GeneralBots/gb
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gb/prompts/SECURITY_CHECKLIST.md
Rodrigo Rodriguez (Pragmatismo) 334bb9239b
Some checks failed
BotServer CI / build (push) Failing after 9s
Details
chore: Update botui submodule - Fix desktop title branding 
Update botui to latest commit which changes desktop title from
'Agent Farm' to 'General Bots' for brand consistency.
2026-03-03 08:42:30 -03:00

156 lines
4.8 KiB
Markdown
Raw Blame History

# General Bots Security Checklist
## Critical (P1) - Must Fix Immediately
### Authentication & Authorization
- [ ] **SecurityManager Integration** - Initialize in bootstrap
- [ ] **CSRF Protection** - Enable for all state-changing endpoints
- [ ] **Error Handling** - Replace all `unwrap()`/`expect()` calls
- [ ] **Security Headers** - Apply to all HTTP routes
### Data Protection
- [ ] **TLS/MTLS** - Ensure certificates are generated and validated
- [ ] **SafeCommand Usage** - Replace all `Command::new()` calls
- [ ] **Error Sanitization** - Use `ErrorSanitizer` for all HTTP errors
## High Priority (P2) - Fix Within 2 Weeks
### Authentication
- [ ] **Passkey Support** - Complete WebAuthn implementation
- [ ] **MFA Enhancement** - Add backup codes and recovery flows
- [ ] **API Key Management** - Implement rotation and expiration
### Monitoring & Detection
- [ ] **Security Monitoring** - Integrate `SecurityMonitor` with app events
- [ ] **DLP Policies** - Configure default policies for PII/PCI/PHI
- [ ] **Rate Limiting** - Apply consistent limits across all endpoints
## Medium Priority (P3) - Fix Within 1 Month
### Infrastructure
- [ ] **Certificate Management** - Add expiration monitoring and auto-renewal
- [ ] **Audit Logging** - Ensure comprehensive coverage
- [ ] **Security Testing** - Create dedicated test suite
### Compliance
- [ ] **Security Documentation** - Update policies and procedures
- [ ] **Compliance Mapping** - Map controls to SOC2/GDPR/ISO27001
- [ ] **Evidence Collection** - Implement automated evidence gathering
## Quick Wins (Can be done today)
### Code Quality
- [ ] Run `cargo clippy --workspace` and fix all warnings
- [ ] Use `cargo audit` to check for vulnerable dependencies
- [ ] Replace 10 `unwrap()` calls with proper error handling
### Configuration
- [ ] Check `.env` files for hardcoded secrets (move to `/tmp/`)
- [ ] Verify `botserver-stack/conf/` permissions
- [ ] Review `Cargo.toml` for unnecessary dependencies
### Testing
- [ ] Test authentication flows with invalid credentials
- [ ] Verify CSRF tokens are required for POST/PUT/DELETE
- [ ] Check security headers on main endpoints
## Daily Security Tasks
### Morning Check
- [ ] Review `botserver.log` for security events
- [ ] Check `cargo audit` for new vulnerabilities
- [ ] Monitor failed login attempts
- [ ] Verify certificate expiration dates
### Ongoing Monitoring
- [ ] Watch for unusual access patterns
- [ ] Monitor DLP policy violations
- [ ] Track security metric trends
- [ ] Review audit logs for anomalies
### Weekly Tasks
- [ ] Run full security scan with protection tools
- [ ] Review and rotate any expiring credentials
- [ ] Update security dependencies
- [ ] Backup security configurations
## Emergency Response
### If you suspect a breach:
1. **Isolate** - Disconnect affected systems
2. **Preserve** - Don't delete logs or evidence
3. **Document** - Record all actions and observations
4. **Escalate** - Contact security team immediately
5. **Contain** - Implement temporary security measures
6. **Investigate** - Determine scope and impact
7. **Remediate** - Fix vulnerabilities and restore services
8. **Learn** - Update procedures to prevent recurrence
## Security Tools Commands
### Dependency Scanning
```bash
cargo audit
cargo deny check
cargo geiger
```
### Code Analysis
```bash
cargo clippy --workspace -- -D warnings
cargo fmt --check
```
### Security Testing
```bash
# Run security tests
cargo test -p bottest --test security
# Check for unsafe code
cargo geiger --forbid
# Audit dependencies
cargo audit --deny warnings
```
### Protection Tools
```bash
# Security scanning
curl -X POST http://localhost:9000/api/security/protection/scan
# Get security report
curl http://localhost:9000/api/security/protection/report
# Check tool status
curl http://localhost:9000/api/security/protection/status
```
## Common Security Issues to Watch For
### 1. Hardcoded Secrets
**Bad:** `password = "secret123"` in code
**Good:** `password = env::var("DB_PASSWORD")?` from `/tmp/`
### 2. Unsafe Command Execution
**Bad:** `Command::new("rm").arg("-rf").arg(user_input)`
**Good:** `SafeCommand::new("rm")?.arg("-rf")?.arg(sanitized_input)?`
### 3. Missing Input Validation
**Bad:** `format!("SELECT * FROM {}", user_table)`
**Good:** `validate_table_name(&user_table)?; format!("SELECT * FROM {}", safe_table)`
### 4. Information Disclosure
**Bad:** `Json(json!({ "error": e.to_string() }))`
**Good:** `let sanitized = log_and_sanitize(&e, "context", None); (StatusCode::INTERNAL_SERVER_ERROR, sanitized)`
## Security Contact Information
**Primary Contact:** security@pragmatismo.com.br
**Backup Contact:** Check `security.txt` at `/.well-known/security.txt`
**Emergency Response:** Follow procedures in `botbook/src/12-auth/security-policy.md`
---
*Last Updated: 2026-02-22*
*Review Frequency: Weekly*
*Next Review: 2026-03-01*
Reference in a new issue View git blame Copy permalink