Security Checklist
Installation
-
Only system administrators and midPoint daemon user have access to midPoint home directory (usually
vardirectory) -
administratormidPoint user is disabled or its initial password was changed. -
Personalized system administrator accounts were created.
-
Superuserrole or roles granting#allare assigned only to trusted users.
-
-
Initial roles and security policy was reviewed.
Mappings & Expressions
-
Only system administrators (users with
Superuseror similar role) have access to Query Playground, Mapping Playground -
Only trusted users have edit access to expressions
-
Mappings in Resources, Archetypes, Object Templates
-
Mappings and Queries in Reports
-
-
Groovy Expressions were reviewed for potential security vulnerabilities
-
Mappings in Expressions were reviewed and modified to provision sanitized values to resources
Flexible Authentication
-
Security Policies were reviewed and customized
-
Emergency login is configured if remote authentication modules are configured
-
-
If using Security Questions:
-
Security Questions are used only with other authentication mechanism
-
Set of available questions does not lead to easily guessable / searchable answers
-
Networking
-
MidPoint GUI and REST is accessible only via HTTPS proxy
-
HTTPS Proxy is configured to:
-
add HSTS headers (HTTP Strict Transport Security)
-
add
Secureattribute toJSESSIONIDcookie
-
-
-
If Outbound Firewall is used, make sure outbound traffic is enabled for:
-
midPoint to midPoint communication if cluster is used
-
midPoint to Resource
-
midPoint to Database
-
Operations
-
Latest maintenance release is deployed
-
Subscribed to midpoint@lists.evolveum.com mailing list for Advisories