31 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			31 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Security hardening
 | |
| ## Overview
 | |
| This document outlines the various operations you may want to perform to increase the security of your installation and
 | |
| avoid leak of credentials/key pairs
 | |
| 
 | |
| ## Configuration
 | |
| Your config file should have the following ownership:
 | |
| - Dedicated user for mxisd, used to run the software
 | |
| - Dedicated group for mxisd, used by other applications to access and read configuration files
 | |
| 
 | |
| Your config file should have the following access:
 | |
| - Read and write for the mxisd user
 | |
| - Read for the mxisd group
 | |
| - Nothing for others
 | |
| 
 | |
| This translates into `640` and be applied with `chmod 640 /path/to/config/file.yaml`.
 | |
| 
 | |
| ## Data
 | |
| The only sensible place is the key store where mxisd's signing keys are stored. You should therefore limit access to only
 | |
| the mxisd user, and deny access to anything else.
 | |
| 
 | |
| Your key store should have the following access:
 | |
| - Read and write for the mxisd user
 | |
| - Nothing for the mxisd group
 | |
| - Nothing for others
 | |
| 
 | |
| The identity store can either be a file or a directory, depending on your version. v1.4 and higher are using a directory,
 | |
| everything before is using a file.
 | |
| - If your version is directory-based, you will want to apply chmod `700` on it.
 | |
| - If your version is file-based, you will want to apply chmod `600` on it.
 |