Security checklist for Quantara Devnet-0

1.1 — System accounts

• □ Create a dedicated non-root user for the node.
• □ Disable direct root SSH logins.
• □ Ensure each operator has an individual account (no sharing).
• □ Review accounts quarterly and remove old ones.

1.2 — SSH policy

• □ Enforce SSH key-based auth; disable passwords.
• □ Restrict SSH to specific IP ranges or VPN where possible.
• □ Use modern ciphers / key types (e.g., ed25519).
• □ Configure rate limiting / fail2ban on SSH.

1.3 — Privilege boundaries

• □ Use sudo, not direct root, for maintenance tasks.
• □ Limit which users can restart the node service.
• □ Log and periodically review sudo use.
• □ Avoid running additional services on validator hosts.

2.1 — Mnemonics & accounts

• □ Generate stash / controller mnemonics offline.
• □ Store mnemonics in a password manager or HSM.
• □ Never paste mnemonics into random terminals / hosts.
• □ Verify addresses use SS58=73 before funding.

2.2 — Session keys

• □ Generate session keys via node RPC or dedicated tooling.
• □ Store session key material only on validator hosts.
• □ Keep an internal record of key fingerprints.
• □ Practice at least one documented key rotation.

2.3 — Secrets management

• □ Use env files or secret managers, not plain-text configs.
• □ Exclude secret paths from backups you share broadly.
• □ Restrict who can read node keystore directories.
• □ Keep a "break glass" procedure for revocation.

3.1 — OS baseline

• □ Keep OS and packages patched regularly.
• □ Remove unused packages and services.
• □ Set server timezone to UTC.
• □ Configure sensible syslog / journald retention.

3.2 — Firewall & network

• □ Allow only needed ports (p2p, RPC, SSH).
• □ Restrict RPC to trusted IPs / VPN by default.
• □ Drop all inbound traffic by default.
• □ Consider geo / ASN filtering if available.

3.3 — Process isolation

• □ Run the node as a dedicated service user.
• □ Avoid running unrelated apps on validator hosts.
• □ Use systemd unit files with resource limits if needed.
• □ Document how to safely restart and inspect services.

4.1 — Config & infra backups

• □ Keep infra-as-code / shell scripts in a private repo.
• □ Back up systemd unit files and node flags.
• □ Store copies of firewall rules and monitoring configs.
• □ Version your configs so rollbacks are obvious.

4.2 — Keys & secrets backups

• □ Back up mnemonics separately from server configs.
• □ Use at least two independent storage locations.
• □ Periodically verify you can read your backups.
• □ Document who can access which backup locations.

4.3 — Rebuild drills

• □ Perform at least one full rebuild-from-scratch drill.
• □ Time how long it takes to return to healthy validation.
• □ Capture gotchas and update your internal docs.
• □ Repeat before public testnet goes live.

5.1 — Metrics

• □ Expose Prometheus metrics from the node.
• □ Track height, peers, CPU, RAM, disk, and networking.
• □ Watch for unexpected spikes or flatlines.
• □ Save a snapshot URL to your main dashboard.

5.2 — Logs

• □ Configure log rotation for node and system logs.
• □ Ship logs to a central sink if possible.
• □ Tag logs with node / environment identifiers.
• □ Verify you can search by time, node, and error code.

5.3 — Alert rules

• □ Alerts for node down / no blocks / low peers.
• □ Alerts for high CPU, RAM, or disk usage.
• □ Alerts for repeated failed SSH logins.
• □ Route alerts to Slack, Discord, or email you actually monitor.

6.1 — Contacts & communication

• □ Define who is on point for incidents.
• □ Configure a shared email / channel for alerts.
• □ Document how to reach Quantara during incidents.
• □ Decide how you'll communicate with your own users.

6.2 — Runbooks & exercises

• □ Keep local copies of Incident Response and Rollback & Recovery docs.
• □ Run at least one tabletop incident drill per quarter.
• □ After each drill or real incident, capture lessons.
• □ Update your internal SOPs and this checklist with what you've learned.