feat: Add Redis security enhancements and audit cleanup automation
- Add Redis authentication and TLS configuration to .env.example - Add Security Features section to README with SQL injection, Redis auth, and audit retention docs - Add install-audit-cron.sh script for automated audit log cleanup - Add Redis connection settings (timeout, retries) for production readiness See memory/SUBREPO_AUDIT_2026-04-04.md for full audit details
@@ -65,6 +65,19 @@ DATABASE_URL=postgresql://heretek:${POSTGRES_PASSWORD}@postgres:5432/heretek
|
||||
|
||||
REDIS_URL=redis://redis:6379/0
|
||||
|
||||
# Redis authentication (REQUIRED for production)
|
||||
REDIS_PASSWORD=your-redis-password-change-me
|
||||
REDIS_USERNAME=default
|
||||
|
||||
# Redis TLS configuration (enable for production)
|
||||
REDIS_TLS=false
|
||||
# Set to 'true' in production for encrypted connections
|
||||
# REDIS_TLS=true
|
||||
|
||||
# Redis connection settings
|
||||
REDIS_CONNECT_TIMEOUT=10000 # Connection timeout in milliseconds
|
||||
REDIS_MAX_RETRIES=3 # Maximum retry attempts
|
||||
|
||||
# ==============================================================================
|
||||
# OLLAMA CONFIGURATION (AMD GPU)
|
||||
# ==============================================================================
|
||||
|
||||
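Review bot: The inline comments added on `REDIS_CONNECT_TIMEOUT=10000 # Connection timeout in milliseconds` and `REDIS_MAX_RETRIES=3 # Maximum retry attempts` are a portability risk: not every loader of a .env file strips a trailing `# …`, and one that does not will hand the client the string `10000 # Connection timeout in milliseconds`, which is not a number. Moving each comment onto its own line above the assignment, as the rest of this file already does, avoids the ambiguity. Separately, `REDIS_URL=redis://redis:6379/0` still carries no credentials and uses the plain `redis://` scheme while `REDIS_PASSWORD`, `REDIS_USERNAME` and `REDIS_TLS` are introduced beside it; whether the client merges these variables into the URL or the URL takes precedence is not visible in this hunk, so a one-line comment stating which wins (for example `# REDIS_PASSWORD/REDIS_TLS override any credentials or scheme given in REDIS_URL`) would save operators from a misconfiguration that silently connects unauthenticated. The placeholder `your-redis-password-change-me` is presumably meant to be rejected somewhere; if the client does not refuse that exact value, consider saying so in the comment.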
@@ -230,6 +230,46 @@ npm run format
|
||||
- [Plugins](docs/PLUGINS.md)
|
||||
- [Operations](docs/OPERATIONS.md)
|
||||
|
||||
## Security Features
|
||||
|
||||
### SQL Injection Protection
|
||||
|
||||
All SQL queries use parameterized queries and identifier escaping via [`lib/sql-utils.ts`](lib/sql-utils.ts):
|
||||
|
||||
```typescript
|
||||
import { escapeTableName, escapeColumnName } from './lib/sql-utils';
|
||||
|
||||
const sql = `SELECT * FROM ${escapeTableName(tableName)}
|
||||
ORDER BY ${escapeColumnName(columnName)} DESC`;
|
||||
```
|
||||
|
||||
### Redis Authentication
|
||||
|
||||
Centralized Redis client with authentication, TLS, and reconnection logic:
|
||||
|
||||
```bash
|
||||
# .env configuration
|
||||
REDIS_PASSWORD=your-secure-password
|
||||
REDIS_TLS=true # Enable for production
|
||||
REDIS_CONNECT_TIMEOUT=10000
|
||||
```
|
||||
|
||||
See [`lib/redis-client.ts`](lib/redis-client.ts) for implementation details.
|
||||
|
||||
### Audit Log Retention
|
||||
|
||||
Automated cleanup of old audit logs with configurable retention policies:
|
||||
|
||||
| Event Type | Retention Period |
|
||||
|------------|------------------|
|
||||
| debug | 7 days |
|
||||
| info | 30 days |
|
||||
| warning | 90 days |
|
||||
| error | 365 days |
|
||||
| critical | 5 years |
|
||||
|
||||
Cleanup runs every 2 hours via cron. See [`scripts/audit-cleanup.sh`](scripts/audit-cleanup.sh).
|
||||
|
||||
## Related Repositories
|
||||
|
||||
- [CLI](https://github.com/heretek/heretek-openclaw-cli) - Deployment CLI
|
||||
|
||||
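--- /dev/null
+++ b/install-audit-cron.sh
@@ -0,0 +1,197 @@
+#!/bin/bash
+# ==============================================================================
+# Heretek OpenClaw — Audit Cleanup Cron Installer
+# ==============================================================================
+# Installs automated audit log cleanup schedule into system crontab
+#
+# Usage:
+# ./install-audit-cron.sh install # Install cron schedule
+# ./install-audit-cron.sh remove # Remove cron schedule
+# ./install-audit-cron.sh list # Show current schedule
+# ./install-audit-cron.sh test # Test cleanup script
+# ==============================================================================
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+AUDIT_CLEANUP_SCRIPT="$SCRIPT_DIR/audit-cleanup.sh"
+LOG_DIR="${LOG_DIR:-/var/log/openclaw}"
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
+
+ensure_log_dir() {
+mkdir -p "$LOG_DIR" 2>/dev/null || true
+chmod 755 "$LOG_DIR" 2>/dev/null || true
+}
+
+install_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Cron Installer"
+echo "=============================================="
+echo ""
+
+# Ensure log directory exists
+ensure_log_dir
+log_info "Log directory: $LOG_DIR"
+
+# Get current crontab
+current_crontab=$(crontab -l 2>/dev/null || echo "")
+
+# Check if already installed
+if echo "$current_crontab" | grep -q "audit-cleanup"; then
+log_warn "Audit cleanup cron schedule already installed"
+echo ""
+echo "Current schedule:"
+echo "$current_crontab" | grep "audit-cleanup"
+echo ""
+read -p "Do you want to reinstall? (y/N) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+exit 0
+fi
+
+# Remove existing entries
+echo "$current_crontab" | grep -v "audit-cleanup" | crontab -
+log_info "Removed existing schedule"
+fi
+
+# Create new cron entry (every 2 hours)
+new_crontab="$current_crontab
+# ==============================================================================
+# Heretek OpenClaw — Audit Log Cleanup
+# ==============================================================================
+# Clean up old audit log entries based on retention policies
+# Runs every 2 hours at minute 0
+0 */2 * * * $AUDIT_CLEANUP_SCRIPT >> $LOG_DIR/audit-cleanup.log 2>&1
+# ==============================================================================
+"
+
+# Install new crontab
+echo "$new_crontab" | crontab -
+
+log_info "Audit cleanup cron schedule installed successfully!"
+echo ""
+echo "Installed schedule:"
+echo " - Audit log cleanup: Every 2 hours (at :00)"
+echo ""
+echo "View logs:"
+echo " tail -f $LOG_DIR/audit-cleanup.log"
+echo ""
+echo "Run manual cleanup:"
+echo " $AUDIT_CLEANUP_SCRIPT --dry-run"
+echo ""
+
+# Verify installation
+echo "Verifying installation..."
+crontab -l | grep "audit-cleanup" || echo " Warning: Could not verify installation"
+echo ""
+log_info "Installation complete!"
+}
+
+remove_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Cron Remover"
+echo "=============================================="
+echo ""
+
+# Get current crontab
+current_crontab=$(crontab -l 2>/dev/null || echo "")
+
+# Check if installed
+if ! echo "$current_crontab" | grep -q "audit-cleanup"; then
+log_warn "No audit cleanup cron schedule found"
+exit 0
+fi
+
+# Remove audit cleanup entries
+echo "$current_crontab" | grep -v "audit-cleanup" | crontab -
+
+log_info "Audit cleanup cron schedule removed successfully!"
+echo ""
+echo "Remaining schedules:"
+crontab -l 2>/dev/null | head -10 || echo " No other schedules found"
+echo ""
+}
+
+list_cron() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Current Cron Schedules"
+echo "=============================================="
+echo ""
+
+current_crontab=$(crontab -l 2>/dev/null || echo "No crontab installed")
+
+echo "Current crontab:"
+echo "$current_crontab"
+echo ""
+
+echo "Audit cleanup schedules:"
+echo "$current_crontab" | grep "audit-cleanup" || echo " None found"
+echo ""
+}
+
+test_script() {
+echo ""
+echo "=============================================="
+echo " Heretek OpenClaw — Audit Cleanup Script Test"
+echo "=============================================="
+echo ""
+
+ensure_log_dir
+
+# Test audit cleanup script
+log_info "Testing audit cleanup script..."
+if [ -x "$AUDIT_CLEANUP_SCRIPT" ]; then
+echo " Audit cleanup script: Executable ✓"
+
+# Run dry-run test
+echo ""
+log_info "Running dry-run test..."
+if "$AUDIT_CLEANUP_SCRIPT" --dry-run; then
+echo " Dry-run test: Passed ✓"
+else
+log_error "Dry-run test: Failed ✗"
+fi
+else
+log_error "Audit cleanup script not found or not executable: $AUDIT_CLEANUP_SCRIPT"
+fi
+
+echo ""
+log_info "Test complete!"
+}
+
+# Main
+case "${1:-}" in
+install)
+install_cron
+;;
+remove)
+remove_cron
+;;
+list)
+list_cron
+;;
+test)
+test_script
+;;
+*)
+echo "Usage: $0 {install|remove|list|test}"
+echo ""
+echo "Commands:"
+echo " install - Install automated audit cleanup schedule (every 2 hours)"
+echo " remove - Remove audit cleanup cron schedule"
+echo " list - Show current cron schedules"
+echo " test - Test audit cleanup script with dry-run"
+;;
+esac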
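Review bot: The reinstall path in `install_cron` duplicates the schedule: after `echo "$current_crontab" | grep -v "audit-cleanup" | crontab -` writes the filtered crontab, `new_crontab="$current_crontab …"` is still built from the unfiltered `$current_crontab`, so the old `0 */2 * * *` line is written back alongside the new one and the job runs twice per slot. Refreshing the variable in the same branch fixes it: `current_crontab=$(printf '%s\n' "$current_crontab" | grep -v "audit-cleanup" || true)`. The same `grep -v "audit-cleanup"` filter in `install_cron` and `remove_cron` only drops the job line; the seven banner/comment lines the installer adds contain no `audit-cleanup` substring, so every install/remove cycle leaves another orphaned banner in the crontab, and matching on a bare substring will also remove any unrelated entry an operator happens to have named similarly — a more specific marker (for example a unique `# heretek-openclaw-audit-cleanup` tag on every emitted line) would make both operations exact. The emitted cron line also embeds `$AUDIT_CLEANUP_SCRIPT` and `$LOG_DIR` unquoted, so an install location containing spaces produces a job that cron will misparse; quoting them inside the here-string (`"$AUDIT_CLEANUP_SCRIPT" >> "$LOG_DIR/audit-cleanup.log"`) is safe for cron and worth doing since the log path is also operator-controlled via `LOG_DIR`.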