Add files via upload

This commit is contained in:
公明
2026-07-11 11:30:50 +08:00
committed by GitHub
parent 79d162ccb4
commit 1cf10981ef
14 changed files with 28 additions and 37 deletions
+2 -3
View File
@@ -212,7 +212,7 @@ The `run.sh` script will automatically:
model: "gpt-4o" # or deepseek-chat, claude-3-opus, etc.
```
- Or edit `config.yaml` directly before launching
2. **Login** - Use the auto-generated password shown in the console (or set `auth.password` in `config.yaml`)
2. **Login** - On first startup the console prints an auto-generated initial `admin` password; create accounts from **Platform permissions → User management**
3. **Install security tools (optional)** - Install tools from `tools/` as needed; missing tools are skipped or substituted at runtime. Common examples:
**macOS (Homebrew):**
@@ -281,7 +281,7 @@ Requirements / tips:
### Built-in Safeguards
- Required-field validation prevents accidental blank API credentials.
- Auto-generated strong passwords when `auth.password` is empty.
- Auto-generated 24-character initial `admin` password on first startup when no RBAC users exist (stored in the database only, not in `config.yaml`).
- Unified auth middleware for every web/API call (Bearer token flow).
- Timeout and sandbox guards per tool, plus structured logging for triage.
@@ -537,7 +537,6 @@ A test SSE MCP server is available at `cmd/test-sse-mcp-server/` for validation
```yaml
auth:
password: "change-me"
session_duration_hours: 12
server:
host: "0.0.0.0"
+2 -3
View File
@@ -211,7 +211,7 @@ chmod +x run.sh && ./run.sh
model: "gpt-4o" # 或 deepseek-chat, claude-3-opus 等
```
- 或启动前直接编辑 `config.yaml` 文件
2. **登录系统** - 使用控制台显示自动生成密码(或在 `config.yaml` 中设置 `auth.password`
2. **登录系统** - 首次启动时控制台显示自动生成的 `admin` 初始密码;也可在「平台权限 → 用户管理」中创建账号
3. **安装安全工具(可选)** - 按需安装 `tools/` 目录中的工具;未安装的工具在执行时会自动跳过或改用替代方案。常用示例:
**macOSHomebrew):**
@@ -279,7 +279,7 @@ go build -o cyberstrike-ai cmd/server/main.go
### 默认安全措施
- 设置面板内置必填校验,防止漏配 API Key/Base URL/模型。
- `auth.password` 为空时自动生成 24 位强口令并写回 `config.yaml`。
- 首次启动且无 RBAC 用户时,自动生成 24 位 `admin` 初始密码并在控制台输出(仅存于数据库,不再写入 `config.yaml`
- 所有 API(除登录外)都需携带 Bearer Token,统一鉴权中间件拦截。
- 每个工具执行都带有超时、日志和错误隔离。
@@ -535,7 +535,6 @@ CyberStrikeAI 支持通过三种传输模式连接外部 MCP 服务器:
```yaml
auth:
password: "change-me"
session_duration_hours: 12
server:
host: "0.0.0.0"
+8 -11
View File
@@ -5,6 +5,7 @@ import (
"cyberstrike-ai/internal/app"
"cyberstrike-ai/internal/config"
"cyberstrike-ai/internal/logger"
"cyberstrike-ai/internal/termout"
"flag"
"fmt"
"os"
@@ -47,8 +48,7 @@ func main() {
return
}
if localConfig.Created {
cfg.Auth.GeneratedPassword = localConfig.GeneratedPassword
cfg.Auth.GeneratedPasswordPersisted = true
termout.PrintConfigCreated()
}
if *httpsBootstrap {
@@ -63,15 +63,12 @@ func main() {
if config.MainWebUIUsesHTTPS(&cfg.Server) {
scheme = "https"
}
fmt.Println()
fmt.Printf("→ Web 界面: %s://127.0.0.1:%d/\n", scheme, port)
if scheme == "https" && cfg.Server.TLSAutoSelfSign {
fmt.Println(" (内存自签证书:浏览器首次需确认「继续访问」)")
}
if scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server) {
fmt.Printf(" http://127.0.0.1:%d/ 将自动跳转到 HTTPS\n", port)
}
fmt.Println()
termout.PrintStartupWebUI(termout.StartupWebUIOptions{
Scheme: scheme,
Port: port,
SelfSigned: scheme == "https" && cfg.Server.TLSAutoSelfSign,
HTTPRedirect: scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server),
})
// MCP 启用且 auth_header_value 为空时,自动生成随机密钥并写回配置
if err := config.EnsureMCPAuth(cp, cfg); err != nil {
+2 -3
View File
@@ -21,7 +21,7 @@ server:
tls_enabled: true
tls_auto_self_sign: true
auth:
password: "dev-only-change-me"
session_duration_hours: 12
audit:
enabled: true
retention_days: 7
@@ -45,7 +45,7 @@ server:
port: 8080
tls_enabled: false
auth:
password: "<long-random-password>"
session_duration_hours: 12
audit:
enabled: true
retention_days: 30
@@ -90,7 +90,6 @@ Goal: long-running production red-team or security platform.
