mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-04-28 11:30:15 +00:00
fd39196166
- Refactor specialized docs for conciseness and clarity - Rename files to UPPER_CASE.md convention - Verify accuracy against codebase - Fix broken links
31 lines
1 KiB
Markdown
31 lines
1 KiB
Markdown
# 🌡️ Temperature Monitoring Security
|
|
|
|
Secure architecture for collecting hardware temperatures.
|
|
|
|
## 🛡️ Security Model
|
|
* **Isolation**: SSH keys live on the host, not in the container.
|
|
* **Least Privilege**: Proxy runs as `pulse-sensor-proxy` (no shell).
|
|
* **Verification**: Container identity verified via `SO_PEERCRED`.
|
|
|
|
## 🏗️ Components
|
|
1. **Pulse Backend**: Connects to Unix socket `/mnt/pulse-proxy/pulse-sensor-proxy.sock`.
|
|
2. **Sensor Proxy**: Validates request, executes SSH to node.
|
|
3. **Target Node**: Accepts SSH key restricted to `sensors -j`.
|
|
|
|
## 🔒 Key Restrictions
|
|
SSH keys deployed to nodes are locked down:
|
|
```
|
|
command="sensors -j",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
|
|
```
|
|
|
|
## 🚦 Rate Limiting
|
|
* **Per Peer**: ~12 req/min.
|
|
* **Concurrency**: Max 2 parallel requests per peer.
|
|
* **Global**: Max 8 concurrent requests.
|
|
|
|
## 📝 Auditing
|
|
All requests logged to system journal:
|
|
```bash
|
|
journalctl -u pulse-sensor-proxy
|
|
```
|
|
Logs include: `uid`, `pid`, `method`, `node`, `correlation_id`.
|