mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-18 18:07:32 +02:00
152 lines
7.0 KiB
Markdown
152 lines
7.0 KiB
Markdown
# Asset Management
|
|
|
|
[中文](../zh-CN/asset-management.md)
|
|
|
|
Asset management consolidates domains, IP addresses, ports, and services discovered through manual entry, FOFA, HTTP APIs, and Agent tasks into a maintainable baseline. It answers three questions: what assets exist, which assets have been assessed, and where risk is concentrated.
|
|
|
|
> This feature is designed for security testing and attack-surface governance. It is not a replacement for a full enterprise CMDB. Add and scan only systems you own or are explicitly authorized to test.
|
|
|
|
## Overview
|
|
|
|
Asset management provides three main views:
|
|
|
|
- **Overview**: asset totals, IPs, domains, ports, recent changes, scan coverage, and protocol distribution.
|
|
- **Asset inventory**: identity, service details, source, tags, project ownership, scan history, and risk state.
|
|
- **Reconnaissance**: search FOFA and save confirmed results individually or in batches.
|
|
|
|
Assets can launch single-target analysis or batch scans. After an Agent records findings and completes the scan callback, the inventory displays related vulnerability counts, risk level, and latest scan time.
|
|
|
|
## Asset fields
|
|
|
|
An asset can include:
|
|
|
|
- host, IP address, domain, port, and protocol;
|
|
- page title and service or product fingerprint;
|
|
- country/region, state/province, and city;
|
|
- source, source query, and tags;
|
|
- active or inactive status;
|
|
- project and owner;
|
|
- first seen, last seen, created, and updated timestamps;
|
|
- latest scan time and linked conversation, task queue, and subtask;
|
|
- related vulnerability count and current risk level.
|
|
|
|
At least one of `host`, `ip`, or `domain` is required.
|
|
|
|
## Build an asset baseline
|
|
|
|
### Add an asset manually
|
|
|
|
Go to **Asset Management → Asset Inventory** and select **Add Asset**. Supported target forms include:
|
|
|
|
```text
|
|
https://example.com:8443
|
|
example.com
|
|
192.0.2.10:443
|
|
[2001:db8::1]:443
|
|
```
|
|
|
|
The system attempts to identify the URL, domain, IP address, port, and protocol. You can then add a project, tags, title, service fingerprint, location, and status.
|
|
|
|
### Import from FOFA
|
|
|
|
1. Configure the FOFA email and API key in settings or the configuration file. You can also use the `FOFA_EMAIL` and `FOFA_API_KEY` environment variables.
|
|
2. Open **Asset Management → Reconnaissance**.
|
|
3. Enter or generate a FOFA query and confirm its scope.
|
|
4. Run the query, select results whose ownership has been verified, and choose **Save Selected**.
|
|
5. Review the created, updated, and skipped counts.
|
|
|
|
Internet search results are not automatically your assets. Narrow the query with organization domains, certificates, network ranges, or product fingerprints, then verify authorization before saving results.
|
|
|
|
## Normalization and deduplication
|
|
|
|
Different sources may describe the same target in different forms. The system:
|
|
|
|
- trims surrounding whitespace;
|
|
- normalizes IP addresses, domains, and protocols to lowercase;
|
|
- extracts hostname, protocol, and port from URL-like hosts;
|
|
- fills default HTTP/HTTPS ports when omitted;
|
|
- converts internationalized domains to ASCII/Punycode;
|
|
- removes empty or duplicate tags;
|
|
- supplies default source and status values.
|
|
|
|
Assets use “target + port + protocol” as the service-level deduplication key. The preferred target is the domain, followed by the IP address, then the host. As a result, `80/http` and `443/https` on the same host remain separate assets.
|
|
|
|
When an existing asset is imported again, non-empty incoming fields and the last-seen time are updated. Existing fields omitted by the new record and the original first-seen time are preserved.
