Profile Applicability:
Level 1

Description:
User accounts and authentication for the package registry must be managed through centralized identity providers or directory services (e.g., LDAP, Active Directory, SSO) rather than local registry-specific user databases. Centralized user management improves consistency, security, and ease of administration across organizational systems.

Rationale:
Using centralized identity management reduces the risks associated with local credential stores, such as weak passwords, inconsistent policies, and fragmented access controls. It enables unified authentication mechanisms, stronger access policies, and easier user lifecycle management, supporting compliance and security best practices.

Impact:
Pros:

  • Enhances security through unified authentication and authorization.

  • Simplifies user provisioning, de-provisioning, and access reviews.

  • Supports multi-factor authentication and advanced access controls.

  • Improves auditability and compliance posture.

Cons:

  • Requires integration effort and infrastructure for identity providers.

  • Potential dependency on the availability of external identity systems.

Default value:
By default, some package registries use local user management with registry-specific accounts.

Audit:
Verify that package registry user accounts are managed via centralized identity services. Review the registry's authentication configuration to confirm it is bound to the organization's identity provider or SSO, and review access logs for logins by local, registry-specific user accounts.
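
The two audit checks above, carried out as an added example that is not part of this benchmark or of any registry's own tooling: it lists active accounts held in the registry's local user database and flags logins handled by the local authentication realm. The user-record fields (`userId`, `source`, `status`), the `default` source value, the `Local` realm name and the log line format are all assumptions constructed for this example; adapt them to the registry being audited.

```python
import re

# Constructed sample: what a registry's user-listing API might return.
# The "source" field is assumed; "default" denotes a registry-local account.
SAMPLE_USERS = [
    {"userId": "admin", "source": "default", "status": "active"},
    {"userId": "ci-bot", "source": "default", "status": "active"},
    {"userId": "alice", "source": "LDAP", "status": "active"},
    {"userId": "bob", "source": "LDAP", "status": "disabled"},
]

# Constructed sample access log; the line format is assumed for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z LOGIN user=alice realm=LDAP result=SUCCESS
2024-05-01T10:02:13Z LOGIN user=admin realm=Local result=SUCCESS
2024-05-01T10:05:47Z LOGIN user=ci-bot realm=Local result=SUCCESS
2024-05-01T10:07:01Z LOGIN user=mallory realm=Local result=FAILURE
2024-05-01T10:09:30Z LOGIN user=bob realm=LDAP result=FAILURE
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) realm=(?P<realm>\S+) result=(?P<result>\S+)$"
)


def local_accounts(users, local_source="default"):
    """Return ids of active accounts kept in the registry's own user database."""
    return sorted(u["userId"] for u in users
                  if u["source"] == local_source and u["status"] == "active")


def local_realm_logins(log_text, local_realm="Local"):
    """Return (timestamp, user, result) for every login handled by the local realm."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["realm"] == local_realm:
            hits.append((m["ts"], m["user"], m["result"]))
    return hits


def audit(users, log_text):
    """Combine both checks into one list of findings for the access review."""
    findings = [f"local account still active: {u}" for u in local_accounts(users)]
    for ts, user, result in local_realm_logins(log_text):
        findings.append(f"{ts} local-realm login by {user} ({result})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_LOG):
        print(finding)
```

Failed local-realm attempts (here `mallory`) matter as much as successes: they show the local realm is still reachable even after accounts have been migrated.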

Remediation:
Integrate package registries with centralized identity providers or SSO solutions. Disable local user management where possible. Implement consistent access policies and conduct regular access reviews.

References:

  1. GitHub Enterprise Authentication: https://docs.github.com/en/enterprise-server@3.7/admin/authentication

  2. Nexus Repository Manager LDAP Integration: https://help.sonatype.com/repomanager3/security/ldap-integration

  3. CIS Controls v8, Control 6 - Access Control Management: https://www.cisecurity.org/controls/access-control-management/