Fully integrate new instance into its environment
New Instance
Integration
The following need to be completed:
- Hardening of server to secure it
  - Firewalling to restrict SSH access to the nmrc.org domain only
  - Firewalling of web access in place to the nmrc.org domain only until sign-up is disabled
- Basic instance installed on secured server
  - Location: https://blackhole.nmrc.org/
- Integration with nmrc.org domain email. This should invoke TLS without SMTP authentication.
  - Verify via headers or logs that TLS is invoked
- Implement CAA (see https://tools.ietf.org/html/rfc6844 for details)
- Set all recommended items from https://about.gitlab.com/blog/2020/05/20/gitlab-instance-security-best-practices/
  - Ensure proper SSH keys are being used
  - Sign-up disabled
  - Send confirmation is enabled
  - Minimum password length increased to 12 (not in blog post, added)
  - White-listed domain implemented (nmrc.org) to restrict access
  - Multi-factor enabled
  - Ensure default "private" for existing objects and new projects
  - Proper rate limits:
    - Enable unauthenticated request rate limit
    - Enable authenticated API request rate limit
    - Enable authenticated web request rate limit
  - Ensure "allow requests to the local network from web hooks and services" is disabled
  - Disable "allow requests to the local network from system hooks"
  - Ensure "Enable protected paths rate limit" is checked
- Implement a secure Content Security Policy
- Lock down subsystems (anything that can listen on a port and potentially be exposed to the Internet, or that makes calls to the Internet)
  - nginx
  - Gravatar
  - Prometheus
  - Grafana
  - Docker - private container registry, mainly for SAST
  - RSS Feeds - merged and implemented: gitlab-org/gitlab!48600 (merged)
Testing
- Email: verify via headers or logs that TLS is invoked so SMTP traffic is encrypted
  - Verify new user invite email is working
- Install and integrate Duo Security for SSH (nmrc.org standard)
  - Ensure authentication still works properly
  - git access should still work, but needs testing
- Upload/check in source code and have SAST check it for security flaws, all while using local-only resources
- Scan from local, internal, and external sources for network-based discovery and testing of resources
  - Full port scans
  - Full network security scans
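One way to carry out the email TLS check above, as an added example that is not part of this issue: parse the Received: headers of a delivered notification and confirm that the hop originating at the instance used ESMTPS (TLS) without SMTP AUTH. The hostnames, addresses and the sample message are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (hostnames and addresses made up): the instance submits a
# notification to the domain relay over TLS without AUTH, which then delivers over plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mail.nmrc.org (mail.nmrc.org [192.0.2.20])
\tby mbox.nmrc.org (Postfix) with ESMTP id 7A0B1C2D
\tfor <user@nmrc.org>; Mon, 01 Jun 2020 10:00:01 +0000
Received: from blackhole.nmrc.org (blackhole.nmrc.org [192.0.2.10])
\tby mail.nmrc.org (Postfix) with ESMTPS id 5E6F7A8B
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)
\tfor <user@nmrc.org>; Mon, 01 Jun 2020 10:00:00 +0000
From: GitLab <gitlab@nmrc.org>

body
"""

# RFC 3848/6531 "with" keywords: a trailing S means TLS, a trailing A means SMTP AUTH.
_PROTO_RE = re.compile(r'^(?:UTF8)?E?SMTP(?P<s>S)?(?P<a>A)?$', re.IGNORECASE)
# Postfix writes "(version=TLSv1.3 ...)", Exim writes "(using TLSv1.3 ...)".
_TLS_VERSION_RE = re.compile(r'\((?:version=|using )((?:TLS|SSL)\S+)')

def parse_received(value):
    """Describe one Received: header value as a hop: who sent, who received, how."""
    v = re.sub(r'\s+', ' ', value).strip()          # unfold continuation lines
    m_from = re.search(r'\bfrom (\S+)', v)
    m_by = re.search(r'\bby (\S+)', v)
    m_with = re.search(r'\bwith (\S+)', v)
    proto = m_with.group(1) if m_with else ''
    pm, vm = _PROTO_RE.match(proto), _TLS_VERSION_RE.search(v)
    return {'from': m_from.group(1) if m_from else None,
            'by': m_by.group(1) if m_by else None, 'proto': proto,
            'tls': bool(pm and pm.group('s')), 'auth': bool(pm and pm.group('a')),
            'tls_version': vm.group(1) if vm else None}

def received_hops(raw_message):
    """Hops oldest-first (each MTA prepends its Received: header, so reverse them)."""
    msg = message_from_string(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all('Received', []))]

def submission_uses_tls(raw_message, sender_host):
    """True only if the hop originating at sender_host negotiated TLS and used no SMTP AUTH."""
    for hop in received_hops(raw_message):
        if hop['from'] == sender_host:
            return hop['tls'] and not hop['auth']
    return False
```

Run it against a notification saved from a real mailbox (`submission_uses_tls(open('msg.eml').read(), 'blackhole.nmrc.org')`) to confirm the relay hop; hops that report ESMTPSA indicate authentication was used, which this check deliberately treats as a failure.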
Documentation
- Complete a risk assessment using the Threat Modeling process
  - Use the risk assessment as a working sample for the handbook page on Threat Modeling
- Publish the risk assessment
- Blog post/video about the project
Edited by Mark Loveless