diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 8ea03282a..471c11006 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,45 @@ +## 2026-06-04|IwoooS P1-7 Kali 112 Maintenance Window Draft + +**背景**:P1-5 rollback owner handoff 已推送;本段接續 P1-7,針對 Kali `192.168.0.112` 已知缺口建立維護窗口草案。既有只讀證據顯示待更新套件 `1994`、`networking.service` failed、scanner service hardening `0 / 4`、reboot required `false`。本段只整理 owner / reviewer 可審的維護 handoff,不登入主機、不更新、不重啟、不 restart、不套 hardening、不 active scan、不呼叫 `/execute`。 + +**本輪完成**: +- 新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md`:整理 owner response 必填欄位、禁止輸入、四條維護 lane、維護前檢查、rollback 草案、post-check 與驗收規則。 +- 新增 `docs/security/kali-112-maintenance-window-draft.snapshot.json`:固定 `pending_update_count=1994`、`failed_systemd_unit_count=1`、`service_hardening_enabled_count=0`、`service_hardening_expected_count=4`,並維持所有 host action flag 為 `false`。 +- 新增 `docs/schemas/kali_maintenance_window_draft_v1.schema.json`:讓維護窗口草案、owner response handoff、rollback plan 與 post-check 有可驗契約。 +- 更新 `KALI-INTEGRATION-STATUS.md` 與 `kali-integration-status.snapshot.json`:連到 P1-7 維護窗口草案,並把下一個 gate 改成先收 owner response / rollback owner / validation owner。 +- 更新 `DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md`:112 維護準備欄位連到 P1-7 草案。 +- 更新 IwoooS P0/P1 主控總帳:Kali 112 維護準備標記為 P1-7 maintenance window draft `100%`;維護執行仍未開始。 + +**完成度更新**: +- P1-7 Kali 112 maintenance window draft:`100%`。 +- Kali 112 維護執行:`0%`。 +- host update authorized:`false`。 +- service restart authorized:`false`。 +- hardening authorized:`false`。 +- reboot authorized:`false`。 +- active scan authorized:`false`。 +- `/execute` authorized:`false`。 +- active runtime gate:`0`。 +- IwoooS headline:維持 `64%`,不因文件草案假性調高。 + +**驗證**: +- `python3 -m json.tool docs/security/kali-112-maintenance-window-draft.snapshot.json`:通過。 +- `python3 -m json.tool docs/schemas/kali_maintenance_window_draft_v1.schema.json`:通過。 +- `python3 -m json.tool docs/security/kali-integration-status.snapshot.json`:通過。 +- 本段自訂結構檢查:`KALI_MAINTENANCE_WINDOW_DRAFT_STRUCTURE_OK`。 +- `git diff --check`:通過。 +- `python3 scripts/security/source-control-owner-response-guard.py --root .`:`SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 +- 新增 diff 行 credential pattern 檢查:`NO_ADDED_URL_CREDENTIAL_PATTERNS`。 +- Schema validator 限制:本地沒有 Python `jsonschema` 與 Node AJV,未跑完整 JSON Schema validator;本段以 JSON parse、自訂結構檢查與既有 guard 補位。 +- Production 頁面檢查:本段只改 docs / snapshot / schema / LOGBOOK,未改 IwoooS 前端與 production 文案,不宣稱新的 production 狀態;沿用 P0 `/zh-TW/iwooos` desktop / mobile live sanity 基準。 + +**目前邊界**: +- 本草案完成不代表 maintenance window 已批准。 +- owner response received / accepted 前,不得執行 `apt upgrade`、full-upgrade、autoremove、restart、hardening、reboot。 +- active scan、credentialed scan 與 `/execute` 仍需獨立 approval gate,不可包進維護窗口。 +- 未來 post-check 失敗只能建立人工 follow-up,不得自動補救。 + ## 2026-06-04|IwoooS P1-5 Primary Rollback Owner Handoff **背景**:P1-4 已補 workflow / secret owner response handoff;本段接著補 P1-5 / S4.4 GitHub primary rollback ADR 的 owner handoff。目標是讓 7 個 in-scope repo 能用同一個只讀封套回覆 rollback owner、fallback role、trigger、pre-cutover / 1h / 24h validation window 與 follow-up owner;這不是 owner approval、不是 dry-run、不是 GitHub primary cutover,也不是 rollback execution。 @@ -32,7 +74,7 @@ - `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - URL credential pattern 檢查:本段新增 diff 行無命中;檔案級掃描命中 LOGBOOK 歷史舊行的外洩檢查旗標,非本段新增 credential payload。 - Schema validator 限制:本地沒有 Python `jsonschema` 與 Node AJV,未跑完整 JSON Schema validator;本段以 JSON parse、自訂結構檢查與既有 guard 補位。 -- Production 頁面檢查:本段 P1-5 主要是 docs / snapshot / schema / LOGBOOK;另含 5 個 i18n 鏡像字串修正,未改 layout 或資料鏈路。正式站頁面檢查若後續 CD 部署,需補 `/zh-TW/awooop/runs` desktop / mobile smoke;本段不宣稱新的 production 狀態,IwoooS `/zh-TW/iwooos` 沿用 P0 desktop / mobile live sanity 基準。 +- Production 頁面檢查:`8a326338` 已由 deploy marker `c046b9c8 chore(cd): deploy 8a32633 [skip ci]` 上線;Browser smoke `/zh-TW/awooop/runs?project_id=awoooi` desktop 1440x1100 與 mobile 390x844 皆載入 50 列、`horizontalOverflow=0`,繁中狀態 / fallback 文案 `需人工`、`執行失敗`、`已驗證`、`已執行`、`待判讀`、`狀態鏈批次回補中` 可見,英文殘留 `Needs human`、`Execution failed`、`Verified`、`Executed`、`Pending`、`Status chain batch is catching up`、`Wait for status-chain batch` 皆為 0。截圖:`/tmp/awoooi-runs-i18n-desktop-20260604.png`、`/tmp/awoooi-runs-i18n-mobile-20260604.png`。IwoooS `/zh-TW/iwooos` 仍沿用 P0 desktop / mobile live sanity 基準。 **目前邊界**: - P1-5 handoff 只代表 rollback owner request package 可交接,不代表 request 已送出、owner 已回覆或 owner 已批准。 diff --git a/docs/schemas/kali_maintenance_window_draft_v1.schema.json b/docs/schemas/kali_maintenance_window_draft_v1.schema.json new file mode 100644 index 000000000..b13c30cbf --- /dev/null +++ b/docs/schemas/kali_maintenance_window_draft_v1.schema.json @@ -0,0 +1,193 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:kali-maintenance-window-draft-v1", + "title": "Kali 112 Maintenance Window Draft v1", + "description": "定義 Kali 192.168.0.112 維護窗口草案、owner 回覆欄位、rollback、post-check 與禁止動作。此契約不授權 apt upgrade、restart、hardening、reboot、active scan 或 /execute。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "mode", + "source_evidence_refs", + "summary", + "observed_gaps", + "owner_response_handoff", + "maintenance_window_draft", + "rollback_plan_draft", + "post_check_plan", + "acceptance_rules", + "forbidden_actions" + ], + "properties": { + "schema_version": { + "const": "kali_maintenance_window_draft_v1" + }, + "status": { + "type": "string", + "enum": ["draft_waiting_owner_review"] + }, + "date": { + "type": "string" + }, + "mode": { + "type": "string", + "enum": ["maintenance_window_draft_only"] + }, + "source_evidence_refs": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "summary": { + "type": "object", + "required": [ + "host", + "asset_key", + "pending_update_count", + "failed_systemd_unit_count", + "service_hardening_enabled_count", + "service_hardening_expected_count", + "reboot_required", + "maintenance_window_package_ready", + "maintenance_window_completion_percent", + "maintenance_window_approved", + "host_update_authorized", + "service_restart_authorized", + "hardening_authorized", + "reboot_authorized", + "active_scan_authorized", + "execute_endpoint_authorized" + ], + "properties": { + "host": {"type": "string"}, + "asset_key": {"type": "string"}, + "pending_update_count": {"type": "integer", "minimum": 0}, + "failed_systemd_unit_count": {"type": "integer", "minimum": 0}, + "service_hardening_enabled_count": {"type": "integer", "minimum": 0}, + "service_hardening_expected_count": {"type": "integer", "minimum": 0}, + "reboot_required": {"type": "boolean"}, + "maintenance_window_package_ready": {"type": "boolean"}, + "maintenance_window_completion_percent": {"type": "integer", "minimum": 0, "maximum": 100}, + "maintenance_window_approved": {"type": "boolean", "const": false}, + "host_update_authorized": {"type": "boolean", "const": false}, + "service_restart_authorized": {"type": "boolean", "const": false}, + "hardening_authorized": {"type": "boolean", "const": false}, + "reboot_authorized": {"type": "boolean", "const": false}, + "active_scan_authorized": {"type": "boolean", "const": false}, + "execute_endpoint_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "observed_gaps": { + "type": "array", + "items": { + "type": "object", + "required": ["gap_id", "current_evidence", "risk", "required_before_action"], + "properties": { + "gap_id": {"type": "string"}, + "current_evidence": {"type": "string"}, + "risk": {"type": "string", "enum": ["LOW", "MEDIUM", "HIGH"]}, + "required_before_action": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "owner_response_handoff": { + "type": "object", + "required": [ + "status", + "request_dispatch_authorized", + "required_response_fields", + "forbidden_inputs", + "response_received", + "response_accepted" + ], + "properties": { + "status": {"type": "string", "enum": ["ready_not_dispatched"]}, + "request_dispatch_authorized": {"type": "boolean", "const": false}, + "required_response_fields": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_inputs": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "response_received": {"type": "boolean", "const": false}, + "response_accepted": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "maintenance_window_draft": { + "type": "object", + "required": ["window_status", "candidate_window", "change_lanes", "pre_window_checks"], + "properties": { + "window_status": {"type": "string", "enum": ["waiting_owner_selection"]}, + "candidate_window": {"type": "string"}, + "change_lanes": { + "type": "array", + "items": { + "type": "object", + "required": ["lane_id", "description", "authorization_required", "current_authorized"], + "properties": { + "lane_id": {"type": "string"}, + "description": {"type": "string"}, + "authorization_required": {"type": "string"}, + "current_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "pre_window_checks": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false + }, + "rollback_plan_draft": { + "type": "array", + "items": { + "type": "object", + "required": ["rollback_item", "required_evidence", "owner_status"], + "properties": { + "rollback_item": {"type": "string"}, + "required_evidence": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "owner_status": {"type": "string", "enum": ["waiting_owner_assignment"]} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "post_check_plan": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "acceptance_rules": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_actions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md b/docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md index 63ccc00de..0fa87ee11 100644 --- a/docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md +++ b/docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md @@ -36,7 +36,7 @@ | Host | scope | maintenance window | credential handling | rollback owner | validation 指標 | |------|-------|--------------------|---------------------|----------------|-----------------| -| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness | 待人工指定;目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent;不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref | +| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness;P1-7 草案見 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | 待人工指定;目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent;不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref | | `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readiness | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼或 private key;只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke | | `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposure | 待人工指定;目前不得 credentialed scan 或讀取未授權目錄 | 不收個人憑證、不讀私有目錄、不保存 secrets value | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note | diff --git a/docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md b/docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md new file mode 100644 index 000000000..910bf58a2 --- /dev/null +++ b/docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md @@ -0,0 +1,123 @@ +# Kali 112 維護窗口草案 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-06-04 | +| 狀態 | 草案,等待 owner review | +| Host | `192.168.0.112` | +| Asset key | `host:kali-112` | +| Schema | `docs/schemas/kali_maintenance_window_draft_v1.schema.json` | +| Snapshot | `docs/security/kali-112-maintenance-window-draft.snapshot.json` | +| 上游證據 | `docs/security/KALI-INTEGRATION-STATUS.md`、`docs/security/kali-integration-status.snapshot.json` | +| 模式 | `maintenance_window_draft_only` | +| 執行面授權 | `false` | + +## 0. 