Files
awoooi/docs/security/IWOOOS-P0-SECURITY-INCIDENT-CONVERGENCE-GATE.md

3.9 KiB
Raw Blame History

IwoooS P0 資安事件收斂 Gate

項目 狀態
工具 scripts/security/iwooos-p0