Kitos
64d64080e0
Critical (1-3): - Replace hardcoded admin credentials with secure auto-generation (seed.py) - Enforce SECRET_KEY configuration, fail in production if missing (config.py) - Add Zip Slip and Zip Bomb protection to all ZIP import services High/Medium (4-9): - Add 50MB file size limit and extension whitelist to evidence uploads - Configure CORS origins via environment variable instead of hardcoded - Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend) - Add rate limiting (5/min) on login endpoint via slowapi - Replace generic dict payloads with Pydantic schemas (mass assignment) Medium (10-17): - Check is_active on login to prevent disabled users from authenticating - Sanitize exception messages in API responses (system, data_sources) - Escape LIKE wildcards in all ilike search filters across 8 routers - Run Docker container as non-root user (appuser) - Make MINIO_SECURE configurable via environment variable - Add password complexity policy (12+ chars, upper/lower/digit/special) - Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min - Replace xml.etree with defusedxml to prevent Billion Laughs attacks Low (18-20): - Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.) - Disable Swagger UI/ReDoc/OpenAPI in production - Restrict /health endpoint to internal networks via Nginx ACL Also: rewrite install.sh as interactive wizard for guided deployment, fix test-from-template validation error (technique_id UUID vs MITRE ID)
45 lines
2.6 KiB
Plaintext
45 lines
2.6 KiB
Plaintext
# =============================================================================
|
|
# Aegis Environment Variables
|
|
# =============================================================================
|
|
# Copy this file to .env and fill in the values BEFORE deploying.
|
|
#
|
|
# Generate secure random values with:
|
|
# openssl rand -hex 32 (for SECRET_KEY)
|
|
# openssl rand -base64 18 (for passwords)
|
|
# =============================================================================
|
|
|
|
# ── Database ─────────────────────────────────────────────────────────────────
|
|
DB_USER=postgres
|
|
DB_PASSWORD= # REQUIRED — set a strong password
|
|
DB_NAME=attackdb
|
|
|
|
# ── Security ─────────────────────────────────────────────────────────────────
|
|
# REQUIRED in production — the app will refuse to start without it.
|
|
# Generate with: openssl rand -hex 32
|
|
SECRET_KEY=
|
|
|
|
TOKEN_EXPIRE_MINUTES=60
|
|
|
|
# ── Initial Admin Account ────────────────────────────────────────────────────
|
|
# If ADMIN_PASSWORD is empty, a random password is auto-generated and
|
|
# printed to the backend container logs on first startup.
|
|
ADMIN_USERNAME=admin
|
|
ADMIN_PASSWORD=
|
|
|
|
# ── MinIO Object Storage ─────────────────────────────────────────────────────
|
|
MINIO_ACCESS_KEY=minioadmin
|
|
MINIO_SECRET_KEY= # REQUIRED — set a strong password
|
|
MINIO_BUCKET=evidence
|
|
MINIO_SECURE=false # Set to true if MinIO is behind TLS
|
|
|
|
# ── CORS ──────────────────────────────────────────────────────────────────────
|
|
# Comma-separated list of allowed frontend origins
|
|
CORS_ORIGINS=https://your-domain.com
|
|
|
|
# ── Frontend ─────────────────────────────────────────────────────────────────
|
|
FRONTEND_PORT=80
|
|
|
|
# ── Environment flag ─────────────────────────────────────────────────────────
|
|
# Set to "production" for production deployments (enforces SECRET_KEY, etc.)
|
|
AEGIS_ENV=production
|