Security
ServerMind is designed for teams that operate critical infrastructure. Security is not an add-on — it is built into the architecture, the access model, and every layer of the platform.
Security Architecture
Outbound-Only Agents
Agents initiate all connections outbound over port 443. No inbound ports need to be opened on agent machines. No VPN tunnels, no attack surface.
Split-Agent Privilege Isolation
In production, each agent runs as 4 separate processes (Collector, Monitor, Control, Platform), each with minimal privileges. Compromise of one process does not grant access to another.
TLS 1.3 Everywhere
All communication between browser, backend, and agents is encrypted with TLS 1.3. QUIC transport uses UDP with built-in TLS. WebSocket fallback uses WSS.
Encrypted Agent Identity
Agent configuration (server URL, activation token, certificates) is stored in an encrypted identity database on disk — not in plaintext config files.
Self-Hosted / On-Prem
ServerMind runs entirely on your infrastructure. No data leaves your network. No cloud dependency, no external telemetry, no phone-home.
No Inbound Attack Surface
The backend listens on a single port (443). Agents connect outbound. There are no open management ports, no SSH tunnels, no secondary APIs to secure.
Data Handling
- Metrics, logs, and configuration data are collected by the agent and stored in your PostgreSQL database
- No data is transmitted to ServerMind or any third party
- The only external communication is license validation from the on-prem server — agents never connect outside your network
- No telemetry, no usage analytics, no phone-home from agents
- Backup encryption and compression supported for all 9 backup destinations
- Agent local cache uses SQLite and redb — stored on the agent machine only
Access Control
- RBAC with 100+ granular permissions and custom roles
- OIDC, SAML 2.0, LDAP/AD with break-glass local fallback
- MFA/TOTP with enforced enrollment and backup codes
- Session timeout, active session listing, and revocation
- Password policies: complexity, expiration, history, lockout
- Dangerous operation flags — extra confirmation for destructive actions
- Just-in-time (JIT) user provisioning from identity providers
Audit Trail
- Every action logged with timestamp, user, IP address, and user-agent
- Event categories: authentication, user management, config changes, service operations, file operations, security events
- Full audit trail of all AI-initiated operations
- Filtering by action type, user, status, timestamp range
- Retention and export for compliance requirements
Compliance & Monitoring
- CIS Benchmark scanning with auto-remediation and rollback
- File Integrity Monitoring (FIM) with inotify real-time detection
- Security score (0-100) per server with category breakdown
- Compliance posture dashboard with violation tracking
- Incident timeline with event correlation
Supply Chain Security
GPG-Signed Packages
All DEB and RPM packages are signed with our GPG key. Package managers automatically verify signatures during installation.
Public key: packages.servermind.io/gpg.key
SHA256 Checksums
Every release binary is published with a SHA256 checksum file. Verify integrity before deploying to production.
releases.servermind.io/latest/*.sha256
Network Security
Minimal Surface
- Single port (443) for all communication
- No inbound ports required on agent machines
- Works behind NAT, corporate proxies, firewalls
- No VPN tunnels or SSH bastions needed
Transport Security
- QUIC with TLS 1.3 — primary transport
- WebSocket over TLS — automatic fallback
- 0-RTT reconnection without re-handshake
- Cryptographically signed agent connections
Vulnerability Reporting
If you discover a security vulnerability in ServerMind, please report it responsibly.
Please do not open public issues for security vulnerabilities. Use the email above for responsible disclosure.