Hardening improvements

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>

Author: atomicturtle

README.md

@@ -63,16 +63,31 @@ Edit `/etc/chelon/chelon.conf`:
 
 ```bash
 # Server binding
-ORACLE_HOST=127.0.0.1
-ORACLE_PORT=5050
+CHELON_HOST=127.0.0.1
+CHELON_PORT=5050
 
 # GPG home directory
 GNUPGHOME=/var/lib/chelon/.gnupg
 
+# Logging
 # Logging
 LOG_LEVEL=INFO
+
+# Transport Security (HTTPS/mTLS)
+# Paths to your certificate files:
+CHELON_SSL_CERT=/etc/chelon/certs/server.crt
+CHELON_SSL_KEY=/etc/chelon/certs/server.key
+CHELON_SSL_CA=/etc/chelon/certs/ca.crt
+
+# Enforce Client Certificate Authentication (mTLS)
+CHELON_SSL_VERIFY_CLIENT=true
 ```
 
+> [!IMPORTANT]
+> Ensure `/etc/chelon/chelon.conf` is readable ONLY by the `chelon` user (`chmod 600`).
+> The service contains sensitive passphrases and will refuse to start if permissions are insecure.
+
+
 Restart after changes:
 ```bash
 sudo systemctl restart chelon
@@ -145,8 +160,43 @@ sudo journalctl -u chelon -n 100
 - Tokens hashed with SHA-256
 - Rate limiting prevents abuse
 - All operations logged to audit trail
+- Rate limiting prevents abuse
+- All operations logged to audit trail
+
+## Transport Security (HTTPS/mTLS)
+
+To enable HTTPS and Mutual TLS (mTLS):
+
+1.  **Generate Certificates**: Creating a CA, Server, and Client certificate.
+    ```bash
+    # Create directory for certs
+    sudo mkdir -p /etc/chelon/certs
+    
+    # Generate CA
+    openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=Chelon CA"
+    
+    # Server Cert
+    openssl req -newkey rsa:2048 -keyout server.key -out server.csr -nodes -subj "/CN=chelon-server"
+    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
+    
+    # Client Cert
+    openssl req -newkey rsa:2048 -keyout client.key -out client.csr -nodes -subj "/CN=build-runner"
+    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -out client.crt -days 365
+    
+    # Install
+    sudo mv *.crt *.key /etc/chelon/certs/
+    sudo chown -R chelon:chelon /etc/chelon/certs
+    sudo chmod 600 /etc/chelon/certs/*.key
+    ```
+
+2.  **Configure Chelon**: Update `/etc/chelon/chelon.conf` with the paths (see Configuration section).
+
+3.  **Client Usage**:
+    ```bash
+    curl --cert client.crt --key client.key --cacert ca.crt \
+         https://chelon-server:5050/api/v1/health
+    ```
 
-## File Locations
 
 | Path | Purpose |
 |------|---------|

chelon.spec

@@ -25,6 +25,9 @@ Requires(pre):  shadow-utils
 # Prevent auto-generated requires for user/group (we create them in %pre)
 %global __requires_exclude ^(user|group)\\(chelon\\)$
 
+Provides:       user(chelon)
+Provides:       group(chelon)
+
 %description
 Chelon is a secure remote signing service for RPM packages and repository
 metadata. Build servers send package hashes to Chelon via HTTPS API and
@@ -81,11 +84,12 @@ chown -R chelon:chelon %{_localstatedir}/lib/%{name} 2>/dev/null || true
 
 %files
 %doc README.md
-%{_datadir}/%{name}/
+%attr(0755, root, root) %{_datadir}/%{name}/
 %{_bindir}/chelon-admin
 %{_unitdir}/chelon.service
-%config(noreplace) %{_sysconfdir}/%{name}/chelon.conf
-%dir %{_localstatedir}/lib/%{name}
+%config(noreplace) %attr(0600, chelon, chelon) %{_sysconfdir}/%{name}/chelon.conf
+%dir %attr(0750, chelon, chelon) %{_localstatedir}/lib/%{name}
+%dir %attr(0750, root, chelon) %{_sysconfdir}/%{name}/
 
 %changelog
