gitea-mirror/Pulse
1
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-02-18 00:17:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
160adeb3b8fd39411d74112e8b0a4e1995a02da9
Pulse/docs/security/pulse-sensor-proxy-network.md
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening 
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

3.8 KiB
Raw Blame History

Pulse Sensor Proxy Network Segmentation

Overview

  • Proxy host collects temperatures via SSH from Proxmox nodes and serves a Unix socket to the Pulse stack.
  • Goals: isolate the proxy from production hypervisors, prevent lateral movement, and ensure log forwarding/audit channels remain available.

Zones & Connectivity

  • Pulse Application Zone (AZ-Pulse)
    • Hosts Pulse backend/frontend containers.
    • Allowed to reach the proxy over Unix socket (local) or loopback if containerised via socat.
  • Sensor Proxy Zone (AZ-Sensor)
    • Dedicated VM/bare-metal host running pulse-sensor-proxy.
    • Maintains outbound SSH to Proxmox management interfaces only.
  • Proxmox Management Zone (AZ-Proxmox)
    • Hypervisors / BMCs reachable on tcp/22 (SSH) and optional IPMI UDP.
  • Logging/Monitoring Zone (AZ-Logging)
    • Receives forwarded audit/application logs (e.g. RELP/TLS on tcp/6514).
    • Exposes Prometheus scrape port (default tcp/9456) if remote monitoring required.

Recommended Firewall Rules

Source Zone Destination Zone Protocol/Port Purpose Action
AZ-Pulse (localhost) AZ-Sensor (Unix socket) unix RPC requests from Pulse Allow (local only)
AZ-Sensor AZ-Proxmox nodes tcp/22 SSH for sensors/ipmitool wrapper Allow (restricted to node list)
AZ-Sensor AZ-Proxmox BMC udp/623 (optional) IPMI if required for temperature data Allow if needed
AZ-Proxmox AZ-Sensor any Return SSH traffic Allow stateful
AZ-Sensor AZ-Logging tcp/6514 (TLS RELP) Audit/application log forwarding Allow
AZ-Logging AZ-Sensor tcp/9456 (optional) Prometheus scrape of proxy metrics Allow if scraping remotely
Any AZ-Sensor tcp/22 Shell/SSH access Deny (use management bastion)
AZ-Sensor Internet any Outbound Internet Deny (except package mirrors via proxy if required)

Implementation Steps

  1. Place proxy host in dedicated subnet/VLAN with ACLs enforcing the table above.
  2. Populate /etc/hosts or routing so proxy resolves Proxmox nodes to management IPs only (no public networks).
  3. Configure iptables/nftables on proxy: 
    # Allow SSH to Proxmox nodes
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET>/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <PROXMOX_SUBNET>/24 --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow log forwarding
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <LOG_HOST> --sport 6514 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# (Optional) allow Prometheus scrape
iptables -A INPUT -p tcp -s <SCRAPE_HOST> --dport 9456 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d <SCRAPE_HOST> --sport 9456 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Drop everything else
iptables -P OUTPUT DROP
iptables -P INPUT DROP
  4. Deny inbound SSH to proxy except via management bastion: block tcp/22 or whitelist bastion IPs.
  5. Ensure log-forwarding TLS certificates are rotated and stored under /etc/pulse/log-forwarding.

Monitoring & Alerting

  • Alert if proxy initiates connections outside permitted subnets (Netflow or host firewall counters).
  • Monitor pulse_proxy_limiter_* metrics for unusual rate-limit hits that might signal abuse.
  • Track audit_log forwarding queue depth and remote availability; on failure, emit alert via rsyslog action queue (set action.resumeRetryCount=-1 already).

Change Management

  • Document node IP changes and update firewall objects (PROXMOX_NODES) before redeploying certificates.
  • Capture segmentation in infrastructure-as-code (e.g. Terraform/security group definitions) to avoid drift.