```yaml
auth:
password: "<managed-secret>"
session_duration_hours: 8
audit:
enabled: true
+1 -2
View File
@@ -12,7 +12,6 @@ server:
port: 8080
tls_enabled: true
auth:
password: "change-me"
session_duration_hours: 12
openai:
provider: openai
@@ -24,7 +23,7 @@ agent:
tool_timeout_minutes: 60
```
Change the default password immediately. Use HTTPS or a trusted reverse proxy in any shared environment.
Change the initial `admin` password from the Web UI after first login. Use HTTPS or a trusted reverse proxy in any shared environment.
## Hot-Apply Boundaries
+1 -1
View File
@@ -48,7 +48,7 @@ config.yaml
```yaml
auth:
password: "<long-random-password>"
session_duration_hours: 12
server:
host: 127.0.0.1
port: 8080
+1 -1
View File
@@ -6,7 +6,7 @@ This checklist covers pre-production and continuous hardening for CyberStrikeAI.
## Before Going Live
- Change `auth.password` to a long random secret.
- Change the initial `admin` password from the Web UI after first login.
- Use HTTPS or a trusted reverse proxy.
- Restrict access by IP, VPN, or bastion.
- Enable `audit.enabled`.
+1 -1
View File
@@ -37,7 +37,7 @@ Page inaccessible:
Login fails:
- wrong `auth.password`;
- wrong RBAC user password;
- config not applied/restarted;
- stale cookie;
- audit throttling repeated failures.
+2 -3
View File
@@ -21,7 +21,7 @@ server:
tls_enabled: true
tls_auto_self_sign: true
auth:
password: "dev-only-change-me"
session_duration_hours: 12
audit:
enabled: true
retention_days: 7
@@ -54,7 +54,7 @@ server:
port: 8080
tls_enabled: false
auth:
password: "<long-random-password>"
session_duration_hours: 12
audit:
enabled: true
retention_days: 30
@@ -107,7 +107,6 @@ multi_agent:
```yaml
auth:
password: "<managed-secret>"
session_duration_hours: 8
audit:
enabled: true
+1 -2
View File
@@ -12,7 +12,6 @@ server:
tls_enabled: true
tls_auto_self_sign: true
auth:
password: "change-me"
session_duration_hours: 12
log:
level: info
@@ -22,7 +21,7 @@ log:
- `version`:前端展示版本。
- `server.host/port`Web 服务监听地址和端口。
- `server.tls_*`HTTPS 配置。生产环境建议使用 `tls_cert_path``tls_key_path`
- `auth.password`Web 登录密码,必须改为强密码。
- `auth.session_duration_hours`:登录会话有效期(小时)。登录密码由 RBAC 用户管理,首次启动时在控制台输出 `admin` 初始密码。
- `auth.session_duration_hours`:登录会话有效期。
- `log.output`:可以是 `stdout``stderr` 或文件路径。
+1 -1
View File
@@ -48,7 +48,7 @@ config.yaml
```yaml
auth:
password: "<long-random-password>"
session_duration_hours: 12
server:
host: 127.0.0.1
port: 8080
+1 -1
View File
@@ -6,7 +6,7 @@
## 上线前必做
- 修改 `auth.password` 为长随机密码
- 首次部署后立即修改 `admin` 初始密码(Web 界面或平台权限 → 用户管理)
- 使用 HTTPS,或放在可信反向代理之后。
- 限制来源 IP、VPN 或堡垒机访问。
- 开启 `audit.enabled`
+2 -2
View File
@@ -16,9 +16,9 @@ CyberStrikeAI 面向授权安全测试场景,内置命令执行、MCP 工具
## 认证与会话
`auth.password` 是 Web 登录密码。建议:
Web 登录凭据由 RBAC 用户管理(默认内置 `admin` 账号)。建议:
- 首次部署立即修改默认密码
- 首次部署立即修改 `admin` 初始密码(控制台首次启动会输出)
- 使用长随机密码,并限制分享范围。
- 将服务放在内网、VPN、堡垒机或反向代理认证后面。
- 生产环境开启 HTTPS,避免明文传输 Cookie。
+3 -3
View File
@@ -23,12 +23,12 @@ https://127.0.0.1:8080/
检查:
- `config.yaml` 中的 `auth.password`
- 是否修改后未重启或未应用配置
- RBAC 用户密码是否正确(默认 `admin`;首次启动密码见控制台输出)
- 是否修改密码后旧会话已失效,需重新登录
- 浏览器 Cookie 是否异常,可尝试无痕窗口。
- 审计日志中是否有登录失败节流。
生产环境忘记密码时,需在服务器上修改 `config.yaml` 并重启服务
生产环境忘记密码时,需在服务器上通过 RBAC 用户管理重置,或直接更新数据库中的用户密码哈希
## 模型无响应