feat(iwooos): expose Wazuh host coverage gate
docs/security/WAZUH-MANAGED-HOST-COVERAGE-GATE.md (new file, 47 lines)
@@ -0,0 +1,47 @@
# Wazuh 主機納管覆蓋 Gate

## 目的

本 Gate 用來防止 Wazuh 用戶端消失事故被「半套修復」誤報為完成。它只接受脫敏、可交叉檢查的納管覆蓋證據,不接受 Dashboard 畫面、TCP transport、agent service active 或口頭回覆替代 manager registry truth。

## 目前只讀判定

| 項目 | 數值 | 判定 |
| --- | ---: | --- |
| 應納管節點範圍 | 6 | 已建立覆蓋矩陣 |
| 直接觀察 agent active / transport | 2 | 只能代表部分節點仍有連線 |
| 直接觀察無 agent transport | 1 | 需要 owner 判定安裝、服務或範圍 |
| SSH 只讀受阻 | 3 | 需要合法只讀 access 或脫敏 owner export |
| Manager registry accepted | 0 | 不得宣稱所有用戶端恢復 |
| Dashboard API 退化 | 1 | 需修 stored API / RBAC / rate-limit / TLS |
| Runtime gate | 0 | 不授權主機寫入或 active response |

## 不得誤判

- Transport 連線數不等於 Wazuh manager registry 已驗收。
- Dashboard 可訪問不等於 agent 清單正常。
- 只讀 route 回 200 不等於 Wazuh live metadata 已啟用。
- 任何重新註冊 agent、重啟 Wazuh、修改主機、調整防火牆、修改機密或 active response 都必須另走維護窗口、rollback owner 與人工批准。

## 綠燈前必備證據

1. Manager registry agent counts:總數、在線、離線、從未連線、最後連線時間窗。
2. 逐主機 agent scope matrix:只用公開別名,不列內網位址、agent 原名或 raw payload。
3. Dashboard API / RBAC / TLS 修復讀回:stored API、rate-limit、run_as、TLS trust 都要有脫敏參照。
4. 唯讀認證中繼資料:只收 secret name、來源、owner、rotation / rollback owner,不收明文值、雜湊或片段。
5. Owner response:owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner。
6. IwoooS 啟用後讀回:不得回傳 raw log、agent 原名、內網位址、secret 或 host output。

## 後續優先順序

| 優先 | 工作 | 完成度 |
| --- | --- | ---: |
| P0-A | Manager registry 只讀計數與逐主機矩陣 | 0% |
| P0-B | Dashboard stored API / RBAC / rate-limit / TLS 修復 | 0% |
| P0-C | 直接無 transport 節點的合法只讀後檢 | 0% |
| P0-D | SSH 受阻節點 owner export 或只讀 access | 0% |
| P0-E | IwoooS live metadata env owner gate | 0% |

## 邊界

本文件與 `wazuh-managed-host-coverage-gate.snapshot.json` 都是 repo 內只讀治理證據;不連線 Wazuh、不收 secret、不重新註冊 agent、不重啟服務、不修改主機、不發 active response、不做 Kali active scan。
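Review bot: the 綠燈前必備證據 list names six evidence items but states no acceptance criterion for any of them, so a reviewer cannot tell when an item flips from "required" to "accepted". Item 1 should say what the manager registry counts must satisfy, for example that the total must equal the 6 nodes in the scope matrix and that the last-connection window is bounded to a stated interval; items 2 and 6 should say who checks the redaction before the evidence is filed. Separately, the 目前只讀判定 table reports a single transport figure (2) while the 邊界 section points at the snapshot for the numbers; each table row should name the snapshot `summary` key it is derived from, otherwise the two artifacts cannot be cross-checked the way the 目的 section demands.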
docs/security/wazuh-managed-host-coverage-gate.snapshot.json (new file, 132 lines)
@@ -0,0 +1,132 @@
{
"execution_boundaries": {
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"not_authorization": true,
"raw_wazuh_payload_storage_allowed": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"wazuh_active_response_authorized": false,
"wazuh_agent_reenroll_authorized": false,
"wazuh_agent_restart_authorized": false,
"wazuh_api_live_query_authorized": false,
"wazuh_manager_restart_authorized": false
},
"forbidden_actions": [
"wazuh_agent_reenroll",
"wazuh_agent_restart",
"wazuh_manager_restart",
"wazuh_dashboard_secret_patch",
"active_response_enable",
"host_write",
"firewall_change",
"nginx_reload",
"kali_active_scan"
],
"forbidden_completion_claims": [
"所有 Wazuh 用戶端已恢復",
"所有主機已納入 Wazuh",
"Wazuh agent registry 已驗收",
"Dashboard 可見等於 registry 已恢復",
"transport 連線等於全數納管"
],
"generated_at": "2026-06-25T11:45:31+08:00",
"host_scope_matrix": [
{
"manager_registry_accepted": false,
"next_gate": "manager_registry_cross_check",
"node_id": "managed_core_node_a",
"readback_status": "agent_active_transport_observed",
"role": "核心服務節點"
},
{
"manager_registry_accepted": false,
"next_gate": "manager_registry_cross_check",
"node_id": "managed_core_node_b",
"readback_status": "agent_active_transport_observed",
"role": "資料服務節點"
},
{
"manager_registry_accepted": false,
"next_gate": "agent_install_or_service_owner_decision",
"node_id": "managed_dev_node_a",
"readback_status": "no_agent_transport_observed",
"role": "開發工作節點"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_dev_node_b",
"readback_status": "ssh_readback_blocked",
"role": "開發工作節點"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_control_node_a",
"readback_status": "ssh_readback_blocked",
"role": "控制平面節點"
},
{
"manager_registry_accepted": false,
"next_gate": "read_only_access_or_owner_export",
"node_id": "managed_control_node_b",
"readback_status": "ssh_readback_blocked",
"role": "控制平面節點"
}
],
"mode": "snapshot_only_no_runtime_no_secret_collection",
"operator_interpretation": [
"目前只能確認部分節點有 agent service 與 transport;manager registry 仍沒有可驗收讀回。",
"Dashboard API、RBAC、rate-limit 或 TLS 退化會讓 UI 代理清單看起來消失,但不能用 UI 畫面單獨判定 agent 全部恢復。",
"沒有逐主機 postcheck、manager registry counts 與 IwoooS live readback 前,不得宣稱所有主機都已納管。",
"重新註冊 agent、重啟 Wazuh、修改主機或改機密都必須走獨立維護窗口與 rollback owner。"
],
"required_evidence_before_green": [
{
"accepted": false,
"evidence_id": "manager_registry_agent_counts"
},
{
"accepted": false,
"evidence_id": "per_host_agent_scope_matrix"
},
{
"accepted": false,
"evidence_id": "dashboard_api_rbac_tls_repair_readback"
},
{
"accepted": false,
"evidence_id": "readonly_credential_metadata_without_secret"
},
{
"accepted": false,
"evidence_id": "owner_response_and_rollback_owner"
},
{
"accepted": false,
"evidence_id": "post_enable_iwooos_readback"
}
],
"schema_version": "wazuh_managed_host_coverage_gate_v1",
"scope": "wazuh_managed_host_coverage",
"status": "blocked_waiting_full_host_registry_readback",
"summary": {
"active_response_authorized_count": 0,
"agent_reenroll_authorized_count": 0,
"agent_restart_authorized_count": 0,
"dashboard_api_degraded_observed_count": 1,
"direct_agent_active_observed_count": 2,
"direct_agent_missing_or_no_transport_count": 1,
"direct_agent_transport_observed_count": 2,
"expected_host_scope_count": 6,
"host_write_authorized_count": 0,
"live_metadata_env_enabled_count": 0,
"manager_api_unauthenticated_response_count": 1,
"manager_registry_accepted_count": 0,
"manager_service_active_observed_count": 1,
"manager_transport_established_connection_count": 6,
"runtime_gate_count": 0,
"ssh_readback_blocked_count": 3
}
}
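Review bot: `manager_api_unauthenticated_response_count` in `summary` is ambiguous, and one of its two readings is a security finding rather than a coverage metric: it is unclear whether it counts 401/403 responses to the read-only probe (the expected outcome when credentials are withheld, consistent with `secret_value_collection_allowed: false`) or API responses that were served without any authentication. Rename or document the key, for example `manager_api_auth_required_response_count` for the former, so an exposed API cannot sit behind a neutral-sounding counter. Two smaller points: `manager_transport_established_connection_count: 6` equals `expected_host_scope_count: 6` while only two entries in `host_scope_matrix` carry `agent_active_transport_observed`, and nothing in the file says the 6 connections are not attributed to hosts; add an `operator_interpretation` line stating that explicitly, since the companion markdown gate forbids reading transport counts as coverage. And `not_authorization: true` inside `execution_boundaries` is a negated boolean among positively named ones; `is_authorization: false` would be harder for consumers to misread.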