Implements comprehensive security hardening for pulse-sensor-proxy: - Privilege drop from root to unprivileged user (UID 995) - Hash-chained tamper-evident audit logging with remote forwarding - Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps - Enhanced command validation with 10+ attack pattern tests - Fuzz testing (7M+ executions, 0 crashes) - SSH hardening, AppArmor/seccomp profiles, operational runbooks All 27 Phase 1 tasks complete. Ready for production deployment.
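#!/usr/bin/env bash
#
# Writes an sshd drop-in that disables password/keyboard-interactive auth,
# root login and all forwarding, and pins every session to a forced command.
# The drop-in is validated with `sshd -t` and rolled back if validation
# fails, so a bad file is never left behind for the next sshd restart.
#
# Environment:
#   FORCE_COMMAND  absolute path of the executable sshd must run for every
#                  session (default: /opt/pulse/bin/sensor-proxy-wrapper)
#
# NOTE(review): the directives below are written at global scope, not inside
# a `Match` block, so ForceCommand and PermitRootLogin apply to every account
# on the host, including interactive administrator logins. Confirm that this
# is intended for the target host before running it.

set -euo pipefail

FORCE_COMMAND="${FORCE_COMMAND:-/opt/pulse/bin/sensor-proxy-wrapper}"
CONF_PATH="/etc/ssh/sshd_config.d/pulse-sensor-proxy.conf"

# The value is written verbatim into sshd_config. A control character (in
# particular a newline) would let it carry additional directives.
if [[ "$FORCE_COMMAND" == *[[:cntrl:]]* ]]; then
  echo "Error: FORCE_COMMAND contains control characters" >&2
  exit 1
fi

# sshd runs the forced command through the login shell of the connecting
# user, so a relative path would not resolve to the file checked here.
if [[ "$FORCE_COMMAND" != /* ]]; then
  echo "Error: FORCE_COMMAND '$FORCE_COMMAND' must be an absolute path" >&2
  exit 1
fi

# -x alone is also true for a searchable directory; require a regular file.
if [[ ! -f "$FORCE_COMMAND" || ! -x "$FORCE_COMMAND" ]]; then
  echo "Error: FORCE_COMMAND '$FORCE_COMMAND' not found or not executable" >&2
  exit 1
fi

TMP_CONF=""
BACKUP_CONF=""

cleanup() {
  rm -f -- "$TMP_CONF" "$BACKUP_CONF"
}
trap cleanup EXIT

TMP_CONF="$(mktemp)"

cat >"$TMP_CONF" <<EOF
# Hardening for Pulse sensor proxy access
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitUserEnvironment no
ForceCommand $FORCE_COMMAND
EOF

# Keep the previous drop-in (if any) so a failed validation can restore it.
if [[ -e "$CONF_PATH" ]]; then
  BACKUP_CONF="$(mktemp)"
  cp -p -- "$CONF_PATH" "$BACKUP_CONF"
fi

install -o root -g root -m 0644 "$TMP_CONF" "$CONF_PATH"

# Validate the complete configuration before touching the running daemon.
# On failure, put the previous state back instead of leaving a file that
# would stop sshd from starting after the next restart or reboot.
if ! sshd -t; then
  echo "Error: sshd rejected the new configuration; rolling back $CONF_PATH" >&2
  if [[ -n "$BACKUP_CONF" ]]; then
    cp -p -- "$BACKUP_CONF" "$CONF_PATH"
  else
    rm -f -- "$CONF_PATH"
  fi
  exit 1
fi

systemctl reload sshd

echo "sshd hardening applied to $CONF_PATH"

# Verification
# sshd keeps the FIRST value it reads for each keyword, so a drop-in that is
# included earlier (or a line in sshd_config above the Include) can override
# this file. Print the effective values rather than trusting the file.
echo "Verifying hardening settings:"
effective="$(sshd -T || true)"
grep -E '^(passwordauthentication|kbdinteractiveauthentication|permitrootlogin|allowagentforwarding|allowtcpforwarding|x11forwarding|permittunnel|permituserenvironment|forcecommand) ' <<<"$effective" || true

if ! grep -Fxq -- "forcecommand $FORCE_COMMAND" <<<"$effective"; then
  echo "Warning: effective ForceCommand is not '$FORCE_COMMAND'; an earlier sshd_config entry may take precedence over $CONF_PATH" >&2
fi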