Dashboard GitHub

Security Best Practices

Comprehensive security guidelines for LogFlux deployment and usage

Security Best Practices

LogFlux is built with security as a fundamental principle. This guide provides comprehensive best practices for secure deployment, configuration, and usage of LogFlux components.

Authentication Security

Personal Access Token (PAT) Management

Token Generation

  • Use Strong Tokens: Always generate tokens through the LogFlux dashboard
  • Descriptive Names: Use clear, descriptive names for token identification
  • Appropriate Permissions: Grant minimal necessary permissions (principle of least privilege)
  • Copy Immediately: Tokens are shown only once - copy and store securely immediately

Token Storage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# ✅ SECURE: Use environment variables
export LOGFLUX_PAT="lf_pat_your_token_here"

# ✅ SECURE: Use credential managers
# macOS Keychain
security add-generic-password -a "$USER" -s "LogFlux PAT" -w "lf_pat_your_token_here"

# Linux Secret Service
secret-tool store --label="LogFlux PAT" service logflux username "$USER"

# ❌ INSECURE: Never hardcode in files
api_key: lf_pat_your_token_here  # DON'T DO THIS

Token Rotation

  • Regular Rotation: Rotate tokens every 90 days minimum
  • Immediate Rotation: Rotate immediately if compromise suspected
  • Multiple Tokens: Use separate tokens for different environments
  • Audit Trail: Monitor token usage through dashboard logs

Private Key Security

Key Generation

1
2
3
4
5
6
7
8

# Generate secure 4096-bit RSA keys
openssl genrsa -out ~/.logflux/private_key.pem 4096

# Generate public key
openssl rsa -in ~/.logflux/private_key.pem -pubout -out ~/.logflux/public_key.pem

# Set restrictive permissions
chmod 600 ~/.logflux/private_key.pem  # Owner read/write only

Key Storage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# ✅ SECURE: Proper file permissions
-rw------- 1 user user 3247 private_key.pem
-rw-r--r-- 1 user user  800 public_key.pem

# ✅ SECURE: Secure directory structure
~/.logflux/
├── private_key.pem (600)
├── public_key.pem (644)
└── config/ (700)

# ❌ INSECURE: World-readable private keys
-rw-r--r-- 1 user user 3247 private_key.pem  # DON'T DO THIS

Key Protection

  • Hardware Security: Use hardware security modules (HSMs) for production
  • Key Encryption: Encrypt private keys with passphrases where supported
  • Backup Security: Store key backups in secure, encrypted locations
  • Access Control: Limit who has access to private keys

Network Security

Connection Security

HTTPS/TLS Requirements

  • TLS 1.2+: Minimum TLS version for all connections
  • Certificate Validation: Always validate server certificates
  • Strong Ciphers: Use strong cipher suites only
  • Certificate Pinning: Consider certificate pinning for high-security environments

Proxy Configuration

1
2
3
4
5
6

# Corporate proxy with authentication
export HTTPS_PROXY="https://user:pass@proxy.company.com:8080"
export NO_PROXY="localhost,127.0.0.1,.local"

# SOCKS proxy
export HTTPS_PROXY="socks5://proxy.company.com:1080"

Firewall Configuration

Outbound Rules

1
2
3
4
5
6
7
8
9

# Required outbound connections
# LogFlux API endpoints
*.logflux.io:443/tcp

# DNS resolution
53/udp

# NTP (recommended)
123/udp

Network Segmentation

  • DMZ Deployment: Deploy agents in DMZ where appropriate
  • Internal Networks: Use private networks for sensitive log sources
  • VPN Access: Use VPN for remote administration
  • Network Isolation: Isolate log collection networks from production

Configuration Security

Environment Variables

1
2
3
4
5
6
7
8
9

# ✅ SECURE: Use .env files with proper permissions
echo "LOGFLUX_PAT=lf_pat_your_token_here" > .env
chmod 600 .env

# ✅ SECURE: System environment
export LOGFLUX_PAT="lf_pat_your_token_here"

# ❌ INSECURE: Shell history exposure
echo $LOGFLUX_PAT  # Avoid in scripts

Configuration Files

1
2
3
4
5
6
7

# Secure configuration file permissions
chmod 600 ~/.logflux-inspector.yaml
chmod 600 /etc/logflux-agent/agent.yaml

# Secure directory permissions
chmod 700 ~/.logflux/
chmod 700 /etc/logflux-agent/

Secret Management

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# ✅ SECURE: Reference external secrets
api_key: ${LOGFLUX_PAT}
private_key_file: ${LOGFLUX_PRIVATE_KEY_FILE}

# ✅ SECURE: Use secret management systems
# HashiCorp Vault
api_key: vault:secret/logflux#api_key

# Kubernetes Secrets
api_key: /var/secrets/logflux/api_key

# ❌ INSECURE: Hardcoded secrets
api_key: lf_pat_abcd1234...  # DON'T DO THIS

Data Security

Log Content Security

Sensitive Data Handling

  • Data Classification: Classify log data by sensitivity level
  • PII Scrubbing: Remove or mask personally identifiable information
  • Credential Filtering: Never log passwords, tokens, or keys
  • Regex Filters: Use regex patterns to filter sensitive content
1
2
3
4
5
6
7
8

# Example: Sensitive data filtering
filters:
  - type: regex
    pattern: "password[=:]\\s*\\S+"
    replacement: "password=***REDACTED***"
  - type: regex
    pattern: "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
    replacement: "****-****-****-****"

Data Minimization

  • Log Level Control: Use appropriate log levels for different environments
  • Retention Policies: Set appropriate retention periods for different data types
  • Selective Logging: Only log necessary information
  • Field Selection: Limit exported fields to required data only

