ArcGIS Enterprise on Kubernetes includes a Python script, kubernetesScan.py, that scans for common security issues. The script is available in the directory where you extracted the deployment package under setup/tools/security.
Python 3.x, including the requests and urllib3 modules, is required to run this script.
Usage
To scan your organization for security best practices, complete the following steps:
- Open a terminal on your Kubernetes client machine.
- Change directories to the setup/tools/security directory.
- Run the kubernetesScan.py script using the following command format:
python3 kubernetesScan.py
The script prompts for input, for example:
Enter ArcGIS Enterprise on Kubernetes hostname [machine.example.com]:
Enter ArcGIS Enterprise on Kubernetes context:
Enter administrator username:
Enter administrator password:
Enter output directory [/setup/tools/security]:
The script checks for problems based on some of the best practices for configuring a secure environment for ArcGIS Enterprise. The script generates an HTML file in the specified output directory. You can open the HTML file to view the results.
Severity levels and criteria
The script analyzes many criteria and configuration properties and divides them into three severity levels: Critical, Important, and Recommended. The following table describes these criteria:
ID | Severity | Property | Description |
---|---|---|---|
ES01 | Critical | Proxy restrictions | Determines whether the portal proxy capability is restricted. By default, the portal proxy server is open to any URL. To mitigate potential Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks, it's recommended that you restrict the portal's proxy capability to approved web addresses. |
ES02 | Critical | Web content filtering | Generates a list of feature services in which the filter web content property is disabled. Disabling this property allows a user to enter any text in the input fields, which exposes the service to potential cross-site scripting (XSS) attacks. This property is enabled by default; do not disable it unless unsupported HTML entities or attributes are required. |
ES03 | Important | Enterprise services directories | Determines whether the ArcGIS Enterprise services directories are accessible through a web browser. Unless users actively use the services directories to search for and find services, disable this property to reduce the chance that your services can be browsed, found in a web search, or queried through HTML forms. This also provides further protection against cross-site scripting (XSS) attacks. |
ES04 | Important | Web communication | Determines whether HTTPS is enabled for ArcGIS Enterprise. To prevent the interception of any communication, it is recommended that you configure ArcGIS Enterprise and the web server hosting the reverse proxy or ArcGIS Web Adaptor (if installed) to enforce SSL encryption. |
ES05 | Recommended | Built-in account sign-up | Determines whether users can click the Create An Account button on the organization sign-up page to create a built-in account. If you're using organization-specific accounts or you want to create all accounts manually, disable this option. |
ES06 | Recommended | Anonymous access | Determines whether anonymous access is allowed. To prevent any user from accessing content without first providing credentials, it's recommended that you configure your organization to disable anonymous access. |
ES07 | Recommended | LDAP identity store | If your organization is configured with an LDAP identity store, this determines whether encrypted communication is used. It is recommended that you use LDAPS for the LDAP URL for users and groups. |
ES08 | Recommended | Ingress controller TLS certificate | Determines whether a self-signed certificate is used by the ingress controller. To help reduce web browser warnings or other unexpected behavior from clients communicating with the portal, it is recommended that you import and use a CA-signed TLS certificate bound to the ingress controller. |
ES09 | Recommended | Cross-domain requests | Determines whether cross-domain (CORS) requests are unrestricted. To reduce the possibility of an unknown application accessing a shared portal item, it is recommended that you restrict cross-domain requests to applications hosted only in trusted domains. |
ES10 | Critical | Federated server administrative URL | Determines whether your federated server's administrator URL is reachable by the portal and whether the TLS certificate used in this URL is trusted. If untrusted or not reachable, many portal functions and operations will fail. |
ES11 | Recommended | Federated server services URL | Determines whether your federated server's services URL is reachable by the portal and whether the SSL certificate used in this URL is trusted. If untrusted or not reachable, the portal will still function but some portal operations may fail. |
ES12 | Recommended | Public content | If your organization is configured so members cannot share content publicly, this will list any items that are still shared with Everyone. |
ES13 | Important | Dynamic workspace | Generates a list of services where the database can be accessed through a dynamic workspace. Unless appropriately safeguarded, this can expose the database and workspace to access by malicious third parties over REST. Enable dynamic workspaces only if the service and the dynamic layer or workspace capability is intended for active use in a web application. In these cases, ensure that the database connection used by the map service to connect to the workspace or database has the least privileges needed for the application, for example, read-only access to only those additional tables within the workspace that are needed. |
ES14 | Recommended | Feature service permissions | Returns a list of feature services that have the update or delete operations enabled and are open to anonymous access. This allows the feature service data to be changed or deleted without authentication. |
ES15 | Important | SAML configuration settings | If your organization is configured to use SAML authentication, this determines whether encrypted assertions and signed requests are enabled. If supported by the identity provider, it is recommended that you configure the portal to require both encrypted assertions and signed requests. |
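
To confirm a fix for the certificate-related findings (ES04, ES08, ES10, ES11) from a client machine, you can probe the endpoint's TLS trust directly. The following is an added example, not part of kubernetesScan.py or the deployment package; the function names and status labels are assumptions, and machine.example.com is the placeholder hostname from the prompts above.

```python
import socket
import ssl

# OpenSSL X509 verification codes exposed by SSLCertVerificationError.verify_code
SELF_SIGNED_CODES = {18, 19}     # self-signed leaf / self-signed cert in chain
UNKNOWN_ISSUER_CODES = {20, 21}  # issuer missing from the local trust store
EXPIRED_CODE = 10
HOSTNAME_MISMATCH_CODE = 62


def classify_verify_code(code):
    """Map an OpenSSL verify code to a short finding label."""
    if code in SELF_SIGNED_CODES:
        return "self-signed"        # relevant to ES08
    if code in UNKNOWN_ISSUER_CODES:
        return "untrusted-issuer"   # relevant to ES10 / ES11
    if code == EXPIRED_CODE:
        return "expired"
    if code == HOSTNAME_MISMATCH_CODE:
        return "hostname-mismatch"
    return "untrusted"


def probe_tls(host, port=443, timeout=5.0, cafile=None):
    """Return (status, detail) for the TLS endpoint at host:port.

    status is 'trusted', a classify_verify_code label,
    'tls-error' (no usable TLS, see ES04) or 'unreachable'.
    Pass cafile to trust only your organization's CA bundle.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # checks chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_code(exc.verify_code), exc.verify_message
    except ssl.SSLError as exc:
        return "tls-error", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    print(probe_tls("machine.example.com"))
```

A result other than `trusted` reflects the trust store of the machine running the probe, so run it from the host whose view matters (for ES10 and ES11, one with the same CA bundle as the portal).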