diff --git a/Roadmap-and-Known-Debt.md b/Roadmap-and-Known-Debt.md new file mode 100644 index 0000000..9c9368e --- /dev/null +++ b/Roadmap-and-Known-Debt.md @@ -0,0 +1,29 @@ +# Roadmap and Known Debt + +DECNET keeps its forward-looking and backward-looking planning docs inside the main repo under `development/`. This page is an index — no duplication. + +## Roadmap and Future Work + +- `development/FUTURE.md` — planned features and direction. +- `development/ICS_SCADA.md` — ICS/SCADA decoy work. +- `development/IMAP_BAIT.md` — IMAP bait service design. +- `development/SMTP_RELAY.md` — SMTP relay decoy work. + +## Known Debt and Bugs + +- `development/DEBT.md` — accepted tech debt. +- `development/BUGS.md` — known open bugs. +- `development/BUG_FIXES.md` — recently fixed, for history. +- `development/HARDENING.md` — hardening backlog. + +## Audits and Coverage + +- `development/REALISM_AUDIT.md` — decoy realism audit notes. +- `development/COVERAGE.md` — test coverage state. +- `development/EVENTS.md` — event pipeline and schema notes. + +Each of these files lives in the DECNET repo, not this wiki. Follow the links above from a working checkout. + +--- + +See also: [[Home]] · [[Developer-Guide]] · [[Troubleshooting]] diff --git a/Security-and-Stealth.md b/Security-and-Stealth.md new file mode 100644 index 0000000..9d75d99 --- /dev/null +++ b/Security-and-Stealth.md 
@@ -0,0 +1,56 @@ +# Security and Stealth + +DECNET sits on the attacker-facing edge of a network, so its own posture matters as much as the decoys it deploys. + +## Authentication + +### JWT + +- Algorithm: **HS256** (see `decnet/web/auth.py`). +- Secret: `DECNET_JWT_SECRET` — must be **≥ 32 characters**. Anything shorter is rejected at startup with an explicit error referencing RFC 7518 §3.2 (see `decnet/env.py`). +- No fallback: the env var is required, not optional. + +### Admin Credentials + +- `DECNET_ADMIN_USER` / `DECNET_ADMIN_PASSWORD` seed the initial admin on first boot (`decnet/web/db/sqlmodel_repo.py`). +- The combination `admin/admin` is rejected at startup. Deployments must pick a real password. +- Passwords are hashed with **bcrypt** — plaintext is never persisted. + +### RBAC + +- All admin endpoints are gated server-side via `require_admin` / `require_role("admin")` dependencies (`decnet/web/dependencies.py`). +- **Contributor rule (ANTI)**: the admin UI must be server-gated, never client-side only. A hidden button is not access control. + +## Stealth in Active Probes + +**Contributor rule (ANTI)**: active probes and health checks must never reveal DECNET's identity. + +- No `User-Agent: DECNET/...`. +- No banners, headers, or log lines that leak the framework name to a decoy or an external target. +- Probe traffic should be indistinguishable from ordinary tooling (curl, nmap, python-requests). If you're adding a probe and unsure, ask before merging. + +## Network Architecture + +- Decoy network is attacker-facing by design. +- Logging / aggregation network (Logstash → ELK → SIEM) is **isolated** from the decoy network. +- A publicly accessible real server bridges the two; deckies never talk to the SIEM directly. + +See the top-level `README.md` for the full diagram. + +## OS Fingerprint Spoofing + +Deckies rotate service banners, TTLs, TCP options, and OS hints to look heterogeneous. Mutation is time-based and randomized per decky. 
+ +- Details: [[Mutation-and-Randomization]] + +## Responsible Disclosure + +Found a security issue in DECNET itself (not a decoy)? Email: + +- `TODO: add security@ disclosure address` + +Please do not file public issues for exploitable bugs. + +--- + +See also: [[Troubleshooting]] · [[Environment-Variables]] · [[Web-Dashboard]] diff --git a/Sponsors.md b/Sponsors.md new file mode 100644 index 0000000..7957884 --- /dev/null +++ b/Sponsors.md @@ -0,0 +1,30 @@ +# Sponsors + +DECNET is built and maintained with the help of a small number of generous sponsors. Without their backing the project would not exist in its current form. + +## Current Sponsors + +### SecureJump + +- Website: https://securejump.cl +- Offensive-security and adversary-simulation outfit based in Chile. SecureJump's red-team crew has contributed threat-model input that shaped DECNET's decoy-service realism and fingerprint spoofing. + +### Xmartlab + +- Website: https://xmartlab.com +- Engineering lab sponsoring infrastructure, test hardware, and maintainer time. Xmartlab hosts the build and integration environment used for DECNET's swarm-mode testing. + +## Logos + +> Note: logo images must be uploaded to the wiki repo separately; the paths below are placeholders. + +- ![SecureJump](sponsor-logos/securejump.png) +- ![Xmartlab](sponsor-logos/xmartlab.png) + +## Thank You + +To SecureJump and Xmartlab — thank you for keeping the lights on, the containers running, and the decoys convincing. + +--- + +See also: [[Support-the-Project]] · [[Home]] diff --git a/Support-the-Project.md b/Support-the-Project.md new file mode 100644 index 0000000..d3643af --- /dev/null +++ b/Support-the-Project.md 
@@ -0,0 +1,49 @@ +# Support the Project + +DECNET is open-source, maintained in the open, and not cheap to keep running. If your team benefits from decoy-network research, please consider sponsoring. + +## Why Sponsor DECNET + +- **Maintenance**: keeping decoy services realistic means chasing CVEs, banner drift, and fingerprint tells on a rolling basis. +- **Infrastructure**: multi-host swarm testing, SIEM/ELK rigs, and realistic NIC hardware cost money. +- **Time**: the maintainer's hours are finite. Sponsorship buys focused, dedicated effort on roadmap items. + +## Tiers + +### Bronze + +- Small logo on the [[Sponsors]] page. +- Mention in release notes. + +### Silver + +- Medium logo on the [[Sponsors]] page. +- Feature-request priority in the issue tracker. +- Quarterly office-hours call with the maintainer. + +### Gold + +- Large logo on the [[Sponsors]] page. +- Roadmap co-design input. +- Advisory access to the maintainer. +- Private-channel support. + +## How to Sponsor + +Corporate sponsorships, invoicing, and tier selection: + +- **Contact**: samuel.paschuan@xmartlab.com + +Payment channels: + +- Stripe: `TODO: add Stripe link` +- BTC: `TODO: add BTC address` +- ETH: `TODO: add ETH address` + +## Individual Donors + +Not a company? No problem. If DECNET saved you a weekend of honeypot plumbing, drop a coffee's worth into the tip jar — small donations genuinely keep the project moving, and they accumulate. Use the Stripe link above (once live) or reach out by email for a one-off transfer. No tier, no logo, just appreciation. + +--- + +See also: [[Sponsors]] · [[Security-and-Stealth]] · [[Roadmap-and-Known-Debt]] diff --git a/Troubleshooting.md b/Troubleshooting.md new file mode 100644 index 0000000..d506828 --- /dev/null +++ b/Troubleshooting.md 
@@ -0,0 +1,63 @@ +# Troubleshooting + +Common gotchas when deploying and running DECNET. + +## Networking + +### MACVLAN fails on WSL + +WSL does not play nicely with MACVLAN drivers. Options: + +- Run DECNET on bare metal or inside a proper VM (preferred). +- Fall back to IPVLAN by passing `--ipvlan` on the deploy command. + +See [[Home]] for supported environments. + +### NIC not in promiscuous mode + +Deckies and the sniffer need the host NIC in promiscuous mode to see decoy-directed traffic. If captures look empty: + +```bash +sudo ip link set promisc on +``` + +## Auth and Startup + +### `admin/admin` rejected at startup + +Intentional. DECNET refuses to boot with the trivial default. Set `DECNET_ADMIN_USER` and `DECNET_ADMIN_PASSWORD` to real values. + +### JWT secret too short + +`DECNET_JWT_SECRET` must be at least **32 bytes** for HS256 (RFC 7518 §3.2). Shorter secrets are rejected at startup with an explicit error. See `decnet/env.py`. + +## Embedded vs Standalone Workers + +Running both the embedded profiler/sniffer **and** a standalone instance causes duplicate or skipped events. + +Fix: pick one. Unset the embed flags when running standalone workers: + +```bash +unset DECNET_EMBED_PROFILER +unset DECNET_EMBED_SNIFFER +``` + +See [[Environment-Variables]]. + +## Python Runtime + +### Python 3.14 GC instability under load + +The 3.14 GC has surfaced crashes under DECNET's load profile. Pin to **Python 3.11 – 3.13** until upstream stabilizes. + +## Database + +### SQLite write contention + +Under heavy concurrent event ingestion, SQLite can hit writer-lock contention. Switch the backend to MySQL. + +See [[Database-Drivers]]. + +--- + +See also: [[Security-and-Stealth]] · [[Environment-Variables]] · [[Roadmap-and-Known-Debt]]
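Review bot: the "Follow the links above from a working checkout" sentence in Roadmap-and-Known-Debt.md refers to links, but every entry is a plain code span such as `development/FUTURE.md`, so nothing on the rendered wiki page is clickable; either make each entry a relative link to the file in the main repo or reword to "open the paths above from a working checkout" so the text matches what the page actually contains.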
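Review bot: the JWT secret requirement in Security-and-Stealth.md is given as "must be **≥ 32 characters**" while Troubleshooting.md in the same patch says "at least **32 bytes**", and RFC 7518 §3.2 sets the minimum in octets, so a 32-character secret containing multibyte characters is not the same as 32 bytes; state it in bytes in both pages, matching whatever `decnet/env.py` actually measures. Two smaller points in this hunk: the Responsible Disclosure section asks people not to file public issues, yet the only contact is "`TODO: add security@ disclosure address`", so as merged there is no private reporting channel at all; and "A publicly accessible real server bridges the two; deckies never talk to the SIEM directly" reads as if the host joining the attacker-facing decoy network to the isolated logging network is itself exposed, which undercuts the isolation bullet just above it, so say which interface of that host is public and which one carries the SIEM traffic.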
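Review bot: the Logos section in Sponsors.md adds image references to `sponsor-logos/securejump.png` and `sponsor-logos/xmartlab.png` that the note directly above them says have not been uploaded, so the rendered page will show two broken images; either add the files in the same change or leave the image lines out until they exist.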
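Review bot: the payment section in Support-the-Project.md places the Stripe link and the `BTC:` / `ETH:` addresses directly on a wiki page; once the TODOs are filled in, anyone who can edit the wiki can quietly redirect donations, so keep the canonical addresses somewhere with tighter write access (for example the main repo, where changes go through review) and have this page link there, or at least name the page history as the source of truth. Also, "Use the Stripe link above (once live)" under Individual Donors points at a placeholder; reword so the paragraph reads correctly before the link exists.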
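Review bot: `sudo ip link set promisc on` in the "NIC not in promiscuous mode" section of Troubleshooting.md is missing the device argument and fails as written; it should be `sudo ip link set dev <iface> promisc on` with a sentence telling the reader to substitute the host NIC. The "Python 3.14 GC instability under load" section pins users to 3.11 through 3.13 without a reference; link the upstream CPython issue or the entry in `development/BUGS.md` so the pin can be lifted once it is resolved. Lastly, "at least **32 bytes**" here and "≥ 32 characters" in Security-and-Stealth.md should agree, with bytes being the correct unit for RFC 7518 §3.2.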