Session log: cPanel CVE-2026-41940 IOC scan + remediation on IX/WebSvr
Both servers were already patched (11.110.0.97 and 11.134.0.20) via daily auto-update. IOC scan found 16 flagged sessions across both plus 4 uncommented SSH keys on IX. Critical remediation: - Forensic evidence preserved before any deletion - 4 uncommented SSH keys removed from IX (server-side backup retained) - 16 flagged sessions purged across both servers - Root passwords rotated via chpasswd - New WHM API tokens created; 3 stale transfer-* tokens revoked - Vault entries + 1Password Infrastructure items updated Forensic deep-dive verdict: patch held. All 7 actual CVE exploit attempts (botnet IPs hitting /json-api/version) returned HTTP 403. The "multi-line pass" IOC hits on user sessions were false positives. Unidentified 76.18.103.222 root session traced to routine SSL maintenance (zero sensitive endpoints touched). Skill hardening: - Added MANDATORY service-token directive to .claude/commands/1password.md enforcing OP_SERVICE_ACCOUNT_TOKEN from SOPS for all op CLI calls - Per Mike: memory files alone don't reliably bind agent behavior; baking governance into skill content loaded at moment of use. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -34,16 +34,61 @@ Never ask users to paste API keys, passwords, or tokens into:
|
||||
|
||||
---
|
||||
|
||||
## Setup Check
|
||||
## ⚠️ MANDATORY: Use the SOPS-vaulted service account token, never the desktop session
|
||||
|
||||
Always verify the CLI is ready before any operation:
|
||||
**Every `op` invocation in agent flows must run with `OP_SERVICE_ACCOUNT_TOKEN` set.** The desktop-app integration prompts to unlock the app, which interrupts the agent flow and is unacceptable. The service token is in the SOPS vault at `infrastructure/1password-service-account.sops.yaml` (vault entry kind=`api-key`, name=`1Password Service Account (Agentic-RW)`).
|
||||
|
||||
### Load the token at the start of any 1Password work
|
||||
|
||||
```bash
|
||||
# Decrypt the service token from SOPS (uses the machine's age key)
|
||||
export OP_SERVICE_ACCOUNT_TOKEN=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null \
|
||||
| grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
|
||||
|
||||
# Verify
|
||||
op whoami # expect "User Type: SERVICE_ACCOUNT"
|
||||
```
|
||||
|
||||
After `export`, every subsequent `op` call in the same bash invocation inherits the token. For one-off calls without exporting:
|
||||
|
||||
```bash
|
||||
SVC=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
|
||||
OP_SERVICE_ACCOUNT_TOKEN="$SVC" op item get "Item Name" --vault Infrastructure
|
||||
```
|
||||
|
||||
### Vault path resolution
|
||||
|
||||
The vault lives wherever `.claude/identity.json` says (`vault_path`). On the current Windows workstation it's `C:/Users/guru/vault`, but other machines (Howard's, future workstations) may differ. Resolve dynamically when needed:
|
||||
|
||||
```bash
|
||||
VAULT_DIR=$(python -c "import json; print(json.load(open('/c/Users/guru/ClaudeTools/.claude/identity.json'))['vault_path'])")
|
||||
SVC=$(sops -d "$VAULT_DIR/infrastructure/1password-service-account.sops.yaml" 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
|
||||
export OP_SERVICE_ACCOUNT_TOKEN="$SVC"
|
||||
```
|
||||
|
||||
### Service account scope (verified 2026-04-30)
|
||||
|
||||
The Agentic-RW service account has access to: **Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting**. The Private vault is intentionally NOT shared with the service account — if you need to read from Private, that's a different conversation, not a fallback to desktop session.
|
||||
|
||||
### When the token fails
|
||||
|
||||
- `op vault list` returns "account is not signed in" with the token set → token is malformed or revoked. Decrypt directly via `sops -d` and inspect.
|
||||
- `vault.sh get-field` may fail with "PyYAML not installed" — use direct `sops -d` + grep instead until that wrapper bug is fixed.
|
||||
- Never fall back to the desktop-app session in agent flows. If the service token is unrecoverable, stop and tell Mike.
|
||||
|
||||
---
|
||||
|
||||
## Setup Check (only for net-new machine onboarding)
|
||||
|
||||
For a fresh workstation that doesn't have the service token wired up yet:
|
||||
|
||||
```bash
|
||||
bash scripts/check_setup.sh
|
||||
```
|
||||
|
||||
If not installed: https://developer.1password.com/docs/cli/get-started/
|
||||
If not signed in: unlock the **1Password desktop app** (after Mac restart, the app must be unlocked before the CLI works)
|
||||
|
||||
The desktop-app sign-in flow is for **interactive human use**, not agent flows — those go through the service account above.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user