The 45 Teleport security checks Black Cat runs
Black Cat SSPM evaluates 45 security policies against your Teleport configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Replace the wildcard node label selector with specific labels to enforce least-privilege node access
Replace the wildcard database label selector with specific labels to enforce least-privilege database access
Replace the wildcard Kubernetes label selector with specific labels to enforce least-privilege cluster access
Replace the wildcard app label selector with specific labels to limit application access
Disable SSH agent forwarding in the role to prevent lateral movement via agent hijacking
Set a reasonable maximum session TTL in the role to limit the duration of access certificates
Review and restrict impersonation permissions to only those explicitly required
Restrict the role RBAC rules to specific resources and verbs instead of wildcard access
Investigate why the user account is locked and take appropriate action
Link the local user account to an SSO identity or migrate them to SSO-only authentication
Reduce the number of roles assigned to the user to enforce least-privilege access
Review whether the user requires admin-level access and remove it if not justified
Restrict SSO role mappings so they do not grant admin roles automatically
Replace wildcard claim values with specific claim values to restrict role assignments
Configure role mappings in the auth connector so SSO users receive appropriate access
Replace the wildcard team mapping with specific GitHub team names to restrict access
Migrate from static token join to a cloud-native join method such as iam or ec2
Set an expiry on the provisioning token to limit its validity window
Remove the Auth role from provisioning tokens that are not specifically needed for auth server joining
Remove admin roles from provisioning tokens to prevent privilege escalation via node joining
Replace the wildcard remote role mapping with specific roles to limit access from the trusted cluster
audit
Enable session recording to maintain an audit trail of all interactive sessions
Switch from async to sync recording mode to prevent recording loss on node crash
Switch from proxy-mode recording to node-mode for end-to-end encrypted session recordings
Enable proxy host key checks to prevent man-in-the-middle attacks on recorded sessions
Remove the session recording override that disables recording in this role
Configure a remote audit log backend such as DynamoDB, Firestore, or S3 to ensure log durability
authentication
Enable at least one second factor in the cluster authentication preference
Enable require_session_mfa in the cluster authentication preference
Add WebAuthn as a second factor alongside TOTP to provide phishing-resistant MFA
Disable local authentication when SSO is configured to enforce centralized identity
Set a hardware key policy when passwordless authentication is enabled
Enable MFA enforcement for admin actions to protect privileged operations
Enable automatic session disconnect when certificates expire
Enable device trust mode to restrict access to managed corporate devices
Enable per-session MFA in the role options to require MFA before each session
Require the user to register an MFA device to protect their account
Encourage the user to register a WebAuthn hardware key as a stronger MFA option
configuration
Remove disabled trusted cluster configurations that are no longer in use
Set a client idle timeout to automatically disconnect inactive sessions
Upgrade the Teleport agent on the node to a supported version (v15 or later)
encryption
Configure TLS on the database connection to encrypt data in transit
Enable TLS certificate verification for the application to prevent man-in-the-middle attacks
network security
Configure allow or deny CIDR rules to restrict Teleport access to expected IP ranges
Replace the all-IP allow CIDR with specific IP ranges to restrict network access