docs(security): add Kali maintenance window draft [skip ci]

This commit is contained in:
Your Name
2026-06-04 19:56:23 +08:00
parent c046b9c81e
commit 291ff92534
8 changed files with 592 additions and 8 deletions

View File

@@ -36,7 +36,7 @@
| Host | scope | maintenance window | credential handling | rollback owner | validation 指標 |
|------|-------|--------------------|---------------------|----------------|-----------------|
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness | 待人工指定目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readinessP1-7 草案見 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | 待人工指定目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
| `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readiness | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼或 private key只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke |
| `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposure | 待人工指定;目前不得 credentialed scan 或讀取未授權目錄 | 不收個人憑證、不讀私有目錄、不保存 secrets value | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note |

View File

@@ -0,0 +1,123 @@
# Kali 112 維護窗口草案
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-04 |
| 狀態 | 草案,等待 owner review |
| Host | `192.168.0.112` |
| Asset key | `host:kali-112` |
| Schema | `docs/schemas/kali_maintenance_window_draft_v1.schema.json` |
| Snapshot | `docs/security/kali-112-maintenance-window-draft.snapshot.json` |
| 上游證據 | `docs/security/KALI-INTEGRATION-STATUS.md``docs/security/kali-integration-status.snapshot.json` |
| 模式 | `maintenance_window_draft_only` |
| 執行面授權 | `false` |
## 0. 核心結論
P1-7 補的是 Kali `192.168.0.112` 的維護窗口草案,不是維護批准,也不是主機操作計畫。
目前只讀證據顯示:
| 證據 | 目前值 |
|------|--------|
| 待更新套件 | `1994` |
| failed systemd units | `1`,為 `networking.service` |
| scanner service hardening | `0 / 4` |
| reboot required | `false` |
| scanner API health | `127.0.0.1:8080/health``healthy` |
| Docker services | `node-exporter``wg-easy` 運作中 |
這些值代表「需要人工安排維護窗口與 rollback」不代表可以直接 `apt upgrade`、restart、套 hardening、reboot、active scan 或呼叫 `/execute`
## 1. 摘要
| 指標 | 值 |
|------|----|
| maintenance window package | `ready` |
| package completion | `100%` |
| maintenance window approved | `false` |
| host update authorized | `false` |
| service restart authorized | `false` |
| hardening authorized | `false` |
| reboot authorized | `false` |
| active scan authorized | `false` |
| `/execute` authorized | `false` |
| owner response received / accepted | `false / false` |
## 2. Owner Response Handoff
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補維護窗口 metadata。它不是 request sent也不是 approval queue更不是可執行動作。
### 2.1 必填欄位
| 欄位 | 說明 |
|------|------|
| `owner_role_or_team` | 維護 owner 的角色或團隊 |
| `maintenance_window_start_end_taipei` | 台北時間維護窗口起訖;未填前不安排 |
| `change_scope` | 本次允許討論的範圍,例如 package planning、networking.service review、hardening dry-run design |
| `rollback_owner` | rollback / stop decision owner |
| `validation_owner` | 維護後健康檢查 owner |
| `communication_owner` | 對 AwoooP / Telegram / LOGBOOK / operator 同步的 owner |
| `reboot_decision` | 是否允許未來 reboot目前預設 `false` |
| `redacted_evidence_refs` | 只填文件、snapshot、ticket 或脫敏 metadata pointer |
| `followup_owner` | 補件、拒收或下一階段 owner |
### 2.2 禁止輸入
| 類型 | 規則 |
|------|------|
| credential | 不貼密碼、token value、API key value、private key 或 runner token |
| host command | 不貼 `apt upgrade`、restart、hardening apply、reboot 或 shell command |
| scan request | 不把 active scan、credentialed scan 或 `/execute` 包進維護窗口 |
| runtime action | 不新增 AwoooP action button不開 runtime blocking control |
## 3. 維護 Lane 草案
| Lane | 目的 | 目前授權 |
|------|------|----------|
| package update planning | 整理 full-upgrade / autoremove / reboot 前置條件 | `false` |
| networking.service review | 釐清 failed unit 是否 expected / legacy / real failure | `false` |
| scanner systemd hardening dry-run design | 設計 override 與工具相容檢查 | `false` |
| post-maintenance validation | 定義維護後 health / service / update / evidence readback | `false` |
## 4. 維護前檢查
1. owner response 已收到且 accepted。
2. package、service、hardening、reboot scope 不混在同一個未批准動作中。
3. 不保存任何 credential value。
4. rollback owner 與 validation owner 已指定。
5. out-of-band access 與停止條件已定義。
6. active scan、credentialed scan 與 `/execute` 仍未授權。
## 5. Rollback 草案
| 項目 | 需要證據 | owner 狀態 |
|------|----------|------------|
| package update rollback | pre-window package list snapshot、apt history / dpkg log redacted ref、rollback owner、reboot decision | waiting owner assignment |
| networking.service restart rollback | current network service model、out-of-band access、previous service state snapshot、rollback owner | waiting owner assignment |
| systemd hardening override rollback | override file path、scanner tool compatibility result、scanner health before / after refs、rollback owner | waiting owner assignment |
## 6. 維護後 Post-check
1. scanner API `/health` 回 healthy。
2. `kali-scanner.service` active / enabled。
3. `node-exporter` container up。
4. `wg-easy` container healthy。
5. failed systemd units 已 review。
6. pending update count 已記錄。
7. reboot required flag 已記錄。
8. service hardening state 已記錄。
9. AwoooP / IwoooS evidence refs 已更新。
10. 沒有 active scan 或 `/execute`,除非另有獨立批准。
## 7. 驗收規則
1. 本草案完成不代表 maintenance window 已批准。
2. owner response received / accepted 前,不得執行 `apt upgrade`、restart、hardening 或 reboot。
3. active scan、credentialed scan 或 `/execute` 必須走獨立 approval gate不可包進維護窗口。
4. 所有 evidence refs 必須脫敏,不保存 credential value。
5. 維護後若任何 post-check 失敗,只能建立人工 follow-up不得自動補救。
## 8. 階段定位
P1-7 只把 Kali 112 的維護準備從「缺口已知」推到「owner / reviewer 可照表審維護窗口」。它不改變主機、不開 runtime gate、不啟動掃描也不提高 IwoooS headline 64%。

