mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 14:28:43 +02:00
2.7 KiB
2.7 KiB
Security Hardening
This checklist covers pre-production and continuous hardening for CyberStrikeAI.
Before Going Live
- Change
auth.passwordto a long random secret. - Use HTTPS or a trusted reverse proxy.
- Restrict access by IP, VPN, or bastion.
- Enable
audit.enabled. - Set
c2.enabled: falsewhen C2 is not required. - Do not expose standalone HTTP MCP without strong auth and network isolation.
- Connect only trusted external MCP services.
- Back up
config.yaml,data/, and custom resource directories.
Reverse Proxy Baseline
client_max_body_size 200m;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
Recommended security headers:
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy no-referrer;
add_header X-Frame-Options DENY;
HITL Allowlist Baseline
Minimal allowlist:
hitl:
tool_whitelist:
- read_file
- glob
- grep
- tool_search
Do not globally allowlist:
execute;- WebShell write/execute tools;
- C2 task/payload tools;
- high-risk external MCP tools;
- delete, write, upload, persistence tools.
File Permissions
chmod 600 config.yaml
chmod 700 data
Run under a dedicated OS user. Avoid root unless explicitly required.
External MCP Review
Before connecting:
- Can it execute commands?
- Can it read/write local files?
- Does it send data to third parties?
- Does it authenticate?
- Can output contain untrusted model/web content?
- Should it run in a container or separate user?
After connecting:
- keep high-risk tools out of allowlist;
- review tool list changes;
- audit config changes.
C2 and WebShell
C2:
- disabled by default;
- enabled only during authorized window;
- listener ports separated from admin UI;
- cleanup payloads, sessions, tasks, and events.
WebShell:
- authorized targets only;
- clear naming;
- write/delete/execute requires approval;
- delete connections after project end.
Retention
Suggested:
- audit: 30-90 days;
- monitor: 90-180 days;
- uploads: clean after project;
- C2/WebShell outputs: keep only report evidence;
- knowledge base: no real credentials or customer secrets.
Periodic Review
Weekly:
- failed logins and unusual IPs;
- config changes;
- external MCP changes;
- long-running tools;
- unexpected C2 enablement;
- stale WebShell connections;
- disk and DB size.
Project closeout:
- clean temp workspaces;
- delete unnecessary uploads;
- archive evidence;
- delete stale WebShell/C2 resources;
- export audit records.