2.9 KiB
Configuration Profiles
These profiles are not full config.yaml files. They show the key sections that most affect safety and operability.
Local Development
Goal: easy debugging with local capabilities.
Common startup:
chmod +x run.sh && ./run.sh
server:
host: 127.0.0.1
port: 8080
tls_enabled: true
tls_auto_self_sign: true
auth:
password: "dev-only-change-me"
audit:
enabled: true
retention_days: 7
c2:
enabled: false
multi_agent:
enabled: true
eino_skills:
filesystem_tools: true
Not for shared or public use.
Internal Team
Goal: shared team instance with audit and limited high-risk surface.
server:
host: 127.0.0.1
port: 8080
tls_enabled: false
auth:
password: "<long-random-password>"
audit:
enabled: true
retention_days: 30
monitor:
retention_days: 90
c2:
enabled: false
mcp:
enabled: false
hitl:
default_reviewer: human
tool_whitelist: [read_file, glob, grep, tool_search]
Pair with reverse-proxy HTTPS, IP allowlist, and backups.
Knowledge-Only Assistant
Goal: use CyberStrikeAI as a knowledge-augmented assistant with minimal attack surface.
c2:
enabled: false
mcp:
enabled: false
knowledge:
enabled: true
base_path: knowledge_base
retrieval:
top_k: 5
similarity_threshold: 0.4
multi_agent:
eino_skills:
filesystem_tools: false
Use read-only roles and avoid storing sensitive customer data.
High-Audit Production
Goal: long-running production red-team or security platform.
auth:
password: "<managed-secret>"
session_duration_hours: 8
audit:
enabled: true
retention_days: 90
monitor:
retention_days: 180
hitl:
default_reviewer: human
retention_days: 180
tool_whitelist: [read_file, glob, grep, tool_search]
c2:
enabled: false
multi_agent:
eino_callbacks:
enabled: true
mode: log_only
sse_trace_to_client: false
Pair with proxy auth, dedicated OS user, log collection, encrypted backups, and project closeout cleanup.
C2 Exercise Window
Goal: temporarily enable C2 only during authorized exercise.
c2:
enabled: true
hitl:
default_reviewer: human
tool_whitelist: [read_file, glob, grep, tool_search]
audit:
enabled: true
monitor:
retention_days: 180
Requirements:
- confirm scope before exercise;
- separate listener ports from admin UI;
- run C2 cleanup afterward;
- restore
c2.enabled: false.
External MCP Automation
Goal: connect trusted internal tool services.
external_mcp:
servers: {}
multi_agent:
eino_middleware:
tool_search_enable: true
tool_search_min_tools: 20
hitl:
default_reviewer: audit_agent
tool_whitelist: [read_file, glob, grep, tool_search]
Guidance:
- every MCP tool needs clear schema;
- high-risk MCP tools stay out of allowlist;
- stdio MCP gets its own working directory;
- HTTP MCP must authenticate.