Recommendations on a Secure Parsec Deployment
The following recommendations must be applied for Parsec to respect some of the operational mitigations. They were written for a Linux system and should be adapted for other operating systems. The Domain Socket Listener and the On-Disk Key Info manager are assumed to be in use. The linked operational mitigations are noted as O-n.
- The service must be running as the `parsec` user (O-0).
- Key mappings must be located at `/var/lib/parsec/mappings` and must only be read/write by the `parsec` user (O-3).
- The logs must be redirected to a file only readable by the `parsec` user (O-5).
- The configuration file must be located at `/etc/parsec/config.toml` and must only be read/write by the `parsec` user (O-6).
- The socket folder must be located at `/run/parsec/` (O-2) and must only be writable by the `parsec` user (O-9).
- In a deployment using Direct authentication with mutually trusted clients, the socket folder must be group owned by the `parsec-clients` group, which has only read and execute permission on it (O-10). Everyone else must have no permission on the folder. The `parsec-clients` group is composed of mutually trusted clients only. This group must be continuously maintained to contain the mutually trusted clients.
- In a deployment using Unix Peer Credentials authentication, everyone else can have read and execute permission on the socket folder.
- In a deployment using Unix Peer Credentials authentication, when a Unix account is deleted, all of its Parsec keys must also be deleted (O-11). This can be done using a Parsec Client library or the `parsec-tool`. Warning: delete keys with caution and with the knowledge that they will never be needed again, as after this you will not be able to use them ever again.
- In a deployment using JWT-SVID authentication, the Workload API Endpoint location must exist before the Parsec service is started and must originate from a genuine SPIFFE implementation. It must exist as long as the Parsec service is running using this location.
- The Parsec configuration must not be reloaded with a different authenticator if Parsec is currently storing keys (O-12). To use a different authenticator, the `mappings` folder should point to a new, unused location. Alternatively, all keys should be deleted.
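The ownership and permission requirements above can be checked on a running host with a small audit script. The following is an added example, not part of the Parsec project: `check_perms` compares one path against an expected owner, group and permission string, and `audit_parsec` applies the paths and modes listed above for the Direct and Unix Peer Credentials authenticators. The `parsec` group ownership of `/run/parsec/` in Unix Peer Credentials mode and the execute bit on directories (needed to traverse them) are assumptions, as the list only states who may read and write.

```shell
# check_perms PATH OWNER GROUP MODE
#   MODE is the 9-character rwx string shown by `ls -l`, e.g. rwx------ .
#   Returns 0 when owner, group and mode all match, 1 otherwise (with a
#   message on stderr). Uses `ls -ld` rather than `stat` for portability.
check_perms() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING: $path" >&2
        return 1
    fi
    # Field layout: "drwx------ 2 parsec parsec 4096 Jan  1 00:00 /run/parsec"
    set -- $(ls -ld "$path")
    have_mode=$(printf '%s' "$1" | cut -c2-10)   # drop type char and any ACL/SELinux marker
    have_owner=$3
    have_group=$4
    status=0
    [ "$have_owner" = "$want_owner" ] || { echo "$path: owner is $have_owner, want $want_owner" >&2; status=1; }
    [ "$have_group" = "$want_group" ] || { echo "$path: group is $have_group, want $want_group" >&2; status=1; }
    [ "$have_mode" = "$want_mode" ]   || { echo "$path: mode is $have_mode, want $want_mode" >&2; status=1; }
    return $status
}

# audit_parsec AUTHENTICATOR
#   AUTHENTICATOR is "direct" or "unix-peer-credentials". Checks O-2, O-3,
#   O-6, O-9 and O-10 from the recommendations. Assumption: in Unix Peer
#   Credentials mode the socket folder is group owned by "parsec"; the
#   recommendations only require that nobody but parsec can write to it.
#   Directories are expected to carry the x bit so they can be traversed.
audit_parsec() {
    rc=0
    check_perms /var/lib/parsec/mappings parsec parsec rwx------ || rc=1   # O-3
    check_perms /etc/parsec/config.toml  parsec parsec rw------- || rc=1   # O-6
    case $1 in
        direct)                 # O-2, O-9, O-10: group parsec-clients r-x, others nothing
            check_perms /run/parsec parsec parsec-clients rwxr-x--- || rc=1 ;;
        unix-peer-credentials)  # O-2, O-9: others may read and execute
            check_perms /run/parsec parsec parsec rwxr-xr-x || rc=1 ;;
        *)
            echo "unknown authenticator: $1 (use direct or unix-peer-credentials)" >&2
            return 2 ;;
    esac
    return $rc
}
# Usage after sourcing this file:  audit_parsec direct && echo "deployment OK"
```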
Using systemd
Installing Parsec with systemd using the unit files provided, and following the guide, ensures that the recommendations above are respected.
Copyright 2020 Contributors to the Parsec project.