Skip to content

P1.4 — Move the HMAC audit signing key out-of-band from the tool runner #4

Description

@gesh75

The recent fix stopped the key leaking into child tools, but the orchestrator process still holds the signing key while it spawns offensive tools.

Short term: enforce SECURITY.md's own guidance in code — refuse to start if the audit key path is owned by the same uid as the runner or has loose perms (fail-to-start, don't bypass).

Longer term: a small out-of-band signer the orchestrator sends entries to but never holds the key for.

Best practice: "the agent never touches the signing keys" — ROE Gate (reference-monitor pattern, Anderson 1972); "the key sits outside the log volume so an attacker who can write the log can't read or rotate it" — bernstein audit-log ops doc.

Tracked from aegis/docs/NEXT_STEPS.md (P1.4).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions