docs(security): add Kali maintenance window draft [skip ci]
This commit is contained in:
@@ -36,7 +36,7 @@
|
||||
|
||||
| Host | scope | maintenance window | credential handling | rollback owner | validation 指標 |
|
||||
|------|-------|--------------------|---------------------|----------------|-----------------|
|
||||
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness | 待人工指定;目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent;不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
|
||||
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness;P1-7 草案見 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | 待人工指定;目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent;不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
|
||||
| `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readiness | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼或 private key;只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke |
|
||||
| `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposure | 待人工指定;目前不得 credentialed scan 或讀取未授權目錄 | 不收個人憑證、不讀私有目錄、不保存 secrets value | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note |
|
||||
|
||||
|
||||
123
docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md
Normal file
123
docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md
Normal file
@@ -0,0 +1,123 @@
|
||||
# Kali 112 維護窗口草案
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-04 |
|
||||
| 狀態 | 草案,等待 owner review |
|
||||
| Host | `192.168.0.112` |
|
||||
| Asset key | `host:kali-112` |
|
||||
| Schema | `docs/schemas/kali_maintenance_window_draft_v1.schema.json` |
|
||||
| Snapshot | `docs/security/kali-112-maintenance-window-draft.snapshot.json` |
|
||||
| 上游證據 | `docs/security/KALI-INTEGRATION-STATUS.md`、`docs/security/kali-integration-status.snapshot.json` |
|
||||
| 模式 | `maintenance_window_draft_only` |
|
||||
| 執行面授權 | `false` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
P1-7 補的是 Kali `192.168.0.112` 的維護窗口草案,不是維護批准,也不是主機操作計畫。
|
||||
|
||||
目前只讀證據顯示:
|
||||
|
||||
| 證據 | 目前值 |
|
||||
|------|--------|
|
||||
| 待更新套件 | `1994` |
|
||||
| failed systemd units | `1`,為 `networking.service` |
|
||||
| scanner service hardening | `0 / 4` |
|
||||
| reboot required | `false` |
|
||||
| scanner API health | `127.0.0.1:8080/health` 回 `healthy` |
|
||||
| Docker services | `node-exporter`、`wg-easy` 運作中 |
|
||||
|
||||
這些值代表「需要人工安排維護窗口與 rollback」,不代表可以直接 `apt upgrade`、restart、套 hardening、reboot、active scan 或呼叫 `/execute`。
|
||||
|
||||
## 1. 摘要
|
||||
|
||||
| 指標 | 值 |
|
||||
|------|----|
|
||||
| maintenance window package | `ready` |
|
||||
| package completion | `100%` |
|
||||
| maintenance window approved | `false` |
|
||||
| host update authorized | `false` |
|
||||
| service restart authorized | `false` |
|
||||
| hardening authorized | `false` |
|
||||
| reboot authorized | `false` |
|
||||
| active scan authorized | `false` |
|
||||
| `/execute` authorized | `false` |
|
||||
| owner response received / accepted | `false / false` |
|
||||
|
||||
## 2. Owner Response Handoff
|
||||
|
||||
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補維護窗口 metadata。它不是 request sent,也不是 approval queue,更不是可執行動作。
|
||||
|
||||
### 2.1 必填欄位
|
||||
|
||||
| 欄位 | 說明 |
|
||||
|------|------|
|
||||
| `owner_role_or_team` | 維護 owner 的角色或團隊 |
|
||||
| `maintenance_window_start_end_taipei` | 台北時間維護窗口起訖;未填前不安排 |
|
||||
| `change_scope` | 本次允許討論的範圍,例如 package planning、networking.service review、hardening dry-run design |
|
||||
| `rollback_owner` | rollback / stop decision owner |
|
||||
| `validation_owner` | 維護後健康檢查 owner |
|
||||
| `communication_owner` | 對 AwoooP / Telegram / LOGBOOK / operator 同步的 owner |
|
||||
| `reboot_decision` | 是否允許未來 reboot;目前預設 `false` |
|
||||
| `redacted_evidence_refs` | 只填文件、snapshot、ticket 或脫敏 metadata pointer |
|
||||
| `followup_owner` | 補件、拒收或下一階段 owner |
|
||||
|
||||
### 2.2 禁止輸入
|
||||
|
||||
| 類型 | 規則 |
|
||||
|------|------|
|
||||
| credential | 不貼密碼、token value、API key value、private key 或 runner token |
|
||||
| host command | 不貼 `apt upgrade`、restart、hardening apply、reboot 或 shell command |
|
||||
| scan request | 不把 active scan、credentialed scan 或 `/execute` 包進維護窗口 |
|
||||
| runtime action | 不新增 AwoooP action button,不開 runtime blocking control |
|
||||
|
||||
## 3. 維護 Lane 草案
|
||||
|
||||
| Lane | 目的 | 目前授權 |
|
||||
|------|------|----------|
|
||||
| package update planning | 整理 full-upgrade / autoremove / reboot 前置條件 | `false` |
|
||||
| networking.service review | 釐清 failed unit 是否 expected / legacy / real failure | `false` |
|
||||
| scanner systemd hardening dry-run design | 設計 override 與工具相容檢查 | `false` |
|
||||
| post-maintenance validation | 定義維護後 health / service / update / evidence readback | `false` |
|
||||
|
||||
## 4. 維護前檢查
|
||||
|
||||
1. owner response 已收到且 accepted。
|
||||
2. package、service、hardening、reboot scope 不混在同一個未批准動作中。
|
||||
3. 不保存任何 credential value。
|
||||
4. rollback owner 與 validation owner 已指定。
|
||||
5. out-of-band access 與停止條件已定義。
|
||||
6. active scan、credentialed scan 與 `/execute` 仍未授權。
|
||||
|
||||
## 5. Rollback 草案
|
||||
|
||||
| 項目 | 需要證據 | owner 狀態 |
|
||||
|------|----------|------------|
|
||||
| package update rollback | pre-window package list snapshot、apt history / dpkg log redacted ref、rollback owner、reboot decision | waiting owner assignment |
|
||||
| networking.service restart rollback | current network service model、out-of-band access、previous service state snapshot、rollback owner | waiting owner assignment |
|
||||
| systemd hardening override rollback | override file path、scanner tool compatibility result、scanner health before / after refs、rollback owner | waiting owner assignment |
|
||||
|
||||
## 6. 維護後 Post-check
|
||||
|
||||
1. scanner API `/health` 回 healthy。
|
||||
2. `kali-scanner.service` active / enabled。
|
||||
3. `node-exporter` container up。
|
||||
4. `wg-easy` container healthy。
|
||||
5. failed systemd units 已 review。
|
||||
6. pending update count 已記錄。
|
||||
7. reboot required flag 已記錄。
|
||||
8. service hardening state 已記錄。
|
||||
9. AwoooP / IwoooS evidence refs 已更新。
|
||||
10. 沒有 active scan 或 `/execute`,除非另有獨立批准。
|
||||
|
||||
## 7. 驗收規則
|
||||
|
||||
1. 本草案完成不代表 maintenance window 已批准。
|
||||
2. owner response received / accepted 前,不得執行 `apt upgrade`、restart、hardening 或 reboot。
|
||||
3. active scan、credentialed scan 或 `/execute` 必須走獨立 approval gate,不可包進維護窗口。
|
||||
4. 所有 evidence refs 必須脫敏,不保存 credential value。
|
||||
5. 維護後若任何 post-check 失敗,只能建立人工 follow-up,不得自動補救。
|
||||
|
||||
## 8. 階段定位
|
||||
|
||||
P1-7 只把 Kali 112 的維護準備從「缺口已知」推到「owner / reviewer 可照表審維護窗口」。它不改變主機、不開 runtime gate、不啟動掃描,也不提高 IwoooS headline 64%。
|
||||
@@ -9,6 +9,7 @@
|
||||
| 模式 | `observe_only` |
|
||||
| Snapshot | `docs/security/kali-integration-status.snapshot.json` |
|
||||
