GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

2.0 KiB

Security

Terakhir Diperbarui: 2026-06-29


Credential Management

Secret Lokasi TIDAK boleh di
DB password /root/geonetagent_dev.credentials di server 10.100.1.25 Repo, log, chat
Agent bearer token .env di server collector (10.100.1.24) Repo
Zabbix API token .env Laravel (Fase 2) Repo
QNAP OSS credentials infra/qnap/README.md (referensi lokasi) Repo
SSH private keys ~/.ssh/ di laptop developer Repo, cloud

Auth Model

Agent → Collector (FastAPI)

  • HTTPS + Authorization: Bearer <agent_token>
  • Token statis per site (config.json di endpoint)
  • Opsi: validasi token ke DB jika AGENT_TOKEN_CHECK_DB=true
  • Produksi: tambah mTLS (rencana)

User → Collector UI

  • Saat ini: tidak ada auth — UI read-only, hanya internal LAN
  • Fase 1: Laravel auth (session / Sanctum)

Zabbix Webhook (Fase 2)

  • Shared secret di header
  • IP allowlist Zabbix server

Aturan AI Agent

  1. Jangan commit secret ke repository
  2. Jangan tampilkan nilai secret di output percakapan
  3. Jangan hardcode credentials di kode
  4. Credentials update di server → via SSH langsung, bukan melalui kode yang di-commit
  5. SSH command ke server wajib minta persetujuan user sebelum dijalankan

Nginx Security Notes

  • agent.gisportal.id: ssi offwajib agar file .ps1 tidak terpotong
  • Jangan taruh $env: literal di file .ps1 yang di-serve Nginx
  • HTTPS via Let's Encrypt (certbot) di 10.100.1.24
  • Internal UI (/ui/) hanya diakses via HTTPS domain, tidak direct IP:port (kecuali internal LAN)

Data Sensitivity

Data Sensitivitas Catatan
Hostname, domain username Medium PII — diaudit akses
Hardware spec (CPU, RAM, GPU) Low Data inventaris
Software list Medium Bisa digunakan untuk targeting
IP/MAC address Medium Network fingerprinting
Serial number Medium Asset tracking
Credentials DB Critical Tidak boleh ada di kode