Files
hiveops-guide/backend/src/main/resources/content/devops/security/overview.md
T
johannes 03f6c16eab docs(guide): correct devops.backups + devops.security after prod audit
First pass had a partial view. Backups are 3 layers (Swift dumps + encrypted
off-cluster borg to DLX + Cinder snapshots), not just pg_dumpall — #15 (DR)
resolved, #13/#14 re-scoped. Security has iptables auto-block (security-monitor)
+ AIDE FIM — #17 re-scoped; ClamAV (#16) remains the one real gap.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 08:27:18 -04:00

2.4 KiB

module, title, tab, order, audience
module title tab order audience
devops.security Host Security & Anti-Virus Overview 20 dev

DRAFT · internal. Rewritten 2026-07-02 after auditing the prod VMs. The first pass reported a bare posture ("no firewall/fail2ban") — that was mis-scoped; there IS custom IDS + FIM. Scripts: hiveops-devops/scripts/ops/security/.

Controls actually in place

Control How Hosts PCI
Intrusion detection + auto-block security-monitor.sh (every 5 min): scans nginx logs for attack patterns (.env, .git, id_rsa, /actuator/env, /actuator/heapdump, webshells…) → iptables -I INPUT -s <ip> -j DROP; Slack alerts; daily/weekly reports .250, .252 Req 1/10/11 (compensating)
File-integrity monitoring aide-check.sh (daily 03:15): AIDE --check → email alerts@bcos.cloud on any change .250, .188 Req 11.5
Firewall iptables (managed via security-monitor blocks) + almost certainly OpenStack security groups at the network layer all Req 1
TLS acme.sh auto-renew .250, .252

So iptables auto-blocking and AIDE FIM are live — the box is not wide open.

The one genuine gap: anti-virus (ClamAV)

This is the real finding and it still stands (hiveiq-devops#16, Critical). Audit 2026-07-02:

VM ClamAV freshclam DB age
services .250 installed active current — but clamd failed
database .188 (PCI CDE) installed stopped stale 06-09
cdn .252 installed stopped stale 06-09
proxy .253 / share .254 / ollama .7 not installed

PCI Req 5 (anti-malware) is not met on most hosts, including the CDE. Remediation: install/enable ClamAV + freshclam everywhere, fix clamd on .250. The daily health check (platform.production-checks §4) flags this per-VM.

Residual (re-scoped from #17)

  • No ufw (iptables is used directly via security-monitor; confirm OpenStack SG rules are the network firewall of record and document them).
  • No fail2ban — but security-monitor covers web attack auto-blocking; SSH brute-force specifically is the residual gap (SSH is key-only, which mitigates). → hiveiq-devops#17 (re-scoped)

See platform.production-checks, devops.backups, platform.topology.