Security: legato3/PHOBOS-NET

docs/SECURITY.md

Security Policy

PHOBOS-NET is a read-only observability platform.

Reporting a Vulnerability

Please do not report security issues via public GitHub issues.

Instead:

  • Open a private security advisory on GitHub
  • Or contact the maintainer directly

Scope

This policy covers:

  • Docker images
  • Ingestion endpoints (Syslog, NetFlow, SNMP)
  • Web UI and APIs

No active mitigation or enforcement is performed by this project.

Authentication and Authorization

As of version 2.5.0, PHOBOS-NET enforces authentication for dashboard pages and operational APIs. The following probe endpoints remain intentionally unauthenticated for infrastructure health checks:

  • /health
  • /metrics

Default Credentials

  • Username: admin
  • Password: phobos-net
  • These are bootstrap credentials for initial access and should be rotated immediately.

Password Rotation (Recommended Workflow)

PHOBOS-NET provides an in-UI password change flow:

  1. Open the operator menu (top-right user icon).
  2. Click Change Password.
  3. Enter the current password and the new password.

Admin User Management

Admin operators can also manage local accounts from the operator menu:

  • Create users
  • Assign roles (admin, operator, viewer)
  • Update user roles while preserving at least one admin account
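As an added example that is not part of PHOBOS-NET's own code, the following Python shows how the "preserve at least one admin account" rule above can be enforced at the database layer rather than only in the UI. It uses an in-memory SQLite database with an assumed users schema (the page's CLI snippet shows username and password_hash columns; the role column and the sample rows are constructed for this example).

```python
import sqlite3

# Assumed schema: the page's CLI snippet shows username and password_hash
# columns; the role column is an assumption made for this example.
SCHEMA = """CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,
    role          TEXT NOT NULL CHECK (role IN ('admin', 'operator', 'viewer')))"""

class LastAdminError(RuntimeError):
    """A role change would leave the platform with no admin account."""

def open_demo_db():
    """Constructed in-memory stand-in for /app/data/netflow-trends.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "<constructed-bcrypt-hash>", "admin"),  # placeholder hashes
        ("alice", "<constructed-bcrypt-hash>", "operator"),
        ("bob", "<constructed-bcrypt-hash>", "viewer"),
    ])
    conn.commit()
    return conn

def admin_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users WHERE role = 'admin'").fetchone()[0]

def set_role(conn, username, new_role):
    """Change a user's role and return the admin count afterwards."""
    with conn:  # commits on success, rolls back on any exception
        # Take the write lock before counting, so two concurrent demotions
        # cannot both see "2 admins" and each remove one.
        conn.execute("BEGIN IMMEDIATE")
        row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            raise KeyError(username)
        if row[0] == "admin" and new_role != "admin" and admin_count(conn) <= 1:
            raise LastAdminError(f"{username} is the only admin; promote someone else first")
        # The CHECK constraint rejects unknown roles with sqlite3.IntegrityError.
        conn.execute("UPDATE users SET role = ? WHERE username = ?", (new_role, username))
    return admin_count(conn)

def try_set_role(conn, username, new_role):
    """Return (changed, admin_count) instead of raising on the last-admin guard."""
    try:
        return True, set_role(conn, username, new_role)
    except LastAdminError:
        return False, admin_count(conn)
```

Demoting the only admin is refused and rolled back; promoting a second admin first makes the same demotion succeed.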

CLI Fallback (Emergency Recovery)

If UI access is unavailable, rotate the password directly in SQLite:

docker exec -i phobos-net python3 - <<'PY'
import sqlite3
from passlib.hash import bcrypt

db = "/app/data/netflow-trends.sqlite"
username = "admin"
new_password = "REPLACE_WITH_STRONG_PASSWORD"  # set this before running; never commit the real value

conn = sqlite3.connect(db)
# Only the bcrypt hash is stored; the parameterised query keeps the values out of the SQL text.
conn.execute(
    "UPDATE users SET password_hash = ? WHERE username = ?",
    (bcrypt.hash(new_password), username),
)
conn.commit()
print(f"updated_rows={conn.total_changes}")  # 1 means rotated; 0 means no such username
conn.close()
PY

Session Management

  • Sessions are managed via encrypted cookies.
  • Ensure the SECRET_KEY environment variable is set to a strong, random value in production to prevent session forgery.

Implementation Details

  • Backend: Python Flask-Login with passlib (Bcrypt).
  • Frontend: Alpine.js state management with centralized session awareness.

Infrastructure Security

Content Security Policy (CSP)

PHOBOS-NET implements a strict CSP to mitigate XSS and injection attacks. Inline scripts are minimized, and data fetching is restricted to the origin server.

Write-Ahead Logging (WAL)

SQLite databases use WAL mode for improved performance and concurrency, reducing the risk of database corruption during high-volume ingestion.
