vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-29 20:10:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/security/apparmor/pulse-sensor-proxy.apparmor
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening 
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

75 lines
1.6 KiB
Text
Raw Blame History

#include <tunables/global>
profile pulse-sensor-proxy /opt/pulse/sensor-proxy/bin/pulse-sensor-proxy flags=(attach_disconnected,mediate_deleted) {
capability chown,
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
network unix stream,
deny network raw,
@{PROC}/@{pid}/fd/** r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/status r,
/opt/pulse/sensor-proxy/bin/pulse-sensor-proxy mr,
/opt/pulse/sensor-proxy/bin/* mr,
/opt/pulse/sensor-proxy/.ssh/** rwk,
/opt/pulse/sensor-proxy/etc/** r,
/opt/pulse/sensor-proxy/** r,
/var/log/pulse/sensor-proxy/** rw,
/run/pulse-sensor-proxy/** rw,
/etc/hosts r,
/etc/hostname r,
/etc/resolv.conf r,
/etc/pulse-sensor-proxy/** r,
/usr/bin/ssh mr,
/usr/bin/socat mr,
/usr/bin/sensors mr,
/usr/sbin/ipmitool mr,
/bin/bash mr,
/bin/sh mr,
/bin/cat mr,
/bin/echo mr,
/usr/bin/tee mr,
/usr/lib/** mr,
/lib/** mr,
deny /etc/shadow rwl,
deny /root/** rwxl,
ptrace (read) peer=pulse-sensor-proxy,
signal (receive) set=(hup term int usr1 usr2),
signal (send) set=(term) peer=pulse-sensor-proxy,
/usr/bin/ssh ixr,
/usr/bin/sensors ixr,
/usr/sbin/ipmitool ixr,
/bin/sh ixr,
/bin/cat ixr,
/bin/echo ixr,
/usr/bin/tee ixr,
deny mount,
deny ptrace,
deny sys_module,
deny sys_rawio,
deny sys_admin,
@{HOME}/.cache/** rw,
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/user-tmp>
}
Reference in a new issue View git blame Copy permalink