vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-29 12:00:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/docs/security/pulse-sensor-proxy-hardening.md
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening 
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

1.9 KiB
Raw Blame History

Pulse Sensor Proxy AppArmor & Seccomp Hardening

AppArmor Profile

  • Profile path: security/apparmor/pulse-sensor-proxy.apparmor
  • Grants read-only access to configs, logs, SSH keys, and binaries; allows outbound TCP/SSH; blocks raw sockets, module loading, ptrace, and absolute command execution outside the allowlist.

Installation

sudo install -m 0644 security/apparmor/pulse-sensor-proxy.apparmor /etc/apparmor.d/pulse-sensor-proxy
sudo apparmor_parser -r /etc/apparmor.d/pulse-sensor-proxy
sudo ln -sf /etc/apparmor.d/pulse-sensor-proxy /etc/apparmor.d/force-complain/pulse-sensor-proxy  # optional staged mode
sudo systemctl restart apparmor

Enforce Mode

sudo aa-enforce pulse-sensor-proxy

Monitor /var/log/syslog for DENIED events and update the profile as needed.

Seccomp Filter

  • OCI-style profile: security/seccomp/pulse-sensor-proxy.json
  • Allows standard Go runtime syscalls, network operations, file IO, and execve for whitelisted helpers; other syscalls return EPERM.

Apply via systemd (classic service)

Add to the override:

[Service]
AppArmorProfile=pulse-sensor-proxy
RestrictNamespaces=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native
SystemCallAllow=accept;connect;recvfrom;sendto;recvmsg;sendmsg;sendmmsg;getsockname;getpeername;getsockopt;setsockopt;shutdown

Reload and restart:

sudo systemctl daemon-reload
sudo systemctl restart pulse-sensor-proxy

Apply seccomp JSON (containerised deployments)

  • Profile: security/seccomp/pulse-sensor-proxy.json
  • Use with Podman/Docker style runtimes:
podman run --seccomp-profile /opt/pulse/security/seccomp/pulse-sensor-proxy.json ...

Operational Notes

  • Use journalctl -t auditbeat -g pulse-sensor-proxy or aa-status to confirm profile status.
  • Pair with network ACLs (see docs/security/pulse-sensor-proxy-network.md) and log shipping (scripts/setup-log-forwarding.sh).