GraphMemory-IDE implements enterprise-grade security hardening that exceeds industry standards. This document provides comprehensive security information, implementation details, and best practices.
- Security Architecture
- Container Security
- mTLS Implementation
- Authentication & Authorization
- Network Security
- Security Monitoring
- Security Testing
- Deployment Security
- Security Best Practices
- Compliance & Standards
- Incident Response
GraphMemory-IDE implements a multi-layered security approach:
┌─────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────┤
│ Application Layer │
│ ├─ JWT Authentication (Port 8080) │
│ ├─ mTLS Authentication (Port 50051) │
│ └─ API Rate Limiting & Validation │
├─────────────────────────────────────────────────────────────┤
│ Container Security Layer │
│ ├─ Read-Only Root Filesystems │
│ ├─ Non-Root User Execution (UID 1000/1001) │
│ ├─ Capability Dropping (CAP_DROP: ALL) │
│ ├─ Seccomp Security Profiles │
│ └─ Resource Limits & Constraints │
├─────────────────────────────────────────────────────────────┤
│ Network Security Layer │
│ ├─ Isolated Bridge Network (memory-net) │
│ ├─ Port Exposure Control │
│ └─ TLS Encryption (mTLS) │
├─────────────────────────────────────────────────────────────┤
│ Infrastructure Security Layer │
│ ├─ Named Volume Isolation │
│ ├─ Secure tmpfs Mounts │
│ └─ Host System Isolation │
└─────────────────────────────────────────────────────────────┘
All containers run with read-only root filesystems to prevent runtime modifications:
# docker-compose.yml
services:
mcp-server:
read_only: true
tmpfs:
- /tmp:noexec,nosuid,size=100m
volumes:
- mcp-logs:/var/log/mcp # Writable logs
- mcp-tmp:/tmp/mcp # Writable tempBenefits:
- Prevents malware persistence
- Blocks runtime file modifications
- Reduces attack surface
- Ensures container immutability
Containers run as non-privileged users:
# Dockerfile
RUN groupadd -r -g 1000 mcpuser && useradd -r -u 1000 -g mcpuser mcpuser
USER mcpuserConfiguration:
- MCP Server: UID 1000 (mcpuser)
- Kestra: UID 1001 (non-root)
- No root privileges in containers
- Eliminates privilege escalation risks
All dangerous capabilities are dropped:
# docker-compose.yml
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE # Only for MCP serverDropped Capabilities:
CAP_SYS_ADMIN: System administrationCAP_SYS_PTRACE: Process tracingCAP_SYS_MODULE: Kernel module loadingCAP_DAC_OVERRIDE: File permission override- And 30+ other dangerous capabilities
Custom seccomp profiles restrict system calls:
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": ["read", "write", "open", "close", ...],
"action": "SCMP_ACT_ALLOW"
}
]
}Allowed System Calls (54 categories):
- File operations:
read,write,open,close - Network operations:
socket,bind,listen,accept - Memory operations:
mmap,munmap,brk - Process operations:
fork,exec,wait
Blocked System Calls:
ptrace: Process debuggingmount/umount: Filesystem mountingreboot: System rebootkexec_load: Kernel loading
Containers have strict resource constraints:
# docker-compose.yml
deploy:
resources:
limits:
memory: 1G # MCP Server
cpus: '0.5'
reservations:
memory: 512M
cpus: '0.25'Resource Limits:
- MCP Server: 1GB RAM, 0.5 CPU cores
- Kestra: 2GB RAM, 1.0 CPU cores
- Prevents: Resource exhaustion attacks
- Monitoring: Real-time resource tracking
Complete Public Key Infrastructure for mutual authentication:
Certificate Authority (CA)
├── Server Certificate (mcp-server)
│ ├── Subject: CN=mcp-server
│ ├── SAN: DNS:mcp-server, DNS:localhost, IP:127.0.0.1
│ └── Extended Key Usage: serverAuth
└── Client Certificate (mcp-client)
├── Subject: CN=mcp-client
└── Extended Key Usage: clientAuth
Automated certificate generation with proper security:
# Generate CA private key (4096-bit RSA)
openssl genrsa -out ca-key.pem 4096
# Generate CA certificate (365 days)
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca-cert.pem
# Generate server certificate with SAN
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
-out server-cert.pem -extfile server-extfile.cnfServer-side mTLS configuration:
# server/mtls_config.py
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=server_cert, keyfile=server_key)
context.load_verify_locations(ca_cert)
context.verify_mode = ssl.CERT_REQUIRED
context.minimum_version = ssl.TLSVersion.TLSv1_2Security Features:
- Mutual Authentication: Both client and server verify certificates
- TLS 1.2+ Only: Modern TLS versions
- Secure Ciphers: ECDHE+AESGCM, ECDHE+CHACHA20
- Certificate Validation: Automated chain validation
- Perfect Forward Secrecy: ECDHE key exchange
File Permissions:
# Private keys: 400 (read-only for owner)
chmod 400 ca-key.pem server-key.pem client-key.pem
# Certificates: 444 (read-only for all)
chmod 444 ca-cert.pem server-cert.pem client-cert.pemCertificate Validation:
# Verify certificate chain
openssl verify -CAfile ca-cert.pem server-cert.pem
