RedAmon v5.1.0 — Security Hardening
A focused hardening release. RedAmon now contains the blast radius of a compromised worker — if a hostile scan target pops the Kali sandbox, it can no longer reach the host, steal secrets, persist, or tamper with your data.
🛡️ Container & Host Isolation
- docker-broker — a filtering Docker-socket proxy: the recon orchestrator's spawned scan containers reach the daemon through it, so they can only launch the known tool images (allowlisted, no host mounts, no
--privileged, no arbitrary images) - De-privileged recon containers —
privileged: truereplaced with a scopedNET_RAW; the worker drops the unusedSYS_PTRACE - Read-only MCP server source — closes restart-surviving persistence in the worker
🔑 Secrets Off the Worker
- The worker no longer holds
INTERNAL_API_KEY(it never used it) or the masterNEO4J_PASSWORD - Graph access from the worker is proxied read-only + tenant-scoped through the agent — a compromised worker can read its own project, and nothing else
🌐 Orchestrator Lockdown
- The recon orchestrator (the Docker-socket holder) is network-isolated on its own segment and bound to loopback
- Every orchestrator API route now requires an
X-Orchestrator-Key, held only by the webapp - Tool Docker images are allowlisted; the orchestrator ignores client-supplied
webapp_api_url(SSRF / key-leak)
🧠 Agent Prompt-Injection Boundary
- Untrusted tool output (a hostile target controls every byte) is wrapped in per-call random-nonce sentinels before it enters the agent's prompt, across the ReAct loop and side subsystems — a crafted response can no longer forge the framing and inject instructions into the trusted agent
🛠️ Tooling & Upgrade
redamon.shregistersdocker-brokerin the start + update flow, auto-generatesORCHESTRATOR_API_KEY, and self-heals future updates via re-exec- One-time upgrade onto this release:
./redamon.sh update && ./redamon.sh up
Full changelog: v5.0.0...v5.1.0