Pulse/docs/security/SENSOR_PROXY_APPARMOR.md
courtmanr@gmail.com fd39196166 refactor: finalize documentation overhaul
- Refactor specialized docs for conciseness and clarity
- Rename files to UPPER_CASE.md convention
- Verify accuracy against codebase
- Fix broken links
2025-11-25 00:45:20 +00:00

🛡️ Sensor Proxy Hardening

Confine pulse-sensor-proxy with an AppArmor profile and a seccomp syscall filter. The two are complementary: AppArmor mediates which files, capabilities and network operations the process may use; seccomp restricts which system calls it may make at all.

🛡️ AppArmor

Profile: security/apparmor/pulse-sensor-proxy.apparmor

  • Allows: Configs, logs, SSH keys, outbound TCP/SSH.
  • Blocks: Raw sockets, module loading, ptrace, exec outside allowlist.

Install & Enforce

sudo install -m 0644 security/apparmor/pulse-sensor-proxy.apparmor /etc/apparmor.d/pulse-sensor-proxy
sudo apparmor_parser -r /etc/apparmor.d/pulse-sensor-proxy
sudo aa-enforce pulse-sensor-proxy

Then restart the service. AppArmor attaches a profile at exec time, so a pulse-sensor-proxy that was already running stays unconfined until it is re-executed. The name given to aa-enforce (and to AppArmorProfile= below) is the profile name declared inside the file, not the file name, should the two ever differ.

🔒 Seccomp

Profile: security/seccomp/pulse-sensor-proxy.json

  • Allows: Go runtime syscalls, network, file IO.
  • Blocks: Everything else; a filtered syscall fails with EPERM instead of terminating the process.

Systemd (Classic)

Add to a drop-in override for the unit (systemctl edit pulse-sensor-proxy):

[Service]
AppArmorProfile=pulse-sensor-proxy
SystemCallFilter=@system-service
SystemCallFilter=accept connect recvfrom sendto recvmsg sendmsg sendmmsg getsockname getpeername getsockopt setsockopt shutdown
SystemCallErrorNumber=EPERM

There is no SystemCallAllow= directive in systemd; additional syscalls go on a further SystemCallFilter= line, separated by spaces (allow-list lines are merged). The socket calls listed are already part of @network-io, which @system-service includes, so the second line is redundant and only documents what the proxy needs. SystemCallErrorNumber=EPERM makes a filtered call fail the same way the seccomp JSON profile does; without it systemd terminates the process with SIGSYS on the first filtered syscall.

Containers (Docker/Podman)

podman run --security-opt seccomp=/opt/pulse/security/seccomp/pulse-sensor-proxy.json ...

Docker and Podman both take a custom seccomp profile through --security-opt seccomp=<path>; neither has a --seccomp-profile flag. The AppArmor profile is applied to a container the same way, with --security-opt apparmor=pulse-sensor-proxy, once it has been loaded on the host as above.

🔍 Verification

aa-status lists loaded profiles by mode; pulse-sensor-proxy must appear under the enforce-mode section, not complain. That only proves the profile is loaded. To confirm the running service is confined, read /proc/<MainPID>/attr/current, which prints "pulse-sensor-proxy (enforce)" for a confined process and "unconfined" otherwise. Denials go through the audit subsystem: with auditd/auditbeat running, query journalctl -t auditbeat; without an audit daemon they land in the kernel log (journalctl -k) as lines containing apparmor="DENIED". Seccomp rejections return EPERM silently and produce no AppArmor-style log line, so an unexplained "operation not permitted" from the proxy is worth checking against the syscall allow-list.
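A script that performs these checks against the running service, added here as an example and not part of the Pulse repository. It assumes the systemd unit and the AppArmor profile are both called pulse-sensor-proxy (SERVICE= and PROFILE= override this); the inputs used in its self-checks are constructed. It distinguishes "profile loaded" (/sys/kernel/security/apparmor/profiles) from "process confined" (/proc/<pid>/attr/current), and reads the Seccomp field of /proc/<pid>/status, which is 2 when a BPF filter is installed.

```shell
#!/bin/sh
# Added example, not part of the Pulse repository: confirm the hardening
# above applies to the *running* pulse-sensor-proxy, not just to the
# profile list. Assumptions: the systemd unit and the AppArmor profile are
# both named pulse-sensor-proxy (override with SERVICE= and PROFILE=).
set -eu

SERVICE="${SERVICE:-pulse-sensor-proxy}"
PROFILE="${PROFILE:-pulse-sensor-proxy}"

# $1: contents of /sys/kernel/security/apparmor/profiles, one "name (mode)"
#     per line.  $2: profile name.
# Succeeds only if the profile is loaded AND in enforce mode; complain mode
# logs violations but blocks nothing.
profile_enforced() {
  printf '%s\n' "$1" | grep -qxF "$2 (enforce)"
}

# $1: contents of /proc/<pid>/attr/current, e.g. "pulse-sensor-proxy (enforce)"
#     or "unconfined".  $2: expected profile name.
# A profile loaded after the service started does not confine it (AppArmor
# attaches at exec), which is exactly the case this check catches.
process_confined() {
  [ "$1" = "$2 (enforce)" ]
}

# $1: contents of /proc/<pid>/status.  Prints the Seccomp field:
# 0 = no filter, 1 = strict mode, 2 = filter (BPF) mode.  Both the JSON
# profile and systemd's SystemCallFilter= install a BPF filter, so 2 is
# the expected value.
seccomp_mode() {
  printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# Summarise one process.  $1: attr/current, $2: status, $3: profile name.
# Prints "ok" when both controls are active, otherwise "missing: ..." naming
# the controls that are not in effect.
confinement_report() {
  missing=""
  process_confined "$1" "$3" || missing="$missing apparmor"
  [ "$(seccomp_mode "$2")" = 2 ] || missing="$missing seccomp"
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Live check against the running unit.  Needs root to read another
# process's attr/current and the kernel's profile list.
verify_live() {
  pid="$(systemctl show -p MainPID --value "$SERVICE")"
  if [ -z "$pid" ] || [ "$pid" = 0 ]; then
    echo "$SERVICE is not running" >&2
    return 1
  fi
  if profile_enforced "$(cat /sys/kernel/security/apparmor/profiles)" "$PROFILE"; then
    echo "profile $PROFILE: loaded in enforce mode"
  else
    echo "profile $PROFILE: not loaded in enforce mode (rerun apparmor_parser/aa-enforce)" >&2
  fi
  report="$(confinement_report "$(cat "/proc/$pid/attr/current")" \
                               "$(cat "/proc/$pid/status")" "$PROFILE")"
  echo "pid $pid: $report"
  [ "$report" = ok ]
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then verify_live; fi
```

Run it as root with --live after restarting the service; without the flag it only defines the functions. A result of "missing: apparmor" while aa-status already shows the profile in enforce mode is the tell-tale of a profile loaded after the proxy started.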