| Schema | `docs/schemas/kali_integration_status_v1.schema.json` |
|
||||
| Maintenance window draft | `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
@@ -48,6 +49,12 @@ Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runti
|
||||
|
||||
結論:Kali `192.168.0.112` 今天仍可被 IwoooS 以只讀方式納入證據鏈,scanner runtime 健康也有實機證據;但 `networking.service` failed、`upgradable_package_count=1994` 與服務硬化缺口代表後續仍需要維護窗口、rollback / reboot gate、hardening dry-run 與人工批准,不能直接把「可連線」解讀為主機更新、掃描或調校已完成。
|
||||
|
||||
## 0.1.1 2026-06-04 P1-7 維護窗口草案
|
||||
|
||||
已新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 與 `docs/security/kali-112-maintenance-window-draft.snapshot.json`,把 1994 個待更新套件、`networking.service` failed、scanner service hardening `0 / 4`、rollback owner、post-check owner 與維護後驗證指標整理成 owner / reviewer 可審的 handoff package。
|
||||
|
||||
這是 maintenance window readiness,不是 maintenance approval。`host_update_authorized=false`、`service_restart_authorized=false`、`hardening_authorized=false`、`reboot_authorized=false`、`active_scan_authorized=false`、`execute_endpoint_authorized=false` 全部維持不變。
|
||||
|
||||
## 0.2 2026-05-31 只讀實機快照
|
||||
|
||||
本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。
|
||||
@@ -163,4 +170,4 @@ AwoooP 現階段只能 mirror `kali_integration_status_v1`:
|
||||
2. 未來批准後,再建立 `security_finding_v1` ingestion endpoint 或 adapter,先只接 redacted finding。
|
||||
3. 把 `/execute` endpoint 降級為預設停用或單獨 high-risk approval path。
|
||||
4. 修正 Harbor image scan 的 target / project / auth / certificate chain。
|
||||
5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot,再 upgrade,最後 reboot 與健康複驗。
|
||||
5. 依 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗。
|
||||
|
||||
217
docs/security/kali-112-maintenance-window-draft.snapshot.json
Normal file
217
docs/security/kali-112-maintenance-window-draft.snapshot.json
Normal file
@@ -0,0 +1,217 @@
|
||||
{
|
||||
"schema_version": "kali_maintenance_window_draft_v1",
|
||||
"status": "draft_waiting_owner_review",
|
||||
"date": "2026-06-04",
|
||||
"mode": "maintenance_window_draft_only",
|
||||
"source_evidence_refs": [
|
||||
"docs/security/KALI-INTEGRATION-STATUS.md",
|
||||
"docs/security/kali-integration-status.snapshot.json",
|
||||
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
|
||||
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
|
||||
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md"
|
||||
],
|
||||
"summary": {
|
||||
"host": "192.168.0.112",
|
||||
"asset_key": "host:kali-112",
|
||||
"pending_update_count": 1994,
|
||||
"failed_systemd_unit_count": 1,
|
||||
"service_hardening_enabled_count": 0,
|
||||
"service_hardening_expected_count": 4,
|
||||
"reboot_required": false,
|
||||
"maintenance_window_package_ready": true,
|
||||
"maintenance_window_completion_percent": 100,
|
||||
"maintenance_window_approved": false,
|
||||
"host_update_authorized": false,
|
||||
"service_restart_authorized": false,
|
||||
"hardening_authorized": false,
|
||||
"reboot_authorized": false,
|
||||
"active_scan_authorized": false,
|
||||
"execute_endpoint_authorized": false
|
||||
},
|
||||
"observed_gaps": [
|
||||
{
|
||||
"gap_id": "pending-updates-1994",
|
||||
"current_evidence": "2026-06-04 只讀快照顯示 upgradable_package_count=1994。",
|
||||
"risk": "MEDIUM",
|
||||
"required_before_action": [
|
||||
"maintenance window owner response",
|
||||
"package change scope",
|
||||
"rollback owner",
|
||||
"post-check owner",