核心結論 + +P1-7 補的是 Kali `192.168.0.112` 的維護窗口草案,不是維護批准,也不是主機操作計畫。 + +目前只讀證據顯示: + +| 證據 | 目前值 | +|------|--------| +| 待更新套件 | `1994` | +| failed systemd units | `1`,為 `networking.service` | +| scanner service hardening | `0 / 4` | +| reboot required | `false` | +| scanner API health | `127.0.0.1:8080/health` 回 `healthy` | +| Docker services | `node-exporter`、`wg-easy` 運作中 | + +這些值代表「需要人工安排維護窗口與 rollback」,不代表可以直接 `apt upgrade`、restart、套 hardening、reboot、active scan 或呼叫 `/execute`。 + +## 1. 摘要 + +| 指標 | 值 | +|------|----| +| maintenance window package | `ready` | +| package completion | `100%` | +| maintenance window approved | `false` | +| host update authorized | `false` | +| service restart authorized | `false` | +| hardening authorized | `false` | +| reboot authorized | `false` | +| active scan authorized | `false` | +| `/execute` authorized | `false` | +| owner response received / accepted | `false / false` | + +## 2. Owner Response Handoff + +此 handoff 只讓 AwoooP 或 reviewer 請 owner 補維護窗口 metadata。它不是 request sent,也不是 approval queue,更不是可執行動作。 + +### 2.1 必填欄位 + +| 欄位 | 說明 | +|------|------| +| `owner_role_or_team` | 維護 owner 的角色或團隊 | +| `maintenance_window_start_end_taipei` | 台北時間維護窗口起訖;未填前不安排 | +| `change_scope` | 本次允許討論的範圍,例如 package planning、networking.service review、hardening dry-run design | +| `rollback_owner` | rollback / stop decision owner | +| `validation_owner` | 維護後健康檢查 owner | +| `communication_owner` | 對 AwoooP / Telegram / LOGBOOK / operator 同步的 owner | +| `reboot_decision` | 是否允許未來 reboot;目前預設 `false` | +| `redacted_evidence_refs` | 只填文件、snapshot、ticket 或脫敏 metadata pointer | +| `followup_owner` | 補件、拒收或下一階段 owner | + +### 2.2 禁止輸入 + +| 類型 | 規則 | +|------|------| +| credential | 不貼密碼、token value、API key value、private key 或 runner token | +| host command | 不貼 `apt upgrade`、restart、hardening apply、reboot 或 shell command | +| scan request | 不把 active scan、credentialed scan 或 `/execute` 包進維護窗口 | +| runtime action | 不新增 AwoooP action button,不開 runtime blocking control | + +## 3. 維護 Lane 草案 + +| Lane | 目的 | 目前授權 | +|------|------|----------| +| package update planning | 整理 full-upgrade / autoremove / reboot 前置條件 | `false` | +| networking.service review | 釐清 failed unit 是否 expected / legacy / real failure | `false` | +| scanner systemd hardening dry-run design | 設計 override 與工具相容檢查 | `false` | +| post-maintenance validation | 定義維護後 health / service / update / evidence readback | `false` | + +## 4. 維護前檢查 + +1. owner response 已收到且 accepted。 +2. package、service、hardening、reboot scope 不混在同一個未批准動作中。 +3. 不保存任何 credential value。 +4. rollback owner 與 validation owner 已指定。 +5. out-of-band access 與停止條件已定義。 +6. active scan、credentialed scan 與 `/execute` 仍未授權。 + +## 5. Rollback 草案 + +| 項目 | 需要證據 | owner 狀態 | +|------|----------|------------| +| package update rollback | pre-window package list snapshot、apt history / dpkg log redacted ref、rollback owner、reboot decision | waiting owner assignment | +| networking.service restart rollback | current network service model、out-of-band access、previous service state snapshot、rollback owner | waiting owner assignment | +| systemd hardening override rollback | override file path、scanner tool compatibility result、scanner health before / after refs、rollback owner | waiting owner assignment | + +## 6. 維護後 Post-check + +1. scanner API `/health` 回 healthy。 +2. `kali-scanner.service` active / enabled。 +3. `node-exporter` container up。 +4. `wg-easy` container healthy。 +5. failed systemd units 已 review。 +6. pending update count 已記錄。 +7. reboot required flag 已記錄。 +8. service hardening state 已記錄。 +9. AwoooP / IwoooS evidence refs 已更新。 +10. 沒有 active scan 或 `/execute`,除非另有獨立批准。 + +## 7. 驗收規則 + +1. 本草案完成不代表 maintenance window 已批准。 +2. owner response received / accepted 前,不得執行 `apt upgrade`、restart、hardening 或 reboot。 +3. active scan、credentialed scan 或 `/execute` 必須走獨立 approval gate,不可包進維護窗口。 +4. 所有 evidence refs 必須脫敏,不保存 credential value。 +5. 維護後若任何 post-check 失敗,只能建立人工 follow-up,不得自動補救。 + +## 8. 階段定位 + +P1-7 只把 Kali 112 的維護準備從「缺口已知」推到「owner / reviewer 可照表審維護窗口」。它不改變主機、不開 runtime gate、不啟動掃描,也不提高 IwoooS headline 64%。 diff --git a/docs/security/KALI-INTEGRATION-STATUS.md b/docs/security/KALI-INTEGRATION-STATUS.md index ded976475..da2d98ee8 100644 --- a/docs/security/KALI-INTEGRATION-STATUS.md +++ b/docs/security/KALI-INTEGRATION-STATUS.md @@ -9,6 +9,7 @@ | 模式 | `observe_only` | | Snapshot | `docs/security/kali-integration-status.snapshot.json` | | Schema | `docs/schemas/kali_integration_status_v1.schema.json` | +| Maintenance window draft | `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | ## 0. 核心結論 @@ -48,6 +49,12 @@ Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runti 結論:Kali `192.168.0.112` 今天仍可被 IwoooS 以只讀方式納入證據鏈,scanner runtime 健康也有實機證據;但 `networking.service` failed、`upgradable_package_count=1994` 與服務硬化缺口代表後續仍需要維護窗口、rollback / reboot gate、hardening dry-run 與人工批准,不能直接把「可連線」解讀為主機更新、掃描或調校已完成。 +## 0.1.1 2026-06-04 P1-7 維護窗口草案 + +已新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 與 `docs/security/kali-112-maintenance-window-draft.snapshot.json`,把 1994 個待更新套件、`networking.service` failed、scanner service hardening `0 / 4`、rollback owner、post-check owner 與維護後驗證指標整理成 owner / reviewer 可審的 handoff package。 + +這是 maintenance window readiness,不是 maintenance approval。`host_update_authorized=false`、`service_restart_authorized=false`、`hardening_authorized=false`、`reboot_authorized=false`、`active_scan_authorized=false`、`execute_endpoint_authorized=false` 全部維持不變。 + ## 0.2 2026-05-31 只讀實機快照 本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。 @@ -163,4 +170,4 @@ AwoooP 現階段只能 mirror `kali_integration_status_v1`: 2. 未來批准後,再建立 `security_finding_v1` ingestion endpoint 或 adapter,先只接 redacted finding。 3. 把 `/execute` endpoint 降級為預設停用或單獨 high-risk approval path。 4. 修正 Harbor image scan 的 target / project / auth / certificate chain。 -5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot,再 upgrade,最後 reboot 與健康複驗。 +5. 依 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗。 diff --git a/docs/security/kali-112-maintenance-window-draft.snapshot.json b/docs/security/kali-112-maintenance-window-draft.snapshot.json new file mode 100644 index 000000000..945ff3f01 --- /dev/null +++ b/docs/security/kali-112-maintenance-window-draft.snapshot.json @@ -0,0 +1,217 @@ +{ + "schema_version": "kali_maintenance_window_draft_v1", + "status": "draft_waiting_owner_review", + "date": "2026-06-04", + "mode": "maintenance_window_draft_only", + "source_evidence_refs": [ + "docs/security/KALI-INTEGRATION-STATUS.md", + "docs/security/kali-integration-status.snapshot.json", + "docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md", + "docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md", + "docs/workplans/2026-06-04-iwooos-security-governance-p0.md" + ], + "summary": { + "host": "192.168.0.112", + "asset_key": "host:kali-112", + "pending_update_count": 1994, + "failed_systemd_unit_count": 1, + "service_hardening_enabled_count": 0, + "service_hardening_expected_count": 4, + "reboot_required": false, + "maintenance_window_package_ready": true, + "maintenance_window_completion_percent": 100, + "maintenance_window_approved": false, + "host_update_authorized": false, + "service_restart_authorized": false, + "hardening_authorized": false, + "reboot_authorized": false, + "active_scan_authorized": false, + "execute_endpoint_authorized": false + }, + "observed_gaps": [ + { + "gap_id": "pending-updates-1994", + "current_evidence": "2026-06-04 只讀快照顯示 upgradable_package_count=1994。", + "risk": "MEDIUM", + "required_before_action": [ + "maintenance window owner response", + "package change scope", + "rollback owner", + "post-check owner", + "reboot