Recommendations on a Secure Parsec Deployment

The following recommendations should be applied in order for Parsec to satisfy some of the operational mitigations. They were written for a Linux system and should be adapted when porting to other operating systems. The Domain Socket Listener and the On-Disk Key Info Manager are assumed to be in use.

Each recommendation references the operational mitigation it supports as O-n.

  • The service must be running as the parsec user (O-0).
  • Key mappings must be located at /var/lib/parsec/mappings and must only be read/write by the parsec user (O-3).
  • The logs must be redirected to a file only readable by the parsec user (O-5).
  • The configuration file must be located at /etc/parsec/config.toml and must only be read/write by the parsec user (O-6).
  • The socket folder must be located at /run/parsec/ (O-2) and must only be writable by the parsec user (O-9).
  • In a deployment using Direct authentication with mutually trusted clients, the socket folder must be group owned by the parsec-clients group which has only read and execute permission on it (O-10). Everyone else must have no permission on the folder. The parsec-clients group is composed of mutually trusted clients only. This group must be continuously maintained to contain the mutually trusted clients.
  • In a deployment using Unix Peer Credentials authentication, everyone else can have read and execute permission on the socket folder.
  • In a deployment using Unix Peer Credentials authentication, when a Unix account is deleted, all of its Parsec keys must also be deleted (O-11). This can be done using a Parsec Client library or the parsec-tool. Warning: delete keys with caution and only when it is certain that they will never be needed again, as deleted keys cannot be used afterwards.
  • In a deployment using JWT-SVID authentication, the Workload API Endpoint location must exist before the Parsec service is started and must originate from a genuine SPIFFE implementation. It must remain available for as long as the Parsec service is running with this location configured.
  • The Parsec configuration must not be reloaded with a different authenticator if Parsec is currently storing keys (O-12). To use a different authenticator, the mappings folder should point to a new, unused location. Alternatively, all keys should be deleted first.
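The ownership and permission requirements above are easy to get subtly wrong, so an audit that checks the resulting file tree is useful both after installation and as a periodic check. The script below is an added example for this page and is not part of the Parsec project or its unit files. It assumes the exact modes 700 (mappings folder), 600 (config file), 750 (socket folder with Direct authentication) and 755 (socket folder with Unix Peer Credentials), which are one way of satisfying the "only the parsec user" wording; it also assumes the parsec user's primary group is named `parsec`. The `PARSEC_ROOT` prefix is a hypothetical knob so the same checks can be run against a staging tree rather than the live `/`.

```shell
#!/bin/sh
# Audit a Parsec deployment against the file-permission recommendations.
# Added example; not code from the Parsec project. All defaults below are
# assumptions that satisfy the recommendations, not values taken from Parsec.

PARSEC_USER="${PARSEC_USER:-parsec}"
PARSEC_GROUP="${PARSEC_GROUP:-parsec}"            # assumed primary group of the parsec user
CLIENTS_GROUP="${CLIENTS_GROUP:-parsec-clients}"  # mutually trusted clients (Direct auth, O-10)
PARSEC_ROOT="${PARSEC_ROOT:-}"                    # hypothetical prefix, e.g. a staging tree for testing

# Print "<octal mode> <owner> <group>" for a path (GNU stat, with a BSD fallback).
file_meta() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# check_entry PATH MODE OWNER GROUP
# Returns 0 when the path exists with exactly that mode/owner/group,
# otherwise prints a one-line diagnostic and returns 1.
check_entry() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    set -- $(file_meta "$path")
    have_mode=$1; have_owner=$2; have_group=$3
    if [ "$have_mode" != "$want_mode" ] || [ "$have_owner" != "$want_owner" ] \
       || [ "$have_group" != "$want_group" ]; then
        echo "MISMATCH $path: have $have_mode $have_owner:$have_group," \
             "want $want_mode $want_owner:$want_group"
        return 1
    fi
    echo "OK       $path ($have_mode $have_owner:$have_group)"
}

# audit_parsec [direct|peer]
# Checks the mappings folder (O-3), the configuration file (O-6) and the
# socket folder (O-2, O-9, O-10). Returns 0 only if every check passes.
audit_parsec() {
    auth=${1:-peer}
    fails=0
    check_entry "$PARSEC_ROOT/var/lib/parsec/mappings" 700 "$PARSEC_USER" "$PARSEC_GROUP" \
        || fails=$((fails + 1))
    check_entry "$PARSEC_ROOT/etc/parsec/config.toml" 600 "$PARSEC_USER" "$PARSEC_GROUP" \
        || fails=$((fails + 1))
    if [ "$auth" = direct ]; then
        # Direct authentication: group parsec-clients gets r-x, everyone else nothing.
        check_entry "$PARSEC_ROOT/run/parsec" 750 "$PARSEC_USER" "$CLIENTS_GROUP" \
            || fails=$((fails + 1))
    else
        # Unix Peer Credentials: others may read and execute, only parsec may write.
        check_entry "$PARSEC_ROOT/run/parsec" 755 "$PARSEC_USER" "$PARSEC_GROUP" \
            || fails=$((fails + 1))
    fi
    if [ "$fails" -ne 0 ]; then
        echo "$fails check(s) failed"
        return 1
    fi
    echo "all checks passed"
}

# Usage: audit_parsec direct   (or: audit_parsec peer)
```

Run it as root on the live system (`audit_parsec direct` or `audit_parsec peer`, matching the configured authenticator); a non-zero exit means at least one path is missing or more permissive than the recommendations allow. The log file (O-5) is not checked because its location depends on how the service is started.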

Using systemd

Installing Parsec using systemd with the provided unit files, and following the guide, ensures that the recommendations above are respected.

Copyright 2020 Contributors to the Parsec project.