feat(iwooos): expose Wazuh host coverage gate

This commit is contained in:
ogt
2026-06-25 11:52:24 +08:00
parent c3631c35a2
commit 8042a5a9ba
7 changed files with 762 additions and 0 deletions


@@ -0,0 +1,47 @@
# Wazuh Managed-Host Coverage Gate
## Purpose
This gate exists to stop a Wazuh agent-disappearance incident from being reported as resolved after a "half fix". It accepts only redacted, cross-checkable coverage evidence; Dashboard screenshots, TCP transport, an active agent service, or a verbal reply are not accepted as substitutes for manager registry truth.
## Current read-only verdict
| Item | Value | Verdict |
| --- | ---: | --- |
| Nodes expected in scope | 6 | Coverage matrix established |
| Agent active / transport directly observed | 2 | Only shows that some nodes still have connectivity |
| No agent transport directly observed | 1 | Owner must decide: install, service, or scope |
| SSH read-only blocked | 3 | Needs legitimate read-only access or a redacted owner export |
| Manager registry accepted | 0 | Must not claim all agents recovered |
| Dashboard API degraded | 1 | Stored API / RBAC / rate-limit / TLS need repair |
| Runtime gate | 0 | No host writes or active response authorized |
## Do not misjudge
- Transport connection count is not the same as Wazuh manager registry acceptance.
- Dashboard reachable is not the same as the agent list being healthy.
- A read-only route returning 200 is not the same as Wazuh live metadata being enabled.
- Any agent re-enrollment, Wazuh restart, host modification, firewall change, secret change, or active response must go through a separate maintenance window, rollback owner, and manual approval.
## Evidence required before green
1. Manager registry agent counts: total, online, disconnected, never connected, last-connected time window.
2. Per-host agent scope matrix: public aliases only; no internal addresses, original agent names, or raw payloads.
3. Dashboard API / RBAC / TLS repair readback: stored API, rate-limit, run_as, and TLS trust each need a redacted reference.
4. Read-only credential metadata: secret name, source, owner, rotation / rollback owner only; no plaintext values, hashes, or fragments.
5. Owner response: owner role / team, decision, decision reason, affected scope, redacted evidence refs, follow-up owner, rollback owner.
6. IwoooS post-enable readback: must not return raw logs, original agent names, internal addresses, secrets, or host output.
## Follow-up priorities
| Priority | Work | Done |
| --- | --- | ---: |
| P0-A | Manager registry read-only counts and per-host matrix | 0% |
| P0-B | Dashboard stored API / RBAC / rate-limit / TLS repair | 0% |
| P0-C | Legitimate read-only postcheck of the node with no transport | 0% |
| P0-D | Owner export or read-only access for SSH-blocked nodes | 0% |
| P0-E | IwoooS live metadata env owner gate | 0% |
## Boundaries
This document and `wazuh-managed-host-coverage-gate.snapshot.json` are read-only governance evidence kept in the repo; they do not connect to Wazuh, collect secrets, re-enroll agents, restart services, modify hosts, issue active responses, or run Kali active scans.
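Review bot: the verdict table omits the two manager-side figures that the accompanying snapshot records, `manager_transport_established_connection_count: 6` and `manager_api_unauthenticated_response_count: 1`, and the first of these is exactly the number a reader will mistake for "6 of 6 nodes enrolled". Add a row for each, and a bullet under the do-not-misjudge list (不得誤判) stating that 6 established connections at the manager are connections, not in-scope nodes: nothing in this document ties a connection to a node, so the figure must sit below `Manager registry accepted | 0` rather than compete with it. The 1 unauthenticated API response also needs a one-line definition here, whether it means the manager API answered a request without authentication, which would be a finding in its own right, or that a read-only query was rejected for lacking credentials, since the two call for different P0 work.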


@@ -0,0 +1,132 @@
{
"execution_boundaries": {
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"not_authorization": true,
"raw_wazuh_payload_storage_allowed": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"wazuh_active_response_authorized": false,
"wazuh_agent_reenroll_authorized": false,
"wazuh_agent_restart_authorized": false,
"wazuh_api_live_query_authorized": false,
"wazuh_manager_restart_authorized": false
},
"forbidden_actions": [
"wazuh_agent_reenroll",
"wazuh_agent_restart",
"wazuh_manager_restart",
"wazuh_dashboard_secret_patch",
"active_response_enable",
"host_write",
"firewall_change",
"nginx_reload",
"kali_active_scan"
],
"forbidden_completion_claims": [
"All Wazuh agents have been restored",
"All hosts are enrolled in Wazuh",
"Wazuh agent registry has been accepted",
"Dashboard visible equals registry restored",
"transport connection equals full enrollment"
],
"generated_at": "2026-06-25T11:45:31+08:00",
"host_scope_matrix": [
{
"manager_registry_accepted": false,
"next_gate": "manager_registry_cross_check",
"node_id": "managed_core_node_a",
"readback_status": "agent_active_transport_observed",
"role": "core service node"
},
{
"manager_registry_accepted": false,
"next_gate": "manager_registry_cross_check",
"node_id": "managed_core_node_b",
"readback_status": "agent_active_transport_observed",
"role": "data service node"
},
{
"manager_registry_accepted": false,
"next_gate": "agent_install_or_service_owner_decision",
"node_id": "managed_dev_node_a",
"readback_status": "no_agent_transport_observed",
"role": "development worker node"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_dev_node_b",
"readback_status": "ssh_readback_blocked",
"role": "development worker node"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_control_node_a",
"readback_status": "ssh_readback_blocked",
"role": "control-plane node"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_control_node_b",
"readback_status": "ssh_readback_blocked",
"role": "control-plane node"
}
],
"mode": "snapshot_only_no_runtime_no_secret_collection",
"operator_interpretation": [
"At present only some nodes can be confirmed to have an agent service and transport; the manager registry still has no acceptable readback.",
"Dashboard API, RBAC, rate-limit or TLS degradation can make the UI agent list appear to vanish, but the UI view alone cannot establish that all agents have recovered.",
"Without a per-host postcheck, manager registry counts and IwoooS live readback, it must not be claimed that all hosts are enrolled.",
"Agent re-enrollment, Wazuh restart, host modification or secret changes must go through a separate maintenance window and rollback owner."
],
"required_evidence_before_green": [
{
"accepted": false,
"evidence_id": "manager_registry_agent_counts"
},
{
"accepted": false,
"evidence_id": "per_host_agent_scope_matrix"
},
{
"accepted": false,
"evidence_id": "dashboard_api_rbac_tls_repair_readback"
},
{
"accepted": false,
"evidence_id": "readonly_credential_metadata_without_secret"
},
{
"accepted": false,
"evidence_id": "owner_response_and_rollback_owner"
},
{
"accepted": false,
"evidence_id": "post_enable_iwooos_readback"
}
],
"schema_version": "wazuh_managed_host_coverage_gate_v1",
"scope": "wazuh_managed_host_coverage",
"status": "blocked_waiting_full_host_registry_readback",
"summary": {
"active_response_authorized_count": 0,
"agent_reenroll_authorized_count": 0,
"agent_restart_authorized_count": 0,
"dashboard_api_degraded_observed_count": 1,
"direct_agent_active_observed_count": 2,
"direct_agent_missing_or_no_transport_count": 1,
"direct_agent_transport_observed_count": 2,
"expected_host_scope_count": 6,
"host_write_authorized_count": 0,
"live_metadata_env_enabled_count": 0,
"manager_api_unauthenticated_response_count": 1,
"manager_registry_accepted_count": 0,
"manager_service_active_observed_count": 1,
"manager_transport_established_connection_count": 6,
"runtime_gate_count": 0,
"ssh_readback_blocked_count": 3
}
}
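Review bot: each `host_scope_matrix` entry carries only `node_id`, `role`, `readback_status` and `next_gate`, with no observation timestamp and no redacted evidence reference, so the matrix cannot be cross-checked against the manager registry readback this gate is waiting for; the only time in the file is the global `generated_at`. Add per-entry `observed_at` and `evidence_ref` fields (redacted refs only, consistent with `raw_wazuh_payload_storage_allowed: false`) so that a later registry count can be matched to the same observation window. Two summary figures also need a provenance note: `manager_api_unauthenticated_response_count: 1` is recorded while `execution_boundaries` has `wazuh_api_live_query_authorized: false`, so the snapshot should say where that response was observed, and `manager_transport_established_connection_count: 6` appears in the same summary as `expected_host_scope_count: 6` with no field linking connections to `node_id`s, which invites the very reading `forbidden_completion_claims` rules out; a short `summary_notes` entry or a rename along the lines of `manager_established_connection_count_not_node_count` would remove the ambiguity.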