Add security configuration documentation

- Comprehensive security configuration guide for nanobot - Production deployment security checklist - Channel access control configuration - API key and credential management - Workspace and file system security settings
2026-03-03 13:13:42 -05:00 · 2026-03-03 13:13:42 -05:00 · 9c9c4e3ebf
commit 9c9c4e3ebf
parent c46b0a7e37
1 changed files with 290 additions and 0 deletions
--- a/SECURITY_CONFIGURATION.md
+++ b/SECURITY_CONFIGURATION.md
@ -0,0 +1,290 @@
+# Nanobot Security Configuration Guide
+
+This guide provides step-by-step instructions for securing your nanobot installation.
+
+## Quick Security Setup
+
+### 1. Secure Configuration File
+
+```bash
+# Set proper permissions on config file
+chmod 600 ~/.nanobot/config.json
+
+# Set proper permissions on nanobot directory
+chmod 700 ~/.nanobot
+```
+
+### 2. Configure Channel Access Control
+
+**CRITICAL**: Empty `allowFrom` lists allow ALL users. Always configure this in production!
+
+#### Telegram Example
+```json
+{
+  "channels": {
+    "telegram": {
+      "enabled": true,
+      "token": "YOUR_BOT_TOKEN",
+      "allowFrom": ["123456789", "987654321"]
+    }
+  }
+}
+```
+
+To find your Telegram user ID:
+1. Message `@userinfobot` on Telegram
+2. Copy your user ID
+3. Add it to the `allowFrom` list
+
+#### WhatsApp Example
+```json
+{
+  "channels": {
+    "whatsapp": {
+      "enabled": true,
+      "allowFrom": ["+1234567890", "+0987654321"]
+    }
+  }
+}
+```
+
+Use full phone numbers with country code (e.g., `+1` for US).
+
+#### Email Example
+```json
+{
+  "channels": {
+    "email": {
+      "enabled": true,
+      "allowFrom": ["user@example.com", "admin@example.com"]
+    }
+  }
+}
+```
+
+### 3. Enable Workspace Restrictions
+
+Restrict file operations to a specific directory:
+
+```json
+{
+  "agents": {
+    "defaults": {
+      "restrictToWorkspace": true
+    }
+  }
+}
+```
+
+This ensures nanobot can only access files within `~/.nanobot/workspace`.
+
+### 4. Run as Non-Root User
+
+**NEVER run nanobot as root!**
+
+```bash
+# Create dedicated user
+sudo useradd -m -s /bin/bash nanobot
+
+# Switch to nanobot user
+sudo -u nanobot bash
+
+# Run nanobot
+python3 -m nanobot.cli.commands agent -m "hello"
+```
+
+### 5. Configure Command Timeouts
+
+Limit command execution time:
+
+```json
+{
+  "agents": {
+    "defaults": {
+      "execConfig": {
+        "timeout": 30
+      }
+    }
+  }
+}
+```
+
+Default is 60 seconds. Reduce for stricter security.
+
+## Advanced Security Configuration
+
+### 1. Custom Command Blocking
+
+You can add custom blocked command patterns by modifying the ExecTool initialization, but this requires code changes. The default patterns block:
+- `rm -rf`, `rm -r`, `rm -f`
+- `format`, `mkfs.*`
+- `dd if=`
+- `shutdown`, `reboot`, `poweroff`
+- Fork bombs
+
+### 2. Network Security
+
+#### Restrict Outbound Connections
+
+Use a firewall to restrict what nanobot can access:
+
+```bash
+# Example: Only allow HTTPS to specific domains
+sudo ufw allow out 443/tcp
+sudo ufw deny out 80/tcp  # Block HTTP
+```
+
+#### WhatsApp Bridge Security
+
+The WhatsApp bridge binds to `127.0.0.1:3001` (localhost only) by default. For additional security:
+
+```json
+{
+  "channels": {
+    "whatsapp": {
+      "enabled": true,
+      "bridgeToken": "your-secret-token-here"
+    }
+  }
+}
+```
+
+Set a `bridgeToken` to enable shared-secret authentication between Python and Node.js components.
