Pulse/docs/security/SENSOR_PROXY_HARDENING.md
rcourtman cc3c0187a0 feat: AI features, agent improvements, and host monitoring enhancements
AI Chat Integration:
- Multi-provider support (Anthropic, OpenAI, Ollama)
- Streaming responses with markdown rendering
- Agent command execution for remote troubleshooting
- Context-aware conversations with host/container metadata

Agent Updates:
- Add --enable-proxmox flag for automatic PVE/PBS token setup
- Improve auto-update with semver comparison (prevents downgrades)
- Add updatedFrom tracking to report previous version after update
- Reduce initial update check delay from 30s to 5s
- Add agent version column to Hosts page table

Host Metrics:
- Add DiskIO stats collection (read/write bytes, ops, time)
- Improve disk filtering to exclude Docker overlay mounts
- Add RAID array monitoring via mdadm
- Enhanced temperature sensor parsing

Frontend:
- New Agent Version column on Hosts overview table
- Improved node modal with agent-first installation flow
- Add DiskIO display in host drawer
- Better responsive handling for metric bars
2025-12-05 10:37:02 +00:00

2 KiB

🛡️ Sensor Proxy Hardening

⚠️ Deprecated: The sensor-proxy is deprecated in favor of the unified Pulse agent. For new installations, use install.sh --enable-proxmox instead. See TEMPERATURE_MONITORING.md.

The pulse-sensor-proxy runs on the host to securely collect temperatures, keeping SSH keys out of containers.

🏗️ Architecture

  • Host: Runs pulse-sensor-proxy (unprivileged user).
  • Container: Connects via Unix socket (/run/pulse-sensor-proxy/pulse-sensor-proxy.sock).
  • Auth: Uses SO_PEERCRED to verify container UID/PID.

🔒 Host Hardening

Service Account

Runs as pulse-sensor-proxy (no shell, no home).

id pulse-sensor-proxy # uid=XXX(pulse-sensor-proxy)

Systemd Security

The service unit uses:

  • User=pulse-sensor-proxy
  • NoNewPrivileges=true
  • ProtectSystem=strict
  • PrivateTmp=true

File Permissions

Path Owner Mode
/var/lib/pulse-sensor-proxy/ pulse-sensor-proxy 0750
/var/lib/pulse-sensor-proxy/ssh/ pulse-sensor-proxy 0700
/run/pulse-sensor-proxy/ pulse-sensor-proxy 0775

📦 LXC Configuration

Required for the container to access the proxy socket.

/etc/pve/lxc/<VMID>.conf:

unprivileged: 1
lxc.apparmor.profile: generated
lxc.mount.entry: /run/pulse-sensor-proxy mnt/pulse-proxy none bind,create=dir 0 0

🔑 Key Management

SSH keys are restricted to sensors -j only.

Rotation:

/opt/pulse/scripts/pulse-sensor-proxy-rotate-keys.sh
  • Dry Run: Add --dry-run.
  • Rollback: Add --rollback.

🚨 Incident Response

If compromised:

  1. Stop Proxy: systemctl stop pulse-sensor-proxy.
  2. Rotate Keys: Remove old keys from nodes manually or use pulse-sensor-proxy-rotate-keys.sh.
  3. Audit Logs: Check journalctl -u pulse-sensor-proxy.
  4. Reinstall: Run /opt/pulse/scripts/install-sensor-proxy.sh.