security: prevent discord bot code from being tracked
- Add discord/ to .gitignore to protect private bot configuration
- Discord bot contains API tokens and private implementation details
- Prevents accidental exposure of Discord credentials in repository history
README.md
@@ -1,5 +1,7 @@
# RedFlag
> **🚨 BREAKING CHANGES IN v0.1.23 - READ THIS FIRST**
>
> **⚠️ ALPHA SOFTWARE - NOT READY FOR PRODUCTION**
>
> This is experimental software in active development. Features may be broken, bugs are expected, and breaking changes happen frequently. Use at your own risk, preferably on test systems only. Seriously, don't put this in production yet.
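Review bot: the commit message describes only adding discord/ to .gitignore, but this hunk and every other hunk in the diff change README.md (here, the v0.1.23 breaking-changes banner); either split the README rewrite into its own commit or have the message say it is included. Note also that ignoring discord/ only stops future adds: if a bot token was ever committed it remains in history and needs rotation and a history rewrite, so the message's "prevents exposure in repository history" wording overstates what .gitignore does.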
@@ -10,10 +12,10 @@ Cross-platform agents • Web dashboard • Single binary deployment • No ente
No MacOS yet - need real hardware, not hackintosh hopes and prayers
```
v0.1.18 - Alpha Release
v0.1.23 - BREAKING CHANGES RELEASE
```
**Latest:** Enhanced disk detection, redesigned agent UI with workflow tabs, improved cache invalidation. Testing kernel updates on cloned test benches - help find bugs. [Update instructions below](#updating).
**Latest:** Complete rearchitecture with security hardening, multi-subsystem support, and real metrics. **This is NOT a simple update** - see [Breaking Changes](#breaking-changes) below.
---
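Review bot: the replacement **Latest:** line drops the `[Update instructions below](#updating)` link that the v0.1.18 line carried. Since the new breaking-changes section recommends a full uninstall rather than an in-place update, either keep a link to the updating section or state in this line that #updating does not apply to v0.1.18 -> v0.1.23, so existing users are not left guessing which path to take.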
@@ -63,6 +65,61 @@ RedFlag lets you manage software updates across all your servers from one dashbo
---
## 🚨 Breaking Changes (v0.1.23)
**THIS IS NOT A SIMPLE UPDATE** - Complete rearchitecture from monolithic to multi-subsystem security architecture.
### **What Changed**
- **Security**: Machine binding enforcement (v0.1.22+ minimum), Ed25519 signing required
- **Architecture**: Single scan → Multi-subsystem (storage, system, docker, packages)
- **Paths**: `/var/lib/aggregator/` → `/var/lib/redflag/agent/`, `/etc/aggregator/` → `/etc/redflag/agent/`
- **Database**: Separate tables for metrics, docker images, storage metrics
- **UI**: New approval/reject workflow, real security metrics, frosted glass design
### **RECOMMENDED: Full Uninstall & Fresh Install**
```bash
# COMPLETE UNINSTALL - Remove all previous versions
sudo systemctl stop redflag-agent 2>/dev/null || true
sudo systemctl disable redflag-agent 2>/dev/null || true
sudo rm -f /etc/systemd/system/redflag-agent.service
sudo systemctl daemon-reload
sudo userdel redflag-agent 2>/dev/null || true
# REMOVE ALL OLD DATA
sudo rm -rf /var/lib/aggregator/
sudo rm -rf /var/lib/redflag/
sudo rm -rf /etc/aggregator/
sudo rm -rf /etc/redflag/
# REMOVE DOCKER STUFF (BE SURE YOU'RE IN REDFLAG FOLDER)
cd /path/to/RedFlag # IMPORTANT: Be in RedFlag directory
docker-compose down -v 2>/dev/null || true
docker system prune -f 2>/dev/null || true
```
### **Manual Migration (Advanced Users Only)**
If you really need to preserve data:
1. **Backup old data**:
```bash
sudo cp -r /var/lib/aggregator/ ~/aggregator-backup
sudo cp -r /etc/aggregator/ ~/aggregator-config-backup
```
2. **Follow fresh install instructions** below
3. **Manual data migration** (not supported - you're on your own)
### **No Support for Automatic Migration**
At this alpha stage, automated migration is not worth the complexity. The new architecture is fundamentally different and migration would be fragile.
**Need Migration Help?**
If you're one of the few existing v0.1.18 users who needs migration support, join our Discord server and ask - I'll help you through it manually.
---
## Quick Start
### Server Deployment (Docker)
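Review bot: the "COMPLETE UNINSTALL" script in this hunk does not stop when `cd /path/to/RedFlag` fails, and `docker system prune -f` removes every unused container, network and dangling image on the host, not only RedFlag's. A reader who pastes the block with the placeholder path unchanged will run `docker-compose down -v` and the prune from whatever directory they happen to be in. Suggest `cd /path/to/RedFlag || exit 1` and replacing the prune with `docker-compose down -v --rmi local`, which is scoped to this project's compose file. In the "Manual Migration" block, the `sudo cp -r ... ~/aggregator-backup` copies are created root-owned; add a `sudo chown -R "$USER" ~/aggregator-backup` or say the backup needs root to read.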
@@ -77,9 +134,12 @@ docker-compose up -d
# Access web UI and run setup
open http://localhost:3000
# Follow setup wizard, then copy generated .env content
# Follow setup wizard to:
# - Generate Ed25519 signing keys (CRITICAL for agent updates)
# - Configure database and admin settings
# - Copy generated .env content to config/.env
# Restart with new configuration
# Restart server to use new configuration and signing keys
docker-compose down
docker-compose up -d
```
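Review bot: the new wizard steps say the Ed25519 signing keys are generated and the generated .env content is then copied into config/.env, and the restart comment says the server loads the signing keys from that configuration, so config/.env now holds the key that authorizes agent updates. The step should tell the reader to restrict it (`chmod 600 config/.env`) and to confirm it is git-ignored, the same concern this commit's message raises for discord/. Also `open http://localhost:3000` is a macOS command while the README says macOS is unsupported; phrase it as "browse to http://localhost:3000".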
@@ -146,7 +206,12 @@ docker-compose down -v --remove-orphans && \
**Warning:** This deletes everything - all agents, update history, configurations. You'll need to handle existing agents:
**Option 1 - Re-register agents:**
- Remove agent config: `sudo rm /etc/aggregator/config.json` (Linux) or `C:\ProgramData\RedFlag\config.json` (Windows)
- Remove ALL agent config:
- `sudo rm /etc/aggregator/config.json` (old path)
- `sudo rm -rf /etc/redflag/` (new path)
- `sudo rm -rf /var/lib/aggregator/` (old state)
- `sudo rm -rf /var/lib/redflag/` (new state)
- `C:\ProgramData\RedFlag\config.json` (Windows)
- Re-run the one-liner installer with new registration token
- Scripts handle override/update automatically (one agent per OS install)
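Review bot: in the "Remove ALL agent config" list the Windows entry is a bare path, `C:\ProgramData\RedFlag\config.json`, while the Linux entries are commands; give it as a command the way the later hunk does (`Remove-Item "C:\ProgramData\RedFlag\config.json"`) so every item is copy-pasteable, and check that the sub-items are indented under "Remove ALL agent config:" so they render as a nested list rather than as siblings of the re-run step.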
@@ -172,8 +237,11 @@ rm config/.env
# Using uninstall script (recommended)
sudo bash aggregator-agent/uninstall.sh
# Remove agent configuration
# Remove ALL agent configuration (old and new paths)
sudo rm /etc/aggregator/config.json
sudo rm -rf /etc/redflag/
sudo rm -rf /var/lib/aggregator/
sudo rm -rf /var/lib/redflag/
# Remove agent user (optional - preserves logs)
sudo userdel -r redflag-agent
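Review bot: `sudo rm /etc/aggregator/config.json` has no `-f`, so on a host that never had the old path it errors (and stops a reader who pasted the block under `set -e`), while the three `rm -rf` lines beneath it succeed silently; use `sudo rm -f` for consistency. Also `sudo userdel -r redflag-agent` removes the account's home directory, which reads oddly under a comment that says "preserves logs"; if logs live elsewhere, say where, otherwise drop `-r`.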
@@ -204,6 +272,9 @@ Remove-Item "C:\ProgramData\RedFlag\config.json"
✓ **Audit Trails** - Complete history of all operations
✓ **Proxy Support** - HTTP/HTTPS/SOCKS5 for restricted networks
✓ **Native Services** - systemd on Linux, Windows Services on Windows
✓ **Ed25519 Signing** - Cryptographic signatures for agent updates (v0.1.22+)
✓ **Machine Binding** - Hardware fingerprint enforcement prevents agent spoofing
✓ **Real Security Metrics** - Actual database-driven security monitoring
---
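Review bot: "Hardware fingerprint enforcement prevents agent spoofing" is stated as absolute; the feature line should say what the fingerprint is derived from and point to what an operator does when hardware legitimately changes (re-register with a new registration token, as the re-registration option elsewhere in this diff describes), otherwise a disk or board replacement looks exactly like the spoofing this line claims to prevent and the README gives no recovery path.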
@@ -247,13 +318,22 @@ RedFlag uses:
- **SHA-256 hashing** - All tokens hashed at rest
- **Rate limiting** - Configurable API protection
- **Minimal privileges** - Agents run with least required permissions
- **Ed25519 Signing** - All agent updates signed with server keys (v0.1.22+)
- **Machine Binding** - Agents bound to hardware fingerprint (v0.1.22+)
**File Flow & Update Security:**
- All agent update packages are cryptographically signed
- Setup wizard generates Ed25519 keypair during initial configuration
- Agents validate signatures before installing any updates
- File integrity verified with checksums and signatures
- Controlled file flow prevents unauthorized updates
For production deployments:
1. Change default admin password
1. Complete setup wizard to generate signing keys
2. Use HTTPS/TLS
3. Generate strong JWT secrets (setup wizard does this)
4. Configure firewall rules
5. Enable rate limiting
3. Configure firewall rules
4. Enable rate limiting
5. Monitor security metrics dashboard
---
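Review bot: the rewritten "For production deployments" list replaces "1. Change default admin password" with "1. Complete setup wizard to generate signing keys" and drops "Generate strong JWT secrets"; the JWT item was already marked as something the wizard does, but if the wizard also sets the admin password the new item should say so, and if it does not, the password step must stay on the list. The "File Flow & Update Security" bullets added above it would also be stronger with one sentence on where the Ed25519 public key is pinned on the agent side, since "Agents validate signatures before installing any updates" only holds if the agent cannot be handed a different key.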