60 lines
3.1 KiB
Markdown
60 lines
3.1 KiB
Markdown
# Security Notes
|
|
|
|
This project is still an MVP. Treat every enrolled router as a privileged remote execution target and run the server only on trusted networks until the remaining hardening work is complete.
|
|
|
|
## Trust Model
|
|
|
|
- The server is the control plane.
|
|
- The OpenWrt agent is a privileged device-side worker.
|
|
- Browser operators authenticate with a username/password and a signed `HttpOnly` session cookie.
|
|
- API automation can authenticate with `RMM_OPERATOR_TOKEN`.
|
|
- Devices authenticate with a per-device bearer token issued during enrollment.
|
|
- Enrollment currently uses a shared enrollment token and should be considered bootstrap-only.
|
|
|
|
## Current Controls
|
|
|
|
- Agent traffic is outbound polling, so routers do not need inbound firewall openings.
|
|
- Devices receive unique bearer tokens after enrollment.
|
|
- Operator APIs accept a signed browser session or an operator bearer token.
|
|
- Server and agent both enforce command allowlists.
|
|
- UCI operations are limited to allowlisted config packages: `network`, `wireless`, `dhcp`, `firewall`, and `system`.
|
|
- Command output is redacted for sensitive keys before storage and display.
|
|
- Command lifecycle has retries, expiry, cancellation, and result rejection for cancelled or expired commands.
|
|
- UCI preview can show a diff without leaving staged changes.
|
|
- UCI commit-confirmed can restore the latest local backup if the router loses server reachability after commit.
|
|
- Basic audit events are recorded for operator command creation and cancellation.
|
|
|
|
## MVP Risks
|
|
|
|
- Tokens are stored in SQLite as bearer credentials and are not yet hashed.
|
|
- The enrollment token is shared and long-lived unless operators rotate it manually.
|
|
- There is no RBAC, organization isolation, or per-command approval policy.
|
|
- There are no rate limits or replay protection.
|
|
- Commands are not signed.
|
|
- TLS termination is not handled by the application. Use a reverse proxy with HTTPS when exposing the server beyond localhost or a lab LAN.
|
|
|
|
## Operational Guidance
|
|
|
|
- Run the server behind HTTPS and restrict inbound access to trusted operator networks.
|
|
- Use a high-entropy `RMM_OPERATOR_TOKEN` and enrollment token.
|
|
- Use a high-entropy operator password and `RMM_SESSION_SECRET`.
|
|
- Set `RMM_COOKIE_SECURE=true` behind HTTPS.
|
|
- Rotate the enrollment token after initial device onboarding.
|
|
- Keep the SQLite database private and backed up.
|
|
- Prefer `uci_preview` and `uci_backup` before `uci_set` or `uci_commit`.
|
|
- Use `uci_commit_confirmed` for network changes that can break connectivity.
|
|
- Review command history and audit events after configuration changes.
|
|
|
|
## Next Hardening Work
|
|
|
|
- Hash device tokens in storage.
|
|
- Add device token rotation and revocation.
|
|
- Replace shared enrollment with single-use enrollment grants.
|
|
- Add request IDs and structured logs.
|
|
- Add rate limits for enrollment, heartbeat, command result, and operator APIs.
|
|
- Add replay protection or signed device requests.
|
|
- Add command approval policies for reboot, UCI commit, restore, package install, and remote access.
|
|
- Add RBAC for operators.
|
|
- Add organization or fleet isolation before multi-tenant use.
|
|
- Add mTLS or signed device tokens for production fleets.
|