mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-14 07:57:26 +02:00
Add files via upload
This commit is contained in:
@@ -212,7 +212,7 @@ The `run.sh` script will automatically:
|
||||
model: "gpt-4o" # or deepseek-chat, claude-3-opus, etc.
|
||||
```
|
||||
- Or edit `config.yaml` directly before launching
|
||||
2. **Login** - Use the auto-generated password shown in the console (or set `auth.password` in `config.yaml`)
|
||||
2. **Login** - On first startup the console prints an auto-generated initial `admin` password; create accounts from **Platform permissions → User management**
|
||||
3. **Install security tools (optional)** - Install tools from `tools/` as needed; missing tools are skipped or substituted at runtime. Common examples:
|
||||
|
||||
**macOS (Homebrew):**
|
||||
@@ -281,7 +281,7 @@ Requirements / tips:
|
||||
|
||||
### Built-in Safeguards
|
||||
- Required-field validation prevents accidental blank API credentials.
|
||||
- Auto-generated strong passwords when `auth.password` is empty.
|
||||
- Auto-generated 24-character initial `admin` password on first startup when no RBAC users exist (stored in the database only, not in `config.yaml`).
|
||||
- Unified auth middleware for every web/API call (Bearer token flow).
|
||||
- Timeout and sandbox guards per tool, plus structured logging for triage.
|
||||
|
||||
@@ -537,7 +537,6 @@ A test SSE MCP server is available at `cmd/test-sse-mcp-server/` for validation
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "change-me"
|
||||
session_duration_hours: 12
|
||||
server:
|
||||
host: "0.0.0.0"
|
||||
|
||||
+2
-3
@@ -211,7 +211,7 @@ chmod +x run.sh && ./run.sh
|
||||
model: "gpt-4o" # 或 deepseek-chat, claude-3-opus 等
|
||||
```
|
||||
- 或启动前直接编辑 `config.yaml` 文件
|
||||
2. **登录系统** - 使用控制台显示的自动生成密码(或在 `config.yaml` 中设置 `auth.password`)
|
||||
2. **登录系统** - 首次启动时控制台会显示自动生成的 `admin` 初始密码;也可在「平台权限 → 用户管理」中创建账号
|
||||
3. **安装安全工具(可选)** - 按需安装 `tools/` 目录中的工具;未安装的工具在执行时会自动跳过或改用替代方案。常用示例:
|
||||
|
||||
**macOS(Homebrew):**
|
||||
@@ -279,7 +279,7 @@ go build -o cyberstrike-ai cmd/server/main.go
|
||||
|
||||
### 默认安全措施
|
||||
- 设置面板内置必填校验,防止漏配 API Key/Base URL/模型。
|
||||
- `auth.password` 为空时自动生成 24 位强口令并写回 `config.yaml`。
|
||||
- 首次启动且无 RBAC 用户时,自动生成 24 位 `admin` 初始密码并在控制台输出(仅存于数据库,不再写入 `config.yaml`)。
|
||||
- 所有 API(除登录外)都需携带 Bearer Token,统一鉴权中间件拦截。
|
||||
- 每个工具执行都带有超时、日志和错误隔离。
|
||||
|
||||
@@ -535,7 +535,6 @@ CyberStrikeAI 支持通过三种传输模式连接外部 MCP 服务器:
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "change-me"
|
||||
session_duration_hours: 12
|
||||
server:
|
||||
host: "0.0.0.0"
|
||||
|
||||
+8
-11
@@ -5,6 +5,7 @@ import (
|
||||
"cyberstrike-ai/internal/app"
|
||||
"cyberstrike-ai/internal/config"
|
||||
"cyberstrike-ai/internal/logger"
|
||||
"cyberstrike-ai/internal/termout"
|
||||
"flag"
|
||||
"fmt"
|
||||
"os"
|
||||
@@ -47,8 +48,7 @@ func main() {
|
||||
return
|
||||
}
|
||||
if localConfig.Created {
|
||||
cfg.Auth.GeneratedPassword = localConfig.GeneratedPassword
|
||||
cfg.Auth.GeneratedPasswordPersisted = true
|
||||
termout.PrintConfigCreated()
|