decision" + ] + }, + { + "gap_id": "networking-service-failed", + "current_evidence": "2026-06-04 只讀快照顯示 failed_systemd_unit_names=[networking.service]。", + "risk": "MEDIUM", + "required_before_action": [ + "service owner confirmation", + "expected network manager / interface model", + "restart impact review", + "rollback path", + "out-of-band access confirmation" + ] + }, + { + "gap_id": "scanner-service-hardening-0-of-4", + "current_evidence": "2026-06-04 只讀快照顯示 NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。", + "risk": "MEDIUM", + "required_before_action": [ + "dry-run hardening design", + "scanner tool compatibility review", + "override rollback file plan", + "health check plan", + "manual approval" + ] + }, + { + "gap_id": "execute-endpoint-present", + "current_evidence": "Kali Scanner API 文件化存在 /execute path,仍是 block candidate。", + "risk": "HIGH", + "required_before_action": [ + "separate high-risk approval", + "allowlist / disable gate design", + "audit event design", + "runtime gate", + "manual exception record" + ] + } + ], + "owner_response_handoff": { + "status": "ready_not_dispatched", + "request_dispatch_authorized": false, + "required_response_fields": [ + "owner_role_or_team", + "maintenance_window_start_end_taipei", + "change_scope", + "rollback_owner", + "validation_owner", + "communication_owner", + "reboot_decision", + "redacted_evidence_refs", + "followup_owner" + ], + "forbidden_inputs": [ + "password value", + "token value", + "private key", + "API key value", + "runner token", + "raw secret", + "command to execute", + "apt upgrade request", + "service restart request", + "hardening apply request", + "active scan request", + "execute endpoint request" + ], + "response_received": false, + "response_accepted": false + }, + "maintenance_window_draft": { + "window_status": "waiting_owner_selection", + "candidate_window": "建議由 owner 指定台北時間低流量 2 小時窗口;本草案不自動指定日期或開始維護。", + "change_lanes": [ + { + "lane_id": "package-update-planning", + "description": "整理 full-upgrade / autoremove / reboot 的人工批准前檢查,不執行 apt upgrade。", + "authorization_required": "kali-full-upgrade-reboot approval + rollback owner + post-check owner", + "current_authorized": false + }, + { + "lane_id": "networking-service-review", + "description": "釐清 networking.service failed 是否為 expected / legacy / real failure,不直接 restart。", + "authorization_required": "service owner decision + out-of-band access + rollback path", + "current_authorized": false + }, + { + "lane_id": "scanner-systemd-hardening-dry-run-design", + "description": "設計 kali-scanner.service hardening override 的 dry-run / compatibility review,不套用 hardening。", + "authorization_required": "scanner owner decision + health compatibility review + rollback file plan", + "current_authorized": false + }, + { + "lane_id": "post-maintenance-validation", + "description": "定義維護後 scanner health、Docker service、failed units、pending updates、reboot required 與 AwoooP / IwoooS evidence readback。", + "authorization_required": "validation owner + evidence refs + reviewer acceptance", + "current_authorized": false + } + ], + "pre_window_checks": [ + "確認 maintenance window owner response 已收到且 accepted。", + "確認 package / service / hardening / reboot scope 沒有混在同一個未批准動作中。", + "確認不保存任何 credential value。", + "確認 rollback owner 與 validation owner 已指定。", + "確認 out-of-band access 與停止條件已定義。", + "確認 active scan、credentialed scan 與 /execute 仍未授權。" + ] + }, + "rollback_plan_draft": [ + { + "rollback_item": "package update rollback", + "required_evidence": [ + "pre-window package list snapshot ref", + "apt history / dpkg log redacted ref", + "rollback owner", + "reboot decision" + ], + "owner_status": "waiting_owner_assignment" + }, + { + "rollback_item": "networking.service restart rollback", + "required_evidence": [ + "current network service model", + "out-of-band access confirmation", + "previous