feat(iwooos): add wazuh runtime owner review readback
@@ -0,0 +1,250 @@
|
||||
{
|
||||
"schema_version": "wazuh_runtime_gate_owner_review_readback_v1",
|
||||
"generated_at": "2026-06-28T11:05:00+08:00",
|
||||
"status": "runtime_gate_owner_review_packet_committed_no_runtime_action",
|
||||
"mode": "committed_owner_review_readback_no_live_wazuh_no_secret_collection",
|
||||
"summary": {
|
||||
"expected_scope_alias_count": 6,
|
||||
"target_selector_count": 6,
|
||||
"source_of_truth_diff_count": 1,
|
||||
"check_mode_plan_count": 1,
|
||||
"dry_run_evidence_count": 1,
|
||||
"rollback_plan_count": 1,
|
||||
"post_apply_verifier_count": 1,
|
||||
"km_playbook_writeback_count": 1,
|
||||
"maintenance_window_review_count": 1,
|
||||
"owner_review_packet_received_count": 1,
|
||||
"owner_review_packet_review_ready_count": 1,
|
||||
"owner_review_packet_accepted_count": 1,
|
||||
"owner_review_packet_supplement_required_count": 0,
|
||||
"owner_review_packet_quarantined_count": 0,
|
||||
"owner_review_runtime_action_rejected_count": 0,
|
||||
"forbidden_payload_count": 18,
|
||||
"forbidden_action_count": 20,
|
||||
"runtime_gate_count": 0,
|
||||
"wazuh_api_live_query_authorized_count": 0,
|
||||
"wazuh_active_response_authorized_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"secret_value_collection_allowed_count": 0
|
||||
},
|
||||
"target_selectors": [
|
||||
{
|
||||
"node_alias": "managed_core_node_a",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
},
|
||||
{
|
||||
"node_alias": "managed_core_node_b",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
},
|
||||
{
|
||||
"node_alias": "managed_core_node_c",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
},
|
||||
{
|
||||
"node_alias": "managed_edge_node_a",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
},
|
||||
{
|
||||
"node_alias": "managed_edge_node_b",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
},
|
||||
{
|
||||
"node_alias": "managed_lab_node_a",
|
||||
"scope": "wazuh_manager_registry_accepted_alias",
|
||||
"selector_kind": "public_alias_only",
|
||||
"runtime_write_allowed": false,
|
||||
"owner_review_scope": "runtime_gate_review_only"
|
||||
}
|
||||
],
|
||||
"required_owner_review_fields": [
|
||||
"owner_review_intent",
|
||||
"owner_reviewer_role",
|
||||
"owner_review_decision",
|
||||
"owner_review_decision_reason",
|
||||
"target_selector_aliases",
|
||||
"source_of_truth_diff_ref",
|
||||
"check_mode_plan_ref",
|
||||
"dry_run_evidence_ref",
|
||||
"blast_radius_statement",
|
||||
"maintenance_window_ref",
|
||||
"rollback_plan_ref",
|
||||
"rollback_owner",
|
||||
"post_apply_verifier_ref",
|
||||
"km_playbook_writeback_ref",
|
||||
"followup_owner",
|
||||
"audit_receipt_ref",
|
||||
"runtime_boundary_ack",
|
||||
"secret_boundary_ack",
|
||||
"live_wazuh_query_boundary_ack"
|
||||
],
|
||||
"review_items": [
|
||||
{
|
||||
"item_id": "owner_decision",
|
||||
"title": "Owner review decision for runtime-gate readiness",
|
||||
"state_key": "owner_review_decision_committed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"owner_reviewer_role",
|
||||
"owner_review_decision",
|
||||
"owner_review_decision_reason"
|
||||
],
|
||||
"next_gate": "staged allowlisted check-mode before any future runtime gate change"
|
||||
},
|
||||
{
|
||||
"item_id": "target_selector",
|
||||
"title": "Public alias target selector",
|
||||
"state_key": "target_selector_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"target_selector_aliases"
|
||||
],
|
||||
"next_gate": "target selector remains public aliases only"
|
||||
},
|
||||
{
|
||||
"item_id": "source_of_truth_diff",
|
||||
"title": "Source-of-truth diff reference",
|
||||
"state_key": "source_of_truth_diff_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"source_of_truth_diff_ref"
|
||||
],
|
||||
"next_gate": "diff must be re-read before any future controlled apply"
|
||||
},
|
||||
{
|
||||
"item_id": "check_mode_dry_run",
|
||||
"title": "Check-mode and dry-run evidence",
|
||||
"state_key": "check_mode_dry_run_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"check_mode_plan_ref",
|
||||
"dry_run_evidence_ref"
|
||||
],
|
||||
"next_gate": "dry-run evidence stays redacted and no host output is stored"
|
||||
},
|
||||
{
|
||||
"item_id": "rollback_and_maintenance",
|
||||
"title": "Rollback and maintenance window",
|
||||
"state_key": "rollback_maintenance_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"rollback_plan_ref",
|
||||
"rollback_owner",
|
||||
"maintenance_window_ref"
|
||||
],
|
||||
"next_gate": "rollback owner and maintenance window must be revalidated before runtime"
|
||||
},
|
||||
{
|
||||
"item_id": "post_apply_verifier",
|
||||
"title": "Post-apply verifier",
|
||||
"state_key": "post_apply_verifier_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"post_apply_verifier_ref"
|
||||
],
|
||||
"next_gate": "future runtime action requires production post-apply verifier readback"
|
||||
},
|
||||
{
|
||||
"item_id": "learning_writeback",
|
||||
"title": "KM and PlayBook trust writeback",
|
||||
"state_key": "learning_writeback_reviewed",
|
||||
"accepted": true,
|
||||
"required_fields": [
|
||||
"km_playbook_writeback_ref",
|
||||
"audit_receipt_ref"
|
||||
],
|
||||
"next_gate": "writeback receipt must be committed after verifier"
|
||||
}
|
||||
],
|
||||
"outcome_lanes": [
|
||||
"accepted_for_runtime_gate_owner_review_readback_only",
|
||||
"request_runtime_gate_owner_review_supplement",
|
||||
"request_runtime_gate_owner_review_decision_fix",
|
||||
"request_target_selector_fix",
|
||||
"request_runtime_boundary_ack_fix",
|
||||
"quarantine_sensitive_payload",
|
||||
"reject_runtime_action_request"
|
||||
],
|
||||
"forbidden_payloads": [
|
||||
"secret_value",
|
||||
"token_value",
|
||||
"private_key",
|
||||
"cookie",
|
||||
"session",
|
||||
"authorization_header",
|
||||
"client.keys",
|
||||
"raw_wazuh_payload",
|
||||
"raw_agent_identity",
|
||||
"raw_hostname",
|
||||
"internal_ip",
|
||||
"full_cli_output",
|
||||
"full_journal",
|
||||
"raw_dashboard_request",
|
||||
"unredacted_screenshot",
|
||||
"private_namespace",
|
||||
"raw_env_file",
|
||||
"raw_runtime_volume"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"wazuh_api_live_query",
|
||||
"wazuh_active_response",
|
||||
"wazuh_agent_restart",
|
||||
"wazuh_agent_reenroll",
|
||||
"wazuh_manager_restart",
|
||||
"host_write",
|
||||
"systemd_restart",
|
||||
"docker_restart",
|
||||
"nginx_reload",
|
||||
"firewall_change",
|
||||
"kali_active_scan",
|
||||
"credentialed_scan",
|
||||
"exploit_attempt",
|
||||
"secret_rotation",
|
||||
"k8s_apply",
|
||||
"argocd_sync",
|
||||
"database_migration",
|
||||
"force_push",
|
||||
"repo_ref_delete",
|
||||
"workflow_trigger"
|
||||
],
|
||||
"execution_boundaries": {
|
||||
"active_scan_authorized": false,
|
||||
"alertmanager_reload_authorized": false,
|
||||
"auto_block_authorized": false,
|
||||
"credentialed_scan_authorized": false,
|
||||
"firewall_change_authorized": false,
|
||||
"host_write_authorized": false,
|
||||
"kali_execute_authorized": false,
|
||||
"kali_scan_authorized": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"production_write_authorized": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"runtime_gate_open": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"telegram_send_authorized": false,
|
||||
"wazuh_active_response_authorized": false,
|
||||
"wazuh_api_live_query_authorized": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
"no_false_green_rules": [
|
||||
"Owner review packet accepted does not open runtime gate.",
|
||||
"Committed owner review readback only records review readiness and does not query live Wazuh.",
|
||||
"Target selectors are public aliases only and do not authorize host writes.",
|
||||
"Check-mode and dry-run evidence references do not authorize active response.",
|
||||
"Maintenance window, rollback, verifier, and writeback readiness must be revalidated before any future runtime action."
|
||||
]
|
||||
}
|
||||
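Review bot: Six of the nineteen `required_owner_review_fields` — `owner_review_intent`, `blast_radius_statement`, `followup_owner` and the three boundary acknowledgements `runtime_boundary_ack`, `secret_boundary_ack`, `live_wazuh_query_boundary_ack` — do not appear in any `review_items[].required_fields`, so every review item can report `accepted: true` while the readback records nothing about whether those fields were actually present in the packet, even though `outcome_lanes` defines `request_runtime_boundary_ack_fix` for exactly that failure. Since the acks are the packet's explicit statement that no live Wazuh query, host write or secret collection is being requested, I would bind them to a review item of their own so the readback's `accepted` flags cover them, and likewise fold the intent/blast-radius/follow-up fields into the `owner_decision` and `rollback_and_maintenance` items. The readback also carries no identifier or digest for the packet it accepts (only `owner_review_packet_accepted_count: 1`), so the `accepted` flags cannot be reconciled with a specific packet; if the upstream packet has a reference, an `owner_review_packet_ref` beside the counts would close that gap. The new item would be inserted into `review_items` alongside the existing seven, with its count reflected in the summary if one is added.

```json
"review_items": [
  {
    "item_id": "boundary_acks",
    "title": "Runtime, secret and live-query boundary acknowledgements",
    "state_key": "boundary_acks_reviewed",
    "accepted": true,
    "required_fields": [
      "runtime_boundary_ack",
      "secret_boundary_ack",
      "live_wazuh_query_boundary_ack",
      "blast_radius_statement"
    ],
    "next_gate": "all three boundary acks must be re-affirmed in any packet that requests a runtime gate change"
  },
```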