Pulse/docs/security/pulse-sensor-proxy-network.md
rcourtman 524f42cc28 security: complete Phase 1 sensor proxy hardening
Implements comprehensive security hardening for pulse-sensor-proxy:
- Privilege drop from root to unprivileged user (UID 995)
- Hash-chained tamper-evident audit logging with remote forwarding
- Per-UID rate limiting (0.2 QPS, burst 2) with concurrency caps
- Enhanced command validation with 10+ attack pattern tests
- Fuzz testing (7M+ executions, 0 crashes)
- SSH hardening, AppArmor/seccomp profiles, operational runbooks

All 27 Phase 1 tasks complete. Ready for production deployment.
2025-10-20 15:13:37 +00:00

64 lines
3.8 KiB
Markdown

# Pulse Sensor Proxy Network Segmentation
## Overview
- **Proxy host** collects temperatures via SSH from Proxmox nodes and serves a Unix socket to the Pulse stack.
- Goals: isolate the proxy from production hypervisors, prevent lateral movement, and ensure log forwarding/audit channels remain available.
## Zones & Connectivity
- **Pulse Application Zone (AZ-Pulse)**
- Hosts Pulse backend/frontend containers.
- Allowed to reach the proxy over Unix socket (local) or loopback if containerised via `socat`.
- **Sensor Proxy Zone (AZ-Sensor)**
- Dedicated VM/bare-metal host running `pulse-sensor-proxy`.
- Maintains outbound SSH to Proxmox management interfaces only.
- **Proxmox Management Zone (AZ-Proxmox)**
- Hypervisors / BMCs reachable on `tcp/22` (SSH) and optional IPMI UDP.
- **Logging/Monitoring Zone (AZ-Logging)**
- Receives forwarded audit/application logs (e.g. RELP/TLS on `tcp/6514`).
- Exposes Prometheus scrape port (default `tcp/9456`) if remote monitoring required.
## Recommended Firewall Rules
| Source Zone | Destination Zone | Protocol/Port | Purpose | Action |
|-------------|------------------|---------------|---------|--------|
| AZ-Pulse (localhost) | AZ-Sensor (Unix socket) | `unix` | RPC requests from Pulse | Allow (local only) |
| AZ-Sensor | AZ-Proxmox nodes | `tcp/22` | SSH for sensors/ipmitool wrapper | Allow (restricted to node list) |
| AZ-Sensor | AZ-Proxmox BMC | `udp/623` *(optional)* | IPMI if required for temperature data | Allow if needed |
| AZ-Proxmox | AZ-Sensor | `any` | Return SSH traffic | Allow stateful |
| AZ-Sensor | AZ-Logging | `tcp/6514` (TLS RELP) | Audit/application log forwarding | Allow |
| AZ-Logging | AZ-Sensor | `tcp/9456` *(optional)* | Prometheus scrape of proxy metrics | Allow if scraping remotely |
| Any | AZ-Sensor | `tcp/22` | Shell/SSH access | Deny (use management bastion) |
| AZ-Sensor | Internet | `any` | Outbound Internet | Deny (except package mirrors via proxy if required) |
## Implementation Steps
1. Place proxy host in dedicated subnet/VLAN with ACLs enforcing the table above.
2. Populate `/etc/hosts` or routing so proxy resolves Proxmox nodes to management IPs only (no public networks).
3. Configure iptables/nftables on proxy:
```bash
# Allow SSH to Proxmox nodes
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET>/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <PROXMOX_SUBNET>/24 --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow log forwarding
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <LOG_HOST> --sport 6514 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# (Optional) allow Prometheus scrape
iptables -A INPUT -p tcp -s <SCRAPE_HOST> --dport 9456 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d <SCRAPE_HOST> --sport 9456 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop everything else
iptables -P OUTPUT DROP
iptables -P INPUT DROP
```
4. Deny inbound SSH to proxy except via management bastion: block `tcp/22` or whitelist bastion IPs.
5. Ensure log-forwarding TLS certificates are rotated and stored under `/etc/pulse/log-forwarding`.
## Monitoring & Alerting
- Alert if proxy initiates connections outside permitted subnets (Netflow or host firewall counters).
- Monitor `pulse_proxy_limiter_*` metrics for unusual rate-limit hits that might signal abuse.
- Track `audit_log` forwarding queue depth and remote availability; on failure, emit alert via rsyslog action queue (set `action.resumeRetryCount=-1` already).
## Change Management
- Document node IP changes and update firewall objects (`PROXMOX_NODES`) before redeploying certificates.
- Capture segmentation in infrastructure-as-code (e.g. Terraform/security group definitions) to avoid drift.