Agent hardening

Run remediation actions without giving your phone SSH.

A Nerve agent should be treated like production access: dedicated user, bounded commands, explicit rotation, and no open shell as the default.

Principles

Systemd hardening baseline

# /etc/systemd/system/nerve-agent.service
[Unit]
Description=Nerve remediation agent
# After= alone only orders the unit; Wants= is what actually pulls in
# network-online.target so the agent is not started before the network is up
Wants=network-online.target
After=network-online.target

[Service]
# Dedicated unprivileged account; never root
User=nerve-agent
Group=nerve-agent
# Token lives in a root-owned, mode 0600 file, not in the unit itself.
# Note that it still appears in the process argument list on the host.
EnvironmentFile=/etc/nerve/agent.env
ExecStart=/usr/local/bin/nerve-agent -server api.nerve.ink:443 -token ${NERVE_AGENT_TOKEN}
Restart=on-failure
RestartSec=5
# The agent and anything it spawns cannot gain privileges via setuid/setgid
NoNewPrivileges=true
# Private /tmp, no access to home directories, read-only view of the OS
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
# Only these paths are writable under ProtectSystem=strict
ReadWritePaths=/var/lib/nerve-agent /run/nerve-actions

[Install]
WantedBy=multi-user.target

Wrapper scripts

Put the real operational logic in small scripts that can be reviewed, tested, and versioned. The agent action should invoke a named wrapper, not a long command typed on a phone.

#!/bin/sh
# /usr/local/lib/nerve-actions/restart-api
# Exit on the first failing command and on any unset variable
set -eu
systemctl restart api.service
# Fail the action (non-zero exit) if the service did not come back up
systemctl is-active --quiet api.service
echo "api.service restarted and active"

Separate diagnosis from mutation

Start with read-only actions: status, logs tail, disk usage, dependency health. Mutating actions such as restart, rollback, or cache clear should be fewer, named clearly, and tied to a runbook.

Sudoers scope

If an action needs elevated privileges, grant the agent user permission for the wrapper path, not for a broad shell. Review the wrapper the same way you review deploy scripts.

# /etc/sudoers.d/nerve-agent
# Full paths, no wildcards, no arguments accepted. The wrappers must be owned by
# root and not writable by nerve-agent, otherwise editing a wrapper is root.
nerve-agent ALL=(root) NOPASSWD: /usr/local/lib/nerve-actions/restart-api
nerve-agent ALL=(root) NOPASSWD: /usr/local/lib/nerve-actions/collect-api-diagnostics
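The wrapper and sudoers sections above say that an action should name a reviewed wrapper rather than carry a command. The following dispatcher is an added example, not Nerve's own code: it shows the host-side check that turns an action name received from the server into a wrapper path and refuses anything that is not a plain executable inside the wrapper directory. `ACTIONS_DIR`, `resolve_action`, `run_action` and the `NERVE_RUNNER` override are all assumed names.

```shell
#!/bin/sh
# Hypothetical dispatcher for agent actions (added example, not Nerve's code).
# The server sends only an action name; the host decides what that name may run.
set -eu

# Directory of reviewed wrapper scripts (assumed path, matching the guide)
ACTIONS_DIR="${ACTIONS_DIR:-/usr/local/lib/nerve-actions}"

# resolve_action NAME
# Prints the wrapper path when NAME is acceptable, returns 1 otherwise.
resolve_action() {
    name="$1"
    # An action name is a bare identifier: no slashes, dots, spaces or shell
    # metacharacters, so "../x" and "restart-api; id" are rejected before lookup
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    path="$ACTIONS_DIR/$name"
    # Must be a regular executable file in the directory, not a symlink
    # that could point at a shell or at anything outside the reviewed set
    if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -x "$path" ]; then
        return 1
    fi
    printf '%s\n' "$path"
}

# run_action NAME
# Runs the resolved wrapper. In production the "sudo -n" prefix stays, so the
# sudoers entries remain the only privilege boundary. NERVE_RUNNER is a
# hypothetical override that lets the function be exercised without sudo.
run_action() {
    path=$(resolve_action "$1") || { echo "refused action: $1" >&2; return 1; }
    # Unquoted on purpose so the runner prefix splits into its words
    ${NERVE_RUNNER-sudo -n} "$path"
}
```

The name check and the file check are deliberately separate: the first keeps untrusted input out of any path construction, the second guarantees that only files placed in the directory by an operator can ever be executed.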

Rotation and incident response

If an agent token leaks, stop the service, rotate the token from the app, inspect the host, and restart with the new token. Do not reuse a token from an unknown machine state.
