- Application Security
  - No default credentials
  - 2FA required for privileged users (TOTP, WebAuthn)
  - Group and role-based access control
  - Logging of security and change events, with syslog support (RFC 5424)
  - IP ACLs, and blocking/throttling of failed auth requests
  - mTLS support for device-to-server connections
- Platform Security
  - AppArmor and systemd sandboxing
  - Application dependencies based on Ubuntu LTS, leveraging the distribution's security updates
  - Service does not establish outbound network connections
- Supply Chain Security
  - Signed releases and VCS commits
  - Ephemeral and automated build environment
  - Signed application updates distributed via private APT repository