KB-BCDA rev 4
VPS Infrastructure Audit — 2026-02-28
Performed by: Codex CLI
Reviewed by: AI Council
Scope: Pre-Prefect Installation Audit
1. Overall Assessment
- Risk Level: MEDIUM
- Safe to install Prefect: YES
- No configuration changes were made during audit
2. System Resources
CPU
- Load average: 0.33 / 0.22 / 0.19
- CPU idle: 85.9%
Memory
- Total: 11.9 GiB
- Used: 2.4 GiB
- Available: ~9.3 GiB
Disk
- 32G used / 96G total
- 65G free (34% used)
Conclusion: Sufficient headroom for Prefect.
3. Docker State
Running containers: 8
Largest memory consumers:
- MySQL ~650 MiB
- Agent Data ~511 MiB
- Directus ~152 MiB
PostgreSQL:
- Healthy
- No memory limit set
- No public port
Issue:
- No Docker memory limits enforced on containers
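The missing-limit finding can be verified from the host without reading every compose file. The script below is an added example (not part of the audit or the VPS's own tooling): it reads the HostConfig.Memory and HostConfig.MemoryReservation fields that docker inspect exposes, prints the containers whose hard limit is 0 (Docker's default, meaning unlimited), and emits a compose stanza sized from an observed RSS. The container listing is a constructed sample that mirrors the consumers above; the 1.5x headroom factor and the mem_limit/mem_reservation keys are this example's choice, not an audit value.

```shell
#!/bin/sh
# Added example, not from the audit: list running containers that have no
# hard memory limit, from the same fields `docker inspect` exposes.
# On the VPS the real input would come from:
#   docker ps -q | xargs docker inspect \
#     --format '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.MemoryReservation}}'
# Here SAMPLE_INSPECT is a CONSTRUCTED listing so the check runs offline.

# name, hard limit (bytes), reservation (bytes); 0 = unset, Docker's default.
SAMPLE_INSPECT='/mysql 0 0
/agent-data 0 0
/directus 0 0
/postgres 0 0
/uptime-kuma 268435456 134217728'

# unlimited_containers: read "name memory reservation" lines on stdin and
# print the names (without the leading slash) whose memory limit is 0.
unlimited_containers() {
    while read -r name mem _reservation; do
        [ -z "$name" ] && continue
        if [ "${mem:-0}" -eq 0 ]; then
            printf '%s\n' "${name#/}"
        fi
    done
}

# count_unlimited: how many sample containers lack a hard limit.
count_unlimited() {
    printf '%s\n' "$SAMPLE_INSPECT" | unlimited_containers | wc -l | tr -d ' '
}

# compose_limit_snippet SERVICE OBSERVED_MIB: compose stanza that closes the
# finding for one service. Hard limit = 1.5x the observed RSS (assumed
# headroom factor, not an audit value); reservation = the observed RSS.
compose_limit_snippet() {
    svc="$1"
    observed_mib="$2"
    limit_mib=$(( observed_mib * 3 / 2 ))
    printf '  %s:\n    mem_limit: %sm\n    mem_reservation: %sm\n' \
        "$svc" "$limit_mib" "$observed_mib"
}

main() {
    echo "Containers without a hard memory limit:"
    printf '%s\n' "$SAMPLE_INSPECT" | unlimited_containers | sed 's/^/  - /'
    echo "Suggested compose stanza for mysql (observed ~650 MiB):"
    compose_limit_snippet mysql 650
}
main
```

A hard limit turns a memory leak in one container into an OOM-kill of that container instead of host-wide memory pressure that takes PostgreSQL and Prefect down with it; the reservation only affects scheduling, so the limit is the field that matters for this finding.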
4. Network Exposure
Public ports:
- 22
- 80
- 443
- 3001 (uptime-kuma)
Databases:
- 5432 not public
- 3306 not public
- 6333/6334 not public
Note:
- Port 3001 (uptime-kuma) is reachable directly, bypassing Nginx; review whether it needs to stay public.
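The "public ports" list above is the kind of result the following check produces. It is an added example, not the audit's own command: it parses ss -tlnp output, treats any TCP listener bound to a wildcard address (0.0.0.0, *, [::]) as public, and reports the ones outside an allowlist. The listing is constructed to mirror this audit's findings, and the allowlist of 22/80/443 is an assumption taken from the "Public ports" section, not a project setting.

```shell
#!/bin/sh
# Added example, not part of the audit. Reproduces the "Public ports" check
# from a `ss -tlnp` listing: any TCP listener bound to a wildcard address
# (0.0.0.0, *, [::]) is reachable from outside unless a firewall blocks it.
# On the VPS the real input would be:  ss -Htlnp | public_listeners
# SAMPLE_SS below is a CONSTRUCTED listing that mirrors the audit's findings.

SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1203,fd=8))
LISTEN 0 4096 *:3001 *:* users:(("docker-proxy",pid=2210,fd=4))
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("docker-proxy",pid=2301,fd=4))
LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:* users:(("docker-proxy",pid=2355,fd=4))
LISTEN 0 4096 127.0.0.1:6333 0.0.0.0:* users:(("docker-proxy",pid=2402,fd=4))
LISTEN 0 4096 127.0.0.1:6334 0.0.0.0:* users:(("docker-proxy",pid=2402,fd=5))
LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Ports the audit accepts as intentionally public (SSH + the Nginx edge).
# Assumed allowlist, not a project setting.
ALLOWED_PORTS="22 80 443"

# public_listeners: from `ss -Htlnp` lines on stdin, print "port process" for
# every wildcard-bound listener, de-duplicated so v4 + v6 count once.
public_listeners() {
    awk '
        $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                proc = "?"
                if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
                key = port " " proc
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# unexpected_public: public listeners whose port is not in ALLOWED_PORTS.
unexpected_public() {
    public_listeners | while read -r port proc; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf '%s %s\n' "$port" "$proc" ;;
        esac
    done
}

# sample_unexpected_ports: the offending ports for the constructed sample,
# space-separated, so the result can be checked as a single value.
sample_unexpected_ports() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_public | awk '{print $1}' \
        | tr '\n' ' ' | sed 's/ $//'
}

main() {
    echo "Wildcard-bound listeners:"
    printf '%s\n' "$SAMPLE_SS" | public_listeners | sed 's/^/  /'
    echo "Not in allowlist ($ALLOWED_PORTS):"
    printf '%s\n' "$SAMPLE_SS" | unexpected_public | sed 's/^/  /'
}
main
```

Checking the bind address, as this script does, matters more than checking the host firewall: a port that Docker publishes (ports: in compose, or -p on the command line) is inserted into the iptables DOCKER chain ahead of ufw-style host rules, so a container port can be public even when the firewall appears to block it. The usual way to close 3001 without losing uptime-kuma is to publish it as 127.0.0.1:3001:3001 and add an Nginx location in front of it, which is the "proxy via Nginx" option in the recommendations.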
5. Backup State
PostgreSQL backup:
- Cron configured (02:00 daily)
- Verified manual backup to GCS
- No cron-run history yet
6. Security Findings (updated after SEC-CLEAN, 2026-02-28)
Critical → FALSE POSITIVE
- Plaintext credentials in agent-data-test/scripts/start-agent-data.sh
- Actual state: the script already fetches its credentials with gcloud secrets versions access; there are no hardcoded credentials.
High → RESOLVED
- World-readable /opt/incomex/docker/.env
- Fix: chmod 600; only root can read the file.
Medium → RESOLVED
- Hardcoded credential variables in mysql-backup.sh, qdrant-backup.sh, cdn-cache-warm.sh
- Fix: the three scripts were rewritten to read from .env; the .bak files that still contained credentials were deleted.
Medium → OPEN
- No Docker memory limits enforced (TD-039)
Conclusion:
- DB exposure: good (no database port is public)
- Secret hygiene: ✅ CLEAN (after SEC-CLEAN)
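The three secret-hygiene verdicts above (one false positive, two fixes) come down to two mechanical checks: the mode bits on .env, and whether a credential-looking variable is assigned a literal or an expansion. The script below is an added example, not the audit's or the VPS's own tooling: it builds a constructed sample directory whose file names match the audit but whose contents are invented, runs both checks, applies the chmod 600 and read-from-.env fixes, and re-checks. The variable-name pattern (PASS, SECRET, TOKEN, API_KEY, PRIVATE_KEY) is a heuristic chosen for this example.

```shell
#!/bin/sh
# Added example, not from the audit or the VPS's own scripts: the two checks
# behind SEC-02 and SEC-03, run against a CONSTRUCTED sample directory.
#   1. Is the .env file readable by "other"?
#   2. Does any script assign a credential-looking variable to a literal
#      instead of an expansion ($VAR, ${VAR}, $(gcloud secrets versions access ...))?
# Check 2 is what separates the SEC-01 false positive (value fetched from
# Secret Manager at run time) from the SEC-03 true positives (value typed in).

# world_readable FILE: true if the "other" read bit is set.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# literal_credentials FILE...: print FILE:LINE for assignments whose name
# contains PASS/SECRET/TOKEN/API_KEY/PRIVATE_KEY and whose value is a literal.
literal_credentials() {
    for f in "$@"; do
        awk -v file="$f" '
            /^[[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*(PASS|SECRET|TOKEN|API_KEY|PRIVATE_KEY)[A-Za-z0-9_]*=/ {
                val = $0
                sub(/^[^=]*=[[:space:]]*/, "", val)   # keep the right-hand side
                sub(/^["\047]/, "", val)               # drop an opening quote
                if (val !~ /^\$/) print file ":" NR    # literal, not an expansion
            }' "$f"
    done
}

# audit_dir DIR: one finding per line (WORLD-READABLE ... / LITERAL-CRED ...).
audit_dir() {
    if world_readable "$1/.env"; then
        printf 'WORLD-READABLE %s\n' "$1/.env"
    fi
    literal_credentials "$1"/*.sh | sed 's/^/LITERAL-CRED /'
}

# count_findings DIR: number of findings audit_dir reports.
count_findings() {
    audit_dir "$1" | wc -l | tr -d ' '
}

# setup_sample: build a temp dir that reproduces the audit's three cases and
# print its path. File names follow the audit; contents are invented.
setup_sample() {
    d=$(mktemp -d)
    printf 'MYSQL_ROOT_PASSWORD=example-only\n' > "$d/.env"
    chmod 644 "$d/.env"                              # SEC-02 state: world-readable
    # SEC-01: looks like a credential, but the value comes from Secret Manager
    cat > "$d/start-agent-data.sh" <<'EOF'
#!/bin/sh
AGENT_DATA_SECRET=$(gcloud secrets versions access latest --secret=agent-data)
EOF
    # SEC-03 state: password typed into the script
    cat > "$d/mysql-backup.sh" <<'EOF'
#!/bin/sh
export MYSQL_PASSWORD='hardcoded-example'
EOF
    # Already in the fixed shape: value sourced from .env
    cat > "$d/qdrant-backup.sh" <<'EOF'
#!/bin/sh
. /opt/incomex/docker/.env
QDRANT_API_KEY="${QDRANT_API_KEY:?missing in .env}"
EOF
    printf '%s\n' "$d"
}

# apply_fixes DIR: the SEC-02 (chmod 600) and SEC-03 (read from .env) remediation.
apply_fixes() {
    chmod 600 "$1/.env"
    cat > "$1/mysql-backup.sh" <<'EOF'
#!/bin/sh
. /opt/incomex/docker/.env
MYSQL_PASSWORD="${MYSQL_ROOT_PASSWORD:?missing in .env}"
EOF
}

main() {
    d=$(setup_sample)
    echo "Before SEC-CLEAN:"; audit_dir "$d" | sed 's/^/  /'
    apply_fixes "$d"
    echo "After SEC-CLEAN: $(count_findings "$d") finding(s)"
    rm -rf "$d"
}
main
```

The expansion test is deliberately loose: a value beginning with $ is accepted whether it comes from Secret Manager or from a sourced .env, which is why the .env mode check runs alongside it. Review what the pattern reports rather than trusting it blindly, and remember that .bak copies of a rewritten script keep the old literal, which is why the audit deleted them.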
7. Recommendations Before/After Prefect
- Enforce Docker memory limits (still open, TD-039)
- Fix world-readable env files (done in SEC-CLEAN: chmod 600)
- Remove plaintext credentials from scripts (done in SEC-CLEAN: scripts now read from .env)
- Optionally close port 3001 or proxy it via Nginx
8. Capacity Conclusion
Infrastructure capacity is ready for Prefect. Security cleanup was required as a follow-up; see Post-Audit Actions for its status.
9. Post-Audit Actions
| # | Action | Status | Reference |
|---|---|---|---|
| 1 | PostgreSQL installed for Prefect+Kestra | ✅ Done | knowledge/dev/ssot/postgresql/postgresql-architecture.md |
| 2 | Constitution v1.12 updated for Prefect+Kestra | ✅ Done | knowledge/dev/ssot/constitution-v1.11e.md |
| 3 | MCP connectivity restored after Codex incident | ✅ Done | Session S-88 |
| 4 | Docker memory limits enforced | ⏳ Open | TD-039 |
| 5 | Plaintext credentials cleanup | ✅ Done | SEC-CLEAN (2026-02-28): SEC-01 false positive, SEC-02 chmod 600, SEC-03 scripts rewrite |
10. Related SSOT Documents
| Document | Path |
|---|---|
| VPS Architecture | knowledge/dev/ssot/vps/vps-architecture.md |
| VPS Operating Rules | knowledge/dev/ssot/vps/vps-operating-rules.md |
| PostgreSQL Architecture | knowledge/dev/ssot/postgresql/postgresql-architecture.md |