# IwoooS P0 資安事件收斂 Gate | 項目 | 狀態 | | --- | --- | | 工具 | `scripts/security/iwooos-p0-security-incident-convergence-gate.py` | | Snapshot | `docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json` | | Schema | `iwooos_p0_security_incident_convergence_gate_v1` | | 狀態 | `p0_security_incident_convergence_blocked_waiting_owner_evidence` | | Runtime gate | `0` | | Action button | `0` | ## 目的 這個 Gate 把目前最容易造成即時資安或服務風險的紅點收成同一張只讀總覽: 1. Wazuh API 與 manager registry 真相。 2. 主機入侵鑑識與 containment 決策。 3. Public Gateway / Nginx 變更收斂。 4. SSH / firewall / port / network policy baseline。 5. Docker / systemd / process / port binding。 6. 監控告警可讀性、收件與 no-false-green。 7. SOC / Kali / Wazuh 事件 case 化。 8. 跨專案 freeze、runtime 邊界與防衝突。 它只讀取既有 snapshot,不連線 Wazuh、不 SSH、不讀 live config、不做 scan、不 reload、不封鎖端口、不重啟服務、不送通知、不建立 SOAR case、不收 secret。 ## 目前讀回 | 指標 | 讀回 | | --- | ---: | | source snapshot | `12` | | P0 lane | `8` | | blocked lane | `8` | | source-side rollup ready | `100%` | | owner response received / accepted | `0 / 0` | | redacted evidence received / accepted | `0 / 0` | | Wazuh dashboard API connection ok | `0` | | Wazuh dashboard API version ok | `0` | | Wazuh manager registry accepted | `0` | | Wazuh event ref received | `0` | | host forensics ref received | `0` | | Public Gateway live conf / rendered diff / nginx test / route smoke | `0 / 0 / 0 / 0` | | monitoring post-incident readback received | `0` | | incident case accepted | `0` | | runtime gate / action button | `0 / 0` | ## 不可誤判 - Wazuh Dashboard index pattern 綠燈只能當局部訊號;API connection、API version 與 manager registry 仍是硬 Gate。 - route 200、Dashboard 可見、agent active、CD success、UI 可見或外部 Agent 宣稱,都不能單獨當資安完成。 - Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊。 - 不得貼 raw log、raw Wazuh payload、工作視窗對話、內網 IP、個人 namespace、secret、token、private key 或未脫敏截圖。 ## 下一步優先序 | 優先 | 工作 | 驗收前維持 | | --- | --- | --- | | P0-1 | Wazuh Dashboard API 修復 postcheck 與 manager registry owner evidence | `manager_registry_accepted_count=0` | | P0-2 | Wazuh event、host forensic、containment decision 與 recovery proof refs | `wazuh_event_ref_received_count=0` | | P0-3 | Nginx owner live conf、rendered diff、nginx test readback、route smoke 與 rollback refs | `nginx_reload_authorized_count=0` | | P0-4 | SSH / firewall / port before-after state、actor、impact 與 rollback refs | `firewall_change_authorized_count=0` | | P0-5 | Docker / systemd / process / port binding 與 dependency postcheck refs | `host_write_authorized_count=0` | | P0-6 | 告警訊息合約、receipt、dedupe、noise budget 與 post-change monitoring refs | `alert_route_accepted_count=0` | | P0-7 | SOC case id、severity / confidence、Kali scope envelope 與 chain of custody refs | `incident_case_accepted_count=0` | | P0-8 | 跨專案同步、維護窗口或 break-glass、rollback owner 與 runtime authorization refs | `runtime_gate_count=0` | ## 驗證指令 ```bash python3 scripts/security/iwooos-p0-security-incident-convergence-gate.py --root . python3 scripts/security/security-mirror-progress-guard.py --root . python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root . ``` ## 邊界 這個 Gate 不是批准、不是修復完成、不是 active response、不是 Kali active scan、不是 Nginx reload、不是 firewall change、不是 host write、不是 secret rotation,也不是 production write。所有 runtime 動作仍需獨立 owner、維護窗口、rollback、postcheck 與人工批准。