9.1 KiB
IwoooS 外部入侵主機防堵控制矩陣
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-18 |
| 狀態 | external_host_intrusion_prevention_control_ready_no_runtime_action |
| 工具 | scripts/security/external-host-intrusion-prevention-control.py |
| Snapshot | docs/security/external-host-intrusion-prevention-control.snapshot.json |
| runtime gate | 0 |
1. 目的
此矩陣把「全力防堵外部入侵主機」從口頭要求轉成 IwoooS 可驗收、可拒收、可排序的 P0 控制面。它把所有容易造成即時資安危害的面向放在同一張矩陣:公開入口、DNS / TLS、Nginx、SSH / sudo、端口 / 防火牆、WireGuard、NodePort、Docker / systemd、process、K8s / ArgoCD、RBAC、runner、workflow、deploy key、webhook、secret、Wazuh、套件更新、backup / restore、monitoring / alerting、跨專案 freeze 與 break-glass。
本階段不直接連主機、不 SSH、不讀 live config、不改 Nginx、不改 firewall、不啟用 Wazuh active response、不重啟服務、不更新套件、不輪替 secret、不跑 active scan。它的作用是先建立「誰能批准、要看什麼證據、什麼要拒收、什麼仍為 0」的防堵控制基線。
2. 為什麼舊機制沒有擋住
- 先前 IwoooS 的主體是只讀治理、owner gate、前台可視化與低摩擦收件,
active_runtime_gate=0,沒有主機 containment、firewall drop、Wazuh active response 或 secret rotation 權限。 - Wazuh 已建置只能代表偵測平台存在;若沒有 event refs、agent status refs、host forensic refs、config diff refs 與 containment decision,IwoooS 不能判斷 110 / 188 類主機事件已防堵。
- Nginx、端口、防火牆、runner、workflow、secret、Docker / systemd、K8s / ArgoCD 與 backup / restore 原本分散在不同清冊,沒有一個「外部入侵防堵」的統一優先序。
- route
200、dashboard up、container up、CD success、UI 可見或外部 Agent 宣稱,過去容易被誤讀成服務恢復或風險降低,但它們都不能證明木馬清除、RCE 修補、持久化移除或 credential 未外洩。 - 未建立維護窗口、rollback owner、validation metrics、postcheck owner 與跨專案同步前,直接封 port、reload、restart、upgrade 或 sync 會造成服務中斷與二次事故。
3. 完整工作範圍
| 範圍 | 要控管的項目 |
|---|---|
| 主機 | host OS、SSH、sudo、authorized_keys、known_hosts、systemd、Docker、process、port binding、套件、kernel、Wazuh agent、backup agent、排程 |
| 公開入口 | DNS、TLS、certbot、Nginx、public gateway、upstream、WebSocket、ACME challenge、public / admin / API route |
| 網路 | firewall、WireGuard、NodePort、NetworkPolicy、VIP、內網 service dependency、監控接收端 |
| 容器與叢集 | Docker compose、Harbor / registry、K8s manifest、ArgoCD、RBAC、Secret metadata、image pull、Pod scheduling |
| 供應鏈 | Gitea workflow、runner、deploy key、webhook、repo secret name、branch protection、CODEOWNERS、artifact / image source |
| 憑證與秘密 | secret value、token、cookie、private key、env dump、credential escrow、rotation decision、redaction attestation |
| 偵測與回應 | Wazuh manager / indexer / dashboard / API、agent status、rule / decoder、event refs、active response dry-run、Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse |
| 資料與復原 | backup freshness、restore drill、offsite sync、remote delete guard、retention、rollback、cold-start / DR scorecard |
| 產品面 | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock / public websites、API、admin、webhook、AI provider route |
| 協作治理 | 多 Session 同步、維護窗口、break-glass、operator notification、postcheck、no-false-green、LOGBOOK / deploy marker |
4. 固定數字
| 指標 | 數值 |
|---|---|
| prevention domain | 12 |
| control candidate | 14 |
| C0 control candidate | 10 |
| C1 control candidate | 4 |
| P0 control candidate | 14 |
| host alias | 4 |
| sensor alias | 1 |
| required owner fields | 36 |
| reviewer checks | 34 |
| outcome lanes | 12 |
| blocked actions | 82 |
| owner response received / accepted | 0 / 0 |
| prevention control accepted | 0 |
| Wazuh active response enabled | 0 |
| host write / firewall change / Nginx reload | 0 / 0 / 0 |
| package upgrade / active scan / production write | 0 / 0 / 0 |
| runtime gate / action button | 0 / 0 |
5. P0 防堵候選優先序
| 優先 | 候選 | 狀態 |
|---|---|---|
| P0-1 | 公開入口 / Nginx 變更 freeze 與 source-to-live diff | waiting_owner_prevention_packet |
| P0-2 | SSH / sudo / authorized_keys / known_hosts 存取收斂 | waiting_owner_prevention_packet |
