You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The number of sections on the left sidebar makes the documentation
difficult to navigate. This change reduces the number of sidebar
sections by creating an "Enroll Resources" section from sidebar sections
related to protecting infrastructure resources with Teleport.
This change configures the sidebar for the Enroll Resources section to
be automatically generated. Since the generator expects each
subdirectory of a section to have a corresponding table of contents
page, this change also adds missing table of contents pages.
In some cases, we can repurpose an existing section introduction page
for a section's table of contents page. In other cases, the introduction
spends too much time on providing context to make for a useful table of
contents, so this change adds a separate table of contents page. Table
of contents pages use the `(!toc!)` syntax to list links automatically
based on the file system.
This change also adds redirects based on mentions of Teleport docs URLs
in the Web UI source, and removes all other redirects to avoid exceeding
the maximum number of routes in Vercel.
Copy file name to clipboardexpand all lines: docs/pages/access-controls/compliance-frameworks/soc2.mdx
+8-8
Original file line number
Diff line number
Diff line change
@@ -55,7 +55,7 @@ Each principle has many "Points of Focus" which will apply differently to differ
55
55
| CC6.1 - Manages Points of Access | Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. |[Label Nodes to inventory and create rules](../../management/admin/labels.mdx) <br/><br/> [Create Labels from AWS Tags](../../management/guides/ec2-tags.mdx) <br/><br/>Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
56
56
| CC6.1 - Restricts Access to Information Assets | Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. |[Teleport uses Certificates to grant access and create access control rules](../../core-concepts.mdx)|
57
57
| CC6.1 - Manages Identification and Authentication | Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | Teleport makes setting policies for SSH requirements easy since it works in the cloud and on premise with the same authentication security standards. |
58
-
| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. |[Invite nodes to your cluster with short lived tokens](../../agents/join-services-to-your-cluster/join-token.mdx)|
58
+
| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. |[Invite nodes to your cluster with short lived tokens](../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx)|
59
59
| CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. |
60
60
| CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically |
61
61
| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. |[Request Approval from the command line](../../reference/cli/tctl.mdx#tctl-request-approve) <br/><br/> [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) <br/><br/> [Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx)|
@@ -70,14 +70,14 @@ Each principle has many "Points of Focus" which will apply differently to differ
70
70
| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. |[Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx)|
71
71
| CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. |[Trusted clusters](../../management/admin/trustedclusters.mdx)|
72
72
| CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. |[Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#start-teleport-in-fips-mode)|
73
-
| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. |[Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx) <br/><br/> [Use BPF Session Recording to catch malicious program execution](../../server-access/guides/bpf-session-recording.mdx)|
74
-
| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. |[Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../server-access/guides/bpf-session-recording.mdx)|
73
+
| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. |[Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx) <br/><br/> [Use BPF Session Recording to catch malicious program execution](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
74
+
| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. |[Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
75
75
| CC7.3 - Communicates and Reviews Detected Security Events | Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. |[Use Session recording to replay and review suspicious sessions](../../architecture/session-recording.mdx). |
76
-
| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. |[Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../../server-access/guides/bpf-session-recording.mdx)|
76
+
| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. |[Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
77
77
| CC7.4 - Contains Security Incidents | Procedures are in place to contain security incidents that actively threaten entity objectives. |[Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx) <br/><br/> [Use Shared Sessions so Multiple On-Call Engineers can collaborate and fight fires together.](../../connect-your-client/tsh.mdx#sharing-sessions)|
78
78
| CC7.4 - Ends Threats Posed by Security Incidents | Procedures are in place to mitigate the effects of ongoing security incidents. |[Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx)|
79
79
| CC7.4 - Obtains Understanding of Nature of Incident and Determines Containment Strategy | An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. |[Use Teleport’s Session Recording and Replay along with logs to understand what actions led to an incident.](../../reference/audit.mdx#recorded-sessions)|
80
-
| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. |[Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../../server-access/guides/bpf-session-recording.mdx). |
81
-
| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. |[Use Session recording and audit logs to find patterns that lead to incidents.](../../server-access/guides/bpf-session-recording.mdx)|
82
-
| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. |[Use Session recording and audit logs to find root cause.](../../server-access/guides/bpf-session-recording.mdx)|
83
-
| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. |[Replay Session recordings at your 'after action review' or postmortem meetings](../../server-access/guides/bpf-session-recording.mdx)|
80
+
| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. |[Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../../enroll-resources/server-access/guides/bpf-session-recording.mdx). |
81
+
| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. |[Use Session recording and audit logs to find patterns that lead to incidents.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
82
+
| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. |[Use Session recording and audit logs to find root cause.](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
83
+
| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. |[Replay Session recordings at your 'after action review' or postmortem meetings](../../enroll-resources/server-access/guides/bpf-session-recording.mdx)|
Copy file name to clipboardexpand all lines: docs/pages/access-controls/reference.mdx
+2-2
Original file line number
Diff line number
Diff line change
@@ -70,7 +70,7 @@ user:
70
70
|`pin_source_ip`| Enable source IP pinning for SSH certificates. | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
71
71
|`cert_extensions`| Specifies extensions to be included in SSH certificates ||
72
72
|`create_host_user_mode`| Allow users to be automatically created on a host | Logical "AND" i.e. if all roles matching a server specify host user creation (`off`, `keep`, `insecure-drop`), it will evaluate to the option specified by all of the roles. If some roles specify both `insecure-drop` or `keep` it will evaluate to `keep`|
73
-
|`create_db_user_mode`| Allow [database user auto provisioning](../database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed |
73
+
|`create_db_user_mode`| Allow [database user auto provisioning](../enroll-resources/database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed |
Copy file name to clipboardexpand all lines: docs/pages/access-controls/teleport-policy/policy-integrations.mdx
+1-1
Original file line number
Diff line number
Diff line change
@@ -67,7 +67,7 @@ spec:
67
67
The preset `editor` role has the required permissions by default.
68
68
</Admonition>
69
69
70
-
Teleport can also import and grant access to resources from an Okta organizations, such as user profiles, groups and applications. You can view connection data in Access Graph. Follow the steps here to add an (../../application-access/okta/hosted-guide.mdx) in your cluster.
70
+
Teleport can also import and grant access to resources from an Okta organizations, such as user profiles, groups and applications. You can view connection data in Access Graph. Follow the steps here to add an (../../enroll-resources/application-access/okta/hosted-guide.mdx) in your cluster.
71
71
72
72
## Next steps
73
73
- Explore [connections and resource paths](./policy-connections.mdx) with Access Graph.
0 commit comments