||||
}
|
||||
|
||||
if *httpsBootstrap {
|
||||
@@ -63,15 +63,12 @@ func main() {
|
||||
if config.MainWebUIUsesHTTPS(&cfg.Server) {
|
||||
scheme = "https"
|
||||
}
|
||||
fmt.Println()
|
||||
fmt.Printf("→ Web 界面: %s://127.0.0.1:%d/\n", scheme, port)
|
||||
if scheme == "https" && cfg.Server.TLSAutoSelfSign {
|
||||
fmt.Println(" (内存自签证书:浏览器首次需确认「继续访问」)")
|
||||
}
|
||||
if scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server) {
|
||||
fmt.Printf(" (http://127.0.0.1:%d/ 将自动跳转到 HTTPS)\n", port)
|
||||
}
|
||||
fmt.Println()
|
||||
termout.PrintStartupWebUI(termout.StartupWebUIOptions{
|
||||
Scheme: scheme,
|
||||
Port: port,
|
||||
SelfSigned: scheme == "https" && cfg.Server.TLSAutoSelfSign,
|
||||
HTTPRedirect: scheme == "https" && config.ServerHTTPRedirectEnabled(&cfg.Server),
|
||||
})
|
||||
|
||||
// MCP 启用且 auth_header_value 为空时,自动生成随机密钥并写回配置
|
||||
if err := config.EnsureMCPAuth(cp, cfg); err != nil {
|
||||
|
||||
@@ -21,7 +21,7 @@ server:
|
||||
tls_enabled: true
|
||||
tls_auto_self_sign: true
|
||||
auth:
|
||||
password: "dev-only-change-me"
|
||||
session_duration_hours: 12
|
||||
audit:
|
||||
enabled: true
|
||||
retention_days: 7
|
||||
@@ -45,7 +45,7 @@ server:
|
||||
port: 8080
|
||||
tls_enabled: false
|
||||
auth:
|
||||
password: "<long-random-password>"
|
||||
session_duration_hours: 12
|
||||
audit:
|
||||
enabled: true
|
||||
retention_days: 30
|
||||
@@ -90,7 +90,6 @@ Goal: long-running production red-team or security platform.
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "<managed-secret>"
|
||||
session_duration_hours: 8
|
||||
audit:
|
||||
enabled: true
|
||||
|
||||
@@ -12,7 +12,6 @@ server:
|
||||
port: 8080
|
||||
tls_enabled: true
|
||||
auth:
|
||||
password: "change-me"
|
||||
session_duration_hours: 12
|
||||
openai:
|
||||
provider: openai
|
||||
@@ -24,7 +23,7 @@ agent:
|
||||
tool_timeout_minutes: 60
|
||||
```
|
||||
|
||||
Change the default password immediately. Use HTTPS or a trusted reverse proxy in any shared environment.
|
||||
Change the initial `admin` password from the Web UI after first login. Use HTTPS or a trusted reverse proxy in any shared environment.
|
||||
|
||||
## Hot-Apply Boundaries
|
||||
|
||||
|
||||
@@ -48,7 +48,7 @@ config.yaml
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "<long-random-password>"
|
||||
session_duration_hours: 12
|
||||
server:
|
||||
host: 127.0.0.1
|
||||
port: 8080
|
||||
|
||||
@@ -6,7 +6,7 @@ This checklist covers pre-production and continuous hardening for CyberStrikeAI.
|
||||
|
||||
## Before Going Live
|
||||
|
||||
- Change `auth.password` to a long random secret.
|
||||
- Change the initial `admin` password from the Web UI after first login.
|
||||
- Use HTTPS or a trusted reverse proxy.
|
||||
- Restrict access by IP, VPN, or bastion.
|
||||
- Enable `audit.enabled`.
|
||||
|
||||
@@ -37,7 +37,7 @@ Page inaccessible:
|
||||
|
||||
Login fails:
|
||||
|
||||
- wrong `auth.password`;
|
||||
- wrong RBAC user password;
|
||||
- config not applied/restarted;
|
||||
- stale cookie;
|
||||
- audit throttling repeated failures.
