Security Hardening

  • Dedicated service identity
  • Protected config and secret files
  • TLS or trusted proxy boundary
  • Database users scoped to Oriel databases

Use a dedicated service user:

```sh
sudo useradd --system --no-create-home --shell /usr/sbin/nologin oriel
```

Protect config:

```sh
sudo install -m 0640 -o root -g oriel oriel.example.toml /etc/oriel/oriel.toml
```

Prefer environment variables or external secret management for:

  • ORIEL_METADATA_DSN
  • ORIEL_CLICKHOUSE_DSN
  • ORIEL_AUTH_COOKIE_SECRET
  • ORIEL_AUTH_OIDC_<SLUG>_CLIENT_SECRET

Use TLS or bind plaintext listeners to loopback behind a proxy. Avoid server.insecure = true outside local or tightly controlled networks.
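As an added example (not Oriel's own code), a small audit that checks a config file against the two points above: secrets that should come from the environment variables listed rather than the file, and a plaintext listener that is not confined to loopback. It assumes an ORIEL_<SECTION>_<KEY> mapping onto TOML keys and a server.listen key; only auth.cookie_secret and server.insecure are named on this page.

```python
import re
# Assumed ORIEL_<SECTION>_<KEY> -> TOML key mapping: the page names only
# auth.cookie_secret and server.insecure; the other key names are guesses.
SECRET_KEYS = {"ORIEL_METADATA_DSN": "metadata.dsn",
               "ORIEL_CLICKHOUSE_DSN": "clickhouse.dsn",
               "ORIEL_AUTH_COOKIE_SECRET": "auth.cookie_secret"}
OIDC_SECRET = re.compile(r"^auth\.oidc\.([^.]+)\.client_secret$")
LOOPBACK = ("127.", "localhost", "[::1]", "::1")

def parse_toml_subset(text):
    """Flatten [table] headers and key = value lines into {"table.key": value}."""
    table, out = "", {}  # handles quoted strings and booleans, enough for the sample
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            table = line[1:-1].strip() + "."
        elif line and not line.startswith("#"):
            key, _, val = (p.strip() for p in line.partition("="))
            out[table + key] = (val.strip('"') if val.startswith('"')
                                else {"true": True, "false": False}.get(val, val))
    return out

def audit_config(toml_text, env):
    """Report secrets kept in the file instead of the environment, and a
    plaintext (server.insecure = true) listener that is not loopback-only."""
    cfg, findings = parse_toml_subset(toml_text), []
    for var, key in SECRET_KEYS.items():
        if key in cfg:
            findings.append(f"{key} is in the config file; move it to {var}")
        elif var not in env:
            findings.append(f"{var} is not set in the environment")
    for key in cfg:
        if m := OIDC_SECRET.match(key):
            findings.append(f"{key} is in the config file; move it to "
                            f"ORIEL_AUTH_OIDC_{m.group(1).upper()}_CLIENT_SECRET")
    listen = str(cfg.get("server.listen", ""))  # assumed key name
    if cfg.get("server.insecure") is True and not listen.startswith(LOOPBACK):
        findings.append(f"server.insecure = true on non-loopback listener {listen!r}")
    return findings

# Constructed sample: two secrets left in the file, a plaintext listener on all
# interfaces, and only ORIEL_CLICKHOUSE_DSN supplied through the environment.
SAMPLE = """\
[server]
listen = "0.0.0.0:6743"
insecure = true
[auth]
cookie_secret = "changeme"
[auth.oidc.corp]
client_secret = "oidc-secret"
"""
SAMPLE_ENV = {"ORIEL_CLICKHOUSE_DSN": "clickhouse://localhost:9000/oriel"}
```

Running audit_config(SAMPLE, SAMPLE_ENV) yields four findings: the metadata DSN missing from the environment, the cookie secret and the OIDC client secret kept in the file, and the plaintext listener on 0.0.0.0.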

Use the shipped systemd units as the hardening baseline. They set:

  • NoNewPrivileges=true
  • ProtectSystem=strict
  • ProtectHome=true
  • PrivateTmp=true
  • Empty capability sets
  • ReadWritePaths=/var/lib/oriel

Check the result:

```sh
oriel --config /etc/oriel/oriel.toml doctor
systemctl cat oriel.service
curl -fsS http://localhost:6743/readyz
```

Review audit logs after role, token, workspace, and member changes.

  • Revoke leaked API or ingest tokens immediately.
  • Rotate auth.cookie_secret only with awareness that in-flight OIDC login transactions may be affected.
  • If a hardening option blocks a needed file path, add a narrow allowlist rather than broadening filesystem access.