From a9c7815ebb57e1b41947b327ac8561b2b4eb0e9c Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 12:49:16 +0000 Subject: [PATCH] more linting --- .../security_checklist_template.md | 82 +++++++++---------- 1 file changed, 40 insertions(+), 42 deletions(-) diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index 55c2d3b543..b8069f839b 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md @@ -16,26 +16,26 @@ Running on SHM/SREs deployed using commit xxxxxx ### Multifactor Authentication and Password strength - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password -- Verify that: User can reset their own password + - Verify that: User can reset their own password - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace - - Verify that: User can authenticate but cannot see any workspaces + - Verify that: User can authenticate but cannot see any workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces - - Verify that: User can authenticate and can see workspaces + - Verify that: User can authenticate and can see workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces - - Verify that: You can connect to any workspace + - Verify that: You can connect to any workspace ### Isolated Network - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace - - Verify that: Browsing to the service fails + - Verify that: Browsing to the service fails - - Verify that: You cannot access the service using curl + - Verify that: You cannot access the service using curl - - Verify: You cannot get the IP address for the service using nslookup + - Verify: You cannot get the IP address for the service using nslookup ### User devices @@ -43,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 2: - Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tier 3: - All managed devices should be provided by a known IT team at an approved organisation. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. - Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tiers 2+: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway - - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network @@ -72,18 +72,18 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 3 only - Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. - - :fast_forward: Verify that: connection fails. + - :fast_forward: Verify that: connection fails. - Attempt to connect from research office using a managed device and the correct VPN connection and credentials. - - :fast_forward: Verify that: connection succeeds - - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall - - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high + - :fast_forward: Verify that: connection succeeds + - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall + - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high ### Remote connections - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - - Verify that: SSH login by fully-qualified domain name fails + - Verify that: SSH login by fully-qualified domain name fails - - Verify that: SSH login by public IP address fails + - Verify that: SSH login by public IP address fails - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. @@ -91,49 +91,47 @@ Running on SHM/SREs deployed using commit xxxxxx ### Copy-and-paste - Unable to paste text from a local device into a workspace - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails - Unable to copy text from a workspace to a local device - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails ### Data ingress - Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. - Ensure that data ingress works only for connections from the accepted IP address range - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address - Check that the upload fails if the token has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) ### Data egress - Confirm that a non-privileged user is able to read the different storage volumes and write to output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide - Confirm that System Manager can see and download files from output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download ### Software package repositories #### Tier 2: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - - Verify that: pytz can be installed + - Verify that: pytz can be installed - - - Verify that: awscli can be installed + - Verify that: awscli can be installed #### Tier 3: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - - Verify: pytz can be installed + - Verify: pytz can be installed - - - Verify: awscli cannot be installed + - Verify: awscli cannot be installed