secubox-openwrt/package/secubox/secubox-cve-triage/README.md
CyberMind-FR 44493ebfe3 feat: Add CVE Triage Agent and Vortex DNS, fix webmail login
New Packages:
- secubox-cve-triage: AI-powered CVE analysis and vulnerability management
  - NVD API integration for CVE data
  - CrowdSec CVE alert correlation
  - LocalAI-powered impact analysis
  - Approval workflow for patch recommendations
  - Multi-source monitoring (opkg, LXC, Docker)

- luci-app-cve-triage: Dashboard with alerts, pending queue, risk score

- secubox-vortex-dns: Meshed multi-dynamic subdomain delegation
  - Master/slave hierarchical DNS delegation
  - Wildcard domain management
  - First Peek auto-registration
  - Gossip-based exposure config sync
  - Submastering for nested hierarchies

Fixes:
- Webmail 401 login: config.docker.inc.php was overriding IMAP host
  to ssl://mail.secubox.in:993 which Docker couldn't reach
- Fixed mailctl webmail configure to use socat proxy (172.17.0.1:10143)

Documentation:
- Added LXC cgroup:mixed fix to FAQ-TROUBLESHOOTING.md
- Updated CLAUDE.md to include FAQ consultation at startup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 12:19:54 +01:00


# SecuBox CVE Triage Agent
AI-powered CVE analysis and vulnerability management for SecuBox.
## Features
- **Automated CVE Scanning**: Monitors installed packages (opkg, LXC, Docker)
- **NVD Integration**: Fetches latest vulnerabilities from NIST NVD API
- **CrowdSec Correlation**: Matches CVE-related CrowdSec alerts
- **AI Analysis**: LocalAI-powered impact assessment and recommendations
- **Approval Workflow**: Queue-based patch approval for critical changes
- **Multi-Source Monitoring**: opkg packages, LXC containers, Docker images
## CLI Reference
```bash
# Status and monitoring
cve-triage status # Agent status
cve-triage scan # Scan installed packages
cve-triage fetch # Fetch latest CVE data
cve-triage run # Full triage cycle
# CVE analysis
cve-triage analyze CVE-2024-1234 # Analyze specific CVE
# Recommendation management
cve-triage list-pending # List pending recommendations
cve-triage approve <id> # Approve recommendation
cve-triage reject <id> # Reject recommendation
cve-triage approve-all # Approve all pending
# Alerts
cve-triage alerts # Show active alerts
# Reports
cve-triage summary # Security summary
cve-triage export # Export full report (JSON)
# Daemon
cve-triage daemon # Run as background daemon
```
## Configuration
Edit `/etc/config/cve-triage`:
```uci
config cve-triage 'main'
option enabled '1'
option interval '3600' # Triage interval (seconds)
option localai_url 'http://127.0.0.1:8081'
option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'
option min_severity 'high' # low/medium/high/critical
option affected_only '1' # Only CVEs affecting installed packages
option auto_apply_patches '0' # Queue patches for approval
option min_confidence '80' # AI confidence threshold
```
## Data Flow
```
1. COLLECT
├─ opkg list-installed
├─ LXC container packages (dpkg/apk)
└─ Docker images
2. FETCH CVEs
├─ NVD API (last 7 days, high severity)
└─ CrowdSec CVE alerts
3. MATCH
└─ CVE descriptions ↔ package names
4. ANALYZE (LocalAI)
├─ Impact assessment
├─ OpenWrt relevance
└─ Action recommendation
5. RECOMMEND
├─ patch: opkg upgrade <pkg>
├─ mitigate: manual steps
└─ monitor: no action
6. APPROVE/APPLY
├─ Auto-apply (if enabled)
└─ Queue for review
```
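Steps 2 and 3 of this flow (severity filter, then CVE description ↔ package name matching), as an added Python example that is not part of the secubox-cve-triage package: it reads constructed `opkg list-installed` output and an abbreviated NVD API 2.0-style response with placeholder CVE ids, drops records below the `min_severity` floor, and matches descriptions to installed packages on whole words only, so `curl` does not fire on "curly". The NVD field layout follows the public API 2.0 JSON; the `lib`/trailing-digit stripping used to guess an upstream name from an opkg name is an assumption, not the agent's own logic.

```python
import re
# Severity order for the min_severity option (low/medium/high/critical).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of `opkg list-installed` output (not from a real device).
OPKG_LIST_INSTALLED = "libopenssl3 - 3.0.13-1\ncurl - 8.5.0-1\ndnsmasq - 2.90-1\n"

def _cve(cve_id, severity, text):  # only the NVD API 2.0 fields the matcher reads
    return {"cve": {"id": cve_id, "descriptions": [{"lang": "en", "value": text}],
                    "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": severity}}]}}}

# Constructed NVD-style response; CVE-0000-000x are placeholders, not real CVEs.
NVD_RESPONSE = {"vulnerabilities": [
    _cve("CVE-0000-0001", "HIGH", "Heap buffer overflow in curl when parsing cookies."),
    _cve("CVE-0000-0002", "CRITICAL", "OpenSSL mishandles certificate chains."),
    _cve("CVE-0000-0003", "LOW", "dnsmasq logs verbose output."),
    _cve("CVE-0000-0004", "HIGH", "A curly-brace parsing bug in somepkg."),
]}

def parse_opkg(text):
    """Package names from `opkg list-installed` lines of the form 'name - version'."""
    return {line.partition(" - ")[0].strip() for line in text.splitlines() if " - " in line}

def search_terms(pkg):
    """The opkg name plus an upstream guess ('libopenssl3' -> 'openssl'); terms < 3 chars skipped."""
    bare = re.sub(r"^lib|\d+$", "", pkg.lower())
    return {pkg.lower()} | ({bare} if len(bare) >= 3 else set())

def cve_severity(cve):
    """baseSeverity from CVSS v3.1, else v3.0; 'NONE' when the record is unscored."""
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for metric in cve.get("metrics", {}).get(key, []):
            return metric["cvssData"].get("baseSeverity", "NONE").upper()
    return "NONE"

def match_cves(nvd, installed, min_severity="high"):
    """Map CVE id -> installed packages named in its English description (whole-word match)."""
    floor = SEVERITY_RANK[min_severity.upper()]
    hits = {}
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        if SEVERITY_RANK.get(cve_severity(cve), 0) < floor:
            continue  # below the configured min_severity: not queued for analysis
        text = " ".join(d["value"] for d in cve["descriptions"] if d["lang"] == "en").lower()
        pkgs = sorted(p for p in installed
                      if any(re.search(rf"\b{re.escape(t)}\b", text) for t in search_terms(p)))
        if pkgs:
            hits[cve["id"]] = pkgs
    return hits
```

With the sample data only the curl and OpenSSL records survive: the LOW dnsmasq record is filtered out, and the "curly-brace" record matches nothing.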
## LocalAI Integration
Requires LocalAI running at `http://127.0.0.1:8081`.
Without LocalAI, the agent uses basic CVSS-based analysis.
## Files
- `/etc/config/cve-triage` - Configuration
- `/var/lib/cve-triage/` - State and recommendations
- `/var/cache/cve-triage/` - CVE data cache
- `/var/lib/cve-triage/pending_actions.json` - Approval queue
## Part of SecuBox v0.19 AI Gateway