Commit Graph

1 Commits

Author SHA1 Message Date
raphael 0df229905d docs: SECURITY.md with concrete configs
README §2 used to list security categories ("network isolation",
"TLS tunnel", "authentication", "audit logging", "YAML signing")
without configs.  Customers deploying to a real fab can't act on
bullet points — they need files to drop in and paths to verify.

SECURITY.md replaces the bullets with:

- nftables ruleset locking the HSMS + Prometheus + SSH ports to
  known source IPs (with the test command to lint before reload)
- Kubernetes NetworkPolicy equivalent for pod deployments
- stunnel.conf for equipment side (terminator) AND MES side
  (initiator), with mTLS, TLS 1.3 minimum, and bind-127.0.0.1
  pattern so the cleartext socket never sees the network
- minisign-based YAML config signing: keygen, sign-at-deploy,
  systemd ExecStartPre verification.  Refuses to start on bad sig.
- Audit logging JSON schema for SIEM ingest, with one-line example
  per frame and the structured-dispatch wrapper to emit it
- SIEM alert thresholds: S9F rate, distinct source IPs, TLS
  handshake failures, signature-verify failures, spool depth,
  T-timer expiry counter
- Secrets handling: stunnel keys + minisign signing key custody
- Incident response capture protocol (tcpdump, journal snapshot,
  no-restart-until-captured) + reporting-back format

Every section has a runnable example.  Nothing here is invented
under pressure during an incident.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-09 15:33:43 +02:00