-
-
Notifications
You must be signed in to change notification settings - Fork 50
Security and Compliance
Comprehensive security documentation and compliance information for Cortex Linux.
- Security Model
- Kernel Hardening
- Data Privacy
- Compliance Frameworks
- Security Best Practices
- Security Advisories
- Vulnerability Reporting
- Audit and Logging
Cortex Linux implements a defense-in-depth security model with multiple layers of protection.
- AI Engine Isolation: Runs in dedicated process with limited privileges
-
Service User: Dedicated
cortex-aiuser (non-root) - Capability Dropping: Minimal required capabilities (CAP_NET_BIND_SERVICE)
- Namespace Isolation: Optional container/namespace isolation
# Verify service user
id cortex-ai
# uid=1001(cortex-ai) gid=1001(cortex-ai) groups=1001(cortex-ai)
# Check process capabilities
getcap /usr/bin/cortex-aiDirectory Permissions:
/usr/lib/cortex-ai/ # 755, root:cortex-ai
/etc/cortex-ai/ # 644, root:root
/var/log/cortex-ai/ # 640, cortex-ai:cortex-ai
/var/cache/cortex-ai/ # 750, cortex-ai:cortex-ai
/tmp/cortex-ai/ # 700, cortex-ai:cortex-ai (tmpfs)Configuration:
# Verify permissions
find /usr/lib/cortex-ai -type f -exec ls -l {} \;
find /etc/cortex-ai -type f -exec ls -l {} \;Default Configuration:
- HTTP API binds to
127.0.0.1(localhost only) - No external network access by default
- Optional API key authentication
- Rate limiting enabled
Production Configuration:
# /etc/cortex-ai/config.yaml
server:
host: 127.0.0.1 # Localhost only
port: 8080
security:
api_key_required: true
api_key: "your-secure-api-key-here"
allowed_ips: ["10.0.0.0/8"] # Restrict to internal network
rate_limiting:
enabled: true
requests_per_minute: 60
requests_per_hour: 1000- ASLR: Address Space Layout Randomization enabled
- Stack Protection: Stack canaries enabled
- NX Bit: Non-executable stack and heap
- RELRO: Read-only relocations
- PIE: Position Independent Executables
# Verify security features
checksec --file /usr/bin/cortex-ai# /etc/cortex-ai/config.yaml
security:
api_key_required: true
api_key: "changeme-in-production"
# Or use environment variable
# api_key_env: CORTEX_API_KEYUsage:
# With API key
curl -H "X-API-Key: your-api-key" \
http://localhost:8080/reason \
-d '{"query": "test"}'security:
allowed_ips:
- "127.0.0.1"
- "10.0.0.0/8"
- "192.168.1.0/24"Planned feature for multi-user environments with role-based permissions.
Cortex Linux includes SELinux policies for enhanced security.
# Check SELinux status
getenforce
# Enable SELinux (if disabled)
sudo setenforce 1
# Make permanent
sudo sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config# Check Cortex AI SELinux context
ls -Z /usr/bin/cortex-ai
# system_u:object_r:cortex_ai_exec_t:s0
# View policy
sesearch -A -s cortex_ai_t -t cortex_ai_exec_t# Create policy module
cat > cortex_ai.te << 'EOF'
module cortex_ai 1.0;
require {
type cortex_ai_t;
type cortex_ai_exec_t;
class file execute;
}
allow cortex_ai_t cortex_ai_exec_t:file execute;
EOF
# Compile and install
checkmodule -M -m -o cortex_ai.mod cortex_ai.te
semodule_package -o cortex_ai.pp -m cortex_ai.mod
sudo semodule -i cortex_ai.ppAlternative to SELinux, AppArmor profiles are also available.
# Check AppArmor status
sudo aa-status
# Load Cortex AI profile
sudo aa-enforce /etc/apparmor.d/usr.bin.cortex-ai# /etc/apparmor.d/usr.bin.cortex-ai
#include <tunables/global>
/usr/bin/cortex-ai {
#include <abstractions/base>
#include <abstractions/nameservice>
/usr/bin/cortex-ai r,
/usr/lib/cortex-ai/** r,
/etc/cortex-ai/** r,
/var/log/cortex-ai/** w,
/var/cache/cortex-ai/** rw,
# Deny network access (if not needed)
deny network,
# Deny file system access outside allowed paths
deny /root/** rw,
deny /home/** rw,
}# Check kernel security features
cat /proc/sys/kernel/randomize_va_space # Should be 2 (full ASLR)
# Verify kernel hardening
grep -E "CONFIG_(HARDENED_USERCOPY|STACKPROTECTOR|REFCOUNT_FULL)" /boot/config-*Enabled Features:
-
CONFIG_HARDENED_USERCOPY=y: Hardened usercopy -
CONFIG_STACKPROTECTOR_STRONG=y: Strong stack protection -
CONFIG_REFCOUNT_FULL=y: Full reference count validation -
CONFIG_SLAB_FREELIST_HARDENED=y: Hardened slab freelist -
CONFIG_SLAB_FREELIST_RANDOM=y: Randomized slab freelist
# Verify kernel modules are signed
modinfo cortex_scheduler | grep signatureCore Principle: All AI processing happens on-device. No data leaves the system.
