boma/docs/security/service-checklist.md
sjat f338bccd46 Expand ADR-002 into a security baseline + strategy
Add a managerial security frame on top of the host baseline: explicit threat
model (opportunistic external, lateral movement/blast radius, operator/agent
error; supply chain accepted-lower-priority), security principles, and four
governance mechanisms that ADR-002 establishes and links out to:

- docs/security/service-checklist.md — per-service security bar (referenced
  from the new-role runbook)
- docs/security/accepted-risks.md — living accepted-risk register (R1-R4)
- planned /security-review skill (TODO 8.5)
- agent guardrails in CLAUDE.md "what Claude must not do"

STATUS.md records the frame as present (manual enforcement) and /security-review
as planned-not-built.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 14:39:51 +02:00

2.2 KiB

Per-service security checklist

The bar every service (a per-service role — ADR-004) must clear before deploy, especially anything reachable beyond its own host. Established by ADR-002 (Security baseline and strategy); referenced from docs/runbooks/new-role.md. Enforced manually in review today; the planned /security-review skill (see docs/TODO.md) will automate the check.

Treat each item as must-pass unless a deviation is recorded in docs/security/accepted-risks.md with a rationale and a revisit trigger.

Secrets & credentials

  • All secrets live in an encrypted vault.yml (vault.<service>.<key>); none in plaintext files, templates, or Compose env literals
  • No default or vendor-shipped credentials remain — admin passwords/tokens are generated and stored in vault
  • Nothing secret is baked into an image or committed to git (gitleaks must pass)

Least privilege

  • Container runs as a non-root user where the image supports it
  • No privileged: true and no host network mode unless explicitly justified
  • Only the volumes/paths the service needs are mounted; read-only where possible
  • Linux capabilities dropped to what's required (no blanket grants)

Network & exposure

  • Every listening port is declared in group_vars firewall definitions — never opened ad-hoc on a host
  • The service is not published directly to a LAN/WAN port if it can sit behind the reverse proxy instead
  • Anything reachable beyond the srv VLAN is behind the reverse proxy with authentication (and TLS)
  • Inter-service reach follows least privilege — no broad srvsrv access where a single declared dependency suffices

Updates & provenance

  • Image/source version is pinned (tag or digest), not floating latest (ADR-011)
  • The update path is known — how this service gets patched

Operability (security-adjacent)

  • Logs go somewhere reviewable (central aggregation when available)
  • Backup/restore is covered if the service holds state

Deviations are allowed but must be conscious: record them in docs/security/accepted-risks.md, don't leave them implicit.