git.stella-ops.org/docs/doctor/articles/security/password-policy.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
|---|---|---|---|
| check.security.password.policy | stellaops.doctor.security | warn | security, password, authentication |

# Password Policy

## What It Checks

Validates password requirements meet security standards. The check only runs when a password policy configuration section exists (Identity:Password, Password, or Security:Password). It inspects:

| Setting | Threshold | Severity |
|---|---|---|
| RequiredLength / MinLength | Less than 8 | fail (if < 6), otherwise warn |
| RequiredLength / MinLength | Less than 12 | warn (12+ recommended) |
| RequireDigit | false | warn |
| RequireLowercase | false | warn |
| RequireUppercase | false | warn |
| RequireNonAlphanumeric / RequireSpecialChar | false | warn |
| MaxFailedAccessAttempts / MaxAttempts | Greater than 10 | warn |
| DefaultLockoutTimeSpan / DurationMinutes | Less than 1 minute | warn |

Default values if not explicitly set: min length = 8, require digit/lowercase/uppercase/special = true, max failed attempts = 5, lockout duration = 5 minutes.
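The evaluation rules above, as an added Python sketch that is not the Doctor plugin's own code. It assumes the lockout keys are read from the policy section itself or from a sibling `Lockout` section, and that the lockout duration is a number of whole minutes, as in the fix snippets on this page:

```python
"""Illustration of the check.security.password.policy rules (not the Doctor plugin's code)."""

# Config sections the check looks for, in the order the article lists them.
SECTION_PATHS = (("Identity", "Password"), ("Password",), ("Security", "Password"))
# Defaults the article states for keys that are not explicitly set.
DEFAULTS = {"length": 8, "flags": True, "attempts": 5, "lockout_minutes": 5}

def _lookup(root, path):
    """Walk nested dicts along path; None if any key is missing."""
    for key in path:
        if not isinstance(root, dict) or key not in root:
            return None
        root = root[key]
    return root

def _first(section, names, default):
    """Return the first alias present (e.g. RequiredLength / MinLength) or the default."""
    return next((section[n] for n in names if n in section), default)

def evaluate_password_policy(config):
    """Return (overall, findings); overall is 'skip' when no policy section exists."""
    for path in SECTION_PATHS:
        section = _lookup(config, path)
        if isinstance(section, dict):
            break
    else:
        return "skip", []
    # Assumption: lockout keys live in the section itself or in a sibling "Lockout" section.
    lockout = _lookup(config, path[:-1] + ("Lockout",)) or {}
    values = {**lockout, **section}
    findings = []
    length = _first(values, ("RequiredLength", "MinLength"), DEFAULTS["length"])
    if length < 6:
        findings.append(("fail", f"minimum length {length} is below 6"))
    elif length < 12:
        findings.append(("warn", f"minimum length {length} is below the recommended 12"))
    for names in (("RequireDigit",), ("RequireLowercase",), ("RequireUppercase",),
                  ("RequireNonAlphanumeric", "RequireSpecialChar")):
        if not _first(values, names, DEFAULTS["flags"]):
            findings.append(("warn", f"{names[0]} is disabled"))
    attempts = _first(values, ("MaxFailedAccessAttempts", "MaxAttempts"), DEFAULTS["attempts"])
    if attempts > 10:
        findings.append(("warn", f"{attempts} failed attempts allowed before lockout (more than 10)"))
    # Assumption: the lockout duration is expressed in whole minutes.
    minutes = _first(values, ("DefaultLockoutTimeSpan", "DurationMinutes"), DEFAULTS["lockout_minutes"])
    if minutes < 1:
        findings.append(("warn", f"lockout duration of {minutes} min is below 1 minute"))
    severities = {s for s, _ in findings}
    overall = "fail" if "fail" in severities else "warn" if "warn" in severities else "pass"
    return overall, findings
```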

## Why It Matters

Weak password policies enable brute-force and credential-stuffing attacks. Short passwords with low complexity can be cracked quickly with dictionary attacks. Without account lockout or with too many allowed attempts, automated attacks can run indefinitely. In a release control plane, compromised credentials could lead to unauthorized release approvals, policy changes, or data exfiltration.

## Common Causes

- Minimum password length set too short (below 8 characters)
- Password complexity requirements disabled (no digit, uppercase, lowercase, or special character requirement)
- Maximum failed login attempts too high (above 10), allowing extended brute-force
- Account lockout duration too short (less than 1 minute)

## How to Fix

### Docker Compose

Set the password policy via environment variables:

```yaml
environment:
  Identity__Password__RequiredLength: "12"
  Identity__Password__RequireDigit: "true"
  Identity__Password__RequireLowercase: "true"
  Identity__Password__RequireUppercase: "true"
  Identity__Password__RequireNonAlphanumeric: "true"
  Identity__Lockout__MaxFailedAccessAttempts: "5"
  Identity__Lockout__DefaultLockoutTimeSpan: "15"
```

### Bare Metal / systemd

Edit appsettings.json:

```json
{
  "Identity": {
    "Password": {
      "RequiredLength": 12,
      "RequireDigit": true,
      "RequireLowercase": true,
      "RequireUppercase": true,
      "RequireNonAlphanumeric": true
    },
    "Lockout": {
      "MaxFailedAccessAttempts": 5,
      "DefaultLockoutTimeSpan": 15
    }
  }
}
```

### Kubernetes / Helm

Set in Helm values:

```yaml
identity:
  password:
    requiredLength: 12
    requireDigit: true
    requireLowercase: true
    requireUppercase: true
    requireNonAlphanumeric: true
  lockout:
    maxFailedAccessAttempts: 5
    defaultLockoutTimeSpan: 15
```

## Verification

```bash
stella doctor run --check check.security.password.policy
```

## Related Checks

- check.core.auth.config: validates overall authentication configuration
- check.security.audit.logging: authentication failure events should be logged
- check.security.ratelimit: rate limiting provides an additional layer of brute-force protection