rcourtman
|
b2e65f7b3e
|
feat(security): Add SSH output limits and improve host key management
Addresses two security vulnerabilities:
1. SSH Output Size Limits:
- Prevents memory exhaustion from malicious remote nodes
- Configurable max_ssh_output_bytes (default 1MB)
- Stream with io.LimitReader to cap output size
- New metric: pulse_proxy_ssh_output_oversized_total{node}
- WARN logging for oversized outputs
2. Improved Host Key Management:
- Seed host keys from Proxmox cluster store (/etc/pve/priv/known_hosts)
- Falls back to ssh-keyscan only if Proxmox unavailable (with WARN)
- Fingerprint change detection with ERROR logging
- require_proxmox_hostkeys option for strict mode
- New metric: pulse_proxy_hostkey_changes_total{node}
- Reduces MITM attack surface significantly
Known hosts manager now normalizes entries, reuses existing fingerprints,
and raises typed HostKeyChangeError when fingerprints differ.
Related to security audit 2025-11-07.
Co-authored-by: Codex <codex@openai.com>
|
2025-11-07 17:09:02 +00:00 |
|
rcourtman
|
524f42cc28
|
security: complete Phase 1 sensor proxy hardening
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks
All 27 Phase 1 tasks complete. Ready for production deployment.
|
2025-10-20 15:13:37 +00:00 |
|