448 lines
16 KiB
JSON
448 lines
16 KiB
JSON
{
|
||
"blocked_runtime_actions": [
|
||
"wazuh_api_live_query",
|
||
"wazuh_active_response",
|
||
"kali_active_scan",
|
||
"kali_execute",
|
||
"ssh_read",
|
||
"ssh_write",
|
||
"host_write",
|
||
"firewall_change",
|
||
"port_close",
|
||
"port_open",
|
||
"nginx_test",
|
||
"nginx_reload",
|
||
"docker_restart",
|
||
"systemctl_restart",
|
||
"argocd_sync",
|
||
"workflow_modification",
|
||
"repo_secret_change",
|
||
"secret_rotation",
|
||
"telegram_send",
|
||
"soar_case_create",
|
||
"auto_block",
|
||
"production_write",
|
||
"force_push"
|
||
],
|
||
"execution_boundaries": {
|
||
"action_buttons_allowed": false,
|
||
"argocd_sync_authorized": false,
|
||
"auto_block_authorized": false,
|
||
"docker_restart_authorized": false,
|
||
"firewall_change_authorized": false,
|
||
"host_write_authorized": false,
|
||
"kali_active_scan_authorized": false,
|
||
"kali_execute_authorized": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_test_authorized": false,
|
||
"not_authorization": true,
|
||
"production_write_authorized": false,
|
||
"repo_secret_change_authorized": false,
|
||
"runtime_execution_authorized": false,
|
||
"secret_value_collection_allowed": false,
|
||
"soar_case_create_authorized": false,
|
||
"ssh_read_authorized": false,
|
||
"ssh_write_authorized": false,
|
||
"systemctl_restart_authorized": false,
|
||
"telegram_send_authorized": false,
|
||
"wazuh_active_response_authorized": false,
|
||
"wazuh_api_live_query_authorized": false,
|
||
"workflow_modification_authorized": false
|
||
},
|
||
"generated_at": "2026-06-25T19:23:16+08:00",
|
||
"git_commit": "e1113044",
|
||
"mode": "snapshot_rollup_only_no_runtime_no_secret_collection",
|
||
"operator_interpretation": [
|
||
"這張 Gate 是 P0 事件彙總,不是 runtime 修復授權。",
|
||
"Wazuh Dashboard index pattern 綠燈只能當局部訊號;API connection、API version 與 manager registry 仍是硬 Gate。",
|
||
"Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊,不能貼 raw log 或工作視窗內容。",
|
||
"所有 containment、active response、scan、reload、restart、secret rotation 與 production write 仍需獨立人工批准。"
|
||
],
|
||
"p0_lanes": [
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "Wazuh API 與 manager registry 真相",
|
||
"lane_id": "wazuh_dashboard_api_registry",
|
||
"next_gate": "dashboard_api_repair_postcheck_and_manager_registry_owner_evidence",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "dashboard_api_connection_ok_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "dashboard_api_version_ok_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "manager_registry_agent_counts_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "per_host_agent_scope_matrix_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json",
|
||
"docs/security/wazuh-managed-host-coverage-gate.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"wazuh_coverage": "blocked_waiting_full_host_registry_readback",
|
||
"wazuh_runtime": "blocked_waiting_manager_agent_registry_readback"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "主機入侵鑑識與 containment 決策",
|
||
"lane_id": "host_intrusion_forensics",
|
||
"next_gate": "wazuh_event_host_forensic_containment_owner_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "wazuh_event_refs"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "host_auth_process_network_fim_refs"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "containment_decision_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "recovery_proof_and_postcheck_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
|
||
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
|
||
"wazuh_intrusion": "wazuh_intrusion_readback_plan_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "Public Gateway / Nginx 變更收斂",
|
||
"lane_id": "public_gateway_nginx",
|
||
"next_gate": "owner_live_conf_rendered_diff_nginx_test_route_smoke_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "owner_provided_redacted_live_conf_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "source_to_live_rendered_diff_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "nginx_test_readback_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "route_smoke_and_rollback_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||
"docs/security/public-gateway-post-incident-readback-plan.snapshot.json",
|
||
"docs/security/high-value-config-control-coverage.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"high_value_config": "coverage_matrix_ready",
|
||
"public_gateway": "repo_only_preflight_contract_ready",
|
||
"public_gateway_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "SSH / firewall / port / network policy baseline",
|
||
"lane_id": "ssh_firewall_ports",
|
||
"next_gate": "before_after_state_actor_impact_rollback_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "before_state_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "after_state_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "actor_attribution_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "service_health_impact_and_rollback_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/ssh-network-post-incident-readback-plan.snapshot.json",
|
||
"docs/security/port-firewall-change-evidence-acceptance.snapshot.json",
|
||
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
|
||
"port_firewall": "change_evidence_acceptance_ready_no_runtime_action",
|
||
"ssh_network_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "Docker / systemd / process / port binding",
|
||
"lane_id": "host_runtime_services",
|
||
"next_gate": "host_runtime_forensic_service_recovery_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "docker_daemon_state_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "systemd_unit_state_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "process_port_binding_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "dependency_and_postcheck_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/host-service-post-incident-readback-plan.snapshot.json",
|
||