openssl verify -CAfile ca-cert.pem client-cert.pem
# Check certificate expiration
openssl x509 -in server-cert.pem -text -noout | grep "Not After"Secure token-based authentication:
# Token generation
token = jwt.encode({
"sub": username,
"exp": datetime.utcnow() + timedelta(minutes=30),
"iat": datetime.utcnow()
}, secret_key, algorithm="HS256")Security Features:
- HS256 Algorithm: HMAC with SHA-256
- Token Expiration: 30-minute default lifetime
- Secure Secret: Generated with
openssl rand -hex 32 - Stateless: No server-side session storage
- OAuth2 Compatible: Standard password flow
Development Mode:
export JWT_ENABLED=false # Disable authenticationProduction Mode:
export JWT_ENABLED=true
export JWT_SECRET_KEY=$(openssl rand -hex 32)
export JWT_ACCESS_TOKEN_EXPIRE_MINUTES=30Default test users with bcrypt password hashing:
users_db = {
"testuser": {
"username": "testuser",
"hashed_password": bcrypt.hashpw(b"testpassword", bcrypt.gensalt()),
},
"admin": {
"username": "admin",
"hashed_password": bcrypt.hashpw(b"adminpassword", bcrypt.gensalt()),
}
}Containers run in isolated bridge network:
# docker-compose.yml
networks:
memory-net:
driver: bridge
driver_opts:
com.docker.network.bridge.name: memory-bridge
ipam:
config:
- subnet: 172.20.0.0/16Network Security:
- Isolated Subnet: 172.20.0.0/16
- Bridge Network: Container-to-container communication
- Port Control: Only required ports exposed
- No Host Network: Containers isolated from host
Minimal port exposure:
# docker-compose.yml
ports:
- "8080:8080" # HTTP API
- "50051:50051" # mTLS API (optional)
- "8081:8080" # Kestra UIPort Security:
- HTTP API (8080): JWT authentication
- mTLS API (50051): Mutual TLS authentication
- Kestra UI (8081): Internal workflow management
- No SSH: No remote shell access
Comprehensive security monitoring script:
# monitoring/resource-monitor.sh
./monitoring/resource-monitor.sh
# Continuous monitoring
watch -n 30 ./monitoring/resource-monitor.shMonitoring Features:
- Resource Usage: Memory, CPU, network I/O
- Security Status: User privileges, filesystem permissions
- Capability Verification: Dropped capabilities, security options
- Network Health: HTTP and mTLS endpoint connectivity
- Alert System: Automated security violation alerts
- Log Analysis: Security event logging
Container Security Metrics:
- User ID verification (non-root)
- Filesystem read-only status
- Capability verification
- Resource usage thresholds
- Security option validation
Network Security Metrics:
- Endpoint accessibility
- Certificate validity
- TLS connection health
- Authentication success rates
Automated alerting for security violations:
# High memory usage alert
if (( $(echo "$MEM_PERC > $ALERT_MEMORY_THRESHOLD" | bc -l) )); then
log_message "ALERT: High memory usage detected: $line"
fi
# Security violation alert
if [ "$USER_ID" = "0" ]; then
log_message "SECURITY: Container $container running as root"
fiSecurity test coverage:
# Run security tests
pytest tests/test_security.py -v
# Run with coverage
pytest tests/test_security.py --cov=server --cov-report=htmlTest Categories:
-
Container Security Tests:
- Non-root user execution
- Read-only filesystem validation
- Capability verification
- Resource limit enforcement
- Security option validation
-
mTLS Implementation Tests:
- Certificate file existence
- Certificate permissions
- Certificate chain validation
- mTLS connection testing
- Client certificate requirement
-
Network Security Tests:
- HTTP endpoint accessibility
- Network isolation validation
- Port exposure verification
- Docker socket security
-
Authentication Tests:
- JWT token generation
- Token validation
- Authentication bypass testing
- Invalid token rejection
Container Security Validation:
- ✅ Non-root user execution (UID 1000/1001)
- ✅ Read-only root filesystems
- ✅ Writable volume functionality
- ✅ Capability dropping verification
- ✅ Security option validation
- ✅ Resource limit enforcement
mTLS Implementation Validation:
- ✅ Certificate generation and validation
- ✅ Proper file permissions (400/444)
- ✅ Certificate chain verification
- ✅ mTLS connection establishment
- ✅ Client certificate requirement
Network Security Validation:
- ✅ HTTP endpoint accessibility
- ✅ Network isolation verification
- ✅ No Docker socket exposure
- ✅ Port security validation
Automated secure deployment with validation:
# Full secure deployment
./scripts/deploy-secure.sh
# Deployment with mTLS
MTLS_ENABLED=true ./scripts/deploy-secure.sh
# Security validation only
./scripts/deploy-secure.sh validateDeployment Security Features:
- Environment Validation: Docker, OpenSSL, dependencies
- Certificate Management: Automated PKI setup
- Security Configuration: Hardened container deployment
- Health Checks: Service and security validation
- Automated Testing: Security test execution
