Basic OVOS hardening
In order to secure your Open Voice OS instance, a few more steps are required and a few concepts must be understood.
AppArmor
AppArmor and SELinux are examples of Mandatory Access Control (MAC) systems. They differ from other security controls, generally called Discretionary Access Control (DAC) systems, in that the user generally cannot change how they operate.
AppArmor packages
AppArmor must be installed on your system before going further. Please refer to your Linux distribution documentation to install it.
Enable AppArmor
The system must be rebooted to instruct the kernel to load AppArmor during the boot sequence. Once rebooted, check the AppArmor status using the aa-status command.
AppArmor Docker profile
AppArmor and Podman support
AppArmor support for Podman is not yet fully functional.
Docker applies the docker-default AppArmor profile to new containers. In Docker 1.13 and later this profile is created in tmpfs and then loaded into the kernel.
The container engine should now be aware of apparmor as an available security option.
All the containers except ovos_phal_admin should now be confined with the docker-default AppArmor profile.
docker container list --quiet --all --filter "name=ovos" | xargs docker inspect --format "{{ .Name }}: AppArmorProfile={{ .AppArmorProfile }}"
/ovos_skill_volume: AppArmorProfile=docker-default
/ovos_skill_wikipedia: AppArmorProfile=docker-default
/ovos_skill_fallback_unknown: AppArmorProfile=docker-default
/ovos_skill_alerts: AppArmorProfile=docker-default
/ovos_skill_hello_world: AppArmorProfile=docker-default
/ovos_skill_weather: AppArmorProfile=docker-default
/ovos_skill_stop: AppArmorProfile=docker-default
/ovos_skill_date_time: AppArmorProfile=docker-default
/ovos_skill_personal: AppArmorProfile=docker-default
/ovos_listener: AppArmorProfile=docker-default
/ovos_audio: AppArmorProfile=docker-default
/ovos_core: AppArmorProfile=docker-default
/ovos_phal: AppArmorProfile=docker-default
/ovos_phal_admin: AppArmorProfile=unconfined
/ovos_messagebus: AppArmorProfile=docker-default
/ovos_cli: AppArmorProfile=docker-default
ovos_phal_admin container is not confined
The ovos_phal_admin container is not confined as it runs as a privileged container.
Message bus
By default, the message bus listens on address 0.0.0.0 and port 8181 because the ovos_messagebus container is created using the --network host option. This could be a security issue, as an external device could connect to the message bus and send and/or read messages.
Why use --network host?
Some Open Voice OS skills such as Home Assistant or Sonos require access to your private network in order to communicate with your IoT devices.
To prevent potential security issues, it is recommended to use a firewall to restrict access to port 8181.
iptables will be demonstrated as an example, but if the firewalld or ufw services are used, make sure to follow your distribution's conventions.
This will allow connections to port 8181 only from localhost (internal).
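As an added example (not the OVOS project's own script), the following POSIX shell snippet restricts the message bus port to the loopback interface with iptables; the port number default, the function names and the OVOS_BUS_PORT variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the OVOS documentation. Assumes the message bus
# listens on TCP 8181 in the host network namespace (--network host), so
# the host's INPUT chain is the one that sees the traffic.
PORT="${OVOS_BUS_PORT:-8181}"

# Emit the rules instead of applying them, so they can be reviewed or tested
# without root. Rules are inserted at position 1 so they take precedence
# over any permissive rule already present in the chain: the DROP goes in
# first and is then pushed to position 2 by the loopback ACCEPT.
message_bus_rules() {
    port="$1"
    for tool in iptables ip6tables; do
        # Drop every connection to the bus port that is not on loopback ...
        echo "$tool -I INPUT 1 -p tcp --dport ${port} -j DROP"
        # ... except those arriving on the loopback interface (localhost).
        echo "$tool -I INPUT 1 -i lo -p tcp --dport ${port} -j ACCEPT"
    done
}

# Apply the rules (needs root). Each rule is checked with -C first so that
# re-running the script does not add duplicates.
apply_message_bus_rules() {
    message_bus_rules "$1" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I INPUT 1 / -C INPUT /')
        $check 2>/dev/null || $cmd
    done
}

# Return 0 when the DROP rule for the port is present in the INPUT chain.
message_bus_is_firewalled() {
    iptables -C INPUT -p tcp --dport "$1" -j DROP 2>/dev/null
}

if [ "${1:-}" = "apply" ]; then
    apply_message_bus_rules "$PORT"
    message_bus_is_firewalled "$PORT" && echo "port ${PORT} restricted to localhost"
fi
```

Run the script with the `apply` argument as root to install the rules; without it, `message_bus_rules 8181` only prints them for review.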
Keep your ports closed
Remember to firewall any other ports that should not be exposed outside of the host using the same iptables method.
If you really need to connect an external application to the message bus, we recommend using HiveMind to expose it securely.