View File

@@ -9,6 +9,7 @@
| 模式 | `observe_only` |
| Snapshot | `docs/security/kali-integration-status.snapshot.json` |
| Schema | `docs/schemas/kali_integration_status_v1.schema.json` |
| Maintenance window draft | `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` |
## 0. 核心結論
@@ -48,6 +49,12 @@ Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runti
結論Kali `192.168.0.112` 今天仍可被 IwoooS 以只讀方式納入證據鏈scanner runtime 健康也有實機證據;但 `networking.service` failed、`upgradable_package_count=1994` 與服務硬化缺口代表後續仍需要維護窗口、rollback / reboot gate、hardening dry-run 與人工批准,不能直接把「可連線」解讀為主機更新、掃描或調校已完成。
## 0.1.1 2026-06-04 P1-7 維護窗口草案
已新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md``docs/security/kali-112-maintenance-window-draft.snapshot.json`,把 1994 個待更新套件、`networking.service` failed、scanner service hardening `0 / 4`、rollback owner、post-check owner 與維護後驗證指標整理成 owner / reviewer 可審的 handoff package。
這是 maintenance window readiness不是 maintenance approval。`host_update_authorized=false``service_restart_authorized=false``hardening_authorized=false``reboot_authorized=false``active_scan_authorized=false``execute_endpoint_authorized=false` 全部維持不變。
## 0.2 2026-05-31 只讀實機快照
本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。
@@ -163,4 +170,4 @@ AwoooP 現階段只能 mirror `kali_integration_status_v1`
2. 未來批准後,再建立 `security_finding_v1` ingestion endpoint 或 adapter先只接 redacted finding。
3.`/execute` endpoint 降級為預設停用或單獨 high-risk approval path。
4. 修正 Harbor image scan 的 target / project / auth / certificate chain。
5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot再 upgrade最後 reboot 健康複驗。
5. `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 健康複驗。

