Harden deployment and fix PEN-01
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
10
dist/mcias.service
vendored
10
dist/mcias.service
vendored
@@ -11,11 +11,11 @@ User=mcias
|
||||
Group=mcias
|
||||
|
||||
# Configuration and secrets.
|
||||
# /etc/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
|
||||
# /srv/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
|
||||
# See dist/mcias.env.example for the template.
|
||||
EnvironmentFile=/etc/mcias/env
|
||||
EnvironmentFile=/srv/mcias/env
|
||||
|
||||
ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
|
||||
ExecStart=/usr/local/bin/mciassrv -config /srv/mcias/mcias.toml
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
|
||||
@@ -30,11 +30,11 @@ LimitNOFILE=65536
|
||||
CapabilityBoundingSet=
|
||||
|
||||
# Filesystem restrictions.
|
||||
# mciassrv reads /etc/mcias (config, TLS cert/key) and writes /var/lib/mcias (DB).
|
||||
# mciassrv reads and writes /srv/mcias (config, TLS cert/key, database).
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
ReadWritePaths=/var/lib/mcias
|
||||
ReadWritePaths=/srv/mcias
|
||||
|
||||
# Additional hardening.
|
||||
NoNewPrivileges=true
|
||||
|
||||
Reference in New Issue
Block a user