Files
awoooi/docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json

448 lines
16 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"blocked_runtime_actions": [
"wazuh_api_live_query",
"wazuh_active_response",
"kali_active_scan",
"kali_execute",
"ssh_read",
"ssh_write",
"host_write",
"firewall_change",
"port_close",
"port_open",
"nginx_test",
"nginx_reload",
"docker_restart",
"systemctl_restart",
"argocd_sync",
"workflow_modification",
"repo_secret_change",
"secret_rotation",
"telegram_send",
"soar_case_create",
"auto_block",
"production_write",
"force_push"
],
"execution_boundaries": {
"action_buttons_allowed": false,
"argocd_sync_authorized": false,
"auto_block_authorized": false,
"docker_restart_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"kali_execute_authorized": false,
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"not_authorization": true,
"production_write_authorized": false,
"repo_secret_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"soar_case_create_authorized": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"systemctl_restart_authorized": false,
"telegram_send_authorized": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-25T19:23:16+08:00",
"git_commit": "e1113044",
"mode": "snapshot_rollup_only_no_runtime_no_secret_collection",
"operator_interpretation": [
"這張 Gate 是 P0 事件彙總,不是 runtime 修復授權。",
"Wazuh Dashboard index pattern 綠燈只能當局部訊號API connection、API version 與 manager registry 仍是硬 Gate。",
"Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊,不能貼 raw log 或工作視窗內容。",
"所有 containment、active response、scan、reload、restart、secret rotation 與 production write 仍需獨立人工批准。"
],
"p0_lanes": [
{
"action_buttons_allowed": false,
"label": "Wazuh API 與 manager registry 真相",
"lane_id": "wazuh_dashboard_api_registry",
"next_gate": "dashboard_api_repair_postcheck_and_manager_registry_owner_evidence",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "dashboard_api_connection_ok_ref"
},
{
"accepted": false,
"evidence_id": "dashboard_api_version_ok_ref"
},
{
"accepted": false,
"evidence_id": "manager_registry_agent_counts_ref"
},
{
"accepted": false,
"evidence_id": "per_host_agent_scope_matrix_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json",
"docs/security/wazuh-managed-host-coverage-gate.snapshot.json"
],
"source_statuses": {
"wazuh_coverage": "blocked_waiting_full_host_registry_readback",
"wazuh_runtime": "blocked_waiting_manager_agent_registry_readback"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "主機入侵鑑識與 containment 決策",
"lane_id": "host_intrusion_forensics",
"next_gate": "wazuh_event_host_forensic_containment_owner_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "wazuh_event_refs"
},
{
"accepted": false,
"evidence_id": "host_auth_process_network_fim_refs"
},
{
"accepted": false,
"evidence_id": "containment_decision_ref"
},
{
"accepted": false,
"evidence_id": "recovery_proof_and_postcheck_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
],
"source_statuses": {
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
"wazuh_intrusion": "wazuh_intrusion_readback_plan_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "Public Gateway / Nginx 變更收斂",
"lane_id": "public_gateway_nginx",
"next_gate": "owner_live_conf_rendered_diff_nginx_test_route_smoke_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "owner_provided_redacted_live_conf_ref"
},
{
"accepted": false,
"evidence_id": "source_to_live_rendered_diff_ref"
},
{
"accepted": false,
"evidence_id": "nginx_test_readback_ref"
},
{
"accepted": false,
"evidence_id": "route_smoke_and_rollback_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/public-gateway-preflight-inventory.snapshot.json",
"docs/security/public-gateway-post-incident-readback-plan.snapshot.json",
"docs/security/high-value-config-control-coverage.snapshot.json"
],
"source_statuses": {
"high_value_config": "coverage_matrix_ready",
"public_gateway": "repo_only_preflight_contract_ready",
"public_gateway_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "SSH / firewall / port / network policy baseline",
"lane_id": "ssh_firewall_ports",
"next_gate": "before_after_state_actor_impact_rollback_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "before_state_ref"
},
{
"accepted": false,
"evidence_id": "after_state_ref"
},
{
"accepted": false,
"evidence_id": "actor_attribution_ref"
},
{
"accepted": false,
"evidence_id": "service_health_impact_and_rollback_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/ssh-network-post-incident-readback-plan.snapshot.json",
"docs/security/port-firewall-change-evidence-acceptance.snapshot.json",
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
],
"source_statuses": {
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
"port_firewall": "change_evidence_acceptance_ready_no_runtime_action",
"ssh_network_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "Docker / systemd / process / port binding",
"lane_id": "host_runtime_services",
"next_gate": "host_runtime_forensic_service_recovery_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "docker_daemon_state_ref"
},
{
"accepted": false,
"evidence_id": "systemd_unit_state_ref"
},
{
"accepted": false,
"evidence_id": "process_port_binding_ref"
},
{
"accepted": false,
"evidence_id": "dependency_and_postcheck_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/host-service-post-incident-readback-plan.snapshot.json",
"docs/security/external-host-intrusion-prevention-control.snapshot.json"
],
"source_statuses": {
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
