Skip to main content

Agent Security

The PatchCTL agent is designed with minimal attack surface.

Command Whitelist

The agent only executes predefined operations:

CommandDescription
check_updatesRefresh package lists
install_updatesApply approved updates
get_package_infoQuery package details
health_checkSystem health verification
No Arbitrary Execution

The agent cannot execute arbitrary shell commands. All operations are validated against a strict whitelist.

Privilege Model

Why Root Access?

The agent requires root access because:

  • Package managers need root to install updates
  • System information requires elevated privileges
  • Service management needs root

Privilege Minimization

Despite running as root:

  • Only whitelisted operations execute
  • No shell command injection possible
  • Input validation on all parameters
  • Sandboxed execution environment

Network Security

Outbound Only

  • Agent never accepts inbound connections
  • Only HTTPS (port 443) outbound required
  • No listening ports opened

Connection Security

  • TLS 1.3 encryption
  • Certificate validation
  • No self-signed certs accepted

Binary Security

Signed Binaries

  • Binaries verified by checksum
  • Downloaded from secure CDN
  • Integrity checked before execution

Update Security

  • Self-updates verify checksums
  • Rollback on verification failure
  • No unsigned code execution

Data Handling

What the Agent Sends

  • System identification (hostname, IP, OS)
  • Hardware specs (CPU, RAM, disk)
  • Package list and versions
  • Update availability status
  • Command execution results

What the Agent Does NOT Send

  • File contents
  • User data or credentials
  • Network traffic
  • Process listings
  • Environment variables

Local Security

File Permissions

/opt/patchctl/bin/patchctl-agent  # 755 root:root
/etc/patchctl/config.json         # 600 root:root

Configuration Protection

  • Config file readable only by root
  • License key protected
  • No sensitive data in logs

Audit Logging

The agent logs:

  • All commands received
  • Execution results
  • Errors and warnings
  • Connection status

Logs available via journald:

sudo journalctl -u patchctl