Security Configuration

This guide covers security configuration and best practices for Tripl-i, including authentication, authorization, encryption, and compliance requirements.

Authentication

Two-Factor Authentication (2FA)

Starting with v3.1.0, two-factor authentication is mandatory for all Tripl-i users:

two_factor_auth:
  enabled: true
  mandatory: true
  grace_period_days: 7
  totp:
    issuer: "Tripl-i"
    algorithm: "SHA1"
    digits: 6
    period: 30
  backup_codes:
    count: 10
    length: 8
    one_time_use: true

Key Features:

  • TOTP Support: Compatible with Google Authenticator, Authy, Microsoft Authenticator
  • Backup Codes: 10 single-use recovery codes per user
  • Mandatory Enforcement: All users must enable 2FA within 7 days
  • Security Logging: All 2FA events are audited and logged

Administrative Controls:

  • Reset user 2FA settings via user management interface
  • Monitor 2FA compliance through admin dashboard
  • View 2FA setup statistics and audit trails

For user setup instructions, see the Multi-Factor Authentication Guide.
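The following is an added example (not Tripl-i's own code) of what the totp and backup_codes settings above mean at the verification step: an RFC 6238 TOTP check with the configured SHA1/6-digit/30-second parameters, a replay guard so a code is accepted only once per time step, and a store that redeems each of the 10 eight-character backup codes exactly once. The constant names, the one-step skew window and the PBKDF2 hashing of backup codes are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct

# Values mirrored from the two_factor_auth config above.
TOTP_ALGORITHM, TOTP_DIGITS, TOTP_PERIOD = "sha1", 6, 30
BACKUP_CODE_COUNT, BACKUP_CODE_LENGTH = 10, 8


def hotp(secret: bytes, counter: int) -> str:
    # RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation.
    digest = hmac.new(secret, struct.pack(">Q", counter), TOTP_ALGORITHM).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, now: float, last_counter: int = -1, window: int = 1):
    # Returns the matched time-step counter (caller persists it as last_counter) or None.
    # Tolerates +/- `window` steps of clock skew (assumed: 1) but never accepts a step at
    # or below last_counter, so a captured code cannot be replayed within its 30-second window.
    current = int(now // TOTP_PERIOD)
    for counter in range(current - window, current + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def generate_backup_codes() -> list:
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return ["".join(secrets.choice(alphabet) for _ in range(BACKUP_CODE_LENGTH))
            for _ in range(BACKUP_CODE_COUNT)]


class BackupCodeStore:
    # Holds salted PBKDF2 hashes of a user's backup codes; each code redeems exactly once.
    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 50_000)

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self._unused:
            self._unused.remove(h)  # one_time_use: true
            return True
        return False
```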

Local Authentication

authentication:
  local:
    enabled: true
    password_policy:
      min_length: 12
      require_uppercase: true
      require_lowercase: true
      require_numbers: true
      require_special_chars: true
      expiry_days: 90
      history_count: 5
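An added example (not Tripl-i's own code) of enforcing the password_policy above on a password change: the complexity rules, the history_count rule (a password matching any of the last 5 stored hashes is rejected) and the expiry_days rule. The class and method names, and the use of salted PBKDF2 for the stored history, are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

# Mirrors authentication.local.password_policy above.
POLICY = {
    "min_length": 12, "require_uppercase": True, "require_lowercase": True,
    "require_numbers": True, "require_special_chars": True,
    "expiry_days": 90, "history_count": 5,
}
CHECKS = (
    ("require_uppercase", r"[A-Z]"), ("require_lowercase", r"[a-z]"),
    ("require_numbers", r"[0-9]"), ("require_special_chars", r"[^A-Za-z0-9]"),
)


def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative KDF; a memory-hard one (argon2id/scrypt) is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordHistory:
    # Per-user record: salted hashes of the last history_count passwords, newest last.
    def __init__(self):
        self.entries = []  # (salt, hash, date_set)

    def complexity_errors(self, password: str) -> list:
        errors = ["min_length"] if len(password) < POLICY["min_length"] else []
        errors += [key for key, pattern in CHECKS
                   if POLICY[key] and not re.search(pattern, password)]
        return errors

    def is_reused(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), h)
                   for salt, h, _ in self.entries)

    def set_password(self, password: str, today: date) -> list:
        # Returns the list of violated policy keys; empty means the change was accepted.
        errors = self.complexity_errors(password)
        if self.is_reused(password):
            errors.append("history_count")
        if errors:
            return errors
        salt = secrets.token_bytes(16)
        self.entries.append((salt, hash_password(password, salt), today))
        self.entries = self.entries[-POLICY["history_count"]:]  # keep only the last 5
        return []

    def is_expired(self, today: date) -> bool:
        if not self.entries:
            return True
        return today - self.entries[-1][2] >= timedelta(days=POLICY["expiry_days"])
```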

LDAP/Active Directory

authentication:
  ldap:
    enabled: true
    server: ldap://domain.com:389
    base_dn: dc=domain,dc=com
    bind_dn: cn=nopesight,ou=services,dc=domain,dc=com
    user_filter: (sAMAccountName={username})
    group_filter: (member={dn})
    ssl: true
    timeout: 30

SAML/SSO

authentication:
  saml:
    enabled: true
    entity_id: https://nopesight.company.com
    sso_url: https://idp.company.com/sso
    certificate: /path/to/cert.pem
    attribute_mapping:
      email: mail
      name: displayName
      groups: memberOf

Authorization

Role-Based Access Control (RBAC)

roles:
  admin:
    description: Full system administrator
    permissions:
      - system.*
      - cmdb.*
      - reports.*
      - users.*

  operator:
    description: Day-to-day operations
    permissions:
      - cmdb.read
      - cmdb.update
      - reports.read
      - discovery.execute

  viewer:
    description: Read-only access
    permissions:
      - cmdb.read
      - reports.read
      - dashboard.view

API Security

api_security:
  rate_limiting:
    enabled: true
    requests_per_minute: 60
    burst_size: 100

  cors:
    enabled: true
    allowed_origins:
      - https://app.company.com
      - https://dashboard.company.com
    allowed_methods:
      - GET
      - POST
      - PUT
      - DELETE
    allowed_headers:
      - Authorization
      - Content-Type

  jwt:
    secret: ${JWT_SECRET}
    expiry: 24h
    refresh_token_expiry: 30d

Secrets Management

AWS Secrets Manager Integration

Starting with v3.1.0, Tripl-i integrates with AWS Secrets Manager for secure credential storage:

secrets_manager:
  enabled: true
  region: ${AWS_REGION}
  secrets:
    jwt_secret: "nopesight/jwt-secret"
    openai_api_key: "nopesight/openai-api-key"
    database_password: "nopesight/database-password"

  rotation:
    enabled: true
    schedule: "rate(90 days)"

  access_control:
    iam_role: "Tripl-iSecretsRole"
    policies:
      - "SecretsManagerReadWrite"

Benefits:

  • Centralized Management: All secrets stored in AWS Secrets Manager
  • Automatic Rotation: Configurable rotation schedules for enhanced security
  • Access Control: IAM-based permissions for secret access
  • Audit Trail: Complete logging of secret access and modifications
  • Environment Separation: Different secrets for dev/staging/production

Configuration Steps:

  1. Create secrets in AWS Secrets Manager
  2. Configure IAM roles and policies
  3. Update Tripl-i environment variables to reference secret ARNs
  4. Enable automatic rotation schedules

Encryption

Data at Rest

encryption:
  at_rest:
    enabled: true
    algorithm: AES-256-GCM
    key_management: aws_kms
    kms_key_id: ${KMS_KEY_ID}

  database:
    field_level_encryption:
      enabled: true
      fields:
        - password
        - api_key
        - credential
        - secret

Data in Transit

tls:
  enabled: true
  min_version: "1.2"
  ciphers:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  certificate: /path/to/cert.pem
  private_key: /path/to/key.pem
  ca_bundle: /path/to/ca-bundle.pem

Audit Logging

Configuration

audit:
  enabled: true
  retention_days: 365

  events:
    - authentication.login
    - authentication.logout
    - authentication.failed
    - authentication.2fa.setup
    - authentication.2fa.verify
    - authentication.2fa.failed
    - authentication.2fa.reset
    - authentication.backup_code.used
    - cmdb.create
    - cmdb.update
    - cmdb.delete
    - user.create
    - user.update
    - user.delete
    - api.access
    - secrets.access
    - secrets.rotation

  storage:
    type: elasticsearch
    index: nopesight-audit
    rotation: monthly

Log Format

{
  "timestamp": "2024-01-20T10:30:00Z",
  "user": "john.doe@company.com",
  "action": "cmdb.update",
  "resource": "ci/server-001",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "result": "success",
  "details": {
    "previous_value": "active",
    "new_value": "maintenance"
  }
}
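An added example (not Tripl-i's own code) of detection logic run over audit records in the format above, using two of the 2FA events from the events list: a burst of authentication.2fa.failed for one user within a short window, and any successful authentication.2fa.reset or authentication.backup_code.used, which indicates the user's TOTP device was bypassed and merits review. The threshold, window, the "failure" result value and the sample records are constructed assumptions of the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_2FA_THRESHOLD = 5                 # assumed; tune to the environment
FAILED_2FA_WINDOW = timedelta(minutes=5)  # assumed
REVIEW_ACTIONS = {"authentication.2fa.reset", "authentication.backup_code.used"}


def parse_event(line: str) -> dict:
    # One JSON audit record per line, timestamp as in the log format above.
    event = json.loads(line)
    event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines) -> list:
    # Returns (rule, user, ip_address) tuples; records must be in time order.
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent 2FA failures
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "authentication.2fa.failed":
            q = failures[ev["user"]]
            q.append(ev["timestamp"])
            while q and ev["timestamp"] - q[0] > FAILED_2FA_WINDOW:
                q.popleft()  # slide the window
            if len(q) == FAILED_2FA_THRESHOLD:
                alerts.append(("2fa_brute_force", ev["user"], ev["ip_address"]))
        elif ev["action"] in REVIEW_ACTIONS and ev["result"] == "success":
            alerts.append(("2fa_recovery_review", ev["user"], ev["ip_address"]))
    return alerts


def _record(ts, action, result):
    # Constructed sample record with the same field layout as the log format above.
    return json.dumps({"timestamp": ts, "user": "john.doe@company.com", "action": action,
                       "resource": "auth/2fa", "ip_address": "203.0.113.7",
                       "user_agent": "curl/8.0", "result": result, "details": {}})


SAMPLE_LOG = [_record(f"2024-01-20T10:30:{s:02d}Z", "authentication.2fa.failed", "failure")
              for s in (0, 5, 10, 15, 20)]
SAMPLE_LOG.append(_record("2024-01-20T10:31:00Z", "authentication.backup_code.used", "success"))

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```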

Security Headers

# Nginx configuration
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Compliance

GDPR Compliance

gdpr:
  enabled: true
  data_retention:
    default_days: 730
    anonymization_enabled: true

  user_rights:
    data_export: true
    data_deletion: true
    consent_management: true

  pii_fields:
    - user.email
    - user.name
    - user.phone
    - ci.owner

SOX Compliance

sox:
  enabled: true

  controls:
    access_reviews:
      enabled: true
      frequency: quarterly

    segregation_of_duties:
      enabled: true
      incompatible_roles:
        - [admin, auditor]
        - [developer, production_operator]

    change_management:
      approval_required: true
      documentation_required: true

Security Scanning

Vulnerability Scanning

# Run security scan
./security-scan.sh

# Check for vulnerabilities in dependencies
npm audit
pip check      # verifies installed packages have consistent dependencies; use pip-audit for known CVEs
pip-audit

# Container scanning
docker scan nopesight:latest

Penetration Testing

pentest:
  schedule: annually
  scope:
    - Web application
    - API endpoints
    - Network infrastructure
    - Authentication systems

  remediation:
    critical: 24_hours
    high: 7_days
    medium: 30_days
    low: 90_days

Incident Response

Security Incident Procedure

incident_response:
  contacts:
    security_team: security@company.com
    on_call: +1-555-0123

  severity_levels:
    critical:
      response_time: 15_minutes
      escalation: ciso@company.com

    high:
      response_time: 1_hour
      escalation: security-lead@company.com

    medium:
      response_time: 4_hours
      escalation: security@company.com

Best Practices

1. Regular Updates

  • Apply security patches promptly
  • Update dependencies regularly
  • Monitor security advisories

2. Access Control

  • Use principle of least privilege
  • Regular access reviews
  • Multi-factor authentication for admins

3. Monitoring

  • Real-time security monitoring
  • Anomaly detection
  • Regular security audits

4. Training

  • Security awareness training
  • Phishing simulations
  • Incident response drills

Security Checklist

  • Enable HTTPS/TLS for all connections
  • Configure mandatory two-factor authentication
  • Configure strong password policies
  • Set up AWS Secrets Manager integration
  • Enable audit logging with 2FA events
  • Set up backup encryption
  • Configure firewall rules
  • Enable rate limiting
  • Set up intrusion detection
  • Regular vulnerability scans
  • Monitor 2FA compliance
  • Test backup code recovery procedures
  • Incident response plan
  • Security training completed
  • Database security vulnerabilities addressed