Files
rmm-openwrt/docs/security.md
2026-06-04 15:26:43 +03:00

60 lines
3.1 KiB
Markdown

# Security Notes
This project is still an MVP. Treat every enrolled router as a privileged remote execution target and run the server only on trusted networks until the remaining hardening work is complete.
## Trust Model
- The server is the control plane.
- The OpenWrt agent is a privileged device-side worker.
- Browser operators authenticate with a username/password and a signed `HttpOnly` session cookie.
- API automation can authenticate with `RMM_OPERATOR_TOKEN`.
- Devices authenticate with a per-device bearer token issued during enrollment.
- Enrollment currently uses a shared enrollment token and should be considered bootstrap-only.
## Current Controls
- Agent traffic is outbound polling, so routers do not need inbound firewall openings.
- Devices receive unique bearer tokens after enrollment.
- Operator APIs accept a signed browser session or an operator bearer token.
- Server and agent both enforce command allowlists.
- UCI operations are limited to allowlisted config packages: `network`, `wireless`, `dhcp`, `firewall`, and `system`.
- Command output is redacted for sensitive keys before storage and display.
- Command lifecycle has retries, expiry, cancellation, and result rejection for cancelled or expired commands.
- UCI preview can show a diff without leaving staged changes.
- UCI commit-confirmed can restore the latest local backup if the router loses server reachability after commit.
- Basic audit events are recorded for operator command creation and cancellation.
## MVP Risks
- Tokens are stored in SQLite as bearer credentials and are not yet hashed.
- The enrollment token is shared and long-lived unless operators rotate it manually.
- There is no RBAC, organization isolation, or per-command approval policy.
- There are no rate limits or replay protection.
- Commands are not signed.
- TLS termination is not handled by the application. Use a reverse proxy with HTTPS when exposing the server beyond localhost or a lab LAN.
## Operational Guidance
- Run the server behind HTTPS and restrict inbound access to trusted operator networks.
- Use a high-entropy `RMM_OPERATOR_TOKEN` and enrollment token.
- Use a high-entropy operator password and `RMM_SESSION_SECRET`.
- Set `RMM_COOKIE_SECURE=true` behind HTTPS.
- Rotate the enrollment token after initial device onboarding.
- Keep the SQLite database private and backed up.
- Prefer `uci_preview` and `uci_backup` before `uci_set` or `uci_commit`.
- Use `uci_commit_confirmed` for network changes that can break connectivity.
- Review command history and audit events after configuration changes.
## Next Hardening Work
- Hash device tokens in storage.
- Add device token rotation and revocation.
- Replace shared enrollment with single-use enrollment grants.
- Add request IDs and structured logs.
- Add rate limits for enrollment, heartbeat, command result, and operator APIs.
- Add replay protection or signed device requests.
- Add command approval policies for reboot, UCI commit, restore, package install, and remote access.
- Add RBAC for operators.
- Add organization or fleet isolation before multi-tenant use.
- Add mTLS or signed device tokens for production fleets.