Add a managerial security frame on top of the host baseline: explicit threat model (opportunistic external, lateral movement/blast radius, operator/agent error; supply chain accepted-lower-priority), security principles, and four governance mechanisms that ADR-002 establishes and links out to:

- docs/security/service-checklist.md — per-service security bar (referenced from the new-role runbook)
- docs/security/accepted-risks.md — living accepted-risk register (R1-R4)
- planned /security-review skill (TODO 8.5)
- agent guardrails in CLAUDE.md "what Claude must not do"

STATUS.md records the frame as present (manual enforcement) and /security-review as planned-not-built.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
21 lines
1.8 KiB
Markdown
# Accepted security risks

Conscious security trade-offs we are choosing to live with — recorded so "what we
are *not* doing" is explicit and revisitable, not forgotten. This register is a
**living document** and is expected to change; it is deliberately kept out of
ADR-002 (which records durable decisions) so the ADR stays stable.

Owned by **ADR-002** (Security baseline and strategy). Re-challenged during the
periodic security review (planned `/security-review`; see `docs/TODO.md`).

**Each entry:** the risk · why we accept it (rationale) · what would make us
revisit (trigger).

| # | Accepted risk | Rationale | Revisit trigger |
|---|---|---|---|
| R1 | **Supply chain not actively defended** — third-party container/base images, dependencies, and Ansible collections are trusted as pulled | Out of proportion to a homelab's effort budget; the realistic threat is opportunistic, not a targeted supply-chain attack. gitleaks + version pinning (ADR-011) give partial cover | Hosting high-value data/finances for others; a relevant upstream compromise; appetite for image signing / SBOM / pinned digests |
| R2 | **No full CIS benchmark hardening** | Significant complexity for marginal gain at this scale | A compliance need, or hosting third-party data with obligations |
| R3 | **No SELinux / AppArmor** mandatory access control | Operational overhead exceeds benefit for the current threat model | Threat model shifts toward targeted attackers; a service with a poor security history |
| R4 | **No intrusion detection system (IDS)** | Detection is only useful with the capacity to triage it; alerts no one reads are noise | Monitoring/alerting stack (Prometheus/Loki/Grafana) is in place and someone will act on alerts |

_Last reviewed: 2026-06-04 (seeded — pending a first re-challenge pass)._
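
Review bot: In the R1 row, the rationale counts "gitleaks + version pinning (ADR-011)" as partial cover for a supply-chain risk, but gitleaks scans the repository for committed secrets and does not check the images, dependencies or Ansible collections that the same row says are "trusted as pulled". I would drop gitleaks from this cell or say what it actually covers, and state whether the ADR-011 pinning is by version tag, since the trigger column lists "pinned digests" as something not yet adopted. Separately, the triggers "appetite for image signing / SBOM / pinned digests" (R1) and "someone will act on alerts" (R4) are hard to test during a re-challenge pass; an observable condition per row would make the register easier to review against.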