Pulse/docs/security/TEMPERATURE_MONITORING.md
courtmanr@gmail.com fd39196166 refactor: finalize documentation overhaul
- Refactor specialized docs for conciseness and clarity
- Rename files to UPPER_CASE.md convention
- Verify accuracy against codebase
- Fix broken links
2025-11-25 00:45:20 +00:00

🌡️ Temperature Monitoring Security

Secure architecture for collecting hardware temperatures.

🛡️ Security Model

  • Isolation: SSH keys live on the host, not in the container.
  • Least Privilege: Proxy runs as pulse-sensor-proxy (no shell).
  • Verification: Container identity verified via SO_PEERCRED.
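How a Unix-socket server can read the caller's kernel-recorded identity with SO_PEERCRED before acting on a request. This is an added example, not code from the Pulse project: the function names `peerCred`, `authorize` and `selfPeer` and the UID allow-list policy are assumptions, and an in-process socket pair stands in for the real proxy socket. Linux only.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// peerCred returns the pid/uid/gid the kernel recorded for the peer (Linux SO_PEERCRED); the client cannot set them.
func peerCred(c *net.UnixConn) (cred *syscall.Ucred, err error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return nil, err
	}
	ctlErr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	})
	if ctlErr != nil {
		return nil, ctlErr
	}
	return cred, err
}

// authorize is a hypothetical allow-list policy (an assumption, not Pulse's rule set). Fails closed on nil.
func authorize(cred *syscall.Ucred, allowedUIDs map[uint32]bool) bool {
	return cred != nil && allowedUIDs[cred.Uid]
}

// selfPeer builds a connected socket pair in this process (constructed stand-in) and reads the peer credentials.
func selfPeer() (*syscall.Ucred, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	defer syscall.Close(fds[1])
	f := os.NewFile(uintptr(fds[0]), "proxy-end")
	defer f.Close()
	conn, err := net.FileConn(f) // duplicates the descriptor; f is closed separately
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return peerCred(conn.(*net.UnixConn)) // an AF_UNIX stream socket always yields *net.UnixConn
}

func main() {
	fmt.Println(selfPeer())
}
```

In a real server the same `peerCred` call goes on each accepted connection, and the returned uid and pid are the values to write to the audit log.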

🏗️ Components

  1. Pulse Backend: Connects to Unix socket /mnt/pulse-proxy/pulse-sensor-proxy.sock.
  2. Sensor Proxy: Validates request, executes SSH to node.
  3. Target Node: Accepts SSH key restricted to sensors -j.

🔒 Key Restrictions

SSH keys deployed to nodes are locked down:

command="sensors -j",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

🚦 Rate Limiting

  • Per Peer: ~12 req/min.
  • Concurrency: Max 2 parallel requests per peer.
  • Global: Max 8 concurrent requests.

📝 Auditing

All requests logged to system journal:

journalctl -u pulse-sensor-proxy

Logs include: uid, pid, method, node, correlation_id.