From 508a77818b3e56b74ece8c48479593987475634d Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:44:03 +0000
Subject: [PATCH] more linting
---
.../security_checklist_template.md | 67 ++++++++++---------
1 file changed, 34 insertions(+), 33 deletions(-)
diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md
index bcb8a9931b..55c2d3b543 100644
--- a/docs/source/deployment/security_checklist/security_checklist_template.md
+++ b/docs/source/deployment/security_checklist/security_checklist_template.md
@@ -1,4 +1,5 @@
# Security checklist
+
Running on SHM/SREs deployed using commit xxxxxx
## Summary
@@ -18,23 +19,23 @@ Running on SHM/SREs deployed using commit xxxxxx
- Verify that: User can reset their own password
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace
- - Verify that: User can authenticate but cannot see any workspaces
+ - Verify that: User can authenticate but cannot see any workspaces
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces
- - Verify that: User can authenticate and can see workspaces
+ - Verify that: User can authenticate and can see workspaces
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces
- - Verify that: You can connect to any workspace
+ - Verify that: You can connect to any workspace
![]()
### Isolated Network
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace
- - Verify that: Browsing to the service fails
+ - Verify that: Browsing to the service fails
![]()
- - Verify that: You cannot access the service using curl
+ - Verify that: You cannot access the service using curl
![]()
- - Verify: You cannot get the IP address for the service using nslookup
+ - Verify: You cannot get the IP address for the service using nslookup
![]()
### User devices
@@ -42,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx
#### Tier 2:
- Connect to the environment using an allowed IP address and credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
#### Tier 3:
- All managed devices should be provided by a known IT team at an approved organisation.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices.
- Connect to the environment using an allowed IP address and credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
#### Tiers 2+:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses
- - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway
- - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only
+ - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway
+ - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network
@@ -80,9 +81,9 @@ Running on SHM/SREs deployed using commit xxxxxx
### Remote connections
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH
- - Verify that: SSH login by fully-qualified domain name fails
+ - Verify that: SSH login by fully-qualified domain name fails
![]()
- - Verify that: SSH login by public IP address fails
+ - Verify that: SSH login by public IP address fails
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses.
@@ -97,42 +98,42 @@ Running on SHM/SREs deployed using commit xxxxxx
### Data ingress
- Check that the **System Manager** can send an upload token to the **Dataset Provider Representative**
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism.
- Ensure that data ingress works only for connections from the accepted IP address range
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address
- Check that the upload fails if the token has expired
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)
### Data egress
- Confirm that a non-privileged user is able to read the different storage volumes and write to output
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide
- Confirm that System Manager can see and download files from output
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download
### Software package repositories
#### Tier 2:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages
- - Verify that: pytz can be installed
+ - Verify that: pytz can be installed
![]()
- - Verify that: awscli can be installed
+ - Verify that: awscli can be installed
![]()
#### Tier 3:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages
- - Verify: pytz can be installed
+ - Verify: pytz can be installed
![]()
- - Verify: awscli cannot be installed
+ - Verify: awscli cannot be installed
![]()