Files
rmm-openwrt/docs/security.md
2026-06-04 15:26:43 +03:00

3.1 KiB

Security Notes

This project is still an MVP. Treat every enrolled router as a privileged remote execution target and run the server only on trusted networks until the remaining hardening work is complete.

Trust Model

  • The server is the control plane.
  • The OpenWrt agent is a privileged device-side worker.
  • Browser operators authenticate with a username/password and a signed HttpOnly session cookie.
  • API automation can authenticate with RMM_OPERATOR_TOKEN.
  • Devices authenticate with a per-device bearer token issued during enrollment.
  • Enrollment currently uses a shared enrollment token and should be considered bootstrap-only.

Current Controls

  • Agent traffic is outbound polling, so routers do not need inbound firewall openings.
  • Devices receive unique bearer tokens after enrollment.
  • Operator APIs accept a signed browser session or an operator bearer token.
  • Server and agent both enforce command allowlists.
  • UCI operations are limited to allowlisted config packages: network, wireless, dhcp, firewall, and system.
  • Command output is redacted for sensitive keys before storage and display.
  • Command lifecycle has retries, expiry, cancellation, and result rejection for cancelled or expired commands.
  • UCI preview can show a diff without leaving staged changes.
  • UCI commit-confirmed can restore the latest local backup if the router loses server reachability after commit.
  • Basic audit events are recorded for operator command creation and cancellation.

MVP Risks

  • Tokens are stored in SQLite as bearer credentials and are not yet hashed.
  • The enrollment token is shared and long-lived unless operators rotate it manually.
  • There is no RBAC, organization isolation, or per-command approval policy.
  • There are no rate limits or replay protection.
  • Commands are not signed.
  • TLS termination is not handled by the application. Use a reverse proxy with HTTPS when exposing the server beyond localhost or a lab LAN.

Operational Guidance

  • Run the server behind HTTPS and restrict inbound access to trusted operator networks.
  • Use a high-entropy RMM_OPERATOR_TOKEN and enrollment token.
  • Use a high-entropy operator password and RMM_SESSION_SECRET.
  • Set RMM_COOKIE_SECURE=true behind HTTPS.
  • Rotate the enrollment token after initial device onboarding.
  • Keep the SQLite database private and backed up.
  • Prefer uci_preview and uci_backup before uci_set or uci_commit.
  • Use uci_commit_confirmed for network changes that can break connectivity.
  • Review command history and audit events after configuration changes.

Next Hardening Work

  • Hash device tokens in storage.
  • Add device token rotation and revocation.
  • Replace shared enrollment with single-use enrollment grants.
  • Add request IDs and structured logs.
  • Add rate limits for enrollment, heartbeat, command result, and operator APIs.
  • Add replay protection or signed device requests.
  • Add command approval policies for reboot, UCI commit, restore, package install, and remote access.
  • Add RBAC for operators.
  • Add organization or fleet isolation before multi-tenant use.
  • Add mTLS or signed device tokens for production fleets.