Skip to content

Zero Trust Security en

EnerOS Bot edited this page Jul 5, 2026 · 1 revision

中文 | English

Zero-Trust & Security Compliance

Maintained version: v0.51.2 | Last updated: 2026-07-06

EnerOS v0.39.0 introduced a zero-trust architecture, shifting from "perimeter defense" to "never trust, always verify". This page summarizes the trust / ids / audit / compliance security subsystems; for full config see the main repo docs/deployment.md §3.4 + ADR-0007 + docs/compliance/.

Four Security Subsystems

┌──────────────────────────────────────────────────┐
│                  EnerOS instance                  │
│                                                   │
│  ┌─────────────┐  ┌─────────────┐               │
│  │ eneros-trust│  │  eneros-ids │               │
│  │ CA / mTLS   │  │  baseline / │               │
│  │ cert rotate │  │  IOC / IDS  │               │
│  └──────┬──────┘  └──────┬──────┘               │
│         │                │                        │
│  ┌──────┴────────────────┴──────┐               │
│  │       eneros-audit           │               │
│  │  HMAC chain + WORM storage   │               │
│  └──────────────┬───────────────┘               │
│                 │                                 │
│  ┌──────────────┴───────────────┐               │
│  │    eneros-compliance         │               │
│  │  NERC CIP / IEC 62443 /      │               │
│  │  GDPR / PIPL / CCPA          │               │
│  └──────────────────────────────┘               │
└──────────────────────────────────────────────────┘

eneros-trust — Zero-Trust Foundation

Capability Description
Internal CA Self-signed root cert + intermediate CA, issues all service certificates
mTLS mutual auth Inter-service communication enforces mTLS; clients must present valid cert from internal CA
Auto cert rotation Auto-rotates rotation_days_before_expiry (default 30 days) before expiry
Cert revocation CRL + OCSP online revocation checking
[zero_trust]
ca_cert_path = "/etc/eneros/tls/ca.crt"
ca_key_path = "/etc/eneros/tls/ca.key"
cert_dir = "/var/lib/eneros/certs"
rotation_days_before_expiry = 30
mtls_required = true

EventBus broker mTLS (requires mtls feature):

eneros-eventbus-broker --tls-cert /etc/eneros/tls/broker.crt \
                       --tls-key /etc/eneros/tls/broker.key \
                       --tls-ca /etc/eneros/tls/ca.crt

eneros-ids — Intrusion Detection

Capability Description
API behavior baseline Learns normal call patterns for each API endpoint (frequency / params / source)
IOC threat intelligence Loads IOCs (IP / domain / hash) from JSON file, matches real-time traffic
Login lockout Locks for lockout_duration_secs (default 900s) after lockout_threshold (default 5) consecutive failures
Anomaly alert Detects anomalies, sends to event bus, triggers AIOps correlation analysis
[threat_detection]
enable_baseline = true
enable_ids = true
lockout_threshold = 5
lockout_duration_secs = 900
intel_file_path = "/etc/eneros/security/ioc.json"

eneros-audit — WORM Audit Log

Capability Description
WORM storage Linux chattr +a sets append-only attribute, tamper-proof; non-Linux only logs warning
HMAC-SHA256 chain Each record's hash includes the previous hash; tampering with history causes subsequent verification to fail
Auto rotation Auto-rotates when single file exceeds max_size_mb (default 512)
Retention policy Default retains retention_days = 365 days
[audit]
storage_path = "/var/lib/eneros/audit"
max_size_mb = 512
retention_days = 365
hmac_secret = "<32-byte-hex-secret>"

eneros-compliance — Compliance Framework

Standard Scope Documentation
NERC CIP North American power system critical infrastructure protection docs/compliance/nerc-cip.md
IEC 62443-4-1 Industrial automation system security SDLC docs/compliance/iec-62443-4-1-sdlc.md
IEC 62443-4-2 Security level SL matrix docs/compliance/iec-62443-4-2-sl-matrix.md
GDPR EU General Data Protection Regulation v0.47.0 data subject rights
PIPL China Personal Information Protection Law v0.47.0
CCPA California Consumer Privacy Act v0.47.0

Three-Layer Defense

Layer Tool Frequency Trigger
Static analysis SAST (CodeQL / Semgrep) Every PR Critical vulnerability blocks merge
Dependency audit cargo audit Every PR + daily cron RUSTSEC vulnerabilities
License check cargo deny Every PR GPL/AGPL rejected

Known Limitations (v0.51.2)

  • IOC threat intelligence loads from JSON file only; threat intelligence platforms (e.g., MISP) not integrated
  • Behavior baseline covers API layer only; event bus traffic not covered
  • WORM only Linux chattr +a; object storage WORM (e.g., S3 Object Lock) not supported
  • Compliance report generation requires manual trigger; scheduled reports not supported

Related Documentation

Clone this wiki locally