Hardening an AI Development Environment
Changes: v1.2 → v1.3
Architecture layer added: Security. Six components deployed, four automated daily checks registered.
Components Added
| Component | Purpose | Install | Status check |
|---|---|---|---|
| fail2ban | Intrusion prevention: bans source IPs that match authentication-failure patterns | apt install fail2ban | systemctl is-active fail2ban ✓ |
| ufw | Host firewall: default deny incoming, allow outgoing | apt install ufw && ufw enable | ufw status ✓ |
| AppArmor | Mandatory access control: confines which resources a process may touch | apt install apparmor apparmor-utils | aa-status ✓ |
| unattended-upgrades | Automated security patches | apt install unattended-upgrades | systemctl is-active unattended-upgrades ✓ |
| rkhunter | Rootkit and binary integrity scanning | apt install rkhunter | rkhunter --version ✓ |
| Security check registry | 4 daily automated checks (WSL config, file permissions, package updates, Docker bloat) | Custom: ~/.claude/security-improvements/registry.json | Active ✓ |

Two caveats on the status column. rkhunter --version only proves that the binary is installed; whether scans actually run is a separate check (the cron job or systemd timer that invokes rkhunter --check, and the age of its last log entry). And if Docker runs inside this distro, it manages its own iptables chains, so ports published from containers are reachable regardless of ufw's default-deny incoming policy; the firewall status line alone does not cover them.
Daily Automated Checks
- WSL configuration validation: systemd settings, user permissions
- File permission auditing: sensitive path monitoring
- Package update monitoring: pending security update detection
- Docker bloat detection: container disk usage tracking
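What the file-permission check looks like in practice, as an added example (not the page's own check script): a policy table of sensitive paths under the agent's home and the loosest mode each may have, audited with stat rather than by trusting a listing. The policy entries, the constructed sample home and the idea of including the check registry itself in the policy are assumptions; the last one matters because a registry.json that another local process can write would let it change what gets checked.

```python
#!/usr/bin/env python3
"""Daily file-permission audit for an AI agent's home directory (added example,
not the page's check). POLICY is an assumption standing in for the page's
'sensitive path monitoring'; adjust the globs and modes to the host."""
import os
import stat
import tempfile
from pathlib import Path
from typing import NamedTuple

# Glob relative to $HOME -> loosest permitted mode. Any bit set beyond it
# (typically group/other read or write) is a finding.
POLICY = [
    (".ssh", 0o700),
    (".ssh/id_*", 0o600),            # private keys; the .pub halves are skipped
    (".ssh/authorized_keys", 0o600),
    (".docker/config.json", 0o600),  # registry credentials
    (".claude", 0o700),
    (".claude/security-improvements/registry.json", 0o600),  # the check registry itself
]


class Finding(NamedTuple):
    path: str      # relative to home
    reason: str    # "mode", "owner" or "symlink"
    actual: str
    expected: str


def _matches(base, pattern):
    """Literal patterns are stat'ed directly so a dangling symlink still shows up."""
    if any(ch in pattern for ch in "*?["):
        return sorted(base.glob(pattern))
    p = base / pattern
    return [p] if p.is_symlink() or p.exists() else []


def audit_permissions(home, policy=POLICY):
    """Return every policy violation under `home`. Paths that do not exist are
    not violations; the check is about what is present, not what is missing."""
    findings, base, me = [], Path(home), os.getuid()
    for pattern, allowed in policy:
        for p in _matches(base, pattern):
            rel = str(p.relative_to(base))
            if rel.endswith(".pub"):
                continue
            if p.is_symlink():
                # A sensitive path that is a link can be pointed anywhere; flag it.
                findings.append(Finding(rel, "symlink", os.readlink(p), "regular path"))
                continue
            st = p.stat()
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:
                findings.append(Finding(rel, "mode", f"{mode:04o}", f"<= {allowed:04o}"))
            if st.st_uid != me:
                findings.append(Finding(rel, "owner", str(st.st_uid), str(me)))
    return findings


def build_sample_home():
    """Constructed fixture: a throwaway home with two deliberate mistakes."""
    home = Path(tempfile.mkdtemp(prefix="agent-home-"))
    dirs = {".ssh": 0o700, ".docker": 0o700, ".claude": 0o755,   # .claude is too open
            ".claude/security-improvements": 0o700}
    files = {".ssh/id_ed25519": 0o644,          # private key readable by everyone
             ".ssh/id_ed25519.pub": 0o644,
             ".ssh/authorized_keys": 0o600,
             ".docker/config.json": 0o600,
             ".claude/security-improvements/registry.json": 0o600}
    for rel, mode in dirs.items():
        (home / rel).mkdir()
        (home / rel).chmod(mode)
    for rel, mode in files.items():
        (home / rel).write_text("placeholder\n")
        (home / rel).chmod(mode)
    return str(home)


if __name__ == "__main__":
    for f in audit_permissions(build_sample_home()):
        print(f"{f.path}: {f.reason} {f.actual}, expected {f.expected}")
```

Run against the constructed home it reports the world-readable private key and the listable .claude directory and nothing else; pointed at a real home directory (audit_permissions(os.path.expanduser("~"))) it is quiet when the policy holds, which is what a daily check should be.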
Audit Pipeline: audit_map.py
Bidirectional verification; any failure blocks the production deploy.
Phase 1 (Claims → Reality): every component in the architecture map is verified by a shell command, for example systemctl is-active fail2ban. A command that fails marks the component as fabricated: documented, but not present on the host.
Phase 2 (Reality → Claims): running services are discovered, and any the map does not document are flagged as undocumented.
Phase 3 (Changelog consistency): version entries are validated, and each blog post a changelog entry references is checked to exist and not be a draft.
Phase 4 (Stack versions): the versions the map declares are compared against the versions actually installed.
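A miniature version of the bidirectional audit, added here as an example and not the page's audit_map.py: phase 1 runs each claim's check command, phase 2 diffs the running systemd units against the documented ones, and phase 4 compares declared package versions with what dpkg reports. Phase 3 is left out because it reads the blog repository rather than the host. The component names, check commands, baseline allowlist of plain OS services and the canned command output are all assumptions; the runner is injected so the logic runs offline, and run_real is the drop-in for a live host.

```python
#!/usr/bin/env python3
"""Miniature bidirectional audit in the spirit of audit_map.py (added example,
not the page's script). `runner` lets every phase run offline on canned command
output; on a real host pass run_real. Names, commands and the baseline
allowlist are assumptions."""
from __future__ import annotations
import re
import shlex
import subprocess
import sys
from dataclasses import dataclass

LIST_RUNNING = "systemctl list-units --type=service --state=running --plain --no-legend"


@dataclass(frozen=True)
class Claim:
    component: str              # name as documented in the architecture map
    check: str                  # command that must exit 0 if the claim is true
    service: str | None = None  # systemd unit it runs as, if any
    package: str | None = None  # apt package, for the version comparison
    version: str | None = None  # version the map declares for that package


def run_real(cmd):
    """Execute a check on the host; returns (exit code, stdout)."""
    p = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
    return p.returncode, p.stdout


def parse_version(v):
    """'1.0.2-3ubuntu1' -> (1, 0, 2): compare the upstream digits only."""
    m = re.search(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def verify_claims(claims, runner):
    """Phase 1, claims -> reality: a check that does not exit 0 means the map
    asserts something the host does not show, so the component is fabricated."""
    passed, fabricated = [], []
    for c in claims:
        rc, _ = runner(c.check)
        (passed if rc == 0 else fabricated).append(c.component)
    return passed, fabricated


def discover_undocumented(claims, runner, baseline=frozenset()):
    """Phase 2, reality -> claims: running units no claim accounts for."""
    _, out = runner(LIST_RUNNING)
    running = {ln.split()[0].removesuffix(".service") for ln in out.splitlines() if ln.strip()}
    documented = {c.service for c in claims if c.service}
    return sorted(running - documented - baseline)


def check_versions(claims, runner):
    """Phase 4: declared version vs. what dpkg reports; any mismatch fails."""
    failed = []
    for c in claims:
        if not (c.package and c.version):
            continue
        rc, out = runner(f"dpkg-query -W --showformat=${{Version}} {c.package}")
        if rc != 0 or parse_version(out) != parse_version(c.version):
            failed.append(f"{c.component}: declared {c.version}, installed {out.strip() or 'none'}")
    return failed


def audit(claims, runner, baseline=frozenset()):
    """Run the host-facing phases; deploy is allowed only when every bucket is empty."""
    passed, fabricated = verify_claims(claims, runner)
    undocumented = discover_undocumented(claims, runner, baseline)
    failed = check_versions(claims, runner)
    return {"passed": passed, "failed": failed, "fabricated": fabricated,
            "undocumented": undocumented,
            "deploy_allowed": not (failed or fabricated or undocumented)}


# Constructed sample host: canned output, not a real machine. Unknown commands
# return 127, as a missing binary would.
CLAIMS = [
    Claim("fail2ban", "systemctl is-active fail2ban", "fail2ban", "fail2ban", "1.0.2"),
    Claim("ufw", "ufw status", "ufw"),
    Claim("AppArmor", "aa-status", "apparmor"),
]
BASELINE = frozenset({"dbus", "ssh", "cron", "systemd-journald"})
CANNED = {
    "systemctl is-active fail2ban": (0, "active\n"),
    "ufw status": (0, "Status: active\n"),
    "aa-status": (0, "apparmor module is loaded.\n"),
    "dpkg-query -W --showformat=${Version} fail2ban": (0, "1.0.2-3ubuntu1"),
    LIST_RUNNING: (0, "fail2ban.service loaded active running Fail2Ban\n"
                      "ufw.service loaded active running Firewall\n"
                      "apparmor.service loaded active running AppArmor\n"
                      "ssh.service loaded active running OpenSSH\n"
                      "netdata.service loaded active running netdata\n"),
}


def canned_runner(cmd):
    return CANNED.get(cmd, (127, ""))


if __name__ == "__main__":
    result = audit(CLAIMS, canned_runner, BASELINE)
    print(result)
    sys.exit(0 if result["deploy_allowed"] else 1)
```

On the constructed host every claim passes, yet the audit still exits non-zero: netdata is running and nobody documented it, which is exactly the case phase 2 exists for. Note what phase 1 does and does not prove: systemctl is-active confirms the unit runs, not that it is configured the way the map implies.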
Current Results
✅ Passed: 31
❌ Failed: 0
🚫 Fabricated: 0
⚠️ Undocumented: 0
Rationale
AI agents in this stack have filesystem, shell, and network access. Agent-level governance (task registry, permission allowlists, pre-execution hooks) covers the application layer. OS-level hardening covers everything below it. Defense in depth.
Architecture version: v1.2 → v1.3. All claims verified by scripts/audit_map.py.
Configuration details reflect a production environment at time of writing. Implementation specifics vary based on tooling versions, platform updates, and organizational requirements. Validate approaches against current documentation before deployment.