"host_service_post_incident": "post_incident_readback_plan_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "監控告警可讀性、收件與 no-false-green",
"lane_id": "monitoring_alert_receipt",
"next_gate": "alert_receipt_noise_budget_readable_message_contract",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "alert_route_receipt_ref"
},
{
"accepted": false,
"evidence_id": "message_contract_readability_ref"
},
{
"accepted": false,
"evidence_id": "dedupe_noise_budget_ref"
},
{
"accepted": false,
"evidence_id": "post_change_monitoring_window_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/monitoring-post-incident-readback-plan.snapshot.json",
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
],
"source_statuses": {
"monitoring_post_incident": "post_incident_readback_plan_ready_no_runtime_action",
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "SOC / Kali / Wazuh 事件 case 化",
"lane_id": "soc_kali_wazuh_case",
"next_gate": "incident_case_owner_severity_confidence_chain_of_custody_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "incident_case_ref"
},
{
"accepted": false,
"evidence_id": "severity_confidence_mapping_ref"
},
{
"accepted": false,
"evidence_id": "kali_scope_and_finding_envelope_ref"
},
{
"accepted": false,
"evidence_id": "chain_of_custody_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json",
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json"
],
"source_statuses": {
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
"wazuh_intrusion": "wazuh_intrusion_readback_plan_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
},
{
"action_buttons_allowed": false,
"label": "跨專案 freeze、runtime 邊界與防衝突",
"lane_id": "cross_project_freeze_runtime_boundary",
"next_gate": "cross_project_sync_runtime_authorization_owner_packet",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"priority": "P0",
"redacted_evidence_accepted": false,
"redacted_evidence_received": false,
"required_evidence": [
{
"accepted": false,
"evidence_id": "cross_project_sync_ref"
},
{
"accepted": false,
"evidence_id": "maintenance_window_or_break_glass_ref"
},
{
"accepted": false,
"evidence_id": "rollback_owner_ref"
},
{
"accepted": false,
"evidence_id": "runtime_authorization_ref"
}
],
"runtime_authorized": false,
"source_snapshot_refs": [
"docs/security/external-host-intrusion-prevention-control.snapshot.json",
"docs/security/high-value-config-control-coverage.snapshot.json",
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
],
"source_statuses": {
"external_host": "external_host_intrusion_prevention_control_ready_no_runtime_action",
"high_value_config": "coverage_matrix_ready",
"soc_integration": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action"
},
"status": "blocked_waiting_owner_evidence"
}
],
"schema_version": "iwooos_p0_security_incident_convergence_gate_v1",
"source_snapshot_refs": {
"external_host": "docs/security/external-host-intrusion-prevention-control.snapshot.json",
"high_value_config": "docs/security/high-value-config-control-coverage.snapshot.json",
"host_service_post_incident": "docs/security/host-service-post-incident-readback-plan.snapshot.json",
"monitoring_post_incident": "docs/security/monitoring-post-incident-readback-plan.snapshot.json",
"port_firewall": "docs/security/port-firewall-change-evidence-acceptance.snapshot.json",
"public_gateway": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"public_gateway_post_incident": "docs/security/public-gateway-post-incident-readback-plan.snapshot.json",
"soc_integration": "docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json",
"ssh_network_post_incident": "docs/security/ssh-network-post-incident-readback-plan.snapshot.json",
"wazuh_coverage": "docs/security/wazuh-managed-host-coverage-gate.snapshot.json",
"wazuh_intrusion": "docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
"wazuh_runtime": "docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json"
},
"status": "p0_security_incident_convergence_blocked_waiting_owner_evidence",
"summary": {
"action_button_count": 0,
"alert_route_accepted_count": 0,
"blocked_lane_count": 8,
"containment_decision_accepted_count": 0,
"dashboard_api_connection_ok_count": 0,
"dashboard_api_version_ok_count": 0,
"dashboard_index_pattern_ok_count": 3,
"direct_agent_active_observed_count": 2,
"expected_host_scope_count": 6,
"external_host_coverage_percent": 74,
"external_host_prevention_candidate_count": 14,
"firewall_change_authorized_count": 0,
"gateway_post_incident_readback_received_count": 0,
"high_value_config_average_coverage_percent": 73,
"high_value_config_category_count": 14,
"host_forensics_ref_received_count": 0,
"host_service_post_incident_readback_received_count": 0,
"host_write_authorized_count": 0,
"incident_case_accepted_count": 0,
"kali_active_scan_authorized_count": 0,
"manager_registry_accepted_count": 0,
"monitoring_post_incident_readback_received_count": 0,
"nginx_reload_authorized_count": 0,
"nginx_test_evidence_count": 0,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"p0_lane_count": 8,
"port_firewall_change_evidence_received_count": 0,
"public_gateway_live_conf_received_count": 0,
"public_gateway_rendered_diff_ready_count": 0,
"recovery_proof_accepted_count": 0,
"redacted_evidence_accepted_count": 0,
"redacted_evidence_received_count": 0,
"route_smoke_evidence_count": 0,
"runtime_gate_count": 0,
"source_side_rollup_ready_percent": 100,
"source_snapshot_count": 12,
"ssh_network_post_incident_readback_received_count": 0,
"wazuh_active_response_authorized_count": 0,
"wazuh_event_ref_received_count": 0
}
}