|
||||
"reboot decision"
|
||||
]
|
||||
},
|
||||
{
|
||||
"gap_id": "networking-service-failed",
|
||||
"current_evidence": "2026-06-04 只讀快照顯示 failed_systemd_unit_names=[networking.service]。",
|
||||
"risk": "MEDIUM",
|
||||
"required_before_action": [
|
||||
"service owner confirmation",
|
||||
"expected network manager / interface model",
|
||||
"restart impact review",
|
||||
"rollback path",
|
||||
"out-of-band access confirmation"
|
||||
]
|
||||
},
|
||||
{
|
||||
"gap_id": "scanner-service-hardening-0-of-4",
|
||||
"current_evidence": "2026-06-04 只讀快照顯示 NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。",
|
||||
"risk": "MEDIUM",
|
||||
"required_before_action": [
|
||||
"dry-run hardening design",
|
||||
"scanner tool compatibility review",
|
||||
"override rollback file plan",
|
||||
"health check plan",
|
||||
"manual approval"
|
||||
]
|
||||
},
|
||||
{
|
||||
"gap_id": "execute-endpoint-present",
|
||||
"current_evidence": "Kali Scanner API 文件化存在 /execute path,仍是 block candidate。",
|
||||
"risk": "HIGH",
|
||||
"required_before_action": [
|
||||
"separate high-risk approval",
|
||||
"allowlist / disable gate design",
|
||||
"audit event design",
|
||||
"runtime gate",
|
||||
"manual exception record"
|
||||
]
|
||||
}
|
||||
],
|
||||
"owner_response_handoff": {
|
||||
"status": "ready_not_dispatched",
|
||||
"request_dispatch_authorized": false,
|
||||
"required_response_fields": [
|
||||
"owner_role_or_team",
|
||||
"maintenance_window_start_end_taipei",
|
||||
"change_scope",
|
||||
"rollback_owner",
|
||||
"validation_owner",
|
||||
"communication_owner",
|
||||
"reboot_decision",
|
||||
"redacted_evidence_refs",
|
||||
"followup_owner"
|
||||
],
|
||||
"forbidden_inputs": [
|
||||
"password value",
|
||||
"token value",
|
||||
"private key",
|
||||
"API key value",
|
||||
"runner token",
|
||||
"raw secret",
|
||||
"command to execute",
|
||||
"apt upgrade request",
|
||||
"service restart request",
|
||||
"hardening apply request",
|
||||
"active scan request",
|
||||
"execute endpoint request"
|
||||
],
|
||||
"response_received": false,
|
||||
"response_accepted": false
|
||||
},
|
||||
"maintenance_window_draft": {
|
||||
"window_status": "waiting_owner_selection",
|
||||
"candidate_window": "建議由 owner 指定台北時間低流量 2 小時窗口;本草案不自動指定日期或開始維護。",
|
||||
"change_lanes": [
|
||||
{
|
||||
"lane_id": "package-update-planning",
|
||||
"description": "整理 full-upgrade / autoremove / reboot 的人工批准前檢查,不執行 apt upgrade。",
|
||||
"authorization_required": "kali-full-upgrade-reboot approval + rollback owner + post-check owner",
|
||||
"current_authorized": false
|
||||
},
|
||||
{
|
||||
"lane_id": "networking-service-review",
|
||||
"description": "釐清 networking.service failed 是否為 expected / legacy / real failure,不直接 restart。",
|
||||
"authorization_required": "service owner decision + out-of-band access + rollback path",
|
||||
"current_authorized": false
|
||||
},
|
||||
{
|
||||
"lane_id": "scanner-systemd-hardening-dry-run-design",
|
||||
"description": "設計 kali-scanner.service hardening override 的 dry-run / compatibility review,不套用 hardening。",
|
||||
"authorization_required": "scanner owner decision + health compatibility review + rollback file plan",
|
||||
"current_authorized": false
|
||||
},
|
||||
{
|
||||
"lane_id": "post-maintenance-validation",
|
||||
"description": "定義維護後 scanner health、Docker service、failed units、pending updates、reboot required 與 AwoooP / IwoooS evidence readback。",