|
|
|
|
## Search and filters
|
|
|
|
The Web UI searches hosts, IP addresses, domains, titles, services, and tags, with status and project filters. The backend and Agent tools additionally support:
|
|
|
|
- source, tags, port, and protocol;
|
|
- scanned and never-scanned states;
|
|
- first-seen, last-seen, and latest-scan time ranges;
|
|
- allowlisted sort fields such as latest scan time;
|
|
- paginated queries.
|
|
|
|
Sorting by latest scan time in ascending order places never-scanned assets first, making coverage gaps visible.
|
|
|
|
## Scanning and risk updates
|
|
|
|
### Scan one asset
|
|
|
|
Select **Scan** from the asset inventory. The system:
|
|
|
|
1. creates a conversation containing the target and asset ID;
|
|
2. links the conversation to the asset;
|
|
3. prompts the Agent to inspect exposed services and authorized risks;
|
|
4. stores confirmed findings with `record_vulnerability`;
|
|
5. updates scan state with `complete_asset_scan`.
|
|
|
|
Scan prompts support `{{asset_id}}`, `{{target}}`, `{{host}}`, `{{ip}}`, `{{domain}}`, and `{{port}}`. Adjust scope, ports, test intensity, and validation methods to match the authorization before starting.
|
|
|
|
### Batch scans
|
|
|
|
Select multiple assets and choose **Create Scan Task**. The system creates one subtask per asset and links each asset to its queue and subtask.
|
|
|
|
The current defaults use manual scheduling, one concurrent task, and Eino single-Agent mode to limit load on targets and the local host. You must still confirm the test window, request rate, permitted validation methods, and approval requirements.
|
|
|
|
### Risk calculation
|
|
|
|
Asset risk is calculated dynamically from open vulnerabilities in the latest linked scan:
|
|
|
|
- `critical`, `high`, `medium`, `low`, or `info`: an open finding at that level exists;
|
|
- `normal`: the asset was scanned and has no open risk;
|
|
- `unassessed`: no scan has completed.
|
|
|
|
Resolved, false-positive, and ignored findings remain in historical counts but no longer increase the current risk level.
|
|
|
|
## Agent tools
|
|
|
|
Six built-in tools expose asset operations to Agents:
|
|
|
|
- `create_asset`: create or deduplicate and update an asset;
|
|
- `get_asset`: retrieve full details by ID;
|
|
- `query_assets`: filter, sort, and paginate assets;
|
|
- `update_asset`: partially update an asset;
|
|
- `delete_asset`: delete an asset;
|
|
- `complete_asset_scan`: record scan completion.
|
|
|
|
`query_assets` returns 20 summaries by default and allows at most 50 per page. Use `get_asset` for full details so large inventories do not consume the model context.
|
|
|
|
## Access control
|
|
|
|
Asset permissions are separated into:
|
|
|
|
- `asset:read`: view assets and statistics;
|
|
- `asset:write`: create, import, edit, and update scan state;
|
|
- `asset:delete`: delete assets.
|
|
|
|
Server-side authorization considers the asset owner, explicit resource assignments, the linked project, and permission scope (`all`, `assigned`, or `own`). When a conversation is linked to a project, Agent asset queries are restricted to that project and tool arguments cannot widen the boundary.
|
|
|
|
## Recommended workflow
|
|
|
|
1. Define an explicitly authorized set of domains, IP addresses, or network ranges.
|
|
2. Add a few critical targets manually and verify normalization and deduplication.
|
|
3. Use tags to separate production, testing, critical-business, and internet-facing scopes.
|
|
4. Configure FOFA, begin with narrow queries, and verify ownership.
|
|
5. Test scanning and vulnerability callbacks on one low-risk target.
|
|
6. Use never-scanned and over-30-day filters to identify coverage gaps.
|
|
7. After validating the workflow, expand gradually with small batch tasks.
|
|
|
|
A small, verified baseline is usually more valuable than a large inventory with unclear ownership and inconsistent sources.
|