+
+### 3. Log Monitoring
+
+Set up log monitoring to detect security issues:
+
+```bash
+# Monitor access denials
+tail -f ~/.nanobot/logs/nanobot.log | grep "Access denied"
+
+# Monitor blocked commands
+tail -f ~/.nanobot/logs/nanobot.log | grep "blocked by safety guard"
+
+# Monitor all tool executions
+tail -f ~/.nanobot/logs/nanobot.log | grep "ExecTool:"
+```
+
+### 4. Regular Security Audits
+
+#### Check Dependencies
+
+```bash
+# Python dependencies
+pip install pip-audit
+pip-audit
+
+# Node.js dependencies (for WhatsApp bridge)
+cd bridge
+npm audit
+npm audit fix
+```
+
+#### Review Logs
+
+```bash
+# Check for suspicious activity
+grep -i "error\|denied\|blocked" ~/.nanobot/logs/nanobot.log | tail -100
+
+# Check file operations
+grep "write_file\|edit_file" ~/.nanobot/logs/nanobot.log | tail -100
+```
+
+### 5. API Key Rotation
+
+Rotate API keys regularly:
+
+1. Generate new API keys from your provider
+2. Update `~/.nanobot/config.json`
+3. Restart nanobot
+4. Revoke old keys after confirming new ones work
+
+### 6. Environment Isolation
+
+Run nanobot in a container or VM for better isolation:
+
+```bash
+# Using Docker (if Dockerfile exists)
+docker build -t nanobot .
+docker run --rm -it \
+  -v ~/.nanobot:/root/.nanobot \
+  -v ~/.nanobot/workspace:/root/.nanobot/workspace \
+  nanobot
+```
+
+## Security Checklist
+
+Before deploying nanobot in production:
+
+- [ ] Config file permissions set to `0600`
+- [ ] Nanobot directory permissions set to `700`
+- [ ] All channels have `allowFrom` lists configured
+- [ ] Running as non-root user
+- [ ] `restrictToWorkspace` enabled
+- [ ] Command timeout configured
+- [ ] API keys stored securely (not in code)
+- [ ] Logs monitored for security events
+- [ ] Dependencies updated and audited
+- [ ] Firewall rules configured (if needed)
+- [ ] Backup and disaster recovery plan in place
+
+## What Nanobot Cannot Do (Built-in Protections)
+
+Nanobot has built-in protections that prevent:
+
+1. **Destructive Commands**: `rm -rf /`, `format`, `mkfs`, `dd`, `shutdown`, etc.
+2. **Path Traversal**: `../` and `..\\` are blocked when workspace restrictions are enabled
+3. **System File Access**: When restricted, cannot access files outside workspace
+4. **Unlimited Execution**: Commands timeout after configured limit (default 60s)
+5. **Unlimited Output**: Command output truncated at 10KB
+6. **Unauthorized Access**: Channels check `allowFrom` lists before processing messages
+
+## Incident Response
+
+If you suspect a security breach:
+
+1. **Immediately revoke compromised API keys**
+   ```bash
+   # Update config.json with new keys
+   nano ~/.nanobot/config.json
+   ```
+
+2. **Review logs for unauthorized access**
+   ```bash
+   grep "Access denied" ~/.nanobot/logs/nanobot.log
+   ```
+
+3. **Check for unexpected file modifications**
+   ```bash
+   find ~/.nanobot/workspace -type f -mtime -1 -ls
+   ```
+
+4. **Rotate all credentials**
+   - Update API keys
+   - Update channel tokens
+   - Update bridge tokens (if using WhatsApp)
+
+5. **Update to latest version**
+   ```bash
+   pip install --upgrade nanobot-ai
+   ```
+
+6. **Report the incident**
+   - Email: xubinrencs@gmail.com
+   - Include: Description, steps to reproduce, potential impact
+
+## Additional Resources
+
+- [SECURITY.md](SECURITY.md) - Full security policy and best practices
+- [SETUP_GUIDE.md](SETUP_GUIDE.md) - Setup and configuration guide
+- [README.md](README.md) - General documentation
+
+## Questions?
+
+If you have security concerns or questions:
+- Review [SECURITY.md](SECURITY.md)
+- Check nanobot logs for errors
+- Contact maintainers: xubinrencs@gmail.com
+
+