Authorized Use Only
This document describes security properties of the Alfa Arsenal control plane. It does not replace engagement-specific legal review or authorization processes.
This document describes security properties of the Alfa Arsenal control plane when used as an authorized wireless assessment platform. It does not replace engagement-specific legal review.
- Captured handshakes, PMKIDs, credentials, PCAPs, GPS traces.
- SQLite database (
ArsenalConfig.db_path). - API keys (
api_secret_key/X-API-Key) and remote coordination API secrets (c2_secret_key).
| Threat | Mitigation |
|---|---|
| Unauthorized API use | Bind API to 127.0.0.1 by default; set api_secret_key; reverse proxy + mTLS for remote access. |
| Unauthorized RF operations | Engagement policy (policy_file); ROE menu; target BSSID allowlists. |
| Data tampering | Evidence hashing (core/evidence.py); prefer immutable storage for deliverables. |
| Container escape | API Docker image is optional and RF-less; production RF runs on host with least privilege. |
| Supply chain | Pin Python deps (requirements.txt); verify distro packages; audit Git clones in install.sh. |
- Least privilege: run as non-root where possible; wireless operations still require capabilities equivalent to root on Linux.
- Audit: structured logging (
ArsenalLogger); metrics (/metrics); assessment runs in DB. - Configuration: policy-as-code JSON; no default wide-open remote coordination API secret.
- Physical security of the hardware adapter.
- Target network legal authorization (operator responsibility).