potiuk commented on PR #13293: URL: https://github.com/apache/cloudstack/pull/13293#issuecomment-4725147113
Thanks `vishesh92` — folded your three follow-ups in (draft-THREAT-MODEL.md):

- **Q15 (file ownership):** recorded as `root:cloud`, mode 0640 (rw for owner, r for the cloud group) for the four sensitive artifacts. Resolved.
- **Q24 (same-IP host):** captured that re-adding a host with the same IP updates the existing record rather than creating a spoofed peer, and is gated by root-admin access + the keys/certs needed to reach the management server (with apache/cloudstack#13182 refining it) — so not an unauthenticated identity-spoof path. Resolved.
- **Q29 (data-at-rest):** marked confirmed by both of you (delegated to the storage layer / hypervisor).

That clears the items that were still pending a second confirmation.

The one remaining open ask on your side is **Q37** — whenever convenient, 3-5 recurring "not a vuln" patterns from your inbound `security@` triage would make §11a (the scanner's suppression list) much stronger; no rush.

Unrelated to this PR: the red CI check is a component/integration test (`test_mm_*_limits`), not anything this docs-only change touches.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
