feat: Add Redis security enhancements and audit cleanup automation

- Add Redis authentication and TLS configuration to .env.example
- Add Security Features section to README with SQL injection, Redis auth, and audit retention docs
- Add install-audit-cron.sh script for automated audit log cleanup
- Add Redis connection settings (timeout, retries) for production readiness

See memory/SUBREPO_AUDIT_2026-04-04.md for full audit details
John Doe
2026-04-04 00:55:34 -04:00
parent 7d3fe106f6
commit d7d4fdb74c
3 changed files with 250 additions and 0 deletions
+13
@@ -65,6 +65,19 @@ DATABASE_URL=postgresql://heretek:${POSTGRES_PASSWORD}@postgres:5432/heretek
REDIS_URL=redis://redis:6379/0
# Redis authentication (REQUIRED for production)
REDIS_PASSWORD=your-redis-password-change-me
REDIS_USERNAME=default
# Redis TLS configuration (enable for production)
REDIS_TLS=false
# Set to 'true' in production for encrypted connections
# REDIS_TLS=true
# Redis connection settings
REDIS_CONNECT_TIMEOUT=10000 # Connection timeout in milliseconds
REDIS_MAX_RETRIES=3 # Maximum retry attempts
# ==============================================================================
# OLLAMA CONFIGURATION (AMD GPU)
# ==============================================================================
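Review bot: The trailing comments on `REDIS_CONNECT_TIMEOUT=10000 # Connection timeout in milliseconds` and `REDIS_MAX_RETRIES=3 # Maximum retry attempts` are the only inline comments in this hunk; whether a loader strips them depends on the dotenv implementation, and one that does not would hand the client a value such as `10000 # Connection timeout...` that fails numeric parsing. Moving each comment onto its own line above the assignment, as every other comment in this block already is, removes the ambiguity. Separately, `REDIS_URL` keeps the `redis://` scheme while `REDIS_TLS` is documented as the production switch; if the client in lib/redis-client.ts derives TLS from the URL scheme rather than from the flag, a `# use rediss:// when REDIS_TLS=true` note beside REDIS_URL would keep the two settings from contradicting each other.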
+40
@@ -230,6 +230,46 @@ npm run format
- [Plugins](docs/PLUGINS.md)
- [Operations](docs/OPERATIONS.md)
## Security Features
### SQL Injection Protection
All SQL queries use parameterized queries and identifier escaping via [`lib/sql-utils.ts`](lib/sql-utils.ts):
```typescript
import { escapeTableName, escapeColumnName } from './lib/sql-utils';
const sql = `SELECT * FROM ${escapeTableName(tableName)}
ORDER BY ${escapeColumnName(columnName)} DESC`;
```
### Redis Authentication
Centralized Redis client with authentication, TLS, and reconnection logic:
```bash
# .env configuration
REDIS_PASSWORD=your-secure-password
REDIS_TLS=true # Enable for production
REDIS_CONNECT_TIMEOUT=10000
```
See [`lib/redis-client.ts`](lib/redis-client.ts) for implementation details.
### Audit Log Retention
Automated cleanup of old audit logs with configurable retention policies:
| Event Type | Retention Period |
|------------|------------------|
| debug | 7 days |
| info | 30 days |
| warning | 90 days |
| error | 365 days |
| critical | 5 years |
Cleanup runs every 2 hours via cron. See [`scripts/audit-cleanup.sh`](scripts/audit-cleanup.sh).
## Related Repositories
- [CLI](https://github.com/heretek/heretek-openclaw-cli) - Deployment CLI
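--- /dev/null
+++ b/install-audit-cron.sh
@@ -0,0 +1,197 @@
+#!/bin/bash
+# ==============================================================================
+# Heretek OpenClaw — Audit Cleanup Cron Installer
+# ==============================================================================
+# Installs automated audit log cleanup schedule into system crontab
+#
+# Usage:
+# ./install-audit-cron.sh install # Install cron schedule
+# ./install-audit-cron.sh remove # Remove cron schedule
+# ./install-audit-cron.sh list # Show current schedule
+# ./install-audit-cron.sh test # Test cleanup script
+# ==============================================================================
+set -e
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+AUDIT_CLEANUP_SCRIPT="$SCRIPT_DIR/audit-cleanup.sh"
+LOG_DIR="${LOG_DIR:-/var/log/openclaw}"
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
+ensure_log_dir() {
+mkdir -p "$LOG_DIR" 2>/dev/null || true
+chmod 755 "$LOG_DIR" 2>/dev/null || true
+}
+install_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Cron Installer"
+echo "=============================================="
+echo ""
+# Ensure log directory exists
+ensure_log_dir
+log_info "Log directory: $LOG_DIR"
+# Get current crontab
+current_crontab=$(crontab -l 2>/dev/null || echo "")
+# Check if already installed
+if echo "$current_crontab" | grep -q "audit-cleanup"; then
+log_warn "Audit cleanup cron schedule already installed"
+echo ""
+echo "Current schedule:"
+echo "$current_crontab" | grep "audit-cleanup"
+echo ""
+read -p "Do you want to reinstall? (y/N) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+exit 0
+fi
+# Remove existing entries
+echo "$current_crontab" | grep -v "audit-cleanup" | crontab -
+log_info "Removed existing schedule"
+fi
+# Create new cron entry (every 2 hours)
+new_crontab="$current_crontab
+# ==============================================================================
+# Heretek OpenClaw — Audit Log Cleanup
+# ==============================================================================
+# Clean up old audit log entries based on retention policies
+# Runs every 2 hours at minute 0
+0 */2 * * * $AUDIT_CLEANUP_SCRIPT >> $LOG_DIR/audit-cleanup.log 2>&1
+# ==============================================================================
+"
+# Install new crontab
+echo "$new_crontab" | crontab -
+log_info "Audit cleanup cron schedule installed successfully!"
+echo ""
+echo "Installed schedule:"
+echo " - Audit log cleanup: Every 2 hours (at :00)"
+echo ""
+echo "View logs:"
+echo " tail -f $LOG_DIR/audit-cleanup.log"
+echo ""
+echo "Run manual cleanup:"
+echo " $AUDIT_CLEANUP_SCRIPT --dry-run"
+echo ""
+# Verify installation
+echo "Verifying installation..."
+crontab -l | grep "audit-cleanup" || echo " Warning: Could not verify installation"
+echo ""
+log_info "Installation complete!"
+}
+remove_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Cron Remover"
+echo "=============================================="
+echo ""
+# Get current crontab
+current_crontab=$(crontab -l 2>/dev/null || echo "")
+# Check if installed
+if ! echo "$current_crontab" | grep -q "audit-cleanup"; then
+log_warn "No audit cleanup cron schedule found"
+exit 0
+fi
+# Remove audit cleanup entries
+echo "$current_crontab" | grep -v "audit-cleanup" | crontab -
+log_info "Audit cleanup cron schedule removed successfully!"
+echo ""
+echo "Remaining schedules:"
+crontab -l 2>/dev/null | head -10 || echo " No other schedules found"
+echo ""
+}
+list_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Current Cron Schedules"
+echo "=============================================="
+echo ""
+current_crontab=$(crontab -l 2>/dev/null || echo "No crontab installed")
+echo "Current crontab:"
+echo "$current_crontab"
+echo ""
+echo "Audit cleanup schedules:"
+echo "$current_crontab" | grep "audit-cleanup" || echo " None found"
+echo ""
+}
+test_script() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Script Test"
+echo "=============================================="
+echo ""
+ensure_log_dir
+# Test audit cleanup script
+log_info "Testing audit cleanup script..."
+if [ -x "$AUDIT_CLEANUP_SCRIPT" ]; then
+echo " Audit cleanup script: Executable ✓"
+# Run dry-run test
+echo ""
+log_info "Running dry-run test..."
+if "$AUDIT_CLEANUP_SCRIPT" --dry-run; then
+echo " Dry-run test: Passed ✓"
+else
+log_error "Dry-run test: Failed ✗"
+fi
+else
+log_error "Audit cleanup script not found or not executable: $AUDIT_CLEANUP_SCRIPT"
+fi
+echo ""
+log_info "Test complete!"
+}
+# Main
+case "${1:-}" in
+install)
+install_cron
+;;
+remove)
+remove_cron
+;;
+list)
+list_cron
+;;
+test)
+test_script
+;;
+*)
+echo "Usage: $0 {install|remove|list|test}"
+echo ""
+echo "Commands:"
+echo " install - Install automated audit cleanup schedule (every 2 hours)"
+echo " remove - Remove audit cleanup cron schedule"
+echo " list - Show current cron schedules"
+echo " test - Test audit cleanup script with dry-run"
+;;
+esac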
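Review bot: Reinstalling writes the schedule twice: `install_cron` strips the old entry from the live crontab with `echo "$current_crontab" | grep -v "audit-cleanup" | crontab -`, but `new_crontab` is then assembled from the unchanged `$current_crontab`, which still contains the old `0 */2 * * *` line, so the old and new entries are both installed. Re-reading the crontab after the removal, `current_crontab=$(crontab -l 2>/dev/null || echo "")`, or building `new_crontab` from the filtered text, fixes that. The banner comment lines written around the entry (`# Heretek OpenClaw — Audit Log Cleanup` and the `# ====` rules) do not contain the `audit-cleanup` string the remove and reinstall filters key on, so they survive every `remove` and accumulate on each reinstall; tagging them with the same marker, for example `# audit-cleanup: Heretek OpenClaw — Audit Log Cleanup`, lets the existing filter drop them. The same substring filter would also delete any unrelated user entry that happens to mention audit-cleanup, which is worth a comment at the `grep -v` sites in both `install_cron` and `remove_cron`. The cron line also expands `$AUDIT_CLEANUP_SCRIPT` and `$LOG_DIR` unquoted, so a checkout or log path containing spaces produces a broken job; quoting them as `"$AUDIT_CLEANUP_SCRIPT" >> "$LOG_DIR/audit-cleanup.log"` avoids this.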