diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md
index 55c2d3b543..b8069f839b 100644
--- a/docs/source/deployment/security_checklist/security_checklist_template.md
+++ b/docs/source/deployment/security_checklist/security_checklist_template.md
@@ -16,26 +16,26 @@ Running on SHM/SREs deployed using commit xxxxxx
### Multifactor Authentication and Password strength
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password
-- Verify that: User can reset their own password
+ - Verify that: User can reset their own password
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace
- - Verify that: User can authenticate but cannot see any workspaces
+ - Verify that: User can authenticate but cannot see any workspaces
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces
- - Verify that: User can authenticate and can see workspaces
+ - Verify that: User can authenticate and can see workspaces
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces
- - Verify that: You can connect to any workspace
+ - Verify that: You can connect to any workspace
![]()
### Isolated Network
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace
- - Verify that: Browsing to the service fails
+ - Verify that: Browsing to the service fails
![]()
- - Verify that: You cannot access the service using curl
+ - Verify that: You cannot access the service using curl
![]()
- - Verify: You cannot get the IP address for the service using nslookup
+ - Verify: You cannot get the IP address for the service using nslookup
![]()
### User devices
@@ -43,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx
#### Tier 2:
- Connect to the environment using an allowed IP address and credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
#### Tier 3:
- All managed devices should be provided by a known IT team at an approved organisation.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices.
- Connect to the environment using an allowed IP address and credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds
- Connect to the environment from an IP address that is not allowed but with correct credentials
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails
#### Tiers 2+:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses
- - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway
- - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only
+ - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway
+ - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network
@@ -72,18 +72,18 @@ Running on SHM/SREs deployed using commit xxxxxx
#### Tier 3 only
- Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials.
- - :fast_forward: Verify that: connection fails.
+ - :fast_forward: Verify that: connection fails.
- Attempt to connect from research office using a managed device and the correct VPN connection and credentials.
- - :fast_forward: Verify that: connection succeeds
- - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall
- - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high
+ - :fast_forward: Verify that: connection succeeds
+ - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall
+ - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high
### Remote connections
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH
- - Verify that: SSH login by fully-qualified domain name fails
+ - Verify that: SSH login by fully-qualified domain name fails
![]()
- - Verify that: SSH login by public IP address fails
+ - Verify that: SSH login by public IP address fails
![]()
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses.
@@ -91,49 +91,47 @@ Running on SHM/SREs deployed using commit xxxxxx
### Copy-and-paste
- Unable to paste text from a local device into a workspace
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails
- Unable to copy text from a workspace to a local device
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails
### Data ingress
- Check that the **System Manager** can send an upload token to the **Dataset Provider Representative**
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism.
- Ensure that data ingress works only for connections from the accepted IP address range
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address
- Check that the upload fails if the token has expired
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate)
### Data egress
- Confirm that a non-privileged user is able to read the different storage volumes and write to output
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide
- Confirm that System Manager can see and download files from output
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume.
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume.
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download
### Software package repositories
#### Tier 2:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages
- - Verify that: pytz can be installed
+ - Verify that: pytz can be installed
![]()
-
- - Verify that: awscli can be installed
+ - Verify that: awscli can be installed
![]()
#### Tier 3:
- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages
- - Verify: pytz can be installed
+ - Verify: pytz can be installed
![]()
-
- - Verify: awscli cannot be installed
+ - Verify: awscli cannot be installed
![]()