cba2ff47f3
## New Security Documentation Structure
/security/
├── README.md # Security overview & contacts
├── forensics-checklist.md # Incident investigation guide
├── persistence-scan.sh # Quick persistence detector
├── runtime-detector.sh # Mining/suspicious process detector
└── hardening/
├── docker.md # Docker security baseline
├── kubernetes.md # K8s policies (future reference)
└── cloud.md # Hetzner-specific hardening
## Key Components
### Forensics Checklist
- Process analysis commands
- Persistence mechanism detection
- Network connection analysis
- File system inspection
- Authentication audit
- Decision matrix for threat response
### Scripts
- persistence-scan.sh: Cron, systemd, executables, SSH keys
- runtime-detector.sh: Mining process detection with --kill option
### Hardening Guides
- Docker: Secure compose template, Dockerfile best practices
- Kubernetes: NetworkPolicy, PodSecurityStandard, Falco rules
- Cloud: Egress firewall, SSH hardening, fail2ban, monitoring
## Post-Incident Documentation
Based on lessons learned from Incidents #1 and #2 (Jan 2026)
Co-authored-by: Cursor Agent <agent@cursor.sh>
🔐 Security — DAARION Infrastructure
Версія: 1.0.0
Останнє оновлення: 2026-01-09
Статус: Production Active
📋 Зміст
| Документ | Призначення |
|---|---|
| forensics-checklist.md | Чекліст розслідування інцидентів |
| persistence-scan.sh | Скрипт виявлення persistence |
| runtime-detector.sh | Детектор підозрілих процесів |
| hardening/docker.md | Docker security baseline |
| hardening/kubernetes.md | Kubernetes security policies |
| hardening/cloud.md | Cloud security (Hetzner) |
🎯 Принципи безпеки DAARION
1. Defense in Depth
[Network] → [Container] → [Process] → [Data]
↓ ↓ ↓ ↓
Firewall read-only runtime encrypt
egress cap_drop detection at rest
2. Zero Trust
- Кожен сервіс має мінімальні привілеї
- Мережевий доступ deny-by-default
- Аутентифікація для всіх internal API
3. Detect → Respond → Prevent
[Incident] → [Forensics] → [Root Cause] → [Hardening] → [Monitoring]
🚨 Incident Response Flow
При виявленні підозрілої активності:
# 1. Detect
./security/persistence-scan.sh
./security/runtime-detector.sh
# 2. Contain
docker stop <container>
iptables -I OUTPUT -d 0.0.0.0/0 -j DROP # emergency
# 3. Investigate
./security/forensics-checklist.md # follow checklist
# 4. Remediate
# Based on findings
# 5. Document
# Update INFRASTRUCTURE.md with incident details
📊 Security Metrics
| Metric | Target | Current |
|---|---|---|
Containers with read_only |
100% | 🔄 In progress |
Services with cap_drop: ALL |
100% | 🔄 In progress |
| Egress firewall rules | Active | ✅ Active |
| Runtime detection | Active | 🔄 Planned |
| Vulnerability scan frequency | Weekly | 🔄 Planned |
📞 Security Contacts
- Security Lead: admin@daarion.city
- Hetzner Abuse: abuse@hetzner.com
- Emergency: Submit statement via Hetzner Robot
📚 Related Documents
- INFRASTRUCTURE.md — Infrastructure overview + Incident history
- SECURITY-REBUILD-REPORT.md — daarion-web incident analysis
- TASK_REBUILD_DAARION_WEB.md — Rebuild task details