User Query → Local Processing → Response
(No external transmission)
Privacy Guarantees:
- ✅ No network transmission of queries
- ✅ No data storage by third parties
- ✅ No telemetry (configurable)
- ✅ Complete data sovereignty
# /etc/cortex-ai/config.yaml
telemetry:
enabled: false # Disabled by default
endpoint: "" # No external endpointlogging:
# Local logging only
file: /var/log/cortex-ai/cortex-ai.log
max_size_mb: 100
backup_count: 5
# Log rotation
rotate_on_size: true
# Sensitive data handling
redact_sensitive: true
redaction_patterns:
- "api_key"
- "password"
- "token"# /etc/cortex-ai/config.yaml
data_retention:
# Query logs
query_logs_days: 30
# Cache
cache_ttl_seconds: 3600
# Temporary files
temp_file_cleanup_hours: 24Model files and configuration can be encrypted:
# Encrypt model files
sudo cryptsetup luksFormat /usr/lib/cortex-ai/models/sapiens-0.27b.encrypted
sudo cryptsetup luksOpen /usr/lib/cortex-ai/models/sapiens-0.27b.encrypted cortex_model
sudo mount /dev/mapper/cortex_model /mnt/cortex_modelHTTP API supports TLS:
# /etc/cortex-ai/config.yaml
server:
tls:
enabled: true
cert_file: /etc/ssl/certs/cortex-ai.crt
key_file: /etc/ssl/private/cortex-ai.keyGeneral Data Protection Regulation (EU)
✅ Lawfulness: Processing is necessary for system operation ✅ Purpose Limitation: Data used only for AI inference ✅ Data Minimization: Only necessary data processed ✅ Accuracy: AI responses are generated, not stored ✅ Storage Limitation: No long-term storage of queries ✅ Integrity and Confidentiality: On-device processing, encryption available
- Right to Access: Logs can be reviewed (if enabled)
- Right to Erasure: No persistent storage of personal data
- Right to Data Portability: Export functionality available
- Right to Object: Processing can be disabled
# GDPR-compliant configuration
gdpr:
data_minimization: true
storage_limitation_days: 0 # No persistent storage
encryption_at_rest: true
access_logging: false # Disable if not neededHealth Insurance Portability and Accountability Act (US)
✅ Administrative Safeguards: Access controls, audit logs ✅ Physical Safeguards: On-premises deployment ✅ Technical Safeguards: Encryption, access controls
# HIPAA-compliant configuration
hipaa:
encryption:
at_rest: true
in_transit: true
access_controls:
authentication_required: true
audit_logging: true
audit:
enabled: true
retention_days: 365
log_access: trueSystem and Organization Controls 2
✅ Security: Access controls, encryption, monitoring ✅ Availability: High availability, monitoring ✅ Processing Integrity: Accurate processing, error handling ✅ Confidentiality: Data encryption, access controls ✅ Privacy: Data handling, retention policies
# SOC 2 controls
soc2:
security:
access_controls: true
encryption: true
monitoring: true
availability:
monitoring: true
alerting: true
processing_integrity:
error_handling: true
validation: true
confidentiality:
encryption: true
access_logging: true
privacy:
data_retention: true
access_controls: truePayment Card Industry Data Security Standard
✅ Network Security: Firewall, network segmentation ✅ Data Protection: Encryption of cardholder data ✅ Access Control: Unique IDs, access restrictions ✅ Monitoring: Logging and monitoring ✅ Vulnerability Management: Regular updates
Note: Cortex Linux itself doesn't process payment data, but can be deployed in PCI-compliant environments.
