03f6c16eab
First pass had a partial view. Backups are 3 layers (Swift dumps + encrypted off-cluster borg to DLX + Cinder snapshots), not just pg_dumpall — #15 (DR) resolved, #13/#14 re-scoped. Security has iptables auto-block (security-monitor) + AIDE FIM — #17 re-scoped; ClamAV (#16) remains the one real gap. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2.4 KiB
2.4 KiB
module, title, tab, order, audience
| module | title | tab | order | audience |
|---|---|---|---|---|
| devops.security | Host Security & Anti-Virus | Overview | 20 | dev |
DRAFT · internal. Rewritten 2026-07-02 after auditing the prod VMs. The first pass reported a bare posture ("no firewall/fail2ban") — that was mis-scoped; there IS custom IDS + FIM. Scripts:
hiveops-devops/scripts/ops/security/.
Controls actually in place
| Control | How | Hosts | PCI |
|---|---|---|---|
| Intrusion detection + auto-block | security-monitor.sh (every 5 min): scans nginx logs for attack patterns (.env, .git, id_rsa, /actuator/env, /actuator/heapdump, webshells…) → iptables -I INPUT -s <ip> -j DROP; Slack alerts; daily/weekly reports |
.250, .252 |
Req 1/10/11 (compensating) |
| File-integrity monitoring | aide-check.sh (daily 03:15): AIDE --check → email alerts@bcos.cloud on any change |
.250, .188 |
Req 11.5 |
| Firewall | iptables (managed via security-monitor blocks) + almost certainly OpenStack security groups at the network layer |
all | Req 1 |
| TLS | acme.sh auto-renew |
.250, .252 |
— |
So iptables auto-blocking and AIDE FIM are live — the box is not wide open.
The one genuine gap: anti-virus (ClamAV)
This is the real finding and it still stands (hiveiq-devops#16, Critical). Audit 2026-07-02:
| VM | ClamAV | freshclam | DB age |
|---|---|---|---|
services .250 |
installed | active | current — but clamd failed |
database .188 (PCI CDE) |
installed | stopped | stale 06-09 |
cdn .252 |
installed | stopped | stale 06-09 |
proxy .253 / share .254 / ollama .7 |
not installed | — | — |
PCI Req 5 (anti-malware) is not met on most hosts, including the CDE. Remediation: install/enable
ClamAV + freshclam everywhere, fix clamd on .250. The daily health check (platform.production-checks
§4) flags this per-VM.
Residual (re-scoped from #17)
- No
ufw(iptables is used directly via security-monitor; confirm OpenStack SG rules are the network firewall of record and document them). - No
fail2ban— but security-monitor covers web attack auto-blocking; SSH brute-force specifically is the residual gap (SSH is key-only, which mitigates). → hiveiq-devops#17 (re-scoped)
See platform.production-checks, devops.backups, platform.topology.