View File

@@ -0,0 +1,217 @@
{
"schema_version": "kali_maintenance_window_draft_v1",
"status": "draft_waiting_owner_review",
"date": "2026-06-04",
"mode": "maintenance_window_draft_only",
"source_evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/kali-integration-status.snapshot.json",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md"
],
"summary": {
"host": "192.168.0.112",
"asset_key": "host:kali-112",
"pending_update_count": 1994,
"failed_systemd_unit_count": 1,
"service_hardening_enabled_count": 0,
"service_hardening_expected_count": 4,
"reboot_required": false,
"maintenance_window_package_ready": true,
"maintenance_window_completion_percent": 100,
"maintenance_window_approved": false,
"host_update_authorized": false,
"service_restart_authorized": false,
"hardening_authorized": false,
"reboot_authorized": false,
"active_scan_authorized": false,
"execute_endpoint_authorized": false
},
"observed_gaps": [
{
"gap_id": "pending-updates-1994",
"current_evidence": "2026-06-04 只讀快照顯示 upgradable_package_count=1994。",
"risk": "MEDIUM",
"required_before_action": [
"maintenance window owner response",
"package change scope",
"rollback owner",
"post-check owner",
"reboot decision"
]
},
{
"gap_id": "networking-service-failed",
"current_evidence": "2026-06-04 只讀快照顯示 failed_systemd_unit_names=[networking.service]。",
"risk": "MEDIUM",
"required_before_action": [
"service owner confirmation",
"expected network manager / interface model",
"restart impact review",
"rollback path",
"out-of-band access confirmation"
]
},
{
"gap_id": "scanner-service-hardening-0-of-4",
"current_evidence": "2026-06-04 只讀快照顯示 NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。",
"risk": "MEDIUM",
"required_before_action": [
"dry-run hardening design",
"scanner tool compatibility review",
"override rollback file plan",
"health check plan",
"manual approval"
]
},
{
"gap_id": "execute-endpoint-present",
"current_evidence": "Kali Scanner API 文件化存在 /execute path仍是 block candidate。",
"risk": "HIGH",
"required_before_action": [
"separate high-risk approval",
"allowlist / disable gate design",
"audit event design",
"runtime gate",
"manual exception record"
]
}
],
"owner_response_handoff": {
"status": "ready_not_dispatched",
"request_dispatch_authorized": false,
"required_response_fields": [
"owner_role_or_team",
"maintenance_window_start_end_taipei",
"change_scope",
"rollback_owner",
"validation_owner",
"communication_owner",
"reboot_decision",
"redacted_evidence_refs",
"followup_owner"
],
"forbidden_inputs": [
"password value",
"token value",
"private key",
"API key value",
"runner token",
"raw secret",
"command to execute",
"apt upgrade request",
"service restart request",
"hardening apply request",
"active scan request",
"execute endpoint request"
],
"response_received": false,
"response_accepted": false
},
"maintenance_window_draft": {
"window_status": "waiting_owner_selection",
"candidate_window": "建議由 owner 指定台北時間低流量 2 小時窗口;本草案不自動指定日期或開始維護。",
"change_lanes": [
{
"lane_id": "package-update-planning",
"description": "整理 full-upgrade / autoremove / reboot 的人工批准前檢查,不執行 apt upgrade。",
"authorization_required": "kali-full-upgrade-reboot approval + rollback owner + post-check owner",
"current_authorized": false
},
{
"lane_id": "networking-service-review",
"description": "釐清 networking.service failed 是否為 expected / legacy / real failure不直接 restart。",
"authorization_required": "service owner decision + out-of-band access + rollback path",
"current_authorized": false
},
{
"lane_id": "scanner-systemd-hardening-dry-run-design",
"description": "設計 kali-scanner.service hardening override 的 dry-run / compatibility review不套用 hardening。",
"authorization_required": "scanner owner decision + health compatibility review + rollback file plan",
"current_authorized": false
},
{
"lane_id": "post-maintenance-validation",
"description": "定義維護後 scanner health、Docker service、failed units、pending updates、reboot required 與 AwoooP / IwoooS evidence readback。",
"authorization_required": "validation owner + evidence refs + reviewer acceptance",
"current_authorized": false
}
],
"pre_window_checks": [
"確認 maintenance window owner response 已收到且 accepted。",
"確認 package / service / hardening / reboot scope 沒有混在同一個未批准動作中。",
"確認不保存任何 credential value。",
"確認 rollback owner 與 validation owner 已指定。",
"確認 out-of-band access 與停止條件已定義。",
"確認 active scan、credentialed scan 與 /execute 仍未授權。"
]
},
"rollback_plan_draft": [
{
"rollback_item": "package update rollback",
"required_evidence": [
"pre-window package list snapshot ref",
"apt history / dpkg log redacted ref",
"rollback owner",
"reboot decision"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "networking.service restart rollback",
"required_evidence": [
"current network service model",
"out-of-band access confirmation",
"previous service state snapshot ref",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "systemd hardening override rollback",
"required_evidence": [
"override file path",
"scanner tool compatibility result",
"scanner health before / after refs",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
}
],
"post_check_plan": [
"scanner API /health returns healthy",
"kali-scanner.service active / enabled",
"node-exporter container up",
"wg-easy container healthy",
"failed systemd units reviewed",
"pending update count recorded",
"reboot required flag recorded",
"service hardening state recorded",
"AwoooP / IwoooS evidence refs updated",
"no active scan or /execute call occurred during maintenance unless separately approved"
],
"acceptance_rules": [
"本草案完成不代表 maintenance window 已批准。",
"maintenance owner response received / accepted 前,不得執行 apt upgrade、restart、hardening 或 reboot。",
"任何 active scan、credentialed scan 或 /execute 都必須走獨立 approval gate不可包進維護窗口。",
"所有 evidence refs 必須脫敏,不保存 credential value。",
"維護後若任何 post-check 失敗,只能建立人工 follow-up不得自動補救。"
],
"forbidden_actions": [
"apt_upgrade",
"apt_full_upgrade",
"apt_autoremove",
"restart_networking_service",
"apply_systemd_hardening",
"reboot_host",
"active_scan",
"credentialed_scan",
"call_execute_endpoint",
"store_credential_value",
"change_firewall",
"change_networkpolicy",
"change_rbac",
"enable_runtime_blocking_control"
]
}

View File

@@ -150,7 +150,7 @@
"未來批准後建立 Kali scan result ingestion adapter先只接收 redacted findings",
"把 /execute endpoint 改成預設停用或單獨 high-risk approval path",
"把 Harbor scan failure 轉成 security finding / ops finding不直接自動修復",
"安排 Kali rolling full-upgrade 維護窗口與 reboot gate"
"依 docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗"
],
"still_forbidden": [
"run_active_scan_without_scope_approval",