From ec958a503b9add63b4edd3d20c33b08853fc00bd Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Mon, 2 Dec 2024 13:57:47 +0000 Subject: [PATCH 01/13] Update release checklist --- .github/ISSUE_TEMPLATE/release_checklist.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/release_checklist.md b/.github/ISSUE_TEMPLATE/release_checklist.md index 575f5c9c53..f4e887e797 100644 --- a/.github/ISSUE_TEMPLATE/release_checklist.md +++ b/.github/ISSUE_TEMPLATE/release_checklist.md @@ -25,11 +25,9 @@ Refer to the [Deployment](https://data-safe-haven.readthedocs.io/en/latest/deplo ### For minor releases and above - [ ] Deploy an SHM from this branch and save a transcript of the deployment logs -- Using the new image, deploy a tier 2 and a tier 3 SRE - - [ ] Save the transcript of your tier 2 SRE deployment - - [ ] Save the transcript of your tier 3 SRE deployment +- [ ] Deploy a tier 2 SRE from this branch and save the transcript of the deployment logs +- [ ] Deploy a tier 3 SRE from this branch and save the transcript of the deployment logs - [ ] Complete the [Security evaluation checklist](https://data-safe-haven.readthedocs.io/en/latest/deployment/security_checklist.html) from the deployment documentation -- [ ] Add the new versions tag as an active build on [Read The Docs](https://readthedocs.org) (You can add as a hidden build, before release, to preview) ### For major releases only From ce17321cd28d2c4157df03a9f2b4a9b7f3ec1b64 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Mon, 2 Dec 2024 14:06:38 +0000 Subject: [PATCH 02/13] Update SECURITY.md --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c81368a94e..9aee903593 100644 --- a/SECURITY.md +++ b/SECURITY.md 
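Review bot: the deleted line `- [ ] Add the new versions tag as an active build on [Read The Docs](https://readthedocs.org) ...` removes the only step in this checklist that makes the new version's documentation visible, and the commit message ("Update release checklist") does not say why it goes; if that step is now automated, say so in the message, otherwise keep a one-line item to confirm the new tag is an active build before release. The two flat items replacing the nested "Using the new image" block are fine and now match the wording of the SHM line above them.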
@@ -7,8 +7,8 @@ All organisations using an earlier version in production should update to the la | Version | Supported | | --------------------------------------------------------------------------------------- | ------------------ | -| [5.1.0](https://github.com/alan-turing-institute/data-safe-haven/releases/tag/v5.1.0) | :white_check_mark: | -| < 5.1.0 | :x: | +| [5.2.0](https://github.com/alan-turing-institute/data-safe-haven/releases/tag/v5.1.0) | :white_check_mark: | +| < 5.2.0 | :x: | ## Reporting a Vulnerability From 9c371ba29523926f8ac2c071e10ee12b3c572d90 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Thu, 28 Nov 2024 09:47:20 +0000 Subject: [PATCH 03/13] Correct T2/3 PyPI/CRAN proxy information --- docs/source/overview/sensitivity_tiers.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/overview/sensitivity_tiers.md b/docs/source/overview/sensitivity_tiers.md index 4aef9a32fe..995be6ab87 100644 --- a/docs/source/overview/sensitivity_tiers.md +++ b/docs/source/overview/sensitivity_tiers.md @@ -49,7 +49,7 @@ Non-technical restrictions related to information governance procedures may also - connections to the in-browser remote desktop can only be made from an agreed set of IP addresses - outbound connections to the internet from inside the environment are not possible - copy-and-paste between the environment and the user's device is not possible -- access to all packages on PyPI and CRAN is made available through a proxy or mirror server +- access to all packages on PyPI and CRAN is made available through a proxy server Non-technical restrictions related to information governance procedures may also be applied according to your organisation's needs. 
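Review bot: in the SECURITY.md hunk the link target is wrong: the added row `| [5.2.0](https://github.com/alan-turing-institute/data-safe-haven/releases/tag/v5.1.0) | :white_check_mark: |` keeps the `v5.1.0` tag from the removed row, so the supported-versions table points readers at the previous release; change the URL to `.../releases/tag/v5.2.0`.

Review bot: the Tier 2 bullet in sensitivity_tiers.md now reads "through a proxy server" only; since the title of this patch calls that a correction, the same terminology needs applying wherever mirrors are still named elsewhere in the docs (the checklist template added later in this series still carries a "### Package mirrors" heading), otherwise the policy page and the checklist disagree about what is deployed.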
@@ -63,7 +63,7 @@ At the Turing connections to Tier 2 environments are only permitted from **Organ **Tier 3** environments impose the following technical controls on top of what is required at {ref}`policy_tier_2`. -- a partial replica of agreed PyPI and CRAN packages is made available through a proxy or mirror server +- an agreed subset of PyPI and CRAN packages is made available through a proxy server Non-technical restrictions related to information governance procedures may also be applied according to your organisation's needs. From ed0ae2bb7293b507325712b455d080baf47faef6 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 09:49:11 +0000 Subject: [PATCH 04/13] exclude security_checklist_template --- docs/source/conf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/conf.py b/docs/source/conf.py index f262d36dc2..fa99142138 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -64,7 +64,7 @@ # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. -exclude_patterns = ["**/*.partial.md"] +exclude_patterns = ["**/*.partial.md", "**/security_checklist_template.md"] # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for From 97fee49ed913c548eb557d003e7dae5380b922b6 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 09:51:02 +0000 Subject: [PATCH 05/13] Add download link for security checklist --- docs/source/deployment/security_checklist.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/source/deployment/security_checklist.md b/docs/source/deployment/security_checklist.md index 7c6036402a..d30e9c3baf 100644 --- a/docs/source/deployment/security_checklist.md 
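Review bot: "an agreed subset of PyPI and CRAN packages" is clearer than "a partial replica", but the Tier 3 bullet no longer says who agrees the subset or where the allow list is configured; a pointer to that configuration would help readers of this policy page decide whether a Tier 3 deployment meets it.

Review bot: the conf.py pattern `"**/security_checklist_template.md"` excludes any file of that name anywhere under the source tree, and patch 07 in this series replaces the same line with the exact path `deployment/security_checklist/security_checklist_template.md`; only one patch should touch `exclude_patterns`, and the exact path is the safer choice. The exclusion is what stops Sphinx building the template as a page of its own while the `{download}` role can still ship it, so the pattern must match the path used by the download link in security_checklist.md.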
+++ b/docs/source/deployment/security_checklist.md @@ -8,6 +8,7 @@ Organisations are responsible for making their own decisions about the suitabili ``` In this check list we aim to evaluate our deployment against the {ref}`security configuration ` that we apply at the Alan Turing Institute. +A copy of this template in Markdown format is {download}`available for download `. The security checklist currently focuses on checks that can evaluate these security requirements for {ref}`policy_tier_2` (or greater) SREs (with some steps noted as specific to a tier): ## How to use this checklist From af232b7b59205d09d998ddc067d59f1f1d7d2748 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 09:51:19 +0000 Subject: [PATCH 06/13] add checklist_template.md --- .../security_checklist_template.md | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 docs/source/deployment/security_checklist/security_checklist_template.md diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md new file mode 100644 index 0000000000..4c7489557c --- /dev/null +++ b/docs/source/deployment/security_checklist/security_checklist_template.md 
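Review bot: the added sentence says "A copy of this template in Markdown format", but the page it is inserted into is the checklist itself, not a template; "A Markdown template of this checklist is available for download" reads correctly. Patch 07 in this series appends a second `{download}` link to the end of the same file, so as ordered the series adds the link twice; keep this one and drop the other.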
@@ -0,0 +1,128 @@ +# Security checklist +Running on SHM/SREs deployed using commit xxxxxx + +## Summary ++ :white_check_mark: x tests passed +- :partly_sunny: x tests partially passed (see below for more details) +- :fast_forward: x tests skipped (see below for more details) +- :x: x tests failed (see below for more details) + +## Details +- Any additional details as referred to in the summary + +### Multifactor Authentication and Password strength + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password ++ Verify that: User can reset their own password + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace + + Verify that: User can authenticate but cannot see any workspaces + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces + + Verify that: User can authenticate and can see workspaces + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces + + Verify that: You can connect to any workspace + + +### Isolated Network ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace + + Verify that: Browsing to the service fails + + + Verify that: You cannot access the service using curl + + + Verify: You cannot get the IP address for the service using nslookup + + + +### User devices +#### Tier 2: ++ Connect to the environment using an allowed IP address and credentials + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds ++ Connect to the environment from an IP address that is not allowed but with correct credentials + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + +#### Tier 3: ++ All managed devices should be provided by a known IT team at an approved organisation. 
+ + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. ++ Connect to the environment using an allowed IP address and credentials + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds ++ Connect to the environment from an IP address that is not allowed but with correct credentials + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + +#### Tiers 2+: ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses + + In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + + Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network + +### Physical security + +#### Tier 3 only + ++ Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. + + :fast_forward: Verify that: connection fails. ++ Attempt to connect from research office using a managed device and the correct VPN connection and credentials. 
+ + :fast_forward: Verify that: connection succeeds + + :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall + + :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high + +### Remote connections + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH + + Verify that: SSH login by fully-qualified domain name fails + + + Verify that: SSH login by public IP address fails + + ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. + +### Copy-and-paste ++ Unable to paste text from a local device into a workspace + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails ++ Unable to copy text from a workspace to a local device + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + +### Data ingress ++ Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. ++ Ensure that data ingress works only for connections from the accepted IP address range + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
+ + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address ++ Check that the upload fails if the token has expired + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + +### Data egress ++ Confirm that a non-privileged user is able to read the different storage volumes and write to output + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide ++ Confirm that System Manager can see and download files from output + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. + + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + +### Software package repositories + +#### Tier 2: ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages + + Verify that: pytz can be installed + + + + Verify that: awscli can be installed + + + +#### Tier 3: ++ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages + + Verify: pytz can be installed + + + + Verify: awscli cannot be installed + From 97fe53a40cdd5b446941b16948b3f1de6b7dfbd1 Mon Sep 17 00:00:00 2001 
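Review bot: several items in the new template need fixing before it can be filled in: under "Unable to copy text from a workspace to a local device" the verification reads "Verify that: paste fails" and should say "copy fails"; "Verify that:the data ingress process works" is missing a space; list markers mix `+` and `-` (the Summary opens with `+ :white_check_mark: x tests passed` and continues with `-`), which the repository's markdown linting will reject; "Verify that: User can reset their own password" is a sibling `+` item rather than nested under its Check; and the Isolated Network check says "Browsing to the service fails" without saying which service the tester should try. The "commit xxxxxx" placeholder would be clearer as a labelled placeholder such as `COMMIT_HASH`.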
From: Jim Madge Date: Tue, 3 Dec 2024 10:33:15 +0000 Subject: [PATCH 07/13] Add checklist template --- docs/source/conf.py | 5 +- docs/source/deployment/security_checklist.md | 2 + .../security_checklist_template.md | 163 ++++++++++++++++++ 3 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 docs/source/deployment/security_checklist/security_checklist_template.md diff --git a/docs/source/conf.py b/docs/source/conf.py index f262d36dc2..dcc77557e7 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -64,7 +64,10 @@ # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. -exclude_patterns = ["**/*.partial.md"] +exclude_patterns = [ + "**/*.partial.md", + "deployment/security_checklist/security_checklist_template.md", +] # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for diff --git a/docs/source/deployment/security_checklist.md b/docs/source/deployment/security_checklist.md index 7c6036402a..2c4ca4a6ca 100644 --- a/docs/source/deployment/security_checklist.md +++ b/docs/source/deployment/security_checklist.md @@ -559,3 +559,5 @@ To minimise the risk of unauthorised access to the dataset while the ingress vol ``` ```` + +{download}`this file <./security_checklist/security_checklist_template.md>`. diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md new file mode 100644 index 0000000000..ba762aa699 --- /dev/null +++ b/docs/source/deployment/security_checklist/security_checklist_template.md 
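Review bot: the conf.py hunk rewrites the same `exclude_patterns` line that patch 04 already changed, and the new-file hunk below recreates `docs/source/deployment/security_checklist/security_checklist_template.md` (`new file mode 100644`, `index 0000000000..ba762aa699`) which patch 06 already created as blob `4c7489557c`; patch 08 then edits the `4c7489557c` version. As ordered the series cannot apply cleanly, so rebase it so that the template is created once and `exclude_patterns` is set once (the exact path used here is preferable to the `**/` glob in patch 04).

Review bot: the line appended to security_checklist.md, `{download}`this file <./security_checklist/security_checklist_template.md>`.`, is a bare fragment ("this file.") dropped after the closing ```` fence with no sentence around it; give it a lead-in such as "A Markdown template of this checklist is available in" and place it near the top of the page where patch 05 adds an equivalent link, rather than keeping both.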
@@ -0,0 +1,163 @@ +# Security checklist + +Running on SHM/SREs deployed using commit XXXXXXX + +## Summary + +- :white_check_mark: N tests passed +- :partly_sunny: N tests partially passed (see below for more details) +- :fast_forward: N tests skipped (see below for more details) +- :x: N tests failed (see below for more details) + +## Details + +Some security checks were skipped since: + +- No managed device was available +- No access to a physical space with its own dedicated network was possible + +### Multifactor Authentication and Password strength + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the SRE standard user cannot access the apps + -
:camera: Verify before adding to group: Microsoft Remote Desktop: Login works but apps cannot be viewed + +
+ -
:camera: Verify before adding to group: Guacamole: User is prompted to setup MFA + +
+ +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that adding the **SRE standard user** to the SRE group on the domain controller does not give them access + -
:camera: Verify after adding to group: Microsoft Remote Desktop: Login works and apps can be viewed + +
+ -
:camera: Verify after adding to group: Microsoft Remote Desktop: attempt to login to DSVM Main (Desktop) fails + +
+ -
:camera: Verify before adding to group: Guacamole: User is prompted to setup MFA + +
+ +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** is able to successfully set up MFA + -
:camera: Verify: successfully set up MFA + +
+ +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** can authenticate with MFA + -
:camera: Verify: Guacamole: respond to the MFA prompt + 122043131-47bc8080-cddb-11eb-8578-e45ab3efaef0.png"> +
+ -
:camera: Verify: Microsoft Remote Desktop: attempt to log in to DSVM Main (Desktop) and respond to the MFA prompt + 122043131-47bc8080-cddb-11eb-8578-e45ab3efaef0.png"> +
+ +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** can access the DSVM desktop + -
:camera: Verify: Microsoft Remote Desktop: connect to DSVM Main (Desktop) + +
+ -
:camera: Verify: Guacamole: connect to Desktop: Ubuntu0 + +
+ +### Isolated Network + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connect to the SHM DC and NPS if connected to the SHM VPN +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the SHM DC and NPS if not connected to the SHM VPN +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from within a DSVM on the SRE network. + -
:camera: Verify: Connection fails + 122045859-8142bb00-cdde-11eb-920c-3a162a180647.png"> +
+ -
:camera: Verify: that you cannot access a website using curl + +
+ -
:camera: Verify: that you cannot get the IP address for a website using nslookup + +
+- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that users cannot connect between two SREs within the same SHM, even if they have access to both SREs + -
:camera: Verify: SSH connection fails + +
+- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules are set appropriately to block outgoing traffic + -
:camera: Verify: access rules + +
+ +### User devices + +#### Tier 2: + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connection succeeds from a personal device with an allow-listed IP address +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check connection + +#### Tier 3: + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check user lacks root access +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connection succeeds from a personal device with an allow-listed IP address +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check connection with an allow-listed IP address + +#### Tiers 2+: + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses + -
:camera: Verify: access rules + +
+- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: All non-deployment NSGs have rules denying inbound connections from outside the Virtual Network + +### Physical security + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so connection from outside was not tested +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so connection from inside was not tested +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check the network IP ranges corresponding to the research spaces and compare against the IPs accepted by the firewall. +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so confirmation of physical measures was not tested + +### Remote connections + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH + -
:camera: Verify: SSH connection by FQDN fails + +
+ -
:camera: Verify: SSH connection by public IP address fails + +
+- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: The remote desktop server is the only SRE resource with a public IP address + +### Copy-and-paste + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to paste local text into a DSVM +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to copy text from a DSVM +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Copy between VMs in an SRE succeeds + +### Data ingress + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** secure upload token successfully created with write-only permissions +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** token was sent using a secure, out-of-band communication channel (e.g. secure email) +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading a file from an allow-listed IP address succeeds +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** downloading a file from an allow-listed IP address fails +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading a file from an non-allowed IP address fails +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** connection during lifetime of short-duration token succeeds +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** connection after lifetime of short-duration token fails +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading different file types succeeds + +### Storage volumes and egress + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to the `/output` volume +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can only read from the `/data` volume +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to their directory in `/home` +- 
:white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to the `/shared` volume +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** can see the files ready for egress +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** can download egress-ready files + +### Package mirrors + +#### Tier 2: + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages + -
:camera: Verify: botocore can be installed + +
+ +#### Tier 3: + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages + -
:camera: Verify: aero-calc can be installed; botocore cannot be installed + +
From 6556e44443b3135bb2d3a4ecdea9e3b115a81cf2 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 11:42:24 +0000 Subject: [PATCH 08/13] fixing markdown linting --- .../security_checklist_template.md | 146 ++++++++++-------- 1 file changed, 78 insertions(+), 68 deletions(-) diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index 4c7489557c..bcb8a9931b 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md 
@@ -2,127 +2,137 @@ Running on SHM/SREs deployed using commit xxxxxx ## Summary -+ :white_check_mark: x tests passed + +- :white_check_mark: x tests passed - :partly_sunny: x tests partially passed (see below for more details) - :fast_forward: x tests skipped (see below for more details) - :x: x tests failed (see below for more details) ## Details + - Any additional details as referred to in the summary ### Multifactor Authentication and Password strength -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password -+ Verify that: User can reset their own password +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password +- Verify that: User can reset their own password -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace - + Verify that: User can authenticate but cannot see any workspaces +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace + - Verify that: User can authenticate but cannot see any workspaces -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces - + Verify that: User can authenticate and can see workspaces +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces + - Verify that: User can authenticate and can see workspaces -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces - + Verify that: You can connect to any workspace +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces + - Verify that: You can connect to any workspace ### Isolated Network -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace - + Verify that: Browsing to the service fails + +- 
:white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace + - Verify that: Browsing to the service fails - + Verify that: You cannot access the service using curl + - Verify that: You cannot access the service using curl - + Verify: You cannot get the IP address for the service using nslookup + - Verify: You cannot get the IP address for the service using nslookup - ### User devices + #### Tier 2: -+ Connect to the environment using an allowed IP address and credentials - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds -+ Connect to the environment from an IP address that is not allowed but with correct credentials - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + +- Connect to the environment using an allowed IP address and credentials + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds +- Connect to the environment from an IP address that is not allowed but with correct credentials + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tier 3: -+ All managed devices should be provided by a known IT team at an approved organisation. - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. 
-+ Connect to the environment using an allowed IP address and credentials - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds -+ Connect to the environment from an IP address that is not allowed but with correct credentials - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + +- All managed devices should be provided by a known IT team at an approved organisation. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. +- Connect to the environment using an allowed IP address and credentials + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds +- Connect to the environment from an IP address that is not allowed but with correct credentials + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tiers 2+: -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - + In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway - + Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All 
rule and no higher priority rule allowing inbound connections from outside the Virtual Network +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network ### Physical security #### Tier 3 only -+ Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. - + :fast_forward: Verify that: connection fails. -+ Attempt to connect from research office using a managed device and the correct VPN connection and credentials. - + :fast_forward: Verify that: connection succeeds - + :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall - + :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high +- Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. + - :fast_forward: Verify that: connection fails. +- Attempt to connect from research office using a managed device and the correct VPN connection and credentials. 
+ - :fast_forward: Verify that: connection succeeds + - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall + - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high ### Remote connections -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - + Verify that: SSH login by fully-qualified domain name fails +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH + - Verify that: SSH login by fully-qualified domain name fails - + Verify that: SSH login by public IP address fails + - Verify that: SSH login by public IP address fails -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. 
### Copy-and-paste -+ Unable to paste text from a local device into a workspace - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails -+ Unable to copy text from a workspace to a local device - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + +- Unable to paste text from a local device into a workspace + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails +- Unable to copy text from a workspace to a local device + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails ### Data ingress -+ Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. -+ Ensure that data ingress works only for connections from the accepted IP address range - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
- + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address -+ Check that the upload fails if the token has expired - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + +- Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. +- Ensure that data ingress works only for connections from the accepted IP address range + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address +- Check that the upload fails if the token has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) ### Data egress -+ Confirm that a non-privileged user is able to read the different storage volumes and write to output - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide -+ Confirm that System Manager can see and download files from output - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. - + :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + +- Confirm that a non-privileged user is able to read the different storage volumes and write to output + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide +- Confirm that System Manager can see and download files from output + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. 
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download ### Software package repositories #### Tier 2: -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - + Verify that: pytz can be installed - - + Verify that: awscli can be installed +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages + - Verify that: pytz can be installed + - Verify that: awscli can be installed + #### Tier 3: -+ :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - + Verify: pytz can be installed + +- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages + - Verify: pytz can be installed - + Verify: awscli cannot be installed + - Verify: awscli cannot be installed From 508a77818b3e56b74ece8c48479593987475634d Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 12:44:03 +0000 Subject: [PATCH 09/13] more linting --- .../security_checklist_template.md | 67 ++++++++++--------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index bcb8a9931b..55c2d3b543 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md @@ -1,4 +1,5 @@ # Security checklist + Running on SHM/SREs deployed using commit xxxxxx ## Summary 
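Review bot: in the `### Copy-and-paste` part of this hunk, the second item tests "Unable to copy text from a workspace to a local device" but its verification line still reads `Verify that: paste fails`, the same text as the item above it; since the marker on this line is being changed anyway, make the check describe the direction under test (for example `Verify that: text copied in the workspace cannot be pasted on the local device`). In the `#### Tier 3:` package items the lines use `Verify:` where every other verification line in the file uses `Verify that:`; fold that into the same pass so the bullet conversion is the last rewrite of these lines.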
@@ -18,23 +19,23 @@ Running on SHM/SREs deployed using commit xxxxxx - Verify that: User can reset their own password - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace - - Verify that: User can authenticate but cannot see any workspaces + - Verify that: User can authenticate but cannot see any workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces - - Verify that: User can authenticate and can see workspaces + - Verify that: User can authenticate and can see workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces - - Verify that: You can connect to any workspace + - Verify that: You can connect to any workspace ### Isolated Network - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace - - Verify that: Browsing to the service fails + - Verify that: Browsing to the service fails - - Verify that: You cannot access the service using curl + - Verify that: You cannot access the service using curl - - Verify: You cannot get the IP address for the service using nslookup + - Verify: You cannot get the IP address for the service using nslookup ### User devices 
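Review bot: the re-indentation in this hunk skips the first check: the context line `- Verify that: User can reset their own password` stays at top level, so it renders as a sibling of `Check: Users can reset their own password` rather than as its verification step, unlike the three items below it which are nested with two spaces. Indent it together with the rest of this hunk so all four checks have the same shape.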
@@ -42,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 2: - Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tier 3: - All managed devices should be provided by a known IT team at an approved organisation. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. 
- Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tiers 2+: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway - - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network @@ -80,9 +81,9 @@ Running on SHM/SREs deployed using commit xxxxxx ### Remote connections - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - - Verify that: SSH login by fully-qualified domain name fails + - Verify that: SSH login by fully-qualified domain name fails - - Verify that: SSH login by public IP address fails + - Verify that: SSH login by public IP address fails - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. 
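Review bot: in the `#### Tiers 2+:` item of this hunk the resource name `shm--sre--nsg-application-gateway` has two empty segments (`shm--` and `sre--`), which looks like the SHM and SRE names dropped out of the template rather than a real resource name; show them as visible placeholders (something like `shm-<shm-name>-sre-<sre-name>-nsg-application-gateway`, adjusted to the actual naming scheme) so the person running the checklist knows what to substitute when they look the NSG up in the portal. `shm--sre--ag-entrypoint` in the `### Remote connections` hunk below has the same gap. Minor: `#### Tier 2:` and `#### Tier 3:` keep a trailing colon that the other headings in the file do not use.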
@@ -97,42 +98,42 @@ Running on SHM/SREs deployed using commit xxxxxx ### Data ingress - Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. - Ensure that data ingress works only for connections from the accepted IP address range - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
+ - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address - Check that the upload fails if the token has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) ### Data egress - Confirm that a non-privileged user is able to read the different storage volumes and write to output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide - Confirm that System Manager can see and download files from output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. 
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download ### Software package repositories #### Tier 2: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - - Verify that: pytz can be installed + - Verify that: pytz can be installed - - Verify that: awscli can be installed + - Verify that: awscli can be installed #### Tier 3: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - - Verify: pytz can be installed + - Verify: pytz can be installed - - Verify: awscli cannot be installed + - Verify: awscli cannot be installed From a9c7815ebb57e1b41947b327ac8561b2b4eb0e9c Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 3 Dec 2024 12:49:16 +0000 Subject: [PATCH 10/13] more linting --- .../security_checklist_template.md | 82 +++++++++---------- 1 file changed, 40 insertions(+), 42 deletions(-) diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index 55c2d3b543..b8069f839b 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md 
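Review bot: this hunk re-indents `Verify that:the data ingress process works by uploading different kinds of files` but carries the missing space after the colon through unchanged; fix it here rather than in yet another lint pass. Two further points on lines the hunk also touches: `the permissions of other storage volumes match that described in the user guide` should read `match those described` (the subject is plural), and the "works by uploading different kinds of files" item sits under `Check that the upload fails if the token has expired` although it belongs with the earlier `Ensure that data ingress works only for connections from the accepted IP address range` check; moving it up one item keeps the expiry check to the two lines that actually prove expiry is enforced.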
@@ -16,26 +16,26 @@ Running on SHM/SREs deployed using commit xxxxxx ### Multifactor Authentication and Password strength - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Users can reset their own password -- Verify that: User can reset their own password + - Verify that: User can reset their own password - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: non-registered users cannot connect to any SRE workspace - - Verify that: User can authenticate but cannot see any workspaces + - Verify that: User can authenticate but cannot see any workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: registered users can see SRE workspaces - - Verify that: User can authenticate and can see workspaces + - Verify that: User can authenticate and can see workspaces - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check: Authenticated user can access workspaces - - Verify that: You can connect to any workspace + - Verify that: You can connect to any workspace ### Isolated Network - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from a workspace - - Verify that: Browsing to the service fails + - Verify that: Browsing to the service fails - - Verify that: You cannot access the service using curl + - Verify that: You cannot access the service using curl - - Verify: You cannot get the IP address for the service using nslookup + - Verify: You cannot get the IP address for the service using nslookup ### User devices 
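Review bot: the `### Isolated Network` items in this hunk refer to `the service` three times (`Browsing to the service fails`, `access the service using curl`, `the IP address for the service`) without the check ever saying which service, so a tester has nothing concrete to try; name the target in the parent item (an external website of the tester's choosing, for instance) or make the sub-items say "an external website". The third of those lines also uses `Verify:` where the two above it use `Verify that:`.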
@@ -43,26 +43,26 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 2: - Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tier 3: - All managed devices should be provided by a known IT team at an approved organisation. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the user does not have administrator permissions on the device. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: allowed IP addresses are exclusive to managed devices. 
- Connect to the environment using an allowed IP address and credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection succeeds - Connect to the environment from an IP address that is not allowed but with correct credentials - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: Connection fails #### Tiers 2+: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway - - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network 
@@ -72,18 +72,18 @@ Running on SHM/SREs deployed using commit xxxxxx #### Tier 3 only - Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. - - :fast_forward: Verify that: connection fails. + - :fast_forward: Verify that: connection fails. - Attempt to connect from research office using a managed device and the correct VPN connection and credentials. - - :fast_forward: Verify that: connection succeeds - - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall - - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high + - :fast_forward: Verify that: connection succeeds + - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall + - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high ### Remote connections - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - - Verify that: SSH login by fully-qualified domain name fails + - Verify that: SSH login by fully-qualified domain name fails - - Verify that: SSH login by public IP address fails + - Verify that: SSH login by public IP address fails - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. 
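Review bot: the three `#### Tier 3 only` physical-security checks in this hunk are hard-coded to `:fast_forward:` (skipped) whereas every other item in the template offers the `:white_check_mark:/:partly_sunny:/:fast_forward:/:x:` choice; as written, a deployment that does have managed devices and a dedicated research space would still record these as skipped unless the tester notices and edits the marker. Either use the four-way marker here too or state next to the heading that these are expected to be skipped unless the physical setup exists. Small consistency points on the same lines: `connection fails.` has a full stop while `connection succeeds` does not, and `allowed by storage account firewall` is missing "the".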
@@ -91,49 +91,47 @@ Running on SHM/SREs deployed using commit xxxxxx ### Copy-and-paste - Unable to paste text from a local device into a workspace - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails - Unable to copy text from a workspace to a local device - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: paste fails ### Data ingress - Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the upload token is successfully created. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you are able to send this token using a secure mechanism. - Ensure that data ingress works only for connections from the accepted IP address range - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. 
- - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: writing succeeds by uploading a file + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the access token fails when using a device with a non-allowed IP address - Check that the upload fails if the token has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can connect and write with the token during the duration + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that:the data ingress process works by uploading different kinds of files, e.g. 
data, images, scripts (if appropriate) ### Data egress - Confirm that a non-privileged user is able to read the different storage volumes and write to output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: the permissions of other storage volumes match that described in the user guide - Confirm that System Manager can see and download files from output - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. - - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: you can see the files written to the `/mnt/output` storage volume. + - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Verify that: a written file can be taken out of the environment via download ### Software package repositories #### Tier 2: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - - Verify that: pytz can be installed + - Verify that: pytz can be installed - - - Verify that: awscli can be installed + - Verify that: awscli can be installed #### Tier 3: - :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - - Verify: pytz can be installed + - Verify: pytz can be installed - - - Verify: awscli cannot be installed + - Verify: awscli cannot be installed From 4409e5cd88ac7dcaf39098f41e9ccb9c31b9776f Mon Sep 17 00:00:00 2001 
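Review bot: removing the blank lines between the nested pytz/awscli items in `### Software package repositories` (the two deleted lines in this hunk) is the right call, but the equivalent blank lines between nested items in `### Isolated Network` and `### Remote connections`, re-indented earlier in this same commit, are left in place, so the file still mixes tight and loose sub-lists and renders them with different spacing. Apply the same removal there for a single list style.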
From: Jim Madge Date: Tue, 3 Dec 2024 11:31:48 +0000 Subject: [PATCH 11/13] Update checklist template Co-authored-by: Matt Craddock <5796417+craddm@users.noreply.github.com> --- docs/source/deployment/security_checklist.md | 4 +- .../security_checklist_template.md | 232 ++++++++---------- 2 files changed, 106 insertions(+), 130 deletions(-) diff --git a/docs/source/deployment/security_checklist.md b/docs/source/deployment/security_checklist.md index 2c4ca4a6ca..b2f8308181 100644 --- a/docs/source/deployment/security_checklist.md +++ b/docs/source/deployment/security_checklist.md @@ -20,6 +20,8 @@ Work your way through the actions described in each section, taking care to noti - {{white_check_mark}} This indicates a checklist item for which a screenshot is either not appropriate or difficult ``` +You can use {download}`this template Markdown file <./security_checklist/security_checklist_template.md>` to complete the checklist. + ## Prerequisites ### Roles @@ -559,5 +561,3 @@ To minimise the risk of unauthorised access to the dataset while the ingress vol ``` ```` - -{download}`this file <./security_checklist/security_checklist_template.md>`. diff --git a/docs/source/deployment/security_checklist/security_checklist_template.md b/docs/source/deployment/security_checklist/security_checklist_template.md index ba762aa699..5c1a64a119 100644 --- a/docs/source/deployment/security_checklist/security_checklist_template.md +++ b/docs/source/deployment/security_checklist/security_checklist_template.md 
@@ -1,163 +1,139 @@ # Security checklist -Running on SHM/SREs deployed using commit XXXXXXX +Running on SHM/SREs deployed using commit ## Summary -- :white_check_mark: N tests passed -- :partly_sunny: N tests partially passed (see below for more details) -- :fast_forward: N tests skipped (see below for more details) -- :x: N tests failed (see below for more details) +- :white_check_mark: tests passed +- :partly_sunny: tests partially passed (see below for more details) +- :fast_forward: tests skipped (see below for more details) +- :x: tests failed (see below for more details) ## Details -Some security checks were skipped since: +Some security checks were skipped because: -- No managed device was available -- No access to a physical space with its own dedicated network was possible +- … +- … ### Multifactor Authentication and Password strength -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the SRE standard user cannot access the apps - -
:camera: Verify before adding to group: Microsoft Remote Desktop: Login works but apps cannot be viewed - -
- -
:camera: Verify before adding to group: Guacamole: User is prompted to setup MFA - -
- -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that adding the **SRE standard user** to the SRE group on the domain controller does not give them access - -
:camera: Verify after adding to group: Microsoft Remote Desktop: Login works and apps can be viewed - -
- -
:camera: Verify after adding to group: Microsoft Remote Desktop: attempt to login to DSVM Main (Desktop) fails - -
- -
:camera: Verify before adding to group: Guacamole: User is prompted to setup MFA - -
- -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** is able to successfully set up MFA - -
:camera: Verify: successfully set up MFA - -
- -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** can authenticate with MFA - -
:camera: Verify: Guacamole: respond to the MFA prompt - 122043131-47bc8080-cddb-11eb-8578-e45ab3efaef0.png"> -
- -
:camera: Verify: Microsoft Remote Desktop: attempt to log in to DSVM Main (Desktop) and respond to the MFA prompt - 122043131-47bc8080-cddb-11eb-8578-e45ab3efaef0.png"> -
- -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that the **SRE standard user** can access the DSVM desktop - -
:camera: Verify: Microsoft Remote Desktop: connect to DSVM Main (Desktop) - -
- -
:camera: Verify: Guacamole: connect to Desktop: Ubuntu0 - -
+- :white_check_mark: Check: Users can reset their own password +- Verify that: User can reset their own password + + +- :white_check_mark: Check: non-registered users cannot connect to any SRE workspace + - Verify that: User can authenticate but cannot see any workspaces + +- :white_check_mark: Check: registered users can see SRE workspaces + - Verify that: User can authenticate and can see workspaces + +- :white_check_mark: Check: Authenticated user can access workspaces + - Verify that: You can connect to any workspace + ### Isolated Network -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connect to the SHM DC and NPS if connected to the SHM VPN -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the SHM DC and NPS if not connected to the SHM VPN -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Fail to connect to the internet from within a DSVM on the SRE network. - -
:camera: Verify: Connection fails - 122045859-8142bb00-cdde-11eb-920c-3a162a180647.png"> -
- -
:camera: Verify: that you cannot access a website using curl - -
- -
:camera: Verify: that you cannot get the IP address for a website using nslookup - -
-- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check that users cannot connect between two SREs within the same SHM, even if they have access to both SREs - -
:camera: Verify: SSH connection fails - -
-- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules are set appropriately to block outgoing traffic - -
:camera: Verify: access rules - -
+- :white_check_mark: Fail to connect to the internet from a workspace + - Verify that: Browsing to the service fails + + - Verify that: You cannot access the service using curl + + - Verify: You cannot get the IP address for the service using nslookup + ### User devices -#### Tier 2: +#### Tier 2 -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connection succeeds from a personal device with an allow-listed IP address -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check connection +- Connect to the environment using an allowed IP address and credentials + - :white_check_mark: Verify that: Connection succeeds +- Connect to the environment from an IP address that is not allowed but with correct credentials + - :white_check_mark: Verify that: Connection fails -#### Tier 3: +#### Tier 3 -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check user lacks root access -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Connection succeeds from a personal device with an allow-listed IP address -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No managed device available to check connection with an allow-listed IP address +- All managed devices should be provided by a known IT team at an approved organisation. + - :fast_forward: Verify that: the IT team of the approved organisation take responsibility for managing the device. + - :fast_forward: Verify that: the user does not have administrator permissions on the device. + - :fast_forward: Verify that: allowed IP addresses are exclusive to managed devices. 
+- Connect to the environment using an allowed IP address and credentials + - :fast_forward: Verify that: Connection succeeds +- Connect to the environment from an IP address that is not allowed but with correct credentials + - :fast_forward: Verify that: Connection fails -#### Tiers 2+: +#### Tiers 2 and above -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Network rules permit access only from allow-listed IP addresses - -
:camera: Verify: access rules - -
-- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: All non-deployment NSGs have rules denying inbound connections from outside the Virtual Network +- :white_check_mark: Network rules permit access only from allow-listed IP addresses + - In the Azure portal navigate to the Guacamole application gateway NSG for this SRE shm--sre--nsg-application-gateway + - Verify that: the NSG has network rules allowing Inbound access from allowed IP addresses only + +- :white_check_mark: all other NSGs have an inbound Deny All rule and no higher priority rule allowing inbound connections from outside the Virtual Network ### Physical security -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so connection from outside was not tested -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so connection from inside was not tested -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Check the network IP ranges corresponding to the research spaces and compare against the IPs accepted by the firewall. -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: No secure physical space available so confirmation of physical measures was not tested +#### Tier 3 only + +- Attempt to connect to the Tier 3 SRE web client from home using a managed device and the correct VPN connection and credentials. + - :fast_forward: Verify that: connection fails. +- Attempt to connect from research office using a managed device and the correct VPN connection and credentials. 
+ - :fast_forward: Verify that: connection succeeds + - :fast_forward: Verify that: the network IP ranges corresponding to the research spaces correspond to those allowed by storage account firewall + - :fast_forward: Verify that: physical measures such as screen adaptions or desk partitions are present if risk of visual eavesdropping is high ### Remote connections -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to connect as a user to the remote desktop server via SSH - -
:camera: Verify: SSH connection by FQDN fails - -
- -
:camera: Verify: SSH connection by public IP address fails - -
-- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: The remote desktop server is the only SRE resource with a public IP address +- :white_check_mark: Unable to connect as a user to the remote desktop server via SSH + - Verify that: SSH login by fully-qualified domain name fails + + - Verify that: SSH login by public IP address fails + +- :white_check_mark: Verify that: the remote desktop web client application gateway (shm--sre--ag-entrypoint) and the firewall are the only SRE resources with public IP addresses. ### Copy-and-paste -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to paste local text into a DSVM -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Unable to copy text from a DSVM -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Copy between VMs in an SRE succeeds +- Unable to paste text from a local device into a workspace + - :white_check_mark: Verify that: paste fails +- Unable to copy text from a workspace to a local device + - :white_check_mark: Verify that: paste fails ### Data ingress -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** secure upload token successfully created with write-only permissions -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** token was sent using a secure, out-of-band communication channel (e.g. 
secure email) -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading a file from an allow-listed IP address succeeds -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** downloading a file from an allow-listed IP address fails -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading a file from an non-allowed IP address fails -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** connection during lifetime of short-duration token succeeds -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** connection after lifetime of short-duration token fails -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **Data Provider:** uploading different file types succeeds - -### Storage volumes and egress - -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to the `/output` volume -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can only read from the `/data` volume -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to their directory in `/home` -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **SRE standard user** can read and write to the `/shared` volume -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** can see the files ready for egress -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: **System administrator:** can download egress-ready files - -### Package mirrors - -#### Tier 2: - -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install any packages - -
:camera: Verify: botocore can be installed - -
- -#### Tier 3: - -- :white_check_mark:/:partly_sunny:/:fast_forward:/:x: Can install only allow-listed packages - -
:camera: Verify: aero-calc can be installed; botocore cannot be installed - -
+- Check that the **System Manager** can send an upload token to the **Dataset Provider Representative** + - :white_check_mark: Verify that: the upload token is successfully created. + - :white_check_mark: Verify that: you are able to send this token using a secure mechanism. +- Ensure that data ingress works only for connections from the accepted IP address range + - :white_check_mark: Verify that: writing succeeds by uploading a file + - :white_check_mark: Verify that: attempting to open or download any of the files results in the following error: "Failed to start transfer: Insufficient credentials" under the Activities pane at the bottom of the MS Azure Storage Explorer window. + - :white_check_mark: Verify that: the access token fails when using a device with a non-allowed IP address +- Check that the upload fails if the token has expired + - :white_check_mark: Verify that: you can connect and write with the token during the duration + - :white_check_mark: Verify that: you cannot connect and write with the token after the duration has expired + - :white_check_mark: Verify that:the data ingress process works by uploading different kinds of files, e.g. data, images, scripts (if appropriate) + +### Data egress + +- Confirm that a non-privileged user is able to read the different storage volumes and write to output + - :white_check_mark: Verify that: the `/mnt/output` volume exists and can be written to + - :white_check_mark: Verify that: the permissions of other storage volumes match that described in the user guide +- Confirm that System Manager can see and download files from output + - :white_check_mark: Verify that: you can see the files written to the `/mnt/output` storage volume. 
+ - :white_check_mark: Verify that: a written file can be taken out of the environment via download + +### Software package repositories + +#### Tier 2 + +- :white_check_mark: Can install any packages + - Verify that: pytz can be installed + + - Verify that: awscli can be installed + + +#### Tier 3 + +- :white_check_mark: Can install only allow-listed packages + - Verify: pytz can be installed + + - Verify: awscli cannot be installed + From bebeea64002ba45e945ac38a5ae93fce395559e2 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Thu, 5 Dec 2024 12:09:05 +0000 Subject: [PATCH 12/13] Correct docstring --- .../infrastructure/programs/sre/software_repositories.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data_safe_haven/infrastructure/programs/sre/software_repositories.py b/data_safe_haven/infrastructure/programs/sre/software_repositories.py index 420ca5c5a2..be67c3e8af 100644 --- a/data_safe_haven/infrastructure/programs/sre/software_repositories.py +++ b/data_safe_haven/infrastructure/programs/sre/software_repositories.py @@ -1,4 +1,4 @@ -"""Pulumi component for SRE monitoring""" +"""Pulumi component for SRE software repositories""" from collections.abc import Mapping From 8e99750670dadcad007a0f2ac40285a5246afada Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Thu, 5 Dec 2024 14:10:05 +0000 Subject: [PATCH 13/13] Bump version --- data_safe_haven/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data_safe_haven/version.py b/data_safe_haven/version.py index 6a7d91a4eb..e5ca1b74a8 100644 --- a/data_safe_haven/version.py +++ b/data_safe_haven/version.py @@ -1,2 +1,2 @@ -__version__ = "5.1.0" +__version__ = "5.2.0" __version_info__ = tuple(__version__.split("."))
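Review bot: the rewritten Isolated Network section of the security checklist diff drops two checks without a replacement: "Check that users cannot connect between two SREs within the same SHM, even if they have access to both SREs" and "Network rules are set appropriately to block outgoing traffic". What remains ("Fail to connect to the internet from a workspace") exercises only workspace-to-internet egress, so lateral movement between SREs under one SHM and the outbound rule set itself go untested; keep an inter-SRE connection check (SSH from a workspace in one SRE to a workspace in another must fail) and an explicit inspection of the outbound NSG/firewall rules, mirroring the inbound rule inspection kept under "Tiers 2 and above". Smaller points in the same diff: under Copy-and-paste the second item ("Unable to copy text from a workspace to a local device") verifies "paste fails", duplicating the first item, when it should verify that copy fails (text copied in the workspace cannot be pasted on the local device). Under Data egress the explicit per-volume expectations of the old list (`/data` read-only, `/output` and `/shared` read-write) are replaced with "match that described in the user guide" and there is no negative check; state the expected mode per volume in the checklist and add "Verify that: writing to the read-only input volume fails". Under Physical security, "correspond to those allowed by storage account firewall" should point at the application gateway NSG allow-list that gates user connections (the same rules inspected in "Network rules permit access only from allow-listed IP addresses"), with the storage account firewall included only if ingress from the research spaces is also in scope. Finally, "Verify that:the data ingress process" is missing a space, "Verify:" and "Verify that:" are used inconsistently (the nslookup line and the Tier 3 package lines), and the resource names "shm--sre--nsg-application-gateway" and "shm--sre--ag-entrypoint" appear with empty name segments; if these are placeholders for the SHM and SRE names, mark them as placeholders so nobody searches the portal for the literal string.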