mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 14:28:43 +02:00
160 lines
2.9 KiB
Markdown
160 lines
2.9 KiB
Markdown
# Configuration Profiles
|
|
|
|
[中文](../zh-CN/configuration-profiles.md)
|
|
|
|
These profiles are not full `config.yaml` files. They show the key sections that most affect safety and operability.
|
|
|
|
## Local Development
|
|
|
|
Goal: easy debugging with local capabilities.
|
|
|
|
Common startup:
|
|
|
|
```bash
|
|
chmod +x run.sh && ./run.sh
|
|
```
|
|
|
|
```yaml
|
|
server:
|
|
host: 127.0.0.1
|
|
port: 8080
|
|
tls_enabled: true
|
|
tls_auto_self_sign: true
|
|
auth:
|
|
password: "dev-only-change-me"
|
|
audit:
|
|
enabled: true
|
|
retention_days: 7
|
|
c2:
|
|
enabled: false
|
|
multi_agent:
|
|
enabled: true
|
|
eino_skills:
|
|
filesystem_tools: true
|
|
```
|
|
|
|
Not for shared or public use.
|
|
|
|
## Internal Team
|
|
|
|
Goal: shared team instance with audit and limited high-risk surface.
|
|
|
|
```yaml
|
|
server:
|
|
host: 127.0.0.1
|
|
port: 8080
|
|
tls_enabled: false
|
|
auth:
|
|
password: "<long-random-password>"
|
|
audit:
|
|
enabled: true
|
|
retention_days: 30
|
|
monitor:
|
|
retention_days: 90
|
|
c2:
|
|
enabled: false
|
|
mcp:
|
|
enabled: false
|
|
hitl:
|
|
default_reviewer: human
|
|
tool_whitelist: [read_file, glob, grep, tool_search]
|
|
```
|
|
|
|
Pair with reverse-proxy HTTPS, IP allowlist, and backups.
|
|
|
|
## Knowledge-Only Assistant
|
|
|
|
Goal: use CyberStrikeAI as a knowledge-augmented assistant with minimal attack surface.
|
|
|
|
```yaml
|
|
c2:
|
|
enabled: false
|
|
mcp:
|
|
enabled: false
|
|
knowledge:
|
|
enabled: true
|
|
base_path: knowledge_base
|
|
retrieval:
|
|
top_k: 5
|
|
similarity_threshold: 0.4
|
|
multi_agent:
|
|
eino_skills:
|
|
filesystem_tools: false
|
|
```
|
|
|
|
Use read-only roles and avoid storing sensitive customer data.
|
|
|
|
## High-Audit Production
|
|
|
|
Goal: long-running production red-team or security platform.
|
|
|
|
```yaml
|
|
auth:
|
|
password: "<managed-secret>"
|
|
session_duration_hours: 8
|
|
audit:
|
|
enabled: true
|
|
retention_days: 90
|
|
monitor:
|
|
retention_days: 180
|
|
hitl:
|
|
default_reviewer: human
|
|
retention_days: 180
|
|
tool_whitelist: [read_file, glob, grep, tool_search]
|
|
c2:
|
|
enabled: false
|
|
multi_agent:
|
|
eino_callbacks:
|
|
enabled: true
|
|
mode: log_only
|
|
sse_trace_to_client: false
|
|
```
|
|
|
|
Pair with proxy auth, dedicated OS user, log collection, encrypted backups, and project closeout cleanup.
|
|
|
|
## C2 Exercise Window
|
|
|
|
Goal: temporarily enable C2 only during authorized exercise.
|
|
|
|
```yaml
|
|
c2:
|
|
enabled: true
|
|
hitl:
|
|
default_reviewer: human
|
|
tool_whitelist: [read_file, glob, grep, tool_search]
|
|
audit:
|
|
enabled: true
|
|
monitor:
|
|
retention_days: 180
|
|
```
|
|
|
|
Requirements:
|
|
|
|
- confirm scope before exercise;
|
|
- separate listener ports from admin UI;
|
|
- run C2 cleanup afterward;
|
|
- restore `c2.enabled: false`.
|
|
|
|
## External MCP Automation
|
|
|
|
Goal: connect trusted internal tool services.
|
|
|
|
```yaml
|
|
external_mcp:
|
|
servers: {}
|
|
multi_agent:
|
|
eino_middleware:
|
|
tool_search_enable: true
|
|
tool_search_min_tools: 20
|
|
hitl:
|
|
default_reviewer: audit_agent
|
|
tool_whitelist: [read_file, glob, grep, tool_search]
|
|
```
|
|
|
|
Guidance:
|
|
|
|
- every MCP tool needs clear schema;
|
|
- high-risk MCP tools stay out of allowlist;
|
|
- stdio MCP gets its own working directory;
|
|
- HTTP MCP must authenticate.
|