feat(iwooos): add Wazuh live metadata env gate

This commit is contained in:
ogt
2026-06-24 22:44:41 +08:00
parent ab772d9126
commit 9de0cb70ca
5 changed files with 399 additions and 5 deletions

View File

@@ -33,11 +33,13 @@
- `scripts/security/wazuh-readonly-release-lane-preflight.py`
- `scripts/security/wazuh-readonly-release-owner-request.py`
- `scripts/security/wazuh-readonly-release-owner-response-acceptance.py`
- `scripts/security/wazuh-readonly-live-metadata-env-gate.py`
- `scripts/security/security-mirror-progress-guard.py`
- `docs/security/wazuh-readonly-release-gate.snapshot.json`
- `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`
- `docs/security/wazuh-readonly-release-owner-request.snapshot.json`
- `docs/security/wazuh-readonly-release-owner-response-acceptance.snapshot.json`
- `docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json`
- `docs/LOGBOOK.md`
完成內容:
@@ -54,6 +56,7 @@
- 新增 release gate snapshot 與 guard固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。
- 新增 release lane preflight snapshot 與 guard固定正式 release 前必須選擇 `formal_gitea_merge``formal_patch_apply``maintainer_local_push_with_safe_credential` 其中一條合規 lane且 owner ack / evidence 未到齊前不得 push、deploy、force push、使用明文 token workaround 或改 runtime。
- 新增 release owner request 草稿與 owner response acceptance 帳本,將 required ack flags、required evidence fields、allowed release methods、blocked actions、forbidden payloads 與 reviewer checks 機器可讀化;目前 request sent、response received / accepted、release ready、runtime gate 全部維持 `0`
- 新增 live metadata env gate固定部署後要先通過 production route readback、server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope、post-enable readback、rollback 與 no-secret / no-raw-payload attestation目前 live query authorized 仍為 `0`
## 已完成驗證
@@ -66,9 +69,10 @@ python3 scripts/security/wazuh-readonly-release-gate.py --root .
python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .
python3 scripts/security/wazuh-readonly-release-owner-request.py --root .
python3 scripts/security/wazuh-readonly-release-owner-response-acceptance.py --root .
python3 scripts/security/wazuh-readonly-live-metadata-env-gate.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/ops/doc-secrets-sanity-check.py docs apps/api/src/api/v1/iwooos.py apps/web/src/app/api/iwooos/wazuh/route.ts scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py scripts/security/wazuh-readonly-release-owner-request.py scripts/security/wazuh-readonly-release-owner-response-acceptance.py
python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py scripts/security/wazuh-readonly-release-owner-request.py scripts/security/wazuh-readonly-release-owner-response-acceptance.py scripts/security/security-mirror-progress-guard.py
python3 scripts/ops/doc-secrets-sanity-check.py docs apps/api/src/api/v1/iwooos.py apps/web/src/app/api/iwooos/wazuh/route.ts scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py scripts/security/wazuh-readonly-release-owner-request.py scripts/security/wazuh-readonly-release-owner-response-acceptance.py scripts/security/wazuh-readonly-live-metadata-env-gate.py
python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py scripts/security/wazuh-readonly-release-owner-request.py scripts/security/wazuh-readonly-release-owner-response-acceptance.py scripts/security/wazuh-readonly-live-metadata-env-gate.py scripts/security/security-mirror-progress-guard.py
git diff --check
```
@@ -80,8 +84,9 @@ git diff --check
- `wazuh-readonly-release-lane-preflight``ready=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `wazuh-readonly-release-owner-request``drafts=1 sent=0 accepted=0 runtime_gate=0`
- `wazuh-readonly-release-owner-response-acceptance``received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `wazuh-readonly-live-metadata-env-gate``route_readback=0 owner=0 secret_meta=0 live_query=0 runtime_gate=0`
- `security-mirror-progress-guard``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `doc-secrets-sanity-check``DOC_SECRET_SANITY_OK scanned_files=972`
- `doc-secrets-sanity-check``DOC_SECRET_SANITY_OK scanned_files=973`
- `py_compile`:通過。
- `git diff --check`:通過。
@@ -103,7 +108,7 @@ git am /private/tmp/awoooi-iwooos-wazuh-boundary-release-patch-<timestamp>/*.pat
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .``WAZUH_READONLY_RELEASE_GATE_OK source=1 push=0 deploy=0 readback=0 runtime_gate=0`
- `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .``WAZUH_READONLY_RELEASE_LANE_PREFLIGHT_OK ready=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py ...``DOC_SECRET_SANITY_OK scanned_files=972`
- `python3 scripts/ops/doc-secrets-sanity-check.py ...``DOC_SECRET_SANITY_OK scanned_files=973`
- `python3 -m py_compile ...`:通過。
- `git diff --check`:通過。
@@ -179,6 +184,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 push/deploy/readback 仍 blocked |
| Wazuh release lane preflight | `100%` | 已完成owner acks `0/6`、evidence `0/6`、正式 release ready `0` |
| Wazuh release owner request / acceptance | `100%` | 已完成只讀草稿與收件帳本request sent `0`、response accepted `0` |
| Wazuh live metadata env gate | `100%` | 已完成只讀 gateroute readback / owner / secret metadata / live query 仍 `0` |
| 乾淨套用 proof | `100%` | patch set 可落在最新 `gitea/main` 並通過同組 guard最終 hash 以 release 前 readback 為準 |
| Gitea push | `0%` | 受控 workspace HTTPS credential 缺失 |