Federal Risk and Authorization Management Program (US)
✅ Security Controls: NIST 800-53 controls ✅ Continuous Monitoring: Security monitoring ✅ Incident Response: Security incident handling ✅ Audit Logging: Comprehensive audit logs
# FedRAMP controls
fedramp:
nist_800_53:
ac: true # Access Control
au: true # Audit and Accountability
ca: true # Security Assessment
cm: true # Configuration Management
cp: true # Contingency Planning
ia: true # Identification and Authentication
ir: true # Incident Response
ma: true # Maintenance
mp: true # Media Protection
pe: true # Physical and Environmental Protection
pl: true # Planning
ps: true # Personnel Security
ra: true # Risk Assessment
sa: true # System and Services Acquisition
sc: true # System and Communications Protection
si: true # System and Information Integrity-
Verify ISO Integrity
# Download checksums wget https://releases.cortexlinux.org/SHA256SUMS # Verify ISO sha256sum -c SHA256SUMS cortex-linux-1.0.0.iso
-
Secure Boot (if supported)
# Verify secure boot mokutil --sb-state -
Minimal Installation
- Install only required packages
- Remove unnecessary services
- Disable unused network ports
-
Change Default Passwords
# Change root password sudo passwd root # Change user passwords sudo passwd username
-
Secure API Keys
# Generate secure API key openssl rand -hex 32 # Set in configuration sudo nano /etc/cortex-ai/config.yaml
-
Firewall Configuration
# Configure UFW sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 22/tcp # SSH sudo ufw allow 8080/tcp from 10.0.0.0/8 # Cortex API (internal only) sudo ufw enable
-
Regular Updates
# Update system sudo apt update sudo apt upgrade -y # Update Cortex AI sudo apt install --only-upgrade cortex-ai
-
Monitor Logs
# Monitor Cortex AI logs sudo tail -f /var/log/cortex-ai/cortex-ai.log # Monitor system logs sudo journalctl -u cortex-ai -f
-
Security Scanning
# Install security tools sudo apt install rkhunter chkrootkit # Run scans sudo rkhunter --check sudo chkrootkit
-
Restrict Network Access
# /etc/cortex-ai/config.yaml server: host: 127.0.0.1 # Localhost only
-
Use TLS/SSL
server: tls: enabled: true cert_file: /etc/ssl/certs/cortex-ai.crt key_file: /etc/ssl/private/cortex-ai.key
-
VPN/Network Segmentation
- Deploy behind VPN
- Use network segmentation
- Restrict access to internal networks
Security advisories are published for critical vulnerabilities:
CORTEX-SA-2024-001: Remote Code Execution in HTTP API
- Severity: Critical
- CVSS Score: 9.8
- Affected Versions: < 1.0.1
- Fixed In: 1.0.1
- CVE: CVE-2024-XXXXX
None at this time.
All known vulnerabilities have been addressed in the current release.
- GitHub Security Advisories: github.com/cortexlinux/cortex/security/advisories
- Mailing List: security@cortexlinux.org
- RSS Feed: releases.cortexlinux.org/security-advisories.xml
We encourage responsible disclosure of security vulnerabilities.
- Email: security@cortexlinux.org
- Encryption: Use GPG key (see below)
- Response Time: We aim to respond within 48 hours
- Resolution: Critical issues addressed within 7 days
# Import GPG key
gpg --recv-keys 0xSECURITY_KEY_ID
# Encrypt report
gpg --encrypt --recipient security@cortexlinux.org report.txt- Description of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Your contact information
We offer recognition (no monetary rewards at this time) for responsible disclosure:
- Credit in security advisories
- Contributor recognition
- Early access to fixes
# Install auditd
sudo apt install auditd
# Configure audit rules
sudo nano /etc/audit/rules.d/cortex-ai.rulesAudit Rules:
# Monitor Cortex AI binary execution
-w /usr/bin/cortex-ai -p x -k cortex_ai_exec
# Monitor configuration changes
-w /etc/cortex-ai/ -p wa -k cortex_ai_config
# Monitor log access
-w /var/log/cortex-ai/ -p rwa -k cortex_ai_logs
# /etc/cortex-ai/config.yaml
audit:
enabled: true
log_file: /var/log/cortex-ai/audit.log
events:
- authentication
- authorization
- configuration_changes
- errors# View audit logs
sudo ausearch -k cortex_ai_exec
# Analyze Cortex AI logs
sudo grep "ERROR" /var/log/cortex-ai/cortex-ai.log
# Monitor in real-time
sudo tail -f /var/log/cortex-ai/audit.log# /etc/cortex-ai/config.yaml
logging:
retention:
days: 90
max_size_mb: 1000
compression: true- Verify ISO checksums
- Enable SELinux or AppArmor
- Configure firewall
- Change default passwords
- Generate secure API keys
- Configure TLS/SSL
- Enable audit logging
- Review security configuration
- Regular security updates
- Monitor security logs
- Review access logs
- Run security scans
- Test backup/restore
- Review compliance requirements
- Document security procedures
- Weekly security updates
- Monthly security reviews
- Quarterly penetration testing
- Annual security audit
- Monitor security advisories
- Installation: Installation Guide
- Configuration: AI Integration Guide
- Technical Details: Technical Specifications
Last updated: 2024