| P0-3 | 端口 / 防火牆 / WireGuard / NodePort baseline | waiting_owner_prevention_packet |
| P0-4 | Docker / systemd / process / persistence baseline | waiting_owner_prevention_packet |
| P0-5 | K8s / ArgoCD drift、RBAC 與 Secret metadata containment | waiting_owner_prevention_packet |
| P0-6 | Runner / workflow / deploy key / secret freeze | waiting_owner_prevention_packet |
| P0-7 | 疑似 credential exposure 的輪替決策 gate | waiting_owner_prevention_packet |
| P0-8 | Wazuh event triage 與事件分流 gate | waiting_owner_prevention_packet |
| P0-9 | Wazuh active response dry-run / blast radius / rollback | waiting_owner_prevention_packet |
| P0-10 | Backup / restore / rollback 可用性防堵 gate | waiting_owner_prevention_packet |
| P0-11 | 套件更新 / CVE 修補維護窗口候選 | waiting_owner_prevention_packet |
| P0-12 | 公開 / 後台 / API runtime auth 與 route guard | waiting_owner_prevention_packet |
| P0-13 | 監控 / 告警 / route 200 no-false-green gate | waiting_owner_prevention_packet |
| P0-14 | 跨專案 freeze、break-glass 與 operator sync | waiting_owner_prevention_packet |
6. 必填 owner 欄位
每個防堵候選至少需要 owner role、owner team、decision、decision reason、affected scope aliases、exposed surface aliases、current risk、immediate harm if delayed、redacted evidence refs、Wazuh event refs、host forensic refs、config diff refs、before / after state、maintenance window、break-glass reason、rollback owner、rollback plan、validation metrics、postcheck owner、cross-project sync ref、communication channel、secret absence、raw payload absence、no internal-name publication、no-false-green、service / AI / monitoring / backup impact、recurrence guard、followup owner、expiry / review date 與 reviewer attestation。
未補齊前只能停在 waiting_owner_prevention_packet,不能進 runtime 防堵。
7. 拒收與隔離條件
- 收到 password、private key、runner token、webhook secret、cookie、session、env dump、secret hash 或 partial token。
- 收到 raw Wazuh payload、raw syslog、raw journal、完整命令輸出、未脫敏截圖或可還原內部 IP / 帳號 namespace 的內容。
- 只有外部 Agent 宣稱已清除、已封鎖、已修復、已 Zero-Trust,但沒有 Wazuh event refs 與 host forensic refs。
- 只有 route
200、dashboard up、agent active、container up、CD success、UI 可見或 alert quiet。 - 缺 maintenance window、rollback owner、validation metrics、postcheck owner 或跨專案同步。
8. 禁止動作
本階段明確阻擋 SSH / sudo、host live config read、Nginx test / reload / conf write、certbot renew、DNS / route / upstream / WebSocket change、iptables / firewall / WireGuard / NodePort / NetworkPolicy change、Docker / systemd / process / reboot、apt update / upgrade、Wazuh active response / agent / rule / decoder change、ArgoCD sync、kubectl、Helm、RBAC、K8s secret、workflow、runner、deploy key、webhook、repo secret、secret rotation、secret store read、raw payload storage、active scan、exploit validation、backup / restore / offsite sync、remote delete、retention change、database migration、production write、action button、runtime gate 與 force push。
9. 指令
產生 committed snapshot:
python3 scripts/security/external-host-intrusion-prevention-control.py \
--root . \
--output docs/security/external-host-intrusion-prevention-control.snapshot.json \
--generated-at 2026-06-18T15:30:00+08:00
驗證 guard:
python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
10. 完成度
- 外部入侵防堵控制矩陣 / repo artifact:
100% - 前台可視化與脫敏 marker:
100% - owner response received / accepted:
0% - Wazuh event refs / host forensic refs accepted:
0% - containment decision / prevention control accepted:
0% - Wazuh active response enabled:
0% - host write / firewall change / Nginx reload / package upgrade / active scan:
0% - runtime gate / action button:
0%
下一步是把 14 個 P0 防堵候選交給 owner 補脫敏證據、維護窗口、rollback owner 與 postcheck。驗收前,IwoooS 不宣告主機已乾淨、木馬已清除、RCE 已修補、外部入侵已防堵,也不自動執行任何主機或網路變更。