# Security > **Terakhir Diperbarui:** 2026-06-29 --- ## Credential Management | Secret | Lokasi | TIDAK boleh di | |--------|--------|----------------| | DB password | `/root/geonetagent_dev.credentials` di server 10.100.1.25 | Repo, log, chat | | Agent bearer token | `.env` di server collector (10.100.1.24) | Repo | | Zabbix API token | `.env` Laravel (Fase 2) | Repo | | QNAP OSS credentials | `infra/qnap/README.md` (referensi lokasi) | Repo | | SSH private keys | `~/.ssh/` di laptop developer | Repo, cloud | --- ## Auth Model ### Agent → Collector (FastAPI) - HTTPS + `Authorization: Bearer ` - Token statis per site (`config.json` di endpoint) - Opsi: validasi token ke DB jika `AGENT_TOKEN_CHECK_DB=true` - Produksi: tambah mTLS (rencana) ### User → Collector UI - Saat ini: **tidak ada auth** — UI read-only, hanya internal LAN - Fase 1: Laravel auth (session / Sanctum) ### Zabbix Webhook (Fase 2) - Shared secret di header - IP allowlist Zabbix server --- ## Aturan AI Agent 1. **Jangan commit secret** ke repository 2. **Jangan tampilkan nilai secret** di output percakapan 3. Jangan hardcode credentials di kode 4. Credentials update di server → via SSH langsung, bukan melalui kode yang di-commit 5. SSH command ke server **wajib minta persetujuan user** sebelum dijalankan --- ## Nginx Security Notes - `agent.gisportal.id`: `ssi off` — **wajib** agar file `.ps1` tidak terpotong - Jangan taruh `$env:` literal di file `.ps1` yang di-serve Nginx - HTTPS via Let's Encrypt (certbot) di 10.100.1.24 - Internal UI (`/ui/`) hanya diakses via HTTPS domain, tidak direct IP:port (kecuali internal LAN) --- ## Data Sensitivity | Data | Sensitivitas | Catatan | |------|-------------|---------| | Hostname, domain username | Medium | PII — diaudit akses | | Hardware spec (CPU, RAM, GPU) | Low | Data inventaris | | Software list | Medium | Bisa digunakan untuk targeting | | IP/MAC address | Medium | Network fingerprinting | | Serial number | Medium | Asset tracking | | Credentials DB | **Critical** | Tidak boleh ada di kode |