP address for the service using nslookup ### User devices 
@@ -42,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 2: - Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tier 3: - All managed devices should be provided by a known IT team at an approved organisation. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. 
- Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tiers 2+: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway - - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network @@ -80,9 +81,9 @@ Running on SHM/SREs deployed using commit xxxxxx ### Remote connections - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - - Verify that: SSH login by fully-qualified domain name fails + - Verify that: SSH login by fully-qualified domain name fails - - Verify that: SSH login by public IP address fails + - Verify that: SSH login by public IP address fails - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. 
@@ -97,42 +98,42 @@ Running on SHM/SREs deployed using commit xxxxxx ### Data ingress - Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. - Ensure that data ingress works only for connections from the accepted IP address range - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address - Check that the upload fails if the token has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) ### Data egress - Confirm that a non-privileged user is able to read the different storage volumes and write to output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide - Confirm that System Manager can see and download files from output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. 
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download ### Software package repositories #### Tier 2: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - - Verify that: pytz can be installed + - Verify that: pytz can be installed - - Verify that: awscli can be installed + - Verify that: awscli can be installed #### Tier 3: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - - Verify: pytz can be installed + - Verify: pytz can be installed - - Verify: awscli cannot be installed + - Verify: awscli cannot be installed
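Review bot: In the Isolated Network block of the hunk at `@@ -18,23 +19,23 @@`, the last sub-item reads "Verify: You cannot get the IP address for the service using nslookup" while its two siblings use "Verify that:". The line is already being rewritten for indentation, so change it to "Verify that:" in the same patch. The three sub-items also refer to "the service" without the template saying which service to test. A placeholder or a named example target would make the browse, curl and nslookup checks repeatable between assessors.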
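Review bot: In the Tiers 2+ item of the hunk at `@@ -42,26 +43,26 @@`, the NSG name appears as shm--sre--nsg-application-gateway, with nothing between the doubled hyphens. If SHM and SRE identifier placeholders are meant to sit there, put the whole name in a code span so they survive Markdown rendering and the assessor knows which resource to open in the portal. The same applies to shm--sre--ag-entrypoint in the Remote connections hunk.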
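Review bot: In the Remote connections hunk at `@@ -80,9 +81,9 @@`, the SSH item carries a single status marker on the parent bullet for two separate verifications (login by fully-qualified domain name and login by public IP address). A run where one fails and the other succeeds cannot be recorded per verification. The User devices and Data ingress hunks put the marker on each "Verify that:" line instead. Since the child lines are being re-indented here anyway, consider moving the marker onto them so the result of each SSH test is captured individually.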
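Review bot: In the Data ingress block of the hunk at `@@ -97,42 +98,42 @@`, the line "Verify that:the data ingress process works by uploading different kinds of files" is nested under "Check that the upload fails if the token has expired", but it does not test expiry. Move it under the item that verifies writing succeeds, and add the missing space after "Verify that:" while the line is being re-indented. In the same hunk, the Tier 3 package items use "Verify:" where Tier 2 uses "Verify that:". Align them so the pytz and awscli checks read the same in both tiers.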