Edmon is a monitoring solution for tracking system resources and services. As a monitoring tool that collects and displays system information, Edmon requires proper security configuration to prevent unauthorized access and information disclosure. This guide covers security measures for production Edmon deployments.
Edmon architecture includes these security-sensitive components:
Key security concerns include web interface protection, API access control, system information disclosure, and data protection.
Configure firewall rules for Edmon:
```bash
# Edmon web interface (adjust port as needed)
ufw allow from 10.0.0.0/8 to any port 8080 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp

# Block external access
ufw deny from any to any port 8080 proto tcp
```
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: edmon-network-policy
spec:
  podSelector:
    matchLabels:
      app: edmon
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 8080
```
Configure Edmon binding:
```ini
# /etc/edmon/config.ini
[server]
host = 127.0.0.1
port = 8080

# Or for specific interface
# host = 10.0.1.100
# port = 8080
```
Configure reverse proxy:
```nginx
# /etc/nginx/sites-available/edmon
server {
    listen 80;
    server_name edmon.company.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name edmon.company.com;

    ssl_certificate /etc/nginx/certs/edmon.crt;
    ssl_certificate_key /etc/nginx/certs/edmon.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Configure authentication via reverse proxy:
Nginx with Basic Auth:
```nginx
location / {
    auth_basic "Edmon Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```
Manage users:
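```bash
# Create admin user (-c creates the file and overwrites an existing one)
htpasswd -c /etc/nginx/.htpasswd admin

# Add additional users (no -c, so existing entries are kept)
htpasswd /etc/nginx/.htpasswd username
```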
Configure user roles (if supported):
Role Permissions:
- admin: Full access including configuration
- operator: Can view metrics and acknowledge alerts
- viewer: Read-only access to dashboards
Secure API access:
```bash
# If Edmon supports API keys
# Generate API token
edmon api token create --name "Monitoring Integration"

# Use token for API access
curl -H "Authorization: Bearer ${API_TOKEN}" \
     http://localhost:8080/api/v1/metrics
```
Configure session security:
```ini
# /etc/edmon/config.ini
[security]
session_timeout = 3600
session_secure = true
session_httponly = true
```
Configure HTTPS via reverse proxy:
```nginx
# /etc/nginx/sites-available/edmon
server {
    listen 443 ssl http2;
    server_name edmon.company.com;

    ssl_certificate /etc/nginx/certs/edmon.crt;
    ssl_certificate_key /etc/nginx/certs/edmon.key;
    ssl_trusted_certificate /etc/nginx/certs/ca-bundle.crt;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        auth_basic "Edmon Access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
Generate and manage certificates:
```bash
# Generate self-signed certificate
openssl req -new -x509 -days 365 -nodes \
    -out /etc/nginx/certs/edmon.crt \
    -keyout /etc/nginx/certs/edmon.key \
    -subj "/CN=edmon.company.com/O=Company"

# Or use Let's Encrypt
certbot --nginx -d edmon.company.com
```
Configure web application security:
```ini
# /etc/edmon/config.ini
[security]
# CSRF protection
csrf_enabled = true

# Content Security Policy
csp_enabled = true

# Rate limiting
rate_limit = 100
```
Secure API endpoints:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| GET /api/v1/metrics | Low | Authenticated |
| GET /api/v1/status | Low | Authenticated |
| POST /api/v1/config | High | Admin only |
| PUT /api/v1/settings | High | Admin only |
| DELETE /api/v1/data | Critical | Admin only |
Implement API rate limiting:
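```nginx
# Nginx rate limiting for Edmon API
# limit_req_zone must be declared in the http context
limit_req_zone $binary_remote_addr zone=edmon_api:10m rate=30r/s;

# The location block goes inside the Edmon server block
location /api/ {
    limit_req zone=edmon_api burst=50 nodelay;
    proxy_pass http://localhost:8080;
}
```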
Limit exposed system information:
```ini
# /etc/edmon/config.ini
[collectors]
# Disable sensitive collectors
# system_users = false
# process_details = false

# Limit metric detail
metric_detail = summary
```
Secure Edmon database:
```sql
-- If using PostgreSQL
CREATE USER edmon WITH PASSWORD '${DB_PASSWORD}';
CREATE DATABASE edmon OWNER edmon;
GRANT ALL PRIVILEGES ON DATABASE edmon TO edmon;

-- Set or rotate the password. This statement does not require SSL;
-- SSL is enforced with hostssl entries in pg_hba.conf.
ALTER USER edmon WITH PASSWORD '${DB_PASSWORD}';
```
Enable data encryption:
```ini
# /etc/edmon/config.ini
[storage]
# Enable encryption
encryption_enabled = true
encryption_key = ${ENCRYPTION_KEY}

# Or use encrypted filesystem
# data_path = /encrypted/edmon/data
```
Secure sensitive configuration:
```ini
# /etc/edmon/config.ini
[database]
# Use environment variable
password = ${DB_PASSWORD}

# Or use external secrets file
# include = /etc/edmon/secrets.ini
```
Protect secrets file:
```bash
# Set restrictive permissions
chown root:edmon /etc/edmon/secrets.ini
chmod 640 /etc/edmon/secrets.ini
```
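The settings from the binding, session, CSRF and secrets sections above can be checked in one pass before a deployment goes live. This is an added example, not part of Edmon or of the original guide; it assumes Edmon reads the key names exactly as this guide shows them, and the sample file is constructed.

```bash
#!/bin/bash
# Added example (not Edmon code): flag weak values in an Edmon-style
# config.ini. Key names are the ones shown in this guide (assumption).

# audit_edmon_config FILE -> one sorted finding per line, nothing if clean
audit_edmon_config() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            # settings this guide sets to true
            must["security.session_secure"]; must["security.session_httponly"]
            must["security.csrf_enabled"]
            # settings that should reference ${VAR} instead of a literal
            secret["database.password"]; secret["storage.encryption_key"]
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[ \t]*\[/ { s = trim($0); sec = substr(s, 2, length(s) - 2); next }
        index($0, "=") {
            eq  = index($0, "=")
            id  = sec "." trim(substr($0, 1, eq - 1))
            val = trim(substr($0, eq + 1))
            seen[id] = 1
            if (id == "server.host" && val == "0.0.0.0")
                print "WEAK " id ": listening on all interfaces"
            if ((id in must) && val != "true")
                print "WEAK " id ": expected true, found " val
            if ((id in secret) && substr(val, 1, 2) != "${")
                print "WEAK " id ": literal secret in config file"
        }
        END { for (k in must) if (!(k in seen)) print "MISSING " k }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample: a weak configuration (values invented for the example)
write_weak_sample() {
    cat > "$1" <<'EOF'
[server]
host = 0.0.0.0
[security]
session_secure = false
csrf_enabled = true
[database]
password = example-password
[storage]
encryption_key = ${ENCRYPTION_KEY}
EOF
}

cfg=$(mktemp); write_weak_sample "$cfg"
audit_edmon_config "$cfg"; rm -f "$cfg"
```

A configuration that matches the values recommended in this guide produces no output, so the function can gate a deployment step on empty output.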
Secure Edmon logs:
```bash
# Set restrictive permissions
chown edmon:adm /var/log/edmon
chmod 750 /var/log/edmon

# Configure log rotation
cat > /etc/logrotate.d/edmon << EOF
/var/log/edmon/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 edmon adm
}
EOF
```
Enable logging:
```ini
# /etc/edmon/config.ini
[logging]
level = INFO
file = /var/log/edmon/edmon.log

# Audit logging
audit_enabled = true
audit_file = /var/log/edmon/audit.log
```
Configure reverse proxy access logging:
```nginx
# /etc/nginx/sites-available/edmon
access_log /var/log/nginx/edmon_access.log combined;
error_log /var/log/nginx/edmon_error.log warn;
```
Monitor Edmon for security events:
```bash
#!/bin/bash
# /usr/local/bin/check-edmon-security.sh

# Check for failed authentication
# grep -c already prints 0 when nothing matches, so fall back to 0 only
# when the log file is missing and grep prints nothing.
FAILED_AUTH=$(grep -c "authentication failed" /var/log/edmon/edmon.log 2>/dev/null)
FAILED_AUTH=${FAILED_AUTH:-0}
if [ "$FAILED_AUTH" -gt 10 ]; then
    echo "CRITICAL: Multiple authentication failures"
    exit 2
fi

# Check for configuration changes
CONFIG_CHANGES=$(grep -c "configuration changed" /var/log/edmon/audit.log 2>/dev/null)
CONFIG_CHANGES=${CONFIG_CHANGES:-0}
if [ "$CONFIG_CHANGES" -gt 20 ]; then
    echo "WARNING: High number of configuration changes"
    exit 1
fi
```
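The check above counts failures across the whole Edmon log. Repeated password guessing against the Basic Auth prompt shows up more clearly per client in the nginx access log configured earlier. This is an added example, not part of Edmon or of the original guide; the threshold and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not Edmon code): list clients with repeated HTTP 401
# responses in the nginx "combined" access log of the Edmon vhost.

# auth_failures_by_client LOGFILE [THRESHOLD]
# Prints "<count> <client>" for each client with >= THRESHOLD 401s (default 5).
auth_failures_by_client() {
    # Split on double quotes so the request line stays one field:
    #   field 1 = addr - user [time], field 2 = request, field 3 = status bytes
    # A URL or byte count that happens to contain 401 is then never counted.
    awk -F'"' -v t="${2:-5}" '
        {
            split($1, head, " ")    # head[1] = client address
            split($3, tail, " ")    # tail[1] = status code
            if (tail[1] == "401") n[head[1]]++
        }
        END { for (c in n) if (n[c] >= t) print n[c], c }
    ' "$1" | sort -rn
}

# Constructed sample lines; addresses, users and times are invented.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - alice [10/Jan/2025:09:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Jan/2025:09:00:05 +0000] "GET /dashboard/401 HTTP/1.1" 200 401 "-" "Mozilla/5.0"
10.0.0.5 - alcie [10/Jan/2025:09:01:10 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
10.0.3.44 - admin [10/Jan/2025:09:02:00 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
10.0.3.44 - admin [10/Jan/2025:09:02:01 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
10.0.3.44 - admin [10/Jan/2025:09:02:02 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
10.0.3.44 - admin [10/Jan/2025:09:02:03 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
EOF
}

log=$(mktemp)
write_sample_log "$log"
auth_failures_by_client "$log" 3
rm -f "$log"
```

On a live system, pass `/var/log/nginx/edmon_access.log` as the first argument.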
Forward logs to SIEM:
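```
# /etc/rsyslog.d/edmon.conf
# Keep a local copy of Edmon messages
:programname, isequal, "edmon" /var/log/edmon/syslog.log
# Forward to the SIEM (a single @ sends over UDP; @@ sends over TCP)
:programname, isequal, "edmon" @siem.company.com:514
```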