feat(iwooos): add wazuh controlled apply preflight
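--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,223 @@
+{
+"schema_version": "wazuh_runtime_controlled_apply_preflight_v1",
+"generated_at": "2026-06-28T10:30:00+08:00",
+"status": "controlled_apply_preflight_ready_no_runtime_action",
+"mode": "committed_preflight_readback_no_live_wazuh_no_secret_collection",
+"summary": {
+"expected_scope_alias_count": 6,
+"target_selector_count": 6,
+"source_of_truth_diff_count": 1,
+"check_mode_plan_count": 1,
+"dry_run_required_count": 1,
+"rollback_plan_count": 1,
+"post_apply_verifier_count": 1,
+"km_playbook_writeback_count": 1,
+"maintenance_window_required_count": 1,
+"owner_review_ready_count": 1,
+"controlled_apply_preflight_ready_count": 1,
+"controlled_apply_packet_received_count": 0,
+"controlled_apply_packet_accepted_count": 0,
+"controlled_apply_packet_quarantined_count": 0,
+"controlled_apply_runtime_action_rejected_count": 0,
+"forbidden_payload_count": 18,
+"forbidden_action_count": 20,
+"runtime_gate_count": 0,
+"wazuh_api_live_query_authorized_count": 0,
+"wazuh_active_response_authorized_count": 0,
+"host_write_authorized_count": 0,
+"secret_value_collection_allowed_count": 0
+},
+"target_selectors": [
+{
+"node_alias": "managed_core_node_a",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+},
+{
+"node_alias": "managed_core_node_b",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+},
+{
+"node_alias": "managed_core_node_c",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+},
+{
+"node_alias": "managed_edge_node_a",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+},
+{
+"node_alias": "managed_edge_node_b",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+},
+{
+"node_alias": "managed_lab_node_a",
+"scope": "wazuh_manager_registry_accepted_alias",
+"selector_kind": "public_alias_only",
+"runtime_write_allowed": false
+}
+],
+"required_packet_fields": [
+"controlled_apply_intent",
+"target_selector_aliases",
+"source_of_truth_diff_ref",
+"check_mode_plan_ref",
+"dry_run_evidence_ref",
+"blast_radius_statement",
+"rollback_plan_ref",
+"post_apply_verifier_ref",
+"km_playbook_writeback_ref",
+"maintenance_window",
+"followup_owner",
+"rollback_owner",
+"audit_receipt_ref",
+"runtime_boundary_ack"
+],
+"preflight_items": [
+{
+"item_id": "target_selector",
+"title": "Public alias target selector",
+"state_key": "target_selector_ready",
+"ready": true,
+"required_fields": [
+"target_selector_aliases"
+],
+"next_gate": "run check-mode against allowlisted route before any runtime action"
+},
+{
+"item_id": "source_of_truth_diff",
+"title": "Source-of-truth diff reference",
+"state_key": "source_of_truth_diff_ready",
+"ready": true,
+"required_fields": [
+"source_of_truth_diff_ref"
+],
+"next_gate": "review repo or playbook diff before controlled apply"
+},
+{
+"item_id": "check_mode_dry_run",
+"title": "Check-mode and dry-run evidence",
+"state_key": "check_mode_dry_run_ready",
+"ready": true,
+"required_fields": [
+"check_mode_plan_ref",
+"dry_run_evidence_ref"
+],
+"next_gate": "store dry-run evidence reference without raw host output"
+},
+{
+"item_id": "rollback",
+"title": "Rollback plan",
+"state_key": "rollback_ready",
+"ready": true,
+"required_fields": [
+"rollback_plan_ref",
+"rollback_owner"
+],
+"next_gate": "rollback must remain available before apply"
+},
+{
+"item_id": "post_apply_verifier",
+"title": "Post-apply verifier",
+"state_key": "post_apply_verifier_ready",
+"ready": true,
+"required_fields": [
+"post_apply_verifier_ref"
+],
+"next_gate": "verifier readback must run after any future controlled apply"
+},
+{
+"item_id": "learning_writeback",
+"title": "KM and PlayBook trust writeback",
+"state_key": "learning_writeback_ready",
+"ready": true,
+"required_fields": [
+"km_playbook_writeback_ref",
+"audit_receipt_ref"
+],
+"next_gate": "writeback receipt required after verifier"
+}
+],
+"outcome_lanes": [
+"accepted_for_controlled_apply_preflight_review_only",
+"request_controlled_apply_packet_supplement",
+"quarantine_sensitive_payload",
+"reject_runtime_action_request"
+],
+"forbidden_payloads": [
+"secret_value",
+"token_value",
+"private_key",
+"cookie",
+"session",
+"authorization_header",
+"client.keys",
+"raw_wazuh_payload",
+"raw_agent_identity",
+"raw_hostname",
+"internal_ip",
+"full_cli_output",
+"full_journal",
+"raw_dashboard_request",
+"unredacted_screenshot",
+"private_namespace",
+"raw_env_file",
+"raw_runtime_volume"
+],
+"forbidden_actions": [
+"wazuh_api_live_query",
+"wazuh_active_response",
+"wazuh_agent_restart",
+"wazuh_agent_reenroll",
+"wazuh_manager_restart",
+"host_write",
+"systemd_restart",
+"docker_restart",
+"nginx_reload",
+"firewall_change",
+"kali_active_scan",
+"credentialed_scan",
+"exploit_attempt",
+"secret_rotation",
+"k8s_apply",
+"argocd_sync",
+"database_migration",
+"force_push",
+"repo_ref_delete",
+"workflow_trigger"
+],
+"execution_boundaries": {
+"active_scan_authorized": false,
+"alertmanager_reload_authorized": false,
+"auto_block_authorized": false,
+"credentialed_scan_authorized": false,
+"firewall_change_authorized": false,
+"host_write_authorized": false,
+"kali_execute_authorized": false,
+"kali_scan_authorized": false,
+"nginx_reload_authorized": false,
+"production_write_authorized": false,
+"runtime_execution_authorized": false,
+"runtime_gate_open": false,
+"secret_value_collection_allowed": false,
+"telegram_send_authorized": false,
+"wazuh_active_response_authorized": false,
+"wazuh_api_live_query_authorized": false,
+"not_authorization": true
+},
+"no_false_green_rules": [
+"Controlled apply preflight ready does not open runtime gate.",
+"Target selectors are public aliases only and do not authorize host writes.",
+"Check-mode and dry-run references do not authorize live Wazuh queries.",
+"Rollback and verifier readiness does not authorize active response.",
+"KM and PlayBook writeback readiness does not permit secret collection."
+]
+}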
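Review bot: The summary reports `"maintenance_window_required_count": 1` and `"owner_review_ready_count": 1`, but no entry in `preflight_items` carries `maintenance_window`, `followup_owner`, `blast_radius_statement`, `controlled_apply_intent` or `runtime_boundary_ack` in its `required_fields`, even though all five appear in `required_packet_fields`. A packet that omits any of them would satisfy every preflight item's `required_fields` while still failing the top-level list, so the two views of "what is required" can drift, and a reader of `preflight_items` alone would believe the maintenance-window and owner-review gates have no inputs. If a validator cross-checks the summary counts against `preflight_items`, this mismatch may be what the failing tests job is reporting, though that cannot be confirmed from the page. Adding two preflight items that own those fields, so that the union of `required_fields` equals `required_packet_fields`, closes the gap; the `next_gate` wording below is a constructed placeholder to be aligned with the other items.
```json
{
"item_id": "maintenance_window",
"title": "Maintenance window and blast radius",
"state_key": "maintenance_window_ready",
"ready": true,
"required_fields": [
"controlled_apply_intent",
"blast_radius_statement",
"maintenance_window"
],
"next_gate": "apply only inside the recorded window; no runtime action is authorized by this item"
},
{
"item_id": "owner_review",
"title": "Owner review and runtime boundary acknowledgement",
"state_key": "owner_review_ready",
"ready": true,
"required_fields": [
"followup_owner",
"runtime_boundary_ack"
],
"next_gate": "owner sign-off recorded before any future controlled apply"
}
```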