|
||||
|
||||
@@ -21,7 +21,7 @@ server:
|
||||
tls_enabled: true
|
||||
tls_auto_self_sign: true
|
||||
auth:
|
||||
password: "dev-only-change-me"
|
||||
session_duration_hours: 12
|
||||
audit:
|
||||
enabled: true
|
||||
retention_days: 7
|
||||
@@ -54,7 +54,7 @@ server:
|
||||
port: 8080
|
||||
tls_enabled: false
|
||||
auth:
|
||||
password: "<long-random-password>"
|
||||
session_duration_hours: 12
|
||||
audit:
|
||||
enabled: true
|
||||
retention_days: 30
|
||||
@@ -107,7 +107,6 @@ multi_agent:
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "<managed-secret>"
|
||||
session_duration_hours: 8
|
||||
audit:
|
||||
enabled: true
|
||||
|
||||
@@ -12,7 +12,6 @@ server:
|
||||
tls_enabled: true
|
||||
tls_auto_self_sign: true
|
||||
auth:
|
||||
password: "change-me"
|
||||
session_duration_hours: 12
|
||||
log:
|
||||
level: info
|
||||
@@ -22,7 +21,7 @@ log:
|
||||
- `version`:前端展示版本。
|
||||
- `server.host/port`:Web 服务监听地址和端口。
|
||||
- `server.tls_*`:HTTPS 配置。生产环境建议使用 `tls_cert_path` 和 `tls_key_path`。
|
||||
- `auth.password`:Web 登录密码,必须改为强密码。
|
||||
- `auth.session_duration_hours`:登录会话有效期(小时)。登录密码由 RBAC 用户管理,首次启动时在控制台输出 `admin` 初始密码。
|
||||
- `auth.session_duration_hours`:登录会话有效期。
|
||||
- `log.output`:可以是 `stdout`、`stderr` 或文件路径。
|
||||
|
||||
|
||||
@@ -48,7 +48,7 @@ config.yaml
|
||||
|
||||
```yaml
|
||||
auth:
|
||||
password: "<long-random-password>"
|
||||
session_duration_hours: 12
|
||||
server:
|
||||
host: 127.0.0.1
|
||||
port: 8080
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
|
||||
## 上线前必做
|
||||
|
||||
- 修改 `auth.password` 为长随机密码。
|
||||
- 首次部署后立即修改 `admin` 初始密码(Web 界面或平台权限 → 用户管理)。
|
||||
- 使用 HTTPS,或放在可信反向代理之后。
|
||||
- 限制来源 IP、VPN 或堡垒机访问。
|
||||
- 开启 `audit.enabled`。
|
||||
|
||||
@@ -16,9 +16,9 @@ CyberStrikeAI 面向授权安全测试场景,内置命令执行、MCP 工具
|
||||
|
||||
## 认证与会话
|
||||
|
||||
`auth.password` 是 Web 登录密码。建议:
|
||||
Web 登录凭据由 RBAC 用户管理(默认内置 `admin` 账号)。建议:
|
||||
|
||||
- 首次部署立即修改默认密码。
|
||||
- 首次部署后立即修改 `admin` 初始密码(控制台首次启动会输出)。
|
||||
- 使用长随机密码,并限制分享范围。
|
||||
- 将服务放在内网、VPN、堡垒机或反向代理认证后面。
|
||||
- 生产环境开启 HTTPS,避免明文传输 Cookie。
|
||||
|
||||
@@ -23,12 +23,12 @@ https://127.0.0.1:8080/
|
||||
|
||||
检查:
|
||||
|
||||
- `config.yaml` 中的 `auth.password`。
|
||||
- 是否修改后未重启或未应用配置。
|
||||
- RBAC 用户密码是否正确(默认 `admin`;首次启动密码见控制台输出)。
|
||||
- 是否修改密码后旧会话已失效,需重新登录。
|
||||
- 浏览器 Cookie 是否异常,可尝试无痕窗口。
|
||||
- 审计日志中是否有登录失败节流。
|
||||
|
||||
生产环境忘记密码时,需要在服务器上修改 `config.yaml` 并重启服务。
|
||||
生产环境忘记密码时,需在服务器上通过 RBAC 用户管理重置,或直接更新数据库中的用户密码哈希。
|
||||
|
||||
## 模型无响应
|
||||
|
||||
|
||||
Reference in New Issue
Block a user