Security Notes¶
Threat Model¶
This is a developer laptop lab. It is NOT designed for production use.
In scope: Preventing accidental LAN exposure, protecting credentials from git commits, providing TLS for all BOSH/CredHub/Concourse communication.
Out of scope: Multi-tenant isolation, hardened OS images, intrusion detection, audit logging beyond bootstrap logs.
Credential Management¶
Where credentials live¶
| Credential | Location | Generated By |
|---|---|---|
| Director admin password | state/vars-store.yml (path: /admin_password) |
bosh create-env |
| CredHub admin secret | state/vars-store.yml (path: /credhub_admin_client_secret) |
bosh create-env |
| Director CA cert | state/vars-store.yml (path: /director_ssl/ca) |
bosh create-env |
| CredHub TLS cert | state/vars-store.yml (path: /credhub_tls/ca) |
bosh create-env |
| Concourse admin password | state/creds/concourse-vars.yml (path: /admin_password) |
bosh deploy |
| SSH key (mgmt VM) | state/creds/mgmt_ssh |
bootstrap.sh |
Protection¶
./state/is gitignored. It must NEVER be committed.vars-store.ymlcontains ALL secrets for the director. Treat it as a root credential.- The SSH key grants passwordless sudo on the management VM.
- There are no default passwords. Everything is generated at first bootstrap.
Network Exposure¶
Default (local-only)¶
- All services bind to the
10.245.0.0/24NAT network. - The NAT network is not routable from the LAN.
- VNC for the mgmt VM binds to
127.0.0.1(host loopback only). - Concourse UI is only accessible via SSH tunnel.
If you expose to LAN¶
If you change the network to bridge mode or add port forwards:
- All services use self-signed certificates. Browsers will warn.
flyneeds--insecure. - BOSH Director API is unauthenticated for health checks on port 25555. Don't expose this.
- CredHub has no rate limiting. An attacker with network access could brute-force the admin client secret.
- Concourse workers run arbitrary code defined in pipelines. Compromised pipeline = compromised worker VM.
Recommendation: Don't expose to LAN. Use SSH tunnels.
TLS¶
All inter-component communication uses TLS with certificates generated by bosh create-env:
- Director ↔ CLI: TLS with CA from vars-store
- Director ↔ CredHub: TLS with mutual auth
- Director ↔ UAA: TLS
- Concourse Web: Self-signed TLS (generated per deployment)
Certificate rotation: Destroy and re-bootstrap (make reset && make up && make bootstrap). There is no in-place rotation for the MVP.
Supply Chain¶
| Component | Source | Verification |
|---|---|---|
| Ubuntu cloud image | cloud-images.ubuntu.com | SHA256 (manual, not automated in MVP) |
| BOSH CLI | GitHub releases (cloudfoundry/bosh-cli) | GitHub-signed release |
| CredHub CLI | GitHub releases (cloudfoundry/credhub-cli) | GitHub-signed release |
| bosh-deployment | GitHub (cloudfoundry/bosh-deployment) | Pinned commit hash |
| libvirt CPI | GitHub releases (a2geek/libvirt-bosh-cpi) | Pinned version tag |
| Concourse release | bosh.io | Pinned version |
| Stemcells | bosh.io | Pinned version |
Known gap: SHA verification of downloaded binaries is not automated in the MVP. The bootstrap scripts download over HTTPS but do not verify checksums.
What NOT to do¶
- Do NOT commit
./state/to git. - Do NOT expose the libvirt network to the LAN without understanding the implications.
- Do NOT use this lab's certificates for anything other than this lab.
- Do NOT store production secrets in this CredHub instance.
- Do NOT run untrusted Concourse pipelines — workers execute arbitrary code.