mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-02-19 07:50:43 +01:00
Implements comprehensive security hardening for pulse-sensor-proxy: - Privilege drop from root to unprivileged user (UID 995) - Hash-chained tamper-evident audit logging with remote forwarding - Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps - Enhanced command validation with 10+ attack pattern tests - Fuzz testing (7M+ executions, 0 crashes) - SSH hardening, AppArmor/seccomp profiles, operational runbooks All 27 Phase 1 tasks complete. Ready for production deployment.
103 lines
1.8 KiB
JSON
103 lines
1.8 KiB
JSON
{
|
|
"defaultAction": "SCMP_ACT_ERRNO",
|
|
"architectures": [
|
|
"SCMP_ARCH_X86_64",
|
|
"SCMP_ARCH_AARCH64"
|
|
],
|
|
"syscalls": [
|
|
{
|
|
"names": [
|
|
"accept",
|
|
"accept4",
|
|
"access",
|
|
"bind",
|
|
"brk",
|
|
"capget",
|
|
"capset",
|
|
"chdir",
|
|
"chmod",
|
|
"chown",
|
|
"clock_gettime",
|
|
"close",
|
|
"connect",
|
|
"dup",
|
|
"dup2",
|
|
"epoll_create1",
|
|
"epoll_ctl",
|
|
"epoll_wait",
|
|
"eventfd2",
|
|
"execve",
|
|
"exit",
|
|
"exit_group",
|
|
"fchmod",
|
|
"fchown",
|
|
"fcntl",
|
|
"fdatasync",
|
|
"fstat",
|
|
"fsync",
|
|
"ftruncate",
|
|
"futex",
|
|
"getdents64",
|
|
"getegid",
|
|
"geteuid",
|
|
"getgid",
|
|
"getpeername",
|
|
"getpid",
|
|
"getppid",
|
|
"getrandom",
|
|
"getrlimit",
|
|
"getsockname",
|
|
"getsockopt",
|
|
"gettid",
|
|
"getuid",
|
|
"ioctl",
|
|
"lseek",
|
|
"madvise",
|
|
"mkdir",
|
|
"mmap",
|
|
"mprotect",
|
|
"munmap",
|
|
"newfstatat",
|
|
"open",
|
|
"openat",
|
|
"pipe2",
|
|
"prctl",
|
|
"pread64",
|
|
"pwrite64",
|
|
"read",
|
|
"readlink",
|
|
"recvfrom",
|
|
"recvmmsg",
|
|
"recvmsg",
|
|
"rename",
|
|
"rt_sigaction",
|
|
"rt_sigprocmask",
|
|
"rt_sigreturn",
|
|
"sendmmsg",
|
|
"sendmsg",
|
|
"sendto",
|
|
"setgid",
|
|
"setgroups",
|
|
"setrlimit",
|
|
"setsid",
|
|
"setsockopt",
|
|
"setuid",
|
|
"shutdown",
|
|
"sigaltstack",
|
|
"socket",
|
|
"socketpair",
|
|
"stat",
|
|
"statx",
|
|
"symlink",
|
|
"tgkill",
|
|
"unlink",
|
|
"unlinkat",
|
|
"wait4",
|
|
"write",
|
|
"writev"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
}
|
|
]
|
|
}
|