gitea-mirror/Pulse
1
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-02-19 07:50:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5d165fc055ee0d02a9d02c46fd17a023214c816c
Pulse/security/seccomp/pulse-sensor-proxy.json
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening 
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

103 lines
1.8 KiB
JSON
Raw Blame History

{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
"accept",
"accept4",
"access",
"bind",
"brk",
"capget",
"capset",
"chdir",
"chmod",
"chown",
"clock_gettime",
"close",
"connect",
"dup",
"dup2",
"epoll_create1",
"epoll_ctl",
"epoll_wait",
"eventfd2",
"execve",
"exit",
"exit_group",
"fchmod",
"fchown",
"fcntl",
"fdatasync",
"fstat",
"fsync",
"ftruncate",
"futex",
"getdents64",
"getegid",
"geteuid",
"getgid",
"getpeername",
"getpid",
"getppid",
"getrandom",
"getrlimit",
"getsockname",
"getsockopt",
"gettid",
"getuid",
"ioctl",
"lseek",
"madvise",
"mkdir",
"mmap",
"mprotect",
"munmap",
"newfstatat",
"open",
"openat",
"pipe2",
"prctl",
"pread64",
"pwrite64",
"read",
"readlink",
"recvfrom",
"recvmmsg",
"recvmsg",
"rename",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sendmmsg",
"sendmsg",
"sendto",
"setgid",
"setgroups",
"setrlimit",
"setsid",
"setsockopt",
"setuid",
"shutdown",
"sigaltstack",
"socket",
"socketpair",
"stat",
"statx",
"symlink",
"tgkill",
"unlink",
"unlinkat",
"wait4",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW"
}
]
}
Reference in New Issue View Git Blame Copy Permalink