Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel. Also adds: - docs/doctor/articles/ knowledge base for check explanations - Advisory AI search seed and allowlist updates for doctor content - Sprint plan for doctor checks documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
95
docs/doctor/articles/security/password-policy.md
Normal file
95
docs/doctor/articles/security/password-policy.md
Normal file
@@ -0,0 +1,95 @@
|
||||
---
|
||||
checkId: check.security.password.policy
|
||||
plugin: stellaops.doctor.security
|
||||
severity: warn
|
||||
tags: [security, password, authentication]
|
||||
---
|
||||
# Password Policy
|
||||
|
||||
## What It Checks
|
||||
Validates password requirements meet security standards. The check only runs when a password policy configuration section exists (`Identity:Password`, `Password`, or `Security:Password`). It inspects:
|
||||
|
||||
| Setting | Threshold | Severity |
|
||||
|---|---|---|
|
||||
| `RequiredLength` / `MinLength` | Less than 8 | `fail` (if < 6), otherwise `warn` |
|
||||
| `RequiredLength` / `MinLength` | Less than 12 | `warn` — 12+ recommended |
|
||||
| `RequireDigit` | `false` | `warn` |
|
||||
| `RequireLowercase` | `false` | `warn` |
|
||||
| `RequireUppercase` | `false` | `warn` |
|
||||
| `RequireNonAlphanumeric` / `RequireSpecialChar` | `false` | `warn` |
|
||||
| `MaxFailedAccessAttempts` / `MaxAttempts` | Greater than 10 | `warn` |
|
||||
| `DefaultLockoutTimeSpan` / `DurationMinutes` | Less than 1 minute | `warn` |
|
||||
|
||||
Default values if not explicitly set: min length = 8, require digit/lowercase/uppercase/special = true, max failed attempts = 5, lockout duration = 5 minutes.
|
||||
|
||||
## Why It Matters
|
||||
Weak password policies enable brute-force and credential-stuffing attacks. Short passwords with low complexity can be cracked quickly with dictionary attacks. Without account lockout or with too many allowed attempts, automated attacks can run indefinitely. In a release control plane, compromised credentials could lead to unauthorized release approvals, policy changes, or data exfiltration.
|
||||
|
||||
## Common Causes
|
||||
- Minimum password length set too short (below 8 characters)
|
||||
- Password complexity requirements disabled (no digit, uppercase, lowercase, or special character requirement)
|
||||
- Maximum failed login attempts too high (above 10), allowing extended brute-force
|
||||
- Account lockout duration too short (less than 1 minute)
|
||||
|
||||
## How to Fix
|
||||
|
||||
### Docker Compose
|
||||
Set password policy via environment variables:
|
||||
|
||||
```yaml
|
||||
environment:
|
||||
Identity__Password__RequiredLength: "12"
|
||||
Identity__Password__RequireDigit: "true"
|
||||
Identity__Password__RequireLowercase: "true"
|
||||
Identity__Password__RequireUppercase: "true"
|
||||
Identity__Password__RequireNonAlphanumeric: "true"
|
||||
Identity__Lockout__MaxFailedAccessAttempts: "5"
|
||||
Identity__Lockout__DefaultLockoutTimeSpan: "15"
|
||||
```
|
||||
|
||||
### Bare Metal / systemd
|
||||
Edit `appsettings.json`:
|
||||
|
||||
```json
|
||||
{
|
||||
"Identity": {
|
||||
"Password": {
|
||||
"RequiredLength": 12,
|
||||
"RequireDigit": true,
|
||||
"RequireLowercase": true,
|
||||
"RequireUppercase": true,
|
||||
"RequireNonAlphanumeric": true
|
||||
},
|
||||
"Lockout": {
|
||||
"MaxFailedAccessAttempts": 5,
|
||||
"DefaultLockoutTimeSpan": 15
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Kubernetes / Helm
|
||||
Set in Helm values:
|
||||
|
||||
```yaml
|
||||
identity:
|
||||
password:
|
||||
requiredLength: 12
|
||||
requireDigit: true
|
||||
requireLowercase: true
|
||||
requireUppercase: true
|
||||
requireNonAlphanumeric: true
|
||||
lockout:
|
||||
maxFailedAccessAttempts: 5
|
||||
defaultLockoutTimeSpan: 15
|
||||
```
|
||||
|
||||
## Verification
|
||||
```
|
||||
stella doctor run --check check.security.password.policy
|
||||
```
|
||||
|
||||
## Related Checks
|
||||
- `check.core.auth.config` — validates overall authentication configuration
|
||||
- `check.security.audit.logging` — authentication failure events should be logged
|
||||
- `check.security.ratelimit` — rate limiting provides an additional layer of brute-force protection
|
||||
Reference in New Issue
Block a user