|
||||
"authorization_required": "validation owner + evidence refs + reviewer acceptance",
|
||||
"current_authorized": false
|
||||
}
|
||||
],
|
||||
"pre_window_checks": [
|
||||
"確認 maintenance window owner response 已收到且 accepted。",
|
||||
"確認 package / service / hardening / reboot scope 沒有混在同一個未批准動作中。",
|
||||
"確認不保存任何 credential value。",
|
||||
"確認 rollback owner 與 validation owner 已指定。",
|
||||
"確認 out-of-band access 與停止條件已定義。",
|
||||
"確認 active scan、credentialed scan 與 /execute 仍未授權。"
|
||||
]
|
||||
},
|
||||
"rollback_plan_draft": [
|
||||
{
|
||||
"rollback_item": "package update rollback",
|
||||
"required_evidence": [
|
||||
"pre-window package list snapshot ref",
|
||||
"apt history / dpkg log redacted ref",
|
||||
"rollback owner",
|
||||
"reboot decision"
|
||||
],
|
||||
"owner_status": "waiting_owner_assignment"
|
||||
},
|
||||
{
|
||||
"rollback_item": "networking.service restart rollback",
|
||||
"required_evidence": [
|
||||
"current network service model",
|
||||
"out-of-band access confirmation",
|
||||
"previous service state snapshot ref",
|
||||
"rollback owner"
|
||||
],
|
||||
"owner_status": "waiting_owner_assignment"
|
||||
},
|
||||
{
|
||||
"rollback_item": "systemd hardening override rollback",
|
||||
"required_evidence": [
|
||||
"override file path",
|
||||
"scanner tool compatibility result",
|
||||
"scanner health before / after refs",
|
||||
"rollback owner"
|
||||
],
|
||||
"owner_status": "waiting_owner_assignment"
|
||||
}
|
||||
],
|
||||
"post_check_plan": [
|
||||
"scanner API /health returns healthy",
|
||||
"kali-scanner.service active / enabled",
|
||||
"node-exporter container up",
|
||||
"wg-easy container healthy",
|
||||
"failed systemd units reviewed",
|
||||
"pending update count recorded",
|
||||
"reboot required flag recorded",
|
||||
"service hardening state recorded",
|
||||
"AwoooP / IwoooS evidence refs updated",
|
||||
"no active scan or /execute call occurred during maintenance unless separately approved"
|
||||
],
|
||||
"acceptance_rules": [
|
||||
"本草案完成不代表 maintenance window 已批准。",
|
||||
"maintenance owner response received / accepted 前,不得執行 apt upgrade、restart、hardening 或 reboot。",
|
||||
"任何 active scan、credentialed scan 或 /execute 都必須走獨立 approval gate,不可包進維護窗口。",
|
||||
"所有 evidence refs 必須脫敏,不保存 credential value。",
|
||||
"維護後若任何 post-check 失敗,只能建立人工 follow-up,不得自動補救。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"apt_upgrade",
|
||||
"apt_full_upgrade",
|
||||
"apt_autoremove",
|
||||
"restart_networking_service",
|
||||
"apply_systemd_hardening",
|
||||
"reboot_host",
|
||||
"active_scan",
|
||||
"credentialed_scan",
|
||||
"call_execute_endpoint",
|
||||
"store_credential_value",
|
||||
"change_firewall",
|
||||
"change_networkpolicy",
|
||||
"change_rbac",
|
||||
"enable_runtime_blocking_control"
|
||||
]
|
||||
}
|
||||
@@ -150,7 +150,7 @@
|
||||
"未來批准後建立 Kali scan result ingestion adapter,先只接收 redacted findings",
|
||||
"把 /execute endpoint 改成預設停用或單獨 high-risk approval path",
|
||||
"把 Harbor scan failure 轉成 security finding / ops finding,不直接自動修復",
|
||||
"安排 Kali rolling full-upgrade 維護窗口與 reboot gate"
|
||||
"依 docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗"
|
||||
],
|
||||
"still_forbidden": [
|
||||
"run_active_scan_without_scope_approval",
|
||||
|
||||
Reference in New Issue
Block a user