|
1 | 1 | <!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. --> |
2 | 2 | <!-- SPDX-License-Identifier: Apache-2.0 --> |
3 | | -# Security Best Practices |
| 3 | +# NemoClaw Security Best Practices: Controls, Risks, and Posture Profiles |
4 | 4 |
|
5 | 5 | NemoClaw ships with deny-by-default security controls across four layers: network, filesystem, process, and inference. |
6 | 6 | You can tune every control, but each change shifts the risk profile. |
7 | 7 | This page documents every configurable knob, its default, what it protects, the concrete risk of relaxing it, and a recommendation for common use cases. |
8 | 8 |
|
9 | 9 | For background on how the layers fit together, refer to How It Works (use the `nemoclaw-user-overview` skill). |
10 | 10 |
|
11 | | -<!-- TODO: uncomment after the OpenShell docs are published |
12 | | -:::{seealso} |
13 | | -OpenShell enforces the platform-level mechanisms that NemoClaw configures, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication. |
14 | | -For the full platform-level controls reference, see [OpenShell Security Best Practices](https://docs.nvidia.com/openshell/latest/security/best-practices.html). |
15 | | -::: |
16 | | ---> |
17 | | - |
18 | 11 | ## Protection Layers at a Glance |
19 | 12 |
|
20 | 13 | NemoClaw enforces security at four layers. |
@@ -72,44 +65,17 @@ flowchart TB |
72 | 65 | style GW fill:#2a2a2a,stroke:#76b900,stroke-width:2px,color:#fff |
73 | 66 | ``` |
74 | 67 |
|
75 | | -:::{list-table} |
76 | | -:header-rows: 1 |
77 | | -:widths: 20 30 20 30 |
78 | | - |
79 | | -* - Layer |
80 | | - - What it protects |
81 | | - - Enforcement point |
82 | | - - Changeable at runtime |
83 | | - |
84 | | -* - Network |
85 | | - - Unauthorized outbound connections and data exfiltration. |
86 | | - - OpenShell gateway |
87 | | - - Yes. Use `openshell policy set` or operator approval. |
88 | | - |
89 | | -* - Filesystem |
90 | | - - System binary tampering, credential theft, config manipulation. |
91 | | - - Landlock LSM + container mounts |
92 | | - - Landlock layout: no. Requires sandbox re-creation. Config lockdown posture: yes, with host-side shields commands. |
93 | | - |
94 | | -* - Process |
95 | | - - Privilege escalation, fork bombs, syscall abuse. |
96 | | - - Container runtime (Docker/K8s `securityContext`) |
97 | | - - No. Requires sandbox re-creation. |
98 | | - |
99 | | -* - Inference |
100 | | - - Credential exposure, unauthorized model access, cost overruns. |
101 | | - - OpenShell gateway |
102 | | - - Yes. Use `nemoclaw inference set`. |
103 | | - |
104 | | -::: |
| 68 | +| Layer | What it protects | Enforcement point | Changeable at runtime | |
| 69 | +| --- | --- | --- | --- | |
| 70 | +| Network | Unauthorized outbound connections and data exfiltration. | OpenShell gateway | Yes. Use `openshell policy set` or operator approval. | |
| 71 | +| Filesystem | System binary tampering, credential theft, config manipulation. | Landlock LSM + container mounts | Landlock layout: no. Requires sandbox re-creation. Config lockdown posture: yes, with host-side shields commands. | |
| 72 | +| Process | Privilege escalation, fork bombs, syscall abuse. | Container runtime (Docker/K8s `securityContext`) | No. Requires sandbox re-creation. | |
| 73 | +| Inference | Credential exposure, unauthorized model access, cost overruns. | OpenShell gateway | Yes. Use `nemoclaw inference set`. | |
105 | 74 |
|
106 | 75 | ## Network Controls |
107 | 76 |
|
108 | 77 | NemoClaw controls which hosts, ports, and HTTP methods the sandbox can reach, and lets operators approve or deny requests in real time. |
109 | 78 |
|
110 | | -<!-- OpenShell provides additional network enforcement mechanisms not covered here, including network namespace isolation, SSRF protection, TLS auto-detection and termination, and audit-vs-enforce modes. |
111 | | -See the [Network Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#network-controls) section of the OpenShell Security Best Practices. --> |
112 | | - |
113 | 79 | ### Deny-by-Default Egress |
114 | 80 |
|
115 | 81 | The sandbox blocks all outbound connections unless you explicitly list the endpoint in the policy file `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`. |
@@ -194,9 +160,6 @@ NemoClaw ships preset policy files in `nemoclaw-blueprint/policies/presets/` for |
194 | 160 |
|
195 | 161 | NemoClaw restricts which paths the agent can read and write, protecting system binaries, configuration files, and gateway credentials. |
196 | 162 |
|
197 | | -<!-- OpenShell covers additional filesystem enforcement details, including `hard_requirement` compatibility mode for Landlock and policy path validation rules. |
198 | | -See the [Filesystem Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#filesystem-controls) section of the OpenShell Security Best Practices. --> |
199 | | - |
200 | 163 | ### Read-Only System Paths |
201 | 164 |
|
202 | 165 | The container mounts system directories read-only to prevent the agent from modifying binaries, libraries, or configuration files. |
@@ -256,9 +219,6 @@ Landlock is a Linux Security Module that enforces filesystem access rules at the |
256 | 219 |
|
257 | 220 | NemoClaw limits the capabilities, user privileges, and resource quotas available to processes inside the sandbox. |
258 | 221 |
|
259 | | -<!-- OpenShell enforces additional process-level controls not covered here, including seccomp BPF socket domain filters and a specific enforcement application order (namespace entry, privilege drop, Landlock, seccomp). |
260 | | -See the [Process Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#process-controls) section of the OpenShell Security Best Practices. --> |
261 | | - |
262 | 222 | ### Capability Drops |
263 | 223 |
|
264 | 224 | The entrypoint drops dangerous Linux capabilities from the bounding set at startup using `capsh`. |
@@ -549,4 +509,3 @@ The following patterns weaken security without providing meaningful benefit. |
549 | 509 | - Sandbox Hardening (use the `nemoclaw-user-deploy-remote` skill) for container-level security measures. |
550 | 510 | - Inference Options (use the `nemoclaw-user-configure-inference` skill) for provider configuration details. |
551 | 511 | - How It Works (use the `nemoclaw-user-overview` skill) for the protection layer architecture. |
552 | | -<!-- - OpenShell [Security Best Practices](https://docs.nvidia.com/openshell/latest/security/best-practices.html) for the platform-level controls reference, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication. --> |
0 commit comments