Profile Applicability:
Level 1
Description:
Anonymous or unauthenticated access to package artifacts in repositories or registries must be disabled. All access to artifacts should require proper authentication and authorization to prevent unauthorized downloads, tampering, or distribution of sensitive or proprietary software components.
Rationale:
Revoking anonymous access helps safeguard intellectual property, protects against unauthorized use or distribution, and reduces the risk of supply chain attacks. It ensures that only authorized users can access and consume artifacts, maintaining control over the software supply chain and its security.
Impact:
Pros:
Enhances security by restricting artifact access.
Prevents unauthorized download of packages or tampering with them.
Supports compliance with licensing and regulatory requirements.
Protects sensitive or proprietary code and binaries.
Cons:
May require additional user management and authentication infrastructure.
Could impact ease of access for legitimate external users if not properly managed.
Default value:
Some package registries may allow anonymous read access by default, exposing artifacts publicly.
Audit:
Review repository or registry access policies and logs to confirm anonymous access is disabled. Verify authentication requirements are enforced for artifact retrieval.
Remediation:
Configure package registries to require authentication for all artifact access. Implement role-based access control (RBAC) and monitor access logs for anomalies. Educate users on access policies.
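The two checks the Audit and Remediation sections call for, an unauthenticated retrieval attempt against a registry you administer and a scan of the registry's access log for artifacts served to anonymous clients, can be scripted. The following is an added example written for this recommendation, not code from the benchmark or from any registry vendor. It assumes the registry serves artifacts over HTTP(S) and answers unauthenticated requests with 401 or 403 when anonymous access is disabled, and that its access log uses an Apache combined-log-like layout (remote host, ident, authenticated user, timestamp, request line, status) with "-" or "anonymous" in the user field for unauthenticated requests; the hostnames, paths and log lines below are constructed for illustration.

```python
"""Audit helpers for the check "anonymous access to artifacts is disabled".

Added example; not part of the benchmark text. Assumptions (labelled):
- the registry answers unauthenticated artifact requests with 401/403 when
  anonymous access is disabled;
- access logs follow an Apache combined-log-like layout, with "-" or
  "anonymous" as the user for unauthenticated requests;
- artifact downloads live under a path prefix such as /repository/
  (the prefix is a parameter, adjust it to your registry).
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Finding:
    status: str   # "PASS", "FAIL" or "INCONCLUSIVE"
    detail: str


def classify_anonymous_response(http_status: int) -> Finding:
    """Interpret the HTTP status an unauthenticated artifact request received."""
    if http_status in (401, 403):
        return Finding("PASS", f"anonymous request rejected with HTTP {http_status}")
    if 200 <= http_status < 300:
        return Finding("FAIL", f"artifact served to anonymous client (HTTP {http_status})")
    if http_status == 404:
        # Some registries hide existing artifacts from anonymous users as 404,
        # so a 404 alone does not prove the control; confirm the path exists.
        return Finding("INCONCLUSIVE", "HTTP 404: confirm the artifact path exists")
    return Finding("INCONCLUSIVE", f"unexpected HTTP {http_status}")


def probe_anonymous_access(artifact_url: str, timeout: float = 10.0) -> Finding:
    """Issue one GET with no credentials or cookies against a registry you own."""
    req = urllib.request.Request(
        artifact_url, method="GET", headers={"User-Agent": "anon-access-audit/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_anonymous_response(resp.status)
    except urllib.error.HTTPError as e:
        return classify_anonymous_response(e.code)
    except urllib.error.URLError as e:
        return Finding("INCONCLUSIVE", f"request failed: {e.reason}")


# host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_anonymous_downloads(log_lines, artifact_prefix="/repository/"):
    """Return (host, path, time) for successful unauthenticated artifact GETs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, but consider logging it separately
        anonymous = m["user"] in ("-", "anonymous")
        served = m["status"].startswith("2")
        if anonymous and served and m["method"] == "GET" \
                and m["path"].startswith(artifact_prefix):
            hits.append((m["host"], m["path"], m["time"]))
    return hits


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - alice [23/Jun/2024:10:15:12 +0000] "GET /repository/npm-internal/lodash/-/lodash-4.17.21.tgz HTTP/1.1" 200 - 98765 12 "npm/9.6.7"',
    '203.0.113.9 - - [23/Jun/2024:10:16:40 +0000] "GET /repository/npm-internal/lodash/-/lodash-4.17.21.tgz HTTP/1.1" 200 - 98765 9 "curl/8.2.1"',
    '203.0.113.9 - - [23/Jun/2024:10:17:02 +0000] "GET /repository/maven-releases/com/example/app/1.0/app-1.0.jar HTTP/1.1" 401 - 0 3 "curl/8.2.1"',
    '10.0.0.7 - anonymous [23/Jun/2024:10:18:30 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 - 20 1 "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, path, when in find_anonymous_downloads(SAMPLE_LOG):
        print(f"FAIL: anonymous download of {path} from {host} at {when}")
    # Live probe against a registry you administer (hypothetical URL):
    # print(probe_anonymous_access("https://registry.example.internal/repository/npm-internal/lodash"))
```

Run against the constructed log the scanner reports only the second line: an artifact under /repository/ served with HTTP 200 to a client with no authenticated user. The 401 on the third line is the behaviour this recommendation wants, and the fourth line is ignored because a status endpoint is not an artifact download. A PASS from the live probe is only meaningful when the artifact path is known to exist, which is why a 404 is reported as inconclusive rather than as a pass.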
References:
npm Access Control: https://docs.npmjs.com/using-npm/organizations-and-teams
Sonatype Nexus Repository Access Management: https://help.sonatype.com/repomanager3/security/security-overview
CIS Controls v8, Control 14 - Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know/