# IwoooS 外部入侵主機防堵控制矩陣 | 項目 | 內容 | |------|------| | 日期 | 2026-06-18 | | 狀態 | `external_host_intrusion_prevention_control_ready_no_runtime_action` | | 工具 | `scripts/security/external-host-intrusion-prevention-control.py` | | Snapshot | `docs/security/external-host-intrusion-prevention-control.snapshot.json` | | runtime gate | `0` | ## 1. 目的 此矩陣把「全力防堵外部入侵主機」從口頭要求轉成 IwoooS 可驗收、可拒收、可排序的 P0 控制面。它把所有容易造成即時資安危害的面向放在同一張矩陣:公開入口、DNS / TLS、Nginx、SSH / sudo、端口 / 防火牆、WireGuard、NodePort、Docker / systemd、process、K8s / ArgoCD、RBAC、runner、workflow、deploy key、webhook、secret、Wazuh、套件更新、backup / restore、monitoring / alerting、跨專案 freeze 與 break-glass。 本階段不直接連主機、不 SSH、不讀 live config、不改 Nginx、不改 firewall、不啟用 Wazuh active response、不重啟服務、不更新套件、不輪替 secret、不跑 active scan。它的作用是先建立「誰能批准、要看什麼證據、什麼要拒收、什麼仍為 0」的防堵控制基線。 ## 2. 為什麼舊機制沒有擋住 1. 先前 IwoooS 的主體是只讀治理、owner gate、前台可視化與低摩擦收件,`active_runtime_gate=0`,沒有主機 containment、firewall drop、Wazuh active response 或 secret rotation 權限。 2. Wazuh 已建置只能代表偵測平台存在;若沒有 event refs、agent status refs、host forensic refs、config diff refs 與 containment decision,IwoooS 不能判斷 110 / 188 類主機事件已防堵。 3. Nginx、端口、防火牆、runner、workflow、secret、Docker / systemd、K8s / ArgoCD 與 backup / restore 原本分散在不同清冊,沒有一個「外部入侵防堵」的統一優先序。 4. route `200`、dashboard up、container up、CD success、UI 可見或外部 Agent 宣稱,過去容易被誤讀成服務恢復或風險降低,但它們都不能證明木馬清除、RCE 修補、持久化移除或 credential 未外洩。 5. 未建立維護窗口、rollback owner、validation metrics、postcheck owner 與跨專案同步前,直接封 port、reload、restart、upgrade 或 sync 會造成服務中斷與二次事故。 ## 3. 完整工作範圍 | 範圍 | 要控管的項目 | |------|--------------| | 主機 | host OS、SSH、sudo、authorized_keys、known_hosts、systemd、Docker、process、port binding、套件、kernel、Wazuh agent、backup agent、排程 | | 公開入口 | DNS、TLS、certbot、Nginx、public gateway、upstream、WebSocket、ACME challenge、public / admin / API route | | 網路 | firewall、WireGuard、NodePort、NetworkPolicy、VIP、內網 service dependency、監控接收端 | | 容器與叢集 | Docker compose、Harbor / registry、K8s manifest、ArgoCD、RBAC、Secret metadata、image pull、Pod scheduling | | 供應鏈 | Gitea workflow、runner、deploy key、webhook、repo secret name、branch protection、CODEOWNERS、artifact / image source | | 憑證與秘密 | secret value、token、cookie、private key、env dump、credential escrow、rotation decision、redaction attestation | | 偵測與回應 | Wazuh manager / indexer / dashboard / API、agent status、rule / decoder、event refs、active response dry-run、Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | | 資料與復原 | backup freshness、restore drill、offsite sync、remote delete guard、retention、rollback、cold-start / DR scorecard | | 產品面 | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock / public websites、API、admin、webhook、AI provider route | | 協作治理 | 多 Session 同步、維護窗口、break-glass、operator notification、postcheck、no-false-green、LOGBOOK / deploy marker | ## 4. 固定數字 | 指標 | 數值 | |------|------| | prevention domain | `12` | | control candidate | `14` | | C0 control candidate | `10` | | C1 control candidate | `4` | | P0 control candidate | `14` | | host alias | `4` | | sensor alias | `1` | | required owner fields | `36` | | reviewer checks | `34` | | outcome lanes | `12` | | blocked actions | `82` | | owner response received / accepted | `0 / 0` | | prevention control accepted | `0` | | Wazuh active response enabled | `0` | | host write / firewall change / Nginx reload | `0 / 0 / 0` | | package upgrade / active scan / production write | `0 / 0 / 0` | | runtime gate / action button | `0 / 0` | ## 5. P0 防堵候選優先序 | 優先 | 候選 | 狀態 | |------|------|------| | P0-1 | 公開入口 / Nginx 變更 freeze 與 source-to-live diff | `waiting_owner_prevention_packet` | | P0-2 | SSH / sudo / authorized_keys / known_hosts 存取收斂 | `waiting_owner_prevention_packet` | | P0-3 | 端口 / 防火牆 / WireGuard / NodePort baseline | `waiting_owner_prevention_packet` | | P0-4 | Docker / systemd / process / persistence baseline | `waiting_owner_prevention_packet` | | P0-5 | K8s / ArgoCD drift、RBAC 與 Secret metadata containment | `waiting_owner_prevention_packet` | | P0-6 | Runner / workflow / deploy key / secret freeze | `waiting_owner_prevention_packet` | | P0-7 | 疑似 credential exposure 的輪替決策 gate | `waiting_owner_prevention_packet` | | P0-8 | Wazuh event triage 與事件分流 gate | `waiting_owner_prevention_packet` | | P0-9 | Wazuh active response dry-run / blast radius / rollback | `waiting_owner_prevention_packet` | | P0-10 | Backup / restore / rollback 可用性防堵 gate | `waiting_owner_prevention_packet` | | P0-11 | 套件更新 / CVE 修補維護窗口候選 | `waiting_owner_prevention_packet` | | P0-12 | 公開 / 後台 / API runtime auth 與 route guard | `waiting_owner_prevention_packet` | | P0-13 | 監控 / 告警 / route 200 no-false-green gate | `waiting_owner_prevention_packet` | | P0-14 | 跨專案 freeze、break-glass 與 operator sync | `waiting_owner_prevention_packet` | ## 6. 必填 owner 欄位 每個防堵候選至少需要 owner role、owner team、decision、decision reason、affected scope aliases、exposed surface aliases、current risk、immediate harm if delayed、redacted evidence refs、Wazuh event refs、host forensic refs、config diff refs、before / after state、maintenance window、break-glass reason、rollback owner、rollback plan、validation metrics、postcheck owner、cross-project sync ref、communication channel、secret absence、raw payload absence、no internal-name publication、no-false-green、service / AI / monitoring / backup impact、recurrence guard、followup owner、expiry / review date 與 reviewer attestation。 未補齊前只能停在 `waiting_owner_prevention_packet`,不能進 runtime 防堵。 ## 7. 拒收與隔離條件 1. 收到 password、private key、runner token、webhook secret、cookie、session、env dump、secret hash 或 partial token。 2. 收到 raw Wazuh payload、raw syslog、raw journal、完整命令輸出、未脫敏截圖或可還原內部 IP / 帳號 namespace 的內容。 3. 只有外部 Agent 宣稱已清除、已封鎖、已修復、已 Zero-Trust,但沒有 Wazuh event refs 與 host forensic refs。 4. 只有 route `200`、dashboard up、agent active、container up、CD success、UI 可見或 alert quiet。 5. 缺 maintenance window、rollback owner、validation metrics、postcheck owner 或跨專案同步。 ## 8. 禁止動作 本階段明確阻擋 SSH / sudo、host live config read、Nginx test / reload / conf write、certbot renew、DNS / route / upstream / WebSocket change、iptables / firewall / WireGuard / NodePort / NetworkPolicy change、Docker / systemd / process / reboot、apt update / upgrade、Wazuh active response / agent / rule / decoder change、ArgoCD sync、kubectl、Helm、RBAC、K8s secret、workflow、runner、deploy key、webhook、repo secret、secret rotation、secret store read、raw payload storage、active scan、exploit validation、backup / restore / offsite sync、remote delete、retention change、database migration、production write、action button、runtime gate 與 force push。 ## 9. 指令 產生 committed snapshot: ```bash python3 scripts/security/external-host-intrusion-prevention-control.py \ --root . \ --output docs/security/external-host-intrusion-prevention-control.snapshot.json \ --generated-at 2026-06-18T15:30:00+08:00 ``` 驗證 guard: ```bash python3 scripts/security/iwooos-config-control-guard.py --root . python3 scripts/security/security-mirror-progress-guard.py --root . ``` ## 10. 完成度 - 外部入侵防堵控制矩陣 / repo artifact:`100%` - 前台可視化與脫敏 marker:`100%` - owner response received / accepted:`0%` - Wazuh event refs / host forensic refs accepted:`0%` - containment decision / prevention control accepted:`0%` - Wazuh active response enabled:`0%` - host write / firewall change / Nginx reload / package upgrade / active scan:`0%` - runtime gate / action button:`0%` 下一步是把 14 個 P0 防堵候選交給 owner 補脫敏證據、維護窗口、rollback owner 與 postcheck。驗收前,IwoooS 不宣告主機已乾淨、木馬已清除、RCE 已修補、外部入侵已防堵,也不自動執行任何主機或網路變更。