dbbackup

UUXO/dbbackup

Fork 0

Commit Graph

Author	SHA1	Message	Date
Renz	86eee44d14	security: Implement MEDIUM priority security improvements MEDIUM Priority Security Features: - Backup retention policy with automatic cleanup - Connection rate limiting with exponential backoff - Privilege level checks (warn if running as root) - System resource limit awareness (ulimit checks) New Security Modules (internal/security/): - retention.go: Automated backup cleanup based on age and count - ratelimit.go: Connection attempt tracking with exponential backoff - privileges.go: Root/Administrator detection and warnings - resources.go: System resource limit checking (file descriptors, memory) Retention Policy Features: - Configurable retention period in days (--retention-days) - Minimum backup count protection (--min-backups) - Automatic cleanup after successful backups - Removes old archives with .sha256 and .meta files - Reports freed disk space Rate Limiting Features: - Per-host connection tracking - Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, max 60s - Automatic reset after successful connections - Configurable max retry attempts (--max-retries) - Prevents brute force connection attempts Privilege Checks: - Detects root/Administrator execution - Warns with security recommendations - Requires --allow-root flag to proceed - Suggests dedicated backup user creation - Platform-specific recommendations (Unix/Windows) Resource Awareness: - Checks file descriptor limits (ulimit -n) - Monitors available memory - Validates resources before backup operations - Provides recommendations for limit increases - Cross-platform support (Linux, BSD, macOS, Windows) Configuration Integration: - All features configurable via flags and .dbbackup.conf - Security section in config file - Environment variable support - Persistent settings across sessions Integration Points: - All backup operations (cluster, single, sample) - Automatic cleanup after successful backups - Rate limiting on all database connections - Privilege checks before operations - Resource validation for large backups Default Values: - Retention: 30 days, minimum 5 backups - Max retries: 3 attempts - Allow root: disabled - Resource checks: enabled Security Benefits: - Prevents disk space exhaustion from old backups - Protects against connection brute force attacks - Encourages proper privilege separation - Avoids resource exhaustion failures - Compliance-ready audit trail Testing: - All code compiles successfully - Cross-platform compatibility maintained - Ready for production deployment	2025-11-25 14:15:27 +00:00

Author

SHA1

Message

Date

Renz

86eee44d14

security: Implement MEDIUM priority security improvements

MEDIUM Priority Security Features:
- Backup retention policy with automatic cleanup
- Connection rate limiting with exponential backoff
- Privilege level checks (warn if running as root)
- System resource limit awareness (ulimit checks)

New Security Modules (internal/security/):
- retention.go: Automated backup cleanup based on age and count
- ratelimit.go: Connection attempt tracking with exponential backoff
- privileges.go: Root/Administrator detection and warnings
- resources.go: System resource limit checking (file descriptors, memory)

Retention Policy Features:
- Configurable retention period in days (--retention-days)
- Minimum backup count protection (--min-backups)
- Automatic cleanup after successful backups
- Removes old archives with .sha256 and .meta files
- Reports freed disk space

Rate Limiting Features:
- Per-host connection tracking
- Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, max 60s
- Automatic reset after successful connections
- Configurable max retry attempts (--max-retries)
- Prevents brute force connection attempts

Privilege Checks:
- Detects root/Administrator execution
- Warns with security recommendations
- Requires --allow-root flag to proceed
- Suggests dedicated backup user creation
- Platform-specific recommendations (Unix/Windows)

Resource Awareness:
- Checks file descriptor limits (ulimit -n)
- Monitors available memory
- Validates resources before backup operations
- Provides recommendations for limit increases
- Cross-platform support (Linux, BSD, macOS, Windows)

Configuration Integration:
- All features configurable via flags and .dbbackup.conf
- Security section in config file
- Environment variable support
- Persistent settings across sessions

Integration Points:
- All backup operations (cluster, single, sample)
- Automatic cleanup after successful backups
- Rate limiting on all database connections
- Privilege checks before operations
- Resource validation for large backups

Default Values:
- Retention: 30 days, minimum 5 backups
- Max retries: 3 attempts
- Allow root: disabled
- Resource checks: enabled

Security Benefits:
- Prevents disk space exhaustion from old backups
- Protects against connection brute force attacks
- Encourages proper privilege separation
- Avoids resource exhaustion failures
- Compliance-ready audit trail

Testing:
- All code compiles successfully
- Cross-platform compatibility maintained
- Ready for production deployment

2025-11-25 14:15:27 +00:00

1 Commits