Security Overview
Security Overview — BasicAS Group
Last Updated: 2026-02-10 Security Lead: John (AI Director) Approval Authority: Alem (CEO)
Executive Summary
This document provides a high-level overview of security practices, policies, and systems for BasicAS Group. It consolidates information from multiple security workstreams and serves as a navigation hub for detailed security documentation.
Security Posture
Current State (2026-02-10)
- ✅ System Integrity Protection (SIP): Enabled
- ✅ Credential Rotation Infrastructure: Complete (awaiting execution)
- ✅ Network Hardening Configuration: Complete (awaiting deployment)
- ✅ Docker Security: Containers run with least privilege
- ✅ API Security: Token-based authentication for all services
- ⚠️ Firewall: Not yet enabled (deployment blocked, sudo required)
- ⚠️ SSH: May be enabled (needs verification)
- ⚠️ Secrets Management: Some plaintext passwords in docker-compose.yml (task #310)
- ⚠️ MFA: Not yet enabled for Mattermost external access (task #309)
Risk Level: MEDIUM
- High-risk items: Plaintext secrets, no firewall, SSH possibly enabled
- Mitigation: LAN-only access + Cloudflare Tunnel for external services
- Timeline: Deploy hardening + secrets management within 30 days
Security Domains
1. Network Security
Status: Configuration ready, deployment blocked
Key Controls:
- macOS Application Layer Firewall (ALF) - configured, not yet enabled
- Cloudflare Tunnel for external access (Mattermost, Planka, Documenso)
- Service port binding (localhost vs. 0.0.0.0)
- SSH remote access disablement
- Bluetooth disablement
See: network-hardening.md
2. Credential Management
Status: Infrastructure complete, awaiting execution
Key Controls:
- API key rotation (90-day cycle)
- macOS Keychain storage (encrypted at rest)
- Automated import tool (credential-import.js)
- Secure deletion of temp files (7-pass shred)
Services Covered:
- Anthropic, ElevenLabs, Telegram, Discord, Z.ai
- one.com SMTP, Cloudflare API
3. Application Security
Docker Services
| Service | Port | External Access | Auth Method |
|---|---|---|---|
| Mattermost | 8065 | Cloudflare Tunnel | Password + optional MFA |
| Planka | 3100 | Cloudflare Tunnel | Password |
| Documenso | 3003 | Cloudflare Tunnel | Password |
| BookStack | 6875 | LAN only | Password + API token |
| MC Dashboard | 3030 | LAN only | No auth (trusted network) |
Security Gaps:
- MC Dashboard has no authentication (LAN-only, consider adding auth)
- BookStack admin password is default (
password) - MUST change - Planka token expiry is 365 days (too long, consider 30-90 days)
- Documenso public signup enabled (consider invite-only)
Recommendations:
- Change all default passwords
- Enable MFA for external-facing services
- Add authentication to MC Dashboard
- Shorten token expiry periods
- Disable public signup where not needed
4. Data Security
Databases
All databases are:
- ✅ Internal-only (not exposed to internet)
- ✅ Password-protected
- ✅ Backed up regularly
- ⚠️ Passwords in plaintext in docker-compose.yml (task #310)
Backups
- Location: ~/backups/ + external disk (when Full Disk Access fixed)
- Frequency: Manual (needs automation - task #262)
- Encryption: Not yet implemented (consider encrypting backups)
Sensitive Data Storage
- API Keys: macOS Keychain (encrypted)
- Passwords: docker-compose.yml (plaintext) ← FIX THIS
- User Data: PostgreSQL/MariaDB (internal)
- Documents: MinIO (Documenso), file system (BookStack)
5. Access Control
User Management
| User | Role | Services |
|---|---|---|
| Alem | Admin | All services (full access) |
| John (AI) | System Admin | CLI tools, read-only on critical files |
| Edita (AI) | Assistant | Limited access via John delegation |
| External users | Team members | Mattermost, Planka (invite-only) |
API Access
- BookStack: Token-based (read/write API)
- Mattermost: OAuth + personal access tokens
- Planka: JWT tokens (365-day expiry)
- Documenso: Session-based
6. Monitoring & Logging
Current Logging
- ✅ Docker logs: All containers (30-day retention)
- ✅ Mission Control: Task audit trail (SQLite)
- ✅ LaunchAgent logs: mc-dashboard, mc-session-worker
- ❌ Firewall logs: Not yet enabled (awaiting deployment)
- ❌ Intrusion detection: Not implemented
Log Locations
- Docker:
docker logs <container> - Mission Control: ~/system/databases/mission-control.db (history table)
- LaunchAgents: ~/system/logs/
- System:
/var/log/(requires sudo)
Monitoring Gaps
- No real-time alerting (task #259 - health check daemon)
- No centralized log aggregation
- No security event correlation
- No automated anomaly detection
Recommendation: Implement health check daemon + log aggregation (ELK stack or Loki)
7. Incident Response
Current Procedures
- Detection: Manual monitoring, user reports
- Triage: John investigates, escalates to Alem
- Containment: Stop affected service, isolate system
- Recovery: Restore from backup, rotate credentials
- Post-Mortem: Document in ~/system/reports/security/
Gaps
- No formal incident response plan (IRP)
- No on-call rotation (single point of failure: Alem)
- No security incident tracking system
- No runbook for common incidents
Recommendation: Create formal IRP + incident runbooks (task #323-326)
8. Compliance & Governance
Policies (In Development)
- Information Security Policy (ISO 27001 aligned) - task #323
- Business Continuity Plan (BCP) - task #325
- Disaster Recovery Plan (DRP) - task #326
- Data Processing Agreements (DPA) - task #278
- Privacy Policy (GDPR) - not yet started
Compliance Frameworks
- ISO 27001: Targeted (not yet certified)
- GDPR: Applicable (EU clients, data processing)
- SOC 2: Not yet pursued
- PCI-DSS: Not applicable (no payment card processing)
Security Roadmap
Immediate (Next 30 Days)
- Deploy network hardening - Alem to execute firewall + SSH disablement (15 min)
- Rotate all credentials - Follow credential-rotation.md process (30 min)
- Change default passwords - BookStack, Planka, Documenso (10 min)
- Enable Mattermost MFA - task #309 (30 min)
- Move Docker secrets - Extract from docker-compose.yml - task #310 (2 hours)
Short-Term (Next 90 Days)
- Automated backups - task #262 (cron + rsync to external disk)
- Health check daemon - task #259 (monitor all services)
- Security policies - tasks #323-326 (ISO 27001 alignment)
- Incident response plan - Formal IRP + runbooks
- MC Dashboard auth - Add password or token-based access
Long-Term (Next 180 Days)
- Central secrets vault - Migrate to HashiCorp Vault or 1Password
- Log aggregation - ELK stack or Loki + Grafana
- Intrusion detection - Deploy Snort or Suricata
- Zero-trust architecture - mTLS for service-to-service comms
- ISO 27001 certification - External audit + certification
Security Contacts
Internal
- Security Lead: John (AI Director) - via Mission Control or Mattermost
- Executive Approval: Alem (CEO) - direct escalation
- Emergency Contact: Alem mobile (for after-hours incidents)
External
- Cloud Provider: Cloudflare (DDoS protection, tunnel)
- Domain Registrar: one.com (DNS, email)
- Infrastructure: Self-hosted (Mac Studio)
Security Tools & Resources
Tools In Use
- macOS Keychain: Credential storage
- Docker: Service isolation
- Cloudflare Tunnel: Secure external access
- BookStack API: Documentation access control
- Mission Control: Task audit trail
Tools Planned
- HashiCorp Vault: Centralized secrets management
- ELK/Loki: Log aggregation
- Snort/Suricata: Intrusion detection
- WireGuard/Tailscale: VPN for remote access
Related Documents
Security Documentation
- Credential Rotation: credential-rotation.md
- Network Hardening: network-hardening.md
- Security Standards: ~/system/rules/security.md
- Anti-Hallucination Rules: ~/system/rules/agent-anti-hallucination.md
Operational Documentation
- Infrastructure Runbook: ~/system/context/docs/runbooks/infrastructure.md
- Service Runbooks: ~/system/context/docs/runbooks/
- Ops Agent: ~/system/context/docs/runbooks/ops-agent.md
Governance
- GOVERNANCE.md: ~/system/context/org/GOVERNANCE.md
- Task Management: ~/system/rules/task-management.md
- Mission Control: ~/system/databases/mission-control.db
Audit Log
| Date | Change | Author | Approval |
|---|---|---|---|
| 2026-01-31 | Credential rotation infrastructure built | John | Alem |
| 2026-01-31 | Network hardening config prepared | John | Alem |
| 2026-02-10 | Security docs consolidated | John | Pending |
| TBD | Network hardening deployed | Alem | - |
| TBD | Credentials rotated | Alem | - |
Maintained by: John (AI Director) Reviewed by: Alem (CEO) Next Review: 2026-03-10 (monthly)