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
|
||
"host_service_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "監控告警可讀性、收件與 no-false-green",
|
||
"lane_id": "monitoring_alert_receipt",
|
||
"next_gate": "alert_receipt_noise_budget_readable_message_contract",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "alert_route_receipt_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "message_contract_readability_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "dedupe_noise_budget_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "post_change_monitoring_window_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/monitoring-post-incident-readback-plan.snapshot.json",
|
||
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"monitoring_post_incident": "post_incident_readback_plan_ready_no_runtime_action",
|
||
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "SOC / Kali / Wazuh 事件 case 化",
|
||
"lane_id": "soc_kali_wazuh_case",
|
||
"next_gate": "incident_case_owner_severity_confidence_chain_of_custody_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "incident_case_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "severity_confidence_mapping_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "kali_scope_and_finding_envelope_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "chain_of_custody_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json",
|
||
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
|
||
"wazuh_intrusion": "wazuh_intrusion_readback_plan_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
},
|
||
{
|
||
"action_buttons_allowed": false,
|
||
"label": "跨專案 freeze、runtime 邊界與防衝突",
|
||
"lane_id": "cross_project_freeze_runtime_boundary",
|
||
"next_gate": "cross_project_sync_runtime_authorization_owner_packet",
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"owner_response_received": false,
|
||
"priority": "P0",
|
||
"redacted_evidence_accepted": false,
|
||
"redacted_evidence_received": false,
|
||
"required_evidence": [
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "cross_project_sync_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "maintenance_window_or_break_glass_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "rollback_owner_ref"
|
||
},
|
||
{
|
||
"accepted": false,
|
||
"evidence_id": "runtime_authorization_ref"
|
||
}
|
||
],
|
||
"runtime_authorized": false,
|
||
"source_snapshot_refs": [
|
||
"docs/security/external-host-intrusion-prevention-control.snapshot.json",
|
||
"docs/security/high-value-config-control-coverage.snapshot.json",
|
||
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
|
||
],
|
||
"source_statuses": {
|
||
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
|
||
"high_value_config": "coverage_matrix_ready",
|
||
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action"
|
||
},
|
||
"status": "blocked_waiting_owner_evidence"
|
||
}
|
||
],
|
||
"schema_version": "iwooos_p0_security_incident_convergence_gate_v1",
|
||
"source_snapshot_refs": {
|
||
"external_host": "docs/security/external-host-intrusion-prevention-control.snapshot.json",
|
||
"high_value_config": "docs/security/high-value-config-control-coverage.snapshot.json",
|
||
"host_service_post_incident": "docs/security/host-service-post-incident-readback-plan.snapshot.json",
|
||
"monitoring_post_incident": "docs/security/monitoring-post-incident-readback-plan.snapshot.json",
|
||
"port_firewall": "docs/security/port-firewall-change-evidence-acceptance.snapshot.json",
|
||
"public_gateway": "docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||
"public_gateway_post_incident": "docs/security/public-gateway-post-incident-readback-plan.snapshot.json",
|
||
"soc_integration": "docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json",
|
||
"ssh_network_post_incident": "docs/security/ssh-network-post-incident-readback-plan.snapshot.json",
|
||
"wazuh_coverage": "docs/security/wazuh-managed-host-coverage-gate.snapshot.json",
|
||
"wazuh_intrusion": "docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
|
||
"wazuh_runtime": "docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json"
|
||
},
|
||
"status": "p0_security_incident_convergence_blocked_waiting_owner_evidence",
|
||
"summary": {
|
||
"action_button_count": 0,
|
||
"alert_route_accepted_count": 0,
|
||
"blocked_lane_count": 8,
|
||
"containment_decision_accepted_count": 0,
|
||
"dashboard_api_connection_ok_count": 0,
|
||
"dashboard_api_version_ok_count": 0,
|
||
"dashboard_index_pattern_ok_count": 3,
|
||
"direct_agent_active_observed_count": 2,
|
||
"expected_host_scope_count": 6,
|
||
"external_host_coverage_percent": 74,
|
||
"external_host_prevention_candidate_count": 14,
|
||
"firewall_change_authorized_count": 0,
|
||
"gateway_post_incident_readback_received_count": 0,
|
||
"high_value_config_average_coverage_percent": 73,
|
||
"high_value_config_category_count": 14,
|
||
"host_forensics_ref_received_count": 0,
|
||
"host_service_post_incident_readback_received_count": 0,
|
||
"host_write_authorized_count": 0,
|
||
"incident_case_accepted_count": 0,
|
||
"kali_active_scan_authorized_count": 0,
|
||
"manager_registry_accepted_count": 0,
|
||
"monitoring_post_incident_readback_received_count": 0,
|
||
"nginx_reload_authorized_count": 0,
|
||
"nginx_test_evidence_count": 0,
|
||
"owner_response_accepted_count": 0,
|
||
"owner_response_received_count": 0,
|
||
"p0_lane_count": 8,
|
||
"port_firewall_change_evidence_received_count": 0,
|
||
"public_gateway_live_conf_received_count": 0,
|
||
"public_gateway_rendered_diff_ready_count": 0,
|
||
"recovery_proof_accepted_count": 0,
|
||
"redacted_evidence_accepted_count": 0,
|
||
"redacted_evidence_received_count": 0,
|
||
"route_smoke_evidence_count": 0,
|
||
"runtime_gate_count": 0,
|
||
"source_side_rollup_ready_percent": 100,
|
||
"source_snapshot_count": 12,
|
||
"ssh_network_post_incident_readback_received_count": 0,
|
||
"wazuh_active_response_authorized_count": 0,
|
||
"wazuh_event_ref_received_count": 0
|
||
}
|
||
}
|