 * Tue Jan 06 2026 Atomicorp <support@atomicorp.com> - 1.0.0-1

server/chelon-service.py

@@ -19,6 +19,14 @@
 
 app = Flask(__name__)
 
+# Setup logging (stdout only - journald will capture it)
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
+    handlers=[logging.StreamHandler(sys.stdout)]
+)
+logger = logging.getLogger(__name__)
+
 # Configuration
 CONFIG_FILE = os.environ.get('CHELON_CONFIG', '/etc/chelon/chelon.conf')
 DATA_DIR = '/var/lib/chelon'
@@ -28,6 +36,19 @@ def load_config(path):
     config = {}
     if not os.path.exists(path):
         return config
+    
+    # Security check using stat
+    try:
+        st = os.stat(path)
+        # Check for world access (read/write/execute)
+        if st.st_mode & 0o007:
+            logger.critical(f"Config file {path} is world-accessible ({oct(st.st_mode & 0o777)}).")
+            logger.critical("Please secure it: chmod 600 or 640 " + path)
+            sys.exit(1)
+    except OSError as e:
+        logger.error(f"Error checking config permissions: {e}")
+        sys.exit(1)
+
     try:
         with open(path, 'r') as f:
             for line in f:
@@ -38,28 +59,18 @@ def load_config(path):
                     k, v = line.split('=', 1)
                     config[k.strip()] = v.strip()
     except Exception as e:
-        print(f"Error loading config: {e}")
+        logger.error(f"Error loading config: {e}")
     return config
 
 # Initialize components
 config = load_config(CONFIG_FILE)
 # Log config status
-lp = config.get('LEGACY_PASSPHRASE')
-mp = config.get('MODERN_PASSPHRASE')
-print(f"DEBUG: Config loaded. Legacy PP len: {len(lp) if lp else 0}, Modern PP len: {len(mp) if mp else 0}")
+logger.info("Configuration loaded successfully")
 
 signing_engine = SigningEngine()
 token_auth = TokenAuth(config_file=CONFIG_FILE)
 audit_logger = AuditLogger()
 
-# Setup logging (stdout only - journald will capture it)
-logging.basicConfig(
-    level=logging.INFO,
-    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
-    handlers=[logging.StreamHandler(sys.stdout)]
-)
-logger = logging.getLogger(__name__)
-
 
 def _handle_signing(operation):
     """Common signing logic for both RPMs and repodata"""
@@ -88,6 +99,11 @@ def _handle_signing(operation):
         return jsonify({'error': 'Invalid JSON'}), 400
 
     raw_data_b64 = data.get('data') 
+    
+    # DoS Protection: Limit payload size
+    if raw_data_b64 and len(raw_data_b64) > 10 * 1024 * 1024:  # 10MB limit
+        return jsonify({'error': 'Payload too large (limit 10MB)'}), 413
+
     package_hash = data.get('package_hash')
     repodata_hash = data.get('repodata_hash')
     key_type = data.get('key_type', 'legacy')

systemd/chelon.service

@@ -17,9 +17,27 @@ RestartSec=10
 # Security hardening
 NoNewPrivileges=true
 PrivateTmp=true
+PrivateDevices=yes
 ProtectSystem=strict
 ProtectHome=true
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
 ReadWritePaths=/var/lib/chelon
 
+# Network isolation
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Capability restriction
+CapabilityBoundingSet=
+AmbientCapabilities=
+RestrictSUIDSGID=yes
+
+# Application sandboxing
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallFilter=@system-service
+
 [Install]
 WantedBy=multi-user.target

tools/chelon-admin

@@ -4,6 +4,7 @@ Oracle Admin CLI Tool
 Manage tokens and view audit logs
 """
 
+import os
 import sys
 import argparse
 import json