service state snapshot ref", + "rollback owner" + ], + "owner_status": "waiting_owner_assignment" + }, + { + "rollback_item": "systemd hardening override rollback", + "required_evidence": [ + "override file path", + "scanner tool compatibility result", + "scanner health before / after refs", + "rollback owner" + ], + "owner_status": "waiting_owner_assignment" + } + ], + "post_check_plan": [ + "scanner API /health returns healthy", + "kali-scanner.service active / enabled", + "node-exporter container up", + "wg-easy container healthy", + "failed systemd units reviewed", + "pending update count recorded", + "reboot required flag recorded", + "service hardening state recorded", + "AwoooP / IwoooS evidence refs updated", + "no active scan or /execute call occurred during maintenance unless separately approved" + ], + "acceptance_rules": [ + "本草案完成不代表 maintenance window 已批准。", + "maintenance owner response received / accepted 前,不得執行 apt upgrade、restart、hardening 或 reboot。", + "任何 active scan、credentialed scan 或 /execute 都必須走獨立 approval gate,不可包進維護窗口。", + "所有 evidence refs 必須脫敏,不保存 credential value。", + "維護後若任何 post-check 失敗,只能建立人工 follow-up,不得自動補救。" + ], + "forbidden_actions": [ + "apt_upgrade", + "apt_full_upgrade", + "apt_autoremove", + "restart_networking_service", + "apply_systemd_hardening", + "reboot_host", + "active_scan", + "credentialed_scan", + "call_execute_endpoint", + "store_credential_value", + "change_firewall", + "change_networkpolicy", + "change_rbac", + "enable_runtime_blocking_control" + ] +} diff --git a/docs/security/kali-integration-status.snapshot.json b/docs/security/kali-integration-status.snapshot.json index d3466f02b..34f3241e0 100644 --- a/docs/security/kali-integration-status.snapshot.json +++ b/docs/security/kali-integration-status.snapshot.json @@ -150,7 +150,7 @@ "未來批准後建立 Kali scan result ingestion adapter,先只接收 redacted findings", "把 /execute endpoint 改成預設停用或單獨 high-risk approval path", "把 Harbor scan failure 轉成 security finding / ops finding,不直接自動修復", - "安排 Kali rolling full-upgrade 維護窗口與 reboot gate" + "依 docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗" ], "still_forbidden": [ "run_active_scan_without_scope_approval", diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index c68d95683..d927cf054 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md @@ -9,7 +9,7 @@ | 工作視窗 | IwoooS / AWOOOI 資安治理 P0 | | 本次乾淨 worktree | `/private/tmp/awoooi-iwooos-governance-p0-20260604` | | 本次分支 | `codex/iwooos-governance-p0-20260604` | -| 最新觀察到的 `gitea/main` | `8ad8bf48 fix(web): keep run status readable without chain batch` | +| 最新觀察到的 `gitea/main` | `c046b9c8 chore(cd): deploy 8a32633 [skip ci]` | | 前一個正式 IwoooS 候選基準 | code `7b8fc093`、deploy marker `45c63488`、LOGBOOK `02cadee6` | | 最新導航 IA 基準 | code `973fc7a4`、LOGBOOK `2555c811`、deploy marker `0260ec89` | | 禁止事項 | 不 force push、不 destructive git、不 SSH 修改主機、不 active scan、不收 secrets 明文、不把 AwoooP approval 當資安批准、不把 UI 可見當 runtime 授權 | @@ -24,7 +24,7 @@ | active runtime gate | 0 | 否 | 必須維持 0,直到獨立人工批准、rollback、post-check 與 guard 成立 | | S4.9 owner response gate | 0% | 可在收到合格回覆後調整 | 目前只定義欄位、預檢、收件與驗收,不標記 received / accepted | | GitHub primary readiness | 0 | 否 | primary gate 仍為 0;P1 只讀重盤工作本身目前約 70%,不代表可切 primary | -| Kali 112 維護準備 | 只讀證據已納管,維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan | +| Kali 112 維護準備 | P1-7 maintenance window draft `100%`;維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan | | 111 / 168 開發主機納管 | observe-only mapping 已有,維護包需補強 | 可補文件,不調 runtime | 仍不 credentialed scan、不讀未授權資料、不自動修復 | | VibeWork 納入 IwoooS | 前端態勢已有 onboarding 欄位,產品邊界需補規範 | 可補文件 | 保留 VibeWork 獨立產品邊界 | @@ -129,7 +129,7 @@ S4.9 是目前 IwoooS 64% 能往前的第一優先 gate。