- Deployment Summary: Complete security status
Pre-deployment Checklist:
- Generate secure JWT secret:
openssl rand -hex 32 - Enable mTLS:
MTLS_ENABLED=true - Configure resource limits
- Set up monitoring and alerting
- Validate security tests pass
- Review certificate expiration dates
- Configure backup and recovery
Production Environment Variables:
export JWT_SECRET_KEY=$(openssl rand -hex 32)
export JWT_ENABLED=true
export MTLS_ENABLED=true
export KUZU_READ_ONLY=false
export MTLS_PORT=50051
export JWT_ACCESS_TOKEN_EXPIRE_MINUTES=30Development Environment:
# Disable authentication for development
export JWT_ENABLED=false
export MTLS_ENABLED=false
# Use development override
cat > docker/docker-compose.override.yml << EOF
services:
mcp-server:
environment:
- JWT_ENABLED=false
EOFProduction Hardening:
- Use secure deployment script:
./scripts/deploy-secure.sh - Enable mTLS: Set
MTLS_ENABLED=true - Generate secure JWT secret: Use
openssl rand -hex 32 - Monitor resources: Run
./monitoring/resource-monitor.sh - Run security tests: Execute
pytest tests/test_security.py - Validate certificates: Check expiration dates regularly
- Review logs: Monitor for security events and alerts
- Update regularly: Keep containers and dependencies updated
Certificate Lifecycle:
- Generation: Use
./scripts/setup-mtls.sh - Validation: Verify certificate chain
- Deployment: Secure file permissions
- Monitoring: Check expiration dates
- Renewal: Regenerate before expiration
- Revocation: Remove compromised certificates
Certificate Security:
- Use 4096-bit RSA keys
- Set appropriate validity periods (365 days)
- Implement proper file permissions
- Store certificates securely
- Monitor for expiration
- Implement certificate rotation
OWASP Container Security:
- ✅ Use minimal base images
- ✅ Run as non-root user
- ✅ Use read-only filesystems
- ✅ Drop unnecessary capabilities
- ✅ Implement resource limits
- ✅ Use security profiles (seccomp)
- ✅ Scan for vulnerabilities
- ✅ Implement proper logging
CIS Docker Benchmark:
- ✅ 2.1: Run containers as non-root user
- ✅ 2.2: Set container resource limits
- ✅ 2.3: Use read-only root filesystems
- ✅ 2.4: Drop unnecessary capabilities
- ✅ 2.5: Use security profiles
- ✅ 2.6: Implement proper logging
- ✅ 2.7: Use trusted base images
NIST Cybersecurity Framework:
- ✅ Identify: Asset inventory and risk assessment
- ✅ Protect: Access controls and security hardening
- ✅ Detect: Security monitoring and alerting
- ✅ Respond: Incident response procedures
- ✅ Recover: Backup and recovery capabilities
Zero Trust Principles:
- Never Trust, Always Verify: mTLS mutual authentication
- Least Privilege Access: Minimal capabilities and permissions
- Assume Breach: Defense in depth with multiple security layers
- Verify Explicitly: Certificate-based authentication
- Continuous Monitoring: Real-time security monitoring
Container Security Incidents:
- Root privilege escalation
- Filesystem modification attempts
- Resource exhaustion attacks
- Capability abuse
Network Security Incidents:
- Unauthorized access attempts
- Certificate validation failures
- TLS connection anomalies
- Authentication bypass attempts
Immediate Response:
- Isolate: Stop affected containers
- Assess: Determine scope and impact
- Contain: Prevent further damage
- Investigate: Analyze logs and evidence
- Remediate: Fix vulnerabilities
- Recover: Restore normal operations
Investigation Tools:
# Container forensics
docker logs docker-mcp-server-1
docker inspect docker-mcp-server-1
# Security monitoring
./monitoring/resource-monitor.sh
tail -f /tmp/resource-monitor.log
# Network analysis
docker network inspect docker_memory-net
netstat -tulpn | grep -E "(8080|50051)"Container Recovery:
# Stop compromised containers
docker compose down
# Rebuild with latest security
./scripts/deploy-secure.sh
# Validate security configuration
pytest tests/test_security.py -vCertificate Recovery:
# Regenerate certificates
rm -rf certs/
./scripts/setup-mtls.sh
# Redeploy with new certificates
MTLS_ENABLED=true ./scripts/deploy-secure.shFor security issues and vulnerabilities:
- Do not create public GitHub issues for security vulnerabilities
- Email: [email protected] (if available)
- Encrypted Communication: Use PGP for sensitive information
- Response Time: Security issues will be addressed within 24 hours
- ✅ Container security hardening implementation
- ✅ mTLS authentication with PKI infrastructure
- ✅ Security monitoring and alerting system
- ✅ Comprehensive security test suite
- ✅ Automated secure deployment scripts
- ✅ Security documentation and best practices
- 🔄 Vulnerability scanning integration
- 🔄 Security audit logging
- 🔄 Advanced threat detection
- 🔄 Security metrics dashboard
- 🔄 Automated security updates
Last Updated: January 2025
Security Review: Completed
Next Review: Quarterly security assessment scheduled