| Production deploy / readback | `0%` | 等待 release lane |
@@ -191,6 +197,6 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json
1. 先依 `wazuh-readonly-release-owner-request.snapshot.json` 補 release lane owner response選擇 formal merge、formal patch apply 或安全 credential push並補 6 個 ack 與 6 個 evidence 欄位。
2. 解決受控 workspace Gitea HTTPS push 認證,或由正式 release lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD。
3. 部署後先驗證 `/api/iwooos/wazuh` 不再 404且預設 disabled 邊界正確。
4.開 owner gate 決定是否啟用 server-side Wazuh read-only metadata query。
4.`wazuh-readonly-live-metadata-env-gate.snapshot.json` 補 server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope 與 post-enable readback才可考慮啟用 Wazuh read-only metadata query。
5. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。
6. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。

View File

@@ -0,0 +1,145 @@
{
"blocked_actions": [
"collect_wazuh_password",
"collect_wazuh_token",
"collect_wazuh_raw_payload",
"hardcode_wazuh_base_url",
"hardcode_wazuh_username",
"hardcode_wazuh_password",
"disable_tls_verification",
"enable_env_before_production_route_readback",
"enable_env_without_secret_owner",
"enable_wazuh_live_metadata_without_owner_gate",
"enable_wazuh_active_response",
"wazuh_manager_restart",
"wazuh_rule_change",
"wazuh_decoder_change",
"k8s_secret_manual_patch",
"argocd_manual_sync",
"docker_restart",
"nginx_or_gateway_workaround_for_404",
"firewall_change",
"host_write",
"kali_active_scan",
"production_deploy_without_release_lane",
"mark_predeploy_404_as_passed_readback"
],
"execution_boundaries": {
"argocd_sync_authorized": false,
"docker_restart_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"k8s_secret_patch_authorized": false,
"kali_active_scan_authorized": false,
"nginx_gateway_workaround_authorized": false,
"not_authorization": true,
"production_deploy_authorized": false,
"raw_wazuh_payload_storage_allowed": false,
"repo_write_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-24T22:42:00+08:00",
"live_metadata_candidate": {
"candidate_id": "iwooos_wazuh_readonly_live_metadata_env",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"post_enable_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
"production_route_readback_ref": null,
"readonly_account_scope_ref": null,
"runtime_gate": false,
"secret_source_metadata_ref": null,
"server_side_env_keys": [
"IWOOOS_WAZUH_READONLY_ENABLED",
"WAZUH_API_BASE_URL",
"WAZUH_API_USERNAME",
"WAZUH_API_PASSWORD"
],
"status": "waiting_release_readback_and_live_metadata_owner_response",
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"wazuh_manager_health_ref": null
},
"mode": "repo_gate_no_secret_no_runtime_no_wazuh_query",
"operator_interpretation": [
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。",
"Production route 必須先不加 --allow-predeploy-404 readback 通過,才能考慮 server-side env enable。",
"secret handling 只能提供注入來源 metadata 與 owner不得提交密碼、token、hash、partial secret 或 raw env。",
"Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate不能互相代替。"
],
"outcome_lanes": [
"waiting_release_readback",
"waiting_live_metadata_owner_response",
"request_secret_source_metadata_supplement",
"request_wazuh_manager_health_supplement",
"request_readonly_account_scope_supplement",
"quarantine_secret_or_raw_payload",
"reject_runtime_workaround",
"ready_for_live_metadata_reviewer_validation",
"waiting_post_enable_readback",
"waiting_runtime_gate"
],
"required_owner_fields": [
"wazuh_live_metadata_owner",
"release_readback_ref",
"secret_injection_owner",
"secret_source_metadata_ref",
"wazuh_manager_health_ref",
"wazuh_api_tls_validation_ref",
"readonly_account_scope_ref",
"agent_alias_mapping_policy",
"post_enable_readback_command",
"rollback_owner",
"maintenance_window",
"validation_plan",
"no_secret_value_attestation",
"no_raw_payload_attestation",
"active_response_separate_gate_ack"
],
"reviewer_checks": [
"production_route_readback_passed_before_env_enable",
"server_side_env_keys_present_as_metadata_only",
"secret_value_absent",
"secret_source_metadata_ref_present",
"wazuh_api_base_url_https_only",
"readonly_account_scope_present",
"wazuh_manager_health_ref_present",
"agent_alias_mapping_policy_present",
"post_enable_readback_command_present",
"rollback_owner_present",
"maintenance_window_present",
"validation_plan_present",
"no_raw_wazuh_payload",
"active_response_gate_separate",
"runtime_gate_stays_zero_until_reviewer_acceptance"
],
"schema_version": "iwooos_wazuh_readonly_live_metadata_env_gate_v1",
"server_side_env_keys": [
"IWOOOS_WAZUH_READONLY_ENABLED",
"WAZUH_API_BASE_URL",
"WAZUH_API_USERNAME",
"WAZUH_API_PASSWORD"
],
"status": "blocked_waiting_release_readback_and_live_metadata_owner_response",
"summary": {
"blocked_action_count": 23,
"host_write_authorized_count": 0,
"live_metadata_owner_response_accepted_count": 0,
"live_metadata_owner_response_received_count": 0,
"outcome_lane_count": 10,
"post_enable_readback_passed_count": 0,
"production_route_readback_passed_count": 0,
"readonly_account_scope_accepted_count": 0,
"required_owner_field_count": 15,
"reviewer_check_count": 15,
"runtime_gate_count": 0,
"secret_source_metadata_accepted_count": 0,
"server_side_env_key_count": 4,
"wazuh_active_response_authorized_count": 0,
"wazuh_api_live_query_authorized_count": 0,
"wazuh_manager_health_ref_accepted_count": 0
}
}