mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-04-28 19:41:17 +00:00
fd39196166
- Refactor specialized docs for conciseness and clarity - Rename files to UPPER_CASE.md convention - Verify accuracy against codebase - Fix broken links
1.7 KiB
1.7 KiB
🛡️ Sensor Proxy Hardening
The pulse-sensor-proxy runs on the host to securely collect temperatures, keeping SSH keys out of containers.
🏗️ Architecture
- Host: Runs
pulse-sensor-proxy(unprivileged user). - Container: Connects via Unix socket (
/run/pulse-sensor-proxy/pulse-sensor-proxy.sock). - Auth: Uses
SO_PEERCREDto verify container UID/PID.
🔒 Host Hardening
Service Account
Runs as pulse-sensor-proxy (no shell, no home).
id pulse-sensor-proxy # uid=XXX(pulse-sensor-proxy)
Systemd Security
The service unit uses:
User=pulse-sensor-proxyNoNewPrivileges=trueProtectSystem=strictPrivateTmp=true
File Permissions
| Path | Owner | Mode |
|---|---|---|
/var/lib/pulse-sensor-proxy/ |
pulse-sensor-proxy |
0750 |
/var/lib/pulse-sensor-proxy/ssh/ |
pulse-sensor-proxy |
0700 |
/run/pulse-sensor-proxy/ |
pulse-sensor-proxy |
0775 |
📦 LXC Configuration
Required for the container to access the proxy socket.
/etc/pve/lxc/<VMID>.conf:
unprivileged: 1
lxc.apparmor.profile: generated
lxc.mount.entry: /run/pulse-sensor-proxy mnt/pulse-proxy none bind,create=dir 0 0
🔑 Key Management
SSH keys are restricted to sensors -j only.
Rotation:
/opt/pulse/scripts/pulse-sensor-proxy-rotate-keys.sh
- Dry Run: Add
--dry-run. - Rollback: Add
--rollback.
🚨 Incident Response
If compromised:
- Stop Proxy:
systemctl stop pulse-sensor-proxy. - Rotate Keys: Remove old keys from nodes manually or use
pulse-sensor-proxy-rotate-keys.sh. - Audit Logs: Check
journalctl -u pulse-sensor-proxy. - Reinstall: Run
/opt/pulse/scripts/install-sensor-proxy.sh.