New Packages:
- secubox-cve-triage: AI-powered CVE analysis and vulnerability management
  - NVD API integration for CVE data
  - CrowdSec CVE alert correlation
  - LocalAI-powered impact analysis
  - Approval workflow for patch recommendations
  - Multi-source monitoring (opkg, LXC, Docker)
- luci-app-cve-triage: Dashboard with alerts, pending queue, risk score
- secubox-vortex-dns: Meshed multi-dynamic subdomain delegation
  - Master/slave hierarchical DNS delegation
  - Wildcard domain management
  - First Peek auto-registration
  - Gossip-based exposure config sync
  - Submastering for nested hierarchies

Fixes:
- Webmail 401 login: config.docker.inc.php was overriding IMAP host to ssl://mail.secubox.in:993 which Docker couldn't reach
- Fixed mailctl webmail configure to use socat proxy (172.17.0.1:10143)

Documentation:
- Added LXC cgroup:mixed fix to FAQ-TROUBLESHOOTING.md
- Updated CLAUDE.md to include FAQ consultation at startup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuBox CVE Triage Agent
AI-powered CVE analysis and vulnerability management for SecuBox.
Features
- Automated CVE Scanning: Monitors installed packages (opkg, LXC, Docker)
- NVD Integration: Fetches latest vulnerabilities from NIST NVD API
- CrowdSec Correlation: Matches CVE-related CrowdSec alerts
- AI Analysis: LocalAI-powered impact assessment and recommendations
- Approval Workflow: Queue-based patch approval for critical changes
- Multi-Source Monitoring: opkg packages, LXC containers, Docker images
CLI Reference
```sh
# Status and monitoring
cve-triage status                 # Agent status
cve-triage scan                   # Scan installed packages
cve-triage fetch                  # Fetch latest CVE data
cve-triage run                    # Full triage cycle

# CVE analysis
cve-triage analyze CVE-2024-1234  # Analyze a specific CVE

# Recommendation management
cve-triage list-pending           # List pending recommendations
cve-triage approve <id>           # Approve a recommendation
cve-triage reject <id>            # Reject a recommendation
cve-triage approve-all            # Approve all pending (skips per-item review)

# Alerts
cve-triage alerts                 # Show active alerts

# Reports
cve-triage summary                # Security summary
cve-triage export                 # Export full report (JSON)

# Daemon
cve-triage daemon                 # Run as background daemon
```
Configuration
Edit /etc/config/cve-triage:
```
config cve-triage 'main'
	option enabled '1'
	option interval '3600'          # Triage interval (seconds)
	option localai_url 'http://127.0.0.1:8081'
	option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'
	option min_severity 'high'      # low/medium/high/critical; CVEs below this are ignored
	option affected_only '1'        # Only CVEs matching installed packages
	option auto_apply_patches '0'   # 0 = queue patches for approval, 1 = apply without review
	option min_confidence '80'      # Minimum AI confidence for a recommendation
```
Data Flow
```
1. COLLECT
   ├─ opkg list-installed
   ├─ LXC container packages (dpkg/apk)
   └─ Docker images
2. FETCH CVEs
   ├─ NVD API (last 7 days, high severity)
   └─ CrowdSec CVE alerts
3. MATCH
   └─ CVE descriptions ↔ package names
4. ANALYZE (LocalAI)
   ├─ Impact assessment
   ├─ OpenWrt relevance
   └─ Action recommendation
5. RECOMMEND
   ├─ patch: opkg upgrade <pkg>
   ├─ mitigate: manual steps
   └─ monitor: no action
6. APPROVE/APPLY
   ├─ Auto-apply (if enabled)
   └─ Queue for review
```
LocalAI Integration
Uses LocalAI at http://127.0.0.1:8081 (see localai_url) when it is reachable.
Without LocalAI, the agent falls back to basic CVSS-based analysis: the action is derived from the CVE's base score alone, with no OpenWrt-specific relevance check.
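The data flow above (COLLECT, FETCH, MATCH, RECOMMEND, APPROVE/APPLY) and the CVSS-only fallback used when LocalAI is absent, written out as an added example. This is not the secubox-cve-triage code: the function names, the `pending_actions.json` entry shape, the `ai_analysis` dict shape and the `opkg list-installed` / NVD API 2.0 sample inputs are all assumptions constructed for the example. It shows why MATCH should use whole-word matching on package names (a substring test would flag `curl` on a "curly-brace" advisory) and where name matching still under-reports (`libcurl4` is installed, but the advisory names the project as "curl").

```python
"""Added example, not the secubox-cve-triage package's own code.
Pipeline: collect packages -> fetch/filter CVEs -> match -> recommend -> queue."""
import json
import re

# Constructed sample of `opkg list-installed` output (name - version).
OPKG_OUTPUT = """\
busybox - 1.36.1-r1
curl - 8.5.0-1
dropbear - 2022.83-2
ip-full - 6.3.0-1
libcurl4 - 8.5.0-1
"""

# Constructed, abbreviated NVD API 2.0-style response. CVE IDs and text are
# placeholders, not real advisories.
NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "curl before 8.6.0 mishandles cookies."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0002",
             "descriptions": [{"lang": "en", "value": "A curly-brace parser in Foo crashes."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0003",
             "descriptions": [{"lang": "en", "value": "Dropbear allows authentication bypass."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
]}

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def collect_opkg(output):
    """COLLECT: parse `opkg list-installed` lines into {name: version}."""
    packages = {}
    for line in output.splitlines():
        name, sep, version = line.partition(" - ")
        if sep:
            packages[name.strip()] = version.strip()
    return packages


def fetch_cves(nvd_json, min_severity="high"):
    """FETCH: flatten NVD 2.0 entries and drop anything below min_severity."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    cves = []
    for item in nvd_json["vulnerabilities"]:
        cve = item["cve"]
        desc = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        data = metrics[0]["cvssData"] if metrics else {"baseScore": 0.0, "baseSeverity": "LOW"}
        if SEVERITY_RANK[data["baseSeverity"]] >= threshold:
            cves.append({"id": cve["id"], "description": desc,
                         "score": data["baseScore"], "severity": data["baseSeverity"]})
    return cves


def match_packages(cves, packages):
    """MATCH: package name <-> CVE description on word boundaries, case-insensitive.
    Whole-word anchors keep "curl" from matching "curly-brace". The reverse gap
    remains: libcurl4 is never matched by an advisory that says "curl"."""
    matched = []
    for cve in cves:
        hits = [name for name in packages
                if re.search(r"\b" + re.escape(name) + r"\b", cve["description"], re.IGNORECASE)]
        if hits:
            matched.append(dict(cve, packages=hits))
    return matched


def recommend(cve, ai_analysis=None, min_confidence=80):
    """RECOMMEND: take the AI verdict if confident enough, else CVSS-only fallback.
    ai_analysis is an assumed shape: {"action": "patch|mitigate|monitor", "confidence": 0-100}."""
    if ai_analysis and ai_analysis.get("confidence", 0) >= min_confidence:
        action = ai_analysis["action"]
    else:
        action = "patch" if cve["score"] >= 7.0 else "monitor"  # score-only fallback
    commands = [f"opkg upgrade {pkg}" for pkg in cve["packages"]] if action == "patch" else []
    return {"cve": cve["id"], "action": action, "packages": cve["packages"], "commands": commands}


def queue_actions(recommendations, auto_apply_patches=False):
    """APPROVE/APPLY: build pending_actions.json-style entries. Nothing is executed
    here; auto_apply_patches only marks patches approved instead of pending."""
    queue = []
    for n, rec in enumerate(recommendations, start=1):
        status = "auto-approved" if auto_apply_patches and rec["action"] == "patch" else "pending"
        queue.append(dict(rec, id=n, status=status))
    return queue


def triage(opkg_output, nvd_json, min_severity="high", auto_apply_patches=False, ai=None):
    """One full cycle; `ai` maps CVE id -> ai_analysis (empty = LocalAI unavailable)."""
    packages = collect_opkg(opkg_output)
    cves = match_packages(fetch_cves(nvd_json, min_severity), packages)
    ai = ai or {}
    recs = [recommend(c, ai.get(c["id"])) for c in cves]
    return queue_actions(recs, auto_apply_patches)


if __name__ == "__main__":
    print(json.dumps(triage(OPKG_OUTPUT, NVD_RESPONSE), indent=2))
```

With the defaults (`min_severity=high`, no AI) only the curl advisory survives: the "curly-brace" CVE is discarded by the word-boundary match despite its CRITICAL score, and the dropbear advisory is filtered out as MEDIUM before matching. Lowering `min_severity` to medium admits dropbear but, without an AI verdict, its 5.3 score only yields `monitor`.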
Files
- /etc/config/cve-triage - Configuration
- /var/lib/cve-triage/ - State and recommendations
- /var/cache/cve-triage/ - CVE data cache
- /var/lib/cve-triage/pending_actions.json - Approval queue