Skip to content

The 45 Teleport security checks Black Cat runs

Black Cat SSPM evaluates 45 security policies against your Teleport configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalRole Has Wildcard Node Labels

Replace the wildcard node label selector with specific labels to enforce least-privilege node access

criticalRole Has Wildcard Database Labels

Replace the wildcard database label selector with specific labels to enforce least-privilege database access

criticalRole Has Wildcard Kubernetes Labels

Replace the wildcard Kubernetes label selector with specific labels to enforce least-privilege cluster access

highRole Has Wildcard App Labels

Replace the wildcard app label selector with specific labels to limit application access

highRole Enables SSH Agent Forwarding

Disable SSH agent forwarding in the role to prevent lateral movement via agent hijacking

highRole Has Unlimited Session TTL

Set a reasonable maximum session TTL in the role to limit the duration of access certificates

highRole Allows Impersonation

Review and restrict impersonation permissions to only those explicitly required

highRole Has Broad Admin RBAC Rules

Restrict the role RBAC rules to specific resources and verbs instead of wildcard access

mediumUser Account Is Locked

Investigate why the user account is locked and take appropriate action

mediumLocal User Has No SSO Identity

Link the local user account to an SSO identity or migrate them to SSO-only authentication

mediumUser Has Excessive Roles

Reduce the number of roles assigned to the user to enforce least-privilege access

highUser Has Admin Role

Review whether the user requires admin-level access and remove it if not justified

highAuth Connector Maps Claims to Admin Role

Restrict SSO role mappings so they do not grant admin roles automatically

mediumAuth Connector Has Broad Claim Mapping

Replace wildcard claim values with specific claim values to restrict role assignments

highAuth Connector Has No Role Mappings

Configure role mappings in the auth connector so SSO users receive appropriate access

mediumGitHub Connector Maps All Teams

Replace the wildcard team mapping with specific GitHub team names to restrict access

criticalToken Uses Static Join Method

Migrate from static token join to a cloud-native join method such as iam or ec2

highToken Has No Expiry

Set an expiry on the provisioning token to limit its validity window

criticalToken Grants Auth System Role

Remove the Auth role from provisioning tokens that are not specifically needed for auth server joining

highToken Grants Admin Role

Remove admin roles from provisioning tokens to prevent privilege escalation via node joining

highTrusted Cluster Has Broad Role Map

Replace the wildcard remote role mapping with specific roles to limit access from the trusted cluster

audit

criticalSession Recording Disabled

Enable session recording to maintain an audit trail of all interactive sessions

mediumSession Recording in Async Mode

Switch from async to sync recording mode to prevent recording loss on node crash

mediumSession Recording in Proxy Mode

Switch from proxy-mode recording to node-mode for end-to-end encrypted session recordings

highProxy Host Key Checks Disabled

Enable proxy host key checks to prevent man-in-the-middle attacks on recorded sessions

criticalRole Disables Session Recording

Remove the session recording override that disables recording in this role

mediumAudit Log Using Local Filesystem Storage

Configure a remote audit log backend such as DynamoDB, Firestore, or S3 to ensure log durability

authentication

criticalCluster MFA Disabled

Enable at least one second factor in the cluster authentication preference

highSession MFA Not Enforced

Enable require_session_mfa in the cluster authentication preference

mediumTOTP Without WebAuthn

Add WebAuthn as a second factor alongside TOTP to provide phishing-resistant MFA

mediumLocal Auth Enabled With SSO

Disable local authentication when SSO is configured to enforce centralized identity

mediumPasswordless Without Hardware Key Policy

Set a hardware key policy when passwordless authentication is enabled

highAdmin Action MFA Not Enforced

Enable MFA enforcement for admin actions to protect privileged operations

mediumExpired Certificate Disconnect Disabled

Enable automatic session disconnect when certificates expire

lowDevice Trust Disabled

Enable device trust mode to restrict access to managed corporate devices

mediumRole Does Not Require Session MFA

Enable per-session MFA in the role options to require MFA before each session

highLocal User Has No MFA Device

Require the user to register an MFA device to protect their account

lowUser Uses Only TOTP for MFA

Encourage the user to register a WebAuthn hardware key as a stronger MFA option

configuration

lowTrusted Cluster Is Disabled

Remove disabled trusted cluster configurations that are no longer in use

mediumNo Client Idle Timeout Configured

Set a client idle timeout to automatically disconnect inactive sessions

mediumNode Running Outdated Teleport Version

Upgrade the Teleport agent on the node to a supported version (v15 or later)

encryption

highDatabase Configured Without TLS

Configure TLS on the database connection to encrypt data in transit

highApplication Has TLS Verification Disabled

Enable TLS certificate verification for the application to prevent man-in-the-middle attacks

network security

mediumNo Network Restrictions Configured

Configure allow or deny CIDR rules to restrict Teleport access to expected IP ranges

highOverly Broad Network Allow Rule

Replace the all-IP allow CIDR with specific IP ranges to restrict network access

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial