GuardARC runs with elevated privileges (it signals processes, tears down sockets,
and installs nftables rules), so bugs in those paths are security-sensitive.
- The monitoring/alerting path needs only read access to local socket state
(
ss) and the ability to run the Slack helper. - The enforcement path (
SIGSTOP/SIGCONT,ss --kill,nftinstall/remove) needs root. Grant the narrowest privilege that works for your deployment. - GuardARC never authenticates to or connects to a monitored server. It must never hold remote credentials.
- Signalling is strictly by PID, never pattern-based — the guard must never be able to kill itself or an unrelated process.
- The guard self-excludes its own PID from counting and enforcement.
- All destructive actions are scoped to a specific target peer and owning PID.
Report privately to the maintainers (Dana Research Group, Technion) rather than opening a public issue. Include the version, platform, and a minimal reproduction.