Encryption in Transit

  • End-to-End Encryption: All data encrypted from client to LogFlux platform
  • Perfect Forward Secrecy: Use cipher suites supporting PFS
  • Certificate Validation: Always validate server certificates
  • No Plaintext: No plaintext log data transmitted over network

Encryption at Rest

  • Client-Side Encryption: All logs encrypted before transmission
  • Key Management: Secure private key storage and rotation
  • Zero-Knowledge: LogFlux cannot decrypt your logs without your private key
  • Local Encryption: Temporary files encrypted on disk

Operational Security

Access Control

Principle of Least Privilege

  • Minimal Permissions: Grant only necessary permissions to users and systems
  • Role-Based Access: Use role-based access control (RBAC) where available
  • Separation of Duties: Separate administrative and operational roles
  • Regular Reviews: Periodically review and audit access permissions

User Management

  • Strong Authentication: Use multi-factor authentication (MFA) where possible
  • Regular Audits: Audit user access and activity regularly
  • Offboarding: Immediately revoke access for departing users
  • Shared Accounts: Avoid shared accounts; use individual user accounts

Monitoring and Auditing

Security Monitoring

1
2
3
4
5
6
7
8

# Monitor authentication events
logflux-inspector search --level error --contains "authentication"

# Monitor access patterns
logflux-inspector search --contains "login" --since "24h"

# Monitor configuration changes
logflux-inspector search --contains "config" --level notice

Audit Logging

  • Authentication Events: Log all authentication attempts and outcomes
  • Configuration Changes: Log all configuration modifications
  • Access Patterns: Monitor unusual access patterns or behaviors
  • Error Tracking: Monitor and investigate security-related errors

Incident Response

Preparation

  • Security Contacts: Maintain updated security contact information
  • Response Plan: Develop and test incident response procedures
  • Communication Plan: Establish secure communication channels
  • Evidence Preservation: Plan for log preservation during incidents

Response Actions

  1. Immediate Actions:

    • Rotate compromised tokens and keys immediately
    • Review access logs for suspicious activity
    • Isolate affected systems if necessary
    • Notify relevant stakeholders

  2. Investigation:

    • Preserve audit logs and evidence
    • Analyze access patterns and timelines
    • Identify scope and impact of incident
    • Document findings and lessons learned

Environment-Specific Security

Development Environment

1
2
3
4
5
6
7
8

# Use separate tokens for development
export LOGFLUX_PAT="lf_pat_dev_token_here"

# Use mock endpoints for testing
export LOGFLUX_MOCK_MODE=true

# Limit log levels in development
export LOGFLUX_LOG_LEVEL=debug

Staging Environment

1
2
3
4
5
6
7
8

# Use staging-specific tokens
export LOGFLUX_PAT="lf_pat_staging_token_here"

# Enable additional monitoring
export LOGFLUX_VERBOSE=true

# Use staging-specific private keys
export LOGFLUX_PRIVATE_KEY_FILE="/etc/logflux/staging-private-key.pem"

Production Environment

1
2
3
4
5
6
7
8

# Use production tokens with minimal permissions
export LOGFLUX_PAT="lf_pat_prod_token_here"

# Enable security hardening
export LOGFLUX_SECURITY_HARDENED=true

# Use production-specific configurations
export LOGFLUX_CONFIG="/etc/logflux/production.yaml"

Container and Cloud Security

Docker Security

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Use non-root user
RUN groupadd -r logflux && useradd -r -g logflux logflux
USER logflux

# Secure file permissions
COPY --chown=logflux:logflux config/ /etc/logflux/
RUN chmod 600 /etc/logflux/private_key.pem

# Use secrets for sensitive data
RUN --mount=type=secret,id=logflux_pat \
    export LOGFLUX_PAT=$(cat /run/secrets/logflux_pat)

Kubernetes Security

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

# Use secrets for sensitive data
apiVersion: v1
kind: Secret
metadata:
  name: logflux-credentials
type: Opaque
data:
  pat: <base64-encoded-token>
  private-key: <base64-encoded-key>

---
# Security context
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
      containers:
      - name: logflux-agent
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL

Cloud Security

  • IAM Roles: Use cloud IAM roles instead of long-lived credentials where possible
  • Encryption: Use cloud-native encryption for storage and transit
  • Network Policies: Implement cloud network security groups and policies
  • Monitoring: Use cloud security monitoring and alerting services

Compliance Considerations

Data Protection Regulations

  • GDPR Compliance: Ensure proper handling of personal data
  • Data Residency: Understand data location requirements
  • Right to Erasure: Implement data deletion capabilities
  • Privacy by Design: Build privacy considerations into system design

Industry Standards

  • SOC 2: Implement controls for security, availability, and confidentiality
  • ISO 27001: Follow information security management best practices
  • NIST Framework: Apply NIST cybersecurity framework guidelines
  • Industry-Specific: Follow industry-specific compliance requirements

Security Checklist

Initial Setup

  • Generate strong RSA keys (4096-bit minimum)
  • Set proper file permissions (600 for private keys)
  • Configure secure token storage (environment variables/credential managers)
  • Enable TLS 1.2+ for all connections
  • Configure firewall rules for outbound HTTPS only

Ongoing Operations

  • Rotate tokens every 90 days maximum
  • Monitor authentication and access logs
  • Regular security audits and reviews
  • Keep systems and dependencies updated
  • Test incident response procedures

Pre-Production

  • Security testing and vulnerability scanning
  • Configuration review and hardening
  • Access control verification
  • Monitoring and alerting setup
  • Backup and recovery testing

Getting Help

Security Issues

  • Report Security Issues: Contact security@logflux.io for security vulnerabilities
  • Emergency Response: Use emergency contact procedures for active incidents
  • Security Documentation: Review LogFlux security architecture documentation
  • Best Practices: Follow industry security best practices and standards

Resources