驗收前所有 count | 優先 | 工作 | 細項 | 驗證 | |------|------|------|------| | P1 | GitHub primary readiness 只讀重盤 | repo visibility、refs、tags、workflow、secret name、runner、rollback ADR | 只讀 inventory;不建立 repo、不同步 refs | -| P1 | Kali 112 維護窗口草案 | 1994 pending updates、`networking.service` failed、服務硬化 0/4、rollback、post-check | 文件與人工批准;不 `apt upgrade`、不 restart | +| P1 | Kali 112 維護窗口草案 | 1994 pending updates、`networking.service` failed、服務硬化 0/4、rollback、post-check | P1-7 草案已完成;不 `apt upgrade`、不 restart | | P1 | 111 / 168 主機 scope 補強 | scope、maintenance window、credential handling、rollback owner、validation 指標 | observe-only;不 credentialed scan | | P1 | VibeWork 納入 IwoooS | repo、product、surface、owner、evidence refs、獨立產品邊界 | 繁中 docs/specs;不合併產品責任 | | P1 | Code Review 候選分類 | 前端體驗、測試補洞、文件同步、低風險重構;人工批准後才 Codex | 候選不自動改 code、不自動 deploy | @@ -186,7 +186,7 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory / | P1-4 | Workflow / runner / secret parity evidence | 已補 2026-06-04 owner response handoff package;webhook、runner owner、deploy key、branch protection、CODEOWNERS、secret name parity 只收 redacted metadata | secret value、hash、masked token、partial token 仍拒收;received / accepted 前全部 0 | | P1-5 | Primary rollback ADR 補強 | 已補 2026-06-04 rollback owner handoff package;逐 repo rollback owner、trigger、validation window、fallback role 進入可交接模板 | ADR approved 前不切 primary;received / accepted / approved 仍 0 | | P1-6 | AwoooP Session 同步 | 同步 commits、runs、production sanity、P1 refresh counts、gate 0 / false | 另一 Session 不再使用舊 refs count | -| P1-7 | Kali 112 maintenance window 草案 | packages、`networking.service` failed、hardening 0/4、rollback、post-check | 文件草案,不執行 `apt upgrade` / restart / scan | +| P1-7 | Kali 112 maintenance window 草案 | 已補 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、snapshot 與 schema;packages、`networking.service` failed、hardening 0/4、rollback、post-check 已進 owner handoff | 文件草案,不執行 `apt upgrade` / restart / hardening / scan | | P1-8 | 111 / 168 開發主機 scope | scope、credential handling、rollback owner、validation 指標 | observe-only,不做 credentialed scan | | P1-9 | VibeWork 納入 IwoooS | repo / product / surface / owner / evidence refs / 獨立產品邊界 | docs/specs 繁中,產品責任不合併 | @@ -216,6 +216,8 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory / | P1-4 JSON parse / structure check | `source-control-workflow-secret-name-owner-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `WORKFLOW_SECRET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator | | P1-5 Primary rollback owner handoff | S4.4 日期更新為 2026-06-04;補 6 項 rollback owner handoff preflight、11 欄 handoff packet、7 個 repo owner response templates 與送後不變條件;received / accepted / rejected、owner approved、dry-run、active cutover 仍 0 | | P1-5 JSON parse / structure check | `source-control-primary-rollback-adr.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `PRIMARY_ROLLBACK_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV 時以 JSON parse、自訂結構檢查與既有 guard 補位 | +| AwoooP Runs i18n production smoke | deploy marker `c046b9c8` 已上線 `8a326338`;desktop 1440x1100 / mobile 390x844 皆載入 50 列、`horizontalOverflow=0`;繁中狀態與 fallback 文案可見,英文殘留 0 | 截圖 `/tmp/awoooi-runs-i18n-desktop-20260604.png`、`/tmp/awoooi-runs-i18n-mobile-20260604.png` | +| P1-7 Kali 112 maintenance window draft | 新增 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、`kali-112-maintenance-window-draft.snapshot.json`、`kali_maintenance_window_draft_v1.schema.json`;1994 pending updates、`networking.service` failed、hardening `0 / 4`、rollback owner、post-check owner 已整理成 handoff | `host_update_authorized=false`、`service_restart_authorized=false`、`hardening_authorized=false`、`reboot_authorized=false`、`active_scan_authorized=false`、`execute_endpoint_authorized=false` | | P1 JSON parse | `gitea-github-awoooi-inventory`、`github-target-probe`、`source-control-primary-readiness-gate`、`source-control-workflow-secret-name-local-evidence`、Gitea repo / search / org blocked snapshots 皆通過 | | P1 production 頁面檢查 | 本輪未改前端、未改 production 文案、未新增 deploy;不宣稱新的 production 狀態,沿用 P0 live sanity 作為基準 |