gitea-mirror/Pulse
1
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-02-18 00:17:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
615cb129dfcfefff54d7e8b558d648301a9d6ea3
Pulse/scripts/setup-log-forwarding.sh
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening 
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

63 lines
1.6 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
if [[ $EUID -ne 0 ]]; then
echo "Run as root" >&2
exit 1
fi
REMOTE_HOST=${REMOTE_HOST:-logs.pulse.example}
REMOTE_PORT=${REMOTE_PORT:-6514}
CERT_DIR=${CERT_DIR:-/etc/pulse/log-forwarding}
CA_CERT=${CA_CERT:-$CERT_DIR/ca.crt}
CLIENT_CERT=${CLIENT_CERT:-$CERT_DIR/client.crt}
CLIENT_KEY=${CLIENT_KEY:-$CERT_DIR/client.key}
install -d -m 0750 "$CERT_DIR"
CONF_PATH=/etc/rsyslog.d/pulse-sensor-proxy.conf
cat <<EOF >"$CONF_PATH"
module(load="imfile" PollingInterval="5")
input(type="imfile"
File="/var/log/pulse/sensor-proxy/audit.log"
Tag="pulse.audit"
Facility="local4"
Severity="notice"
PersistStateInterval="100"
addMetadata="on")
input(type="imfile"
File="/var/log/pulse/sensor-proxy/proxy.log"
Tag="pulse.app"
Facility="local4"
Severity="info"
PersistStateInterval="100"
addMetadata="on")
action(type="omfile"
File="/var/log/pulse/sensor-proxy/forwarding.log"
Template="RSYSLOG_TraditionalFileFormat"
DirCreateMode="0750"
FileCreateMode="0640")
if (\$programname == 'pulse.audit' or \$programname == 'pulse.app') then {
action(type="omrelp"
target="$REMOTE_HOST"
port="$REMOTE_PORT"
tls="on"
tls.caCert="$CA_CERT"
tls.myCert="$CLIENT_CERT"
tls.myPrivKey="$CLIENT_KEY"
queue.type="LinkedList"
queue.size="50000"
queue.dequeuebatchsize="500"
queue.workerthreads="2"
action.resumeRetryCount="-1")
stop
}
EOF
systemctl restart rsyslog
echo "Log forwarding enabled to $REMOTE_HOST:$REMOTE_PORT"
Reference in New Issue View Git Blame Copy Permalink