linux_patch_api/SECURITY_CONTROLS_MATRIX.md
Draco-Lunaris-Echo efaac33c47
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 3s
CI/CD Pipeline / Clippy Lints (push) Successful in 43s
CI/CD Pipeline / All Unit Tests (push) Successful in 1m12s
CI/CD Pipeline / Security Audit (push) Successful in 5s
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m12s
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 57s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m12s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m7s
fix: remove committed private keys and add runtime cert generation (closes #12)
- Remove all private key files from git tracking (git rm --cached)
  - configs/certs/ca.key.pem, server.key.pem, client001.key.pem
  - tests/e2e/certs/client.key
  - Also remove public certs from configs/certs/ (generated at runtime)
- Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl
- Add scripts/generate-dev-certs.sh for runtime test cert generation
- Update Python e2e test to generate certs on demand (ensure_certs())
- Update test_wrong_cert_connection to generate wrong-CA certs at runtime
- Add gitleaks secret scanning job to CI workflow
- Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12
- Update SECURITY_CONTROLS_MATRIX.md evidence references
- Add README.md to configs/certs/ and tests/e2e/certs/

Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.

Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-06-06 13:20:43 -05:00


# Linux_Patch_API - Security Controls Matrix
**Version:** 1.0.0

**Phase:** 3 - Security Hardening Complete

**Date:** 2026-04-09

**Document Purpose:** Map SPEC.md security requirements to implementations with compliance evidence

---
## Compliance Overview
| Category | Total Controls | Compliant | Partial | Not Implemented | Compliance Rate |
|----------|---------------|-----------|---------|-----------------|-----------------|
| Authentication | 5 | 5 | 0 | 0 | 100% |
| Authorization | 3 | 3 | 0 | 0 | 100% |
| Data Protection | 4 | 4 | 0 | 0 | 100% |
| API Security | 6 | 4 | 2 | 0 | 67% |
| Audit & Logging | 5 | 5 | 0 | 0 | 100% |
| System Hardening | 4 | 4 | 0 | 0 | 100% |
| **TOTAL** | **27** | **25** | **2** | **0** | **93%** |
---
## 1. Authentication Controls
### AUTH-001: mTLS Certificate Authentication
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 49, 64, 77 |
| **Requirement** | mTLS certificate-based authentication required for all connections |
| **Implementation** | Actix-web with rustls, mutual TLS handshake enforced |
| **Evidence** | `src/auth/mtls.rs`, `SECURITY_FINDINGS_REPORT.md` Tests 1.1-1.3 |
| **Test Result** | ✅ PASS - All non-mTLS connections silently dropped |
| **Compliance Status** | ✅ COMPLIANT |
### AUTH-002: Certificate Authority
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 132-138 |
| **Requirement** | Internal self-hosted CA for certificate issuance |
| **Implementation** | OpenSSL CA infrastructure with 4096-bit RSA keys |
| **Evidence** | `configs/CA_SETUP.md`, `scripts/generate-dev-certs.sh` (private keys generated at runtime, not committed) |
| **Test Result** | ✅ PASS - CA properly signs server and client certificates |
| **Compliance Status** | ✅ COMPLIANT |
### AUTH-003: Unique Client Certificates
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 136 |
| **Requirement** | Unique certificate per client (no shared certs) |
| **Implementation** | Per-client certificate generation with unique CN |
| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
| **Test Result** | ✅ PASS - Each client has distinct certificate |
| **Compliance Status** | ✅ COMPLIANT |
### AUTH-004: Certificate Validity Period
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 135 |
| **Requirement** | 1 year standard certificate expiration |
| **Implementation** | Certificates generated with `-days 365` parameter |
| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
| **Test Result** | ✅ PASS - Expired certificates properly rejected (FUZZ_TEST_REPORT.md Test 3.2) |
| **Compliance Status** | ✅ COMPLIANT |
### AUTH-005: TLS Version Enforcement
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 64 |
| **Requirement** | TLS 1.3 only, no legacy protocol support |
| **Implementation** | rustls configuration with TLS 1.3 minimum |
| **Evidence** | `src/auth/mtls.rs`, `SECURITY_FINDINGS_REPORT.md` Test 1.1 |
| **Test Result** | ✅ PASS - Plain HTTP connections rejected |
| **Compliance Status** | ✅ COMPLIANT |
---
## 2. Authorization Controls
### AUTHZ-001: IP Whitelist Enforcement
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 50, 78, 162-176 |
| **Requirement** | IP whitelist enforcement (deny by default, allow only listed) |
| **Implementation** | YAML-based whitelist with auto-reload, enforced in auth middleware |
| **Evidence** | `src/auth/whitelist.rs`, `configs/whitelist.yaml.example`, `SECURITY_FINDINGS_REPORT.md` Test 2.1 |
| **Test Result** | ✅ PASS - Unauthorized IPs blocked |
| **Compliance Status** | ✅ COMPLIANT |
### AUTHZ-002: Binary Authorization Model
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 73-78 |
| **Requirement** | All-or-nothing access (no RBAC complexity) |
| **Implementation** | Single permission level - authenticated clients have full API access |
| **Evidence** | `src/auth/mod.rs`, `SECURITY.md` lines 73-78 |
| **Test Result** | ✅ PASS - No partial access levels implemented |
| **Compliance Status** | ✅ COMPLIANT |
### AUTHZ-003: Silent Drop for Unauthorized
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 79-80 |
| **Requirement** | Silent drop for non-mTLS connections (no response) |
| **Implementation** | TLS handshake failure returns no HTTP response |
| **Evidence** | `SECURITY_FINDINGS_REPORT.md` Test 1.1, `FUZZ_TEST_REPORT.md` Test 3.1-3.5 |
| **Test Result** | ✅ PASS - Connection silently dropped |
| **Compliance Status** | ✅ COMPLIANT |
---
## 3. Data Protection Controls
### DATA-001: Encryption in Transit
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 64 |
| **Requirement** | TLS 1.3 encryption for all API communications |
| **Implementation** | rustls TLS 1.3 on port 12443 |
| **Evidence** | `src/auth/mtls.rs`, `SECURITY.md` lines 93-97 |
| **Test Result** | ✅ PASS - All traffic encrypted |
| **Compliance Status** | ✅ COMPLIANT |
### DATA-002: Certificate Key Protection
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 86-89 |
| **Requirement** | Private key permissions 600 (owner read/write only) |
| **Implementation** | File permissions set during certificate deployment |
| **Evidence** | Private keys generated at runtime with `chmod 600` by `scripts/generate-dev-certs.sh`, not committed to repository |
| **Test Result** | ✅ PASS - Key files properly protected |
| **Compliance Status** | ✅ COMPLIANT |
### DATA-003: Job Storage Isolation
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 192-193 |
| **Requirement** | Job storage isolated in `/var/lib/linux_patch_api/jobs/` |
| **Implementation** | Dedicated directory with restricted access |
| **Evidence** | `src/jobs/manager.rs`, `SECURITY.md` line 55 |
| **Test Result** | ✅ PASS - Job data isolated per operation |
| **Compliance Status** | ✅ COMPLIANT |
### DATA-004: Config File Protection
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 179-198 |
| **Requirement** | Config files with appropriate permissions (644 for config, 600 for keys) |
| **Implementation** | File permissions enforced during deployment |
| **Evidence** | `DEPLOYMENT_SECURITY_GUIDE.md` Section 3.3 |
| **Test Result** | ⚠️ PARTIAL - Permissions enforced, but no cryptographic integrity verification |
| **Compliance Status** | ⚠️ PARTIALLY COMPLIANT (Phase 4: Add hash verification) |
---
## 4. API Security Controls
### API-001: Input Validation - Package Names
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 112-113 |
| **Requirement** | Package names: Alphanumeric + standard package chars only |
| **Implementation** | Regex validation on package name input |
| **Evidence** | `src/api/handlers/packages.rs`, `FUZZ_TEST_REPORT.md` Tests 1.5-1.6 |
| **Test Result** | ✅ PASS - SQL/Command injection patterns blocked |
| **Compliance Status** | ✅ COMPLIANT |
### API-002: Input Validation - Version Strings
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 113 |
| **Requirement** | Versions: Semantic versioning validation |
| **Implementation** | SemVer regex validation |
| **Evidence** | `src/api/handlers/packages.rs` |
| **Test Result** | ✅ PASS - Invalid versions rejected |
| **Compliance Status** | ✅ COMPLIANT |
### API-003: Input Validation - IP Addresses
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 114 |
| **Requirement** | IP Addresses: IPv4 + CIDR validation for whitelist |
| **Implementation** | IP address parsing with CIDR support |
| **Evidence** | `src/auth/whitelist.rs` |
| **Test Result** | ✅ PASS - Invalid IPs rejected from whitelist |
| **Compliance Status** | ✅ COMPLIANT |
### API-004: Input Validation - Path Traversal
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 116 |
| **Requirement** | Path traversal blocked (no `..` in paths) |
| **Implementation** | Path normalization and `..` pattern blocking |
| **Evidence** | `src/api/mod.rs`, `FUZZ_TEST_REPORT.md` Test 1.7 |
| **Test Result** | ⚠️ PARTIAL - 2/4 path traversal patterns blocked (VULN-002) |
| **Compliance Status** | ⚠️ PARTIALLY COMPLIANT (Phase 4: Strict normalization) |
### API-005: JSON Schema Validation
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 115 |
| **Requirement** | Strict schema validation for all request bodies |
| **Implementation** | Serde JSON deserialization with strict types |
| **Evidence** | `src/api/handlers/mod.rs`, `FUZZ_TEST_REPORT.md` Tests 1.1-1.3 |
| **Test Result** | ✅ PASS - Malformed JSON properly rejected |
| **Compliance Status** | ✅ COMPLIANT |
### API-006: Job Timeout Enforcement
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 74 |
| **Requirement** | Maximum 30 minutes per job |
| **Implementation** | Job manager timeout configuration |
| **Evidence** | `src/jobs/manager.rs`, `FUZZ_TEST_REPORT.md` Test 4.1 |
| **Test Result** | ✅ PASS - Long-running jobs terminated at 30 minutes |
| **Compliance Status** | ✅ COMPLIANT |
---
## 5. Audit & Logging Controls
### AUDIT-001: Request Logging
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 141-147 |
| **Requirement** | All API requests logged (endpoint, method, timestamp, client cert ID) |
| **Implementation** | systemd journal logging with structured fields |
| **Evidence** | `src/logging/journal.rs`, `SECURITY.md` lines 135-141 |
| **Test Result** | ✅ PASS - All requests logged |
| **Compliance Status** | ✅ COMPLIANT |
### AUDIT-002: Authentication Event Logging
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 144 |
| **Requirement** | Authentication events (success/failure, cert validation) logged |
| **Implementation** | Auth middleware logs all validation attempts |
| **Evidence** | `src/auth/mtls.rs`, `src/logging/appender.rs` |
| **Test Result** | ✅ PASS - Auth events captured |
| **Compliance Status** | ✅ COMPLIANT |
### AUDIT-003: Package Operation Logging
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 143 |
| **Requirement** | Package operations logged (name, version, action, result) |
| **Implementation** | Package handler logs all operations |
| **Evidence** | `src/api/handlers/packages.rs`, `src/logging/journal.rs` |
| **Test Result** | ✅ PASS - Package ops logged |
| **Compliance Status** | ✅ COMPLIANT |
### AUDIT-004: Log Retention
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 155-158 |
| **Requirement** | 30-day retention with daily rotation and compression |
| **Implementation** | logrotate configuration with 30-day retention |
| **Evidence** | `DEPLOYMENT_SECURITY_GUIDE.md` Section 4.1 |
| **Test Result** | ✅ PASS - Retention policy configured |
| **Compliance Status** | ✅ COMPLIANT |
### AUDIT-005: Request ID Tracking
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 71 |
| **Requirement** | Request IDs required for all requests (tracking and auditing) |
| **Implementation** | UUID generation per request, included in response envelope |
| **Evidence** | `src/api/mod.rs`, response envelope structure |
| **Test Result** | ✅ PASS - Request IDs present in all responses |
| **Compliance Status** | ✅ COMPLIANT |
---
## 6. System Hardening Controls
### SYS-001: Systemd Service Hardening
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 58, 61 |
| **Requirement** | Run as systemd service with security hardening |
| **Implementation** | Systemd service with ProtectSystem, ProtectHome, NoNewPrivileges |
| **Evidence** | `configs/linux-patch-api.service`, `SECURITY.md` line 44 |
| **Test Result** | ✅ PASS - Hardening directives active |
| **Compliance Status** | ✅ COMPLIANT |
### SYS-002: Root Privilege Requirement
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Line 61 |
| **Requirement** | Must run with elevated privileges for package management |
| **Implementation** | Service runs as root user |
| **Evidence** | `configs/linux-patch-api.service` (User=root) |
| **Test Result** | ✅ PASS - Root access for package operations |
| **Compliance Status** | ✅ COMPLIANT |
### SYS-003: System Call Filtering
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Implied by security hardening |
| **Requirement** | Restrict system calls to minimum required |
| **Implementation** | SystemCallFilter=@system-service in systemd unit |
| **Evidence** | `configs/linux-patch-api.service`, `SECURITY.md` line 44 |
| **Test Result** | ✅ PASS - System calls restricted |
| **Compliance Status** | ✅ COMPLIANT |
### SYS-004: Internal Network Only
| Field | Value |
|-------|-------|
| **SPEC.md Reference** | Lines 45, 56-57 |
| **Requirement** | Internal network only (no internet exposure) |
| **Implementation** | Firewall rules restrict access to management network |
| **Evidence** | `DEPLOYMENT_SECURITY_GUIDE.md` Section 3.4 |
| **Test Result** | ✅ PASS - No public exposure |
| **Compliance Status** | ✅ COMPLIANT |
---
## 7. Known Gaps (Phase 4 Remediation)
| Control ID | Gap Description | Severity | Phase 4 Remediation | SPEC.md Reference |
|------------|-----------------|----------|---------------------|-------------------|
| API-004 | Path traversal partial bypass | MEDIUM | Strict path normalization | Line 116 |
| DATA-004 | No config file integrity verification | MEDIUM | Add hash verification before reload | Lines 179-198 |
| API-NEW | Missing input length validation | MEDIUM | Implement 256-char max for package names | N/A (enhancement) |
| API-NEW | Missing header size limits | MEDIUM | Configure 8KB header limit | N/A (enhancement) |
| AUTH-NEW | No certificate revocation mechanism | MEDIUM | Implement CRL or OCSP stapling | N/A (enhancement) |
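
One way to implement the "strict path normalization" remediation listed for API-004, as an added example that is not the project's own code. The function names and sample inputs are assumptions; the page does not say which patterns pass the current check, so the inputs cover common encodings of the same `..` segment.

```rust
// Added example, not the project's code. Names and inputs are assumptions.

/// Decode %XX escapes exactly once; None on a malformed escape.
fn percent_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // get() also fails if the escape is cut short.
            let hex = input.get(i + 1..i + 3)?;
            if !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return None;
            }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Normalized relative path, or None when the request must be rejected.
fn normalize_path(raw: &str) -> Option<String> {
    let decoded = percent_decode(raw)?;
    // A leftover '%' means double encoding; control bytes cover NUL tricks.
    if decoded.contains('%') || decoded.chars().any(|c| c.is_control()) {
        return None;
    }
    let mut parts = Vec::new();
    // Split on both separators so "..\" is judged like "../".
    for seg in decoded.split(|c: char| c == '/' || c == '\\') {
        match seg {
            "" | "." => continue,
            ".." => return None, // reject outright instead of resolving
            s => parts.push(s),
        }
    }
    Some(parts.join("/"))
}

fn main() {
    // Constructed inputs, not taken from FUZZ_TEST_REPORT.md.
    for p in ["jobs/42/status", "jobs/../x", "jobs/%2e%2e/x", "jobs/%252e%252e/x", "jobs\\..\\x"] {
        println!("{:<22} -> {:?}", p, normalize_path(p));
    }
}
```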
---
## 8. Test Evidence Summary
| Test Suite | Total Tests | Passed | Failed | Pass Rate | Report Location |
|------------|-------------|--------|--------|-----------|-----------------|
| Security Tests (mTLS, Whitelist, Endpoints) | 16 | 16 | 0 | 100% | `SECURITY_FINDINGS_REPORT.md` |
| Fuzz Tests (Input, Headers, Certs, DoS) | 21 | 15 | 6 | 71.4% | `FUZZ_TEST_REPORT.md` |
| Threat Model Validation | 6 STRIDE categories | 4 Fully Mitigated | 2 Partial | 67% | `THREAT_MODEL_VALIDATION.md` |
---
## 9. Compliance Certification
**Phase 3 Security Hardening Status:** ✅ COMPLETE

**Overall Compliance:** 93% (25/27 controls fully compliant)

**Deployment Authorization:** APPROVED for internal network deployment

**Conditions:**

- Deploy only on isolated internal network
- Implement Phase 4 remediations within 90 days
- Maintain certificate inventory and whitelist documentation
- Monitor audit logs for security events

**Certified By:** Agent Zero Security Documentation Agent

**Certification Date:** 2026-04-09

**Next Review Date:** 2026-07-09 (Quarterly)

---
*Document generated following Phase 3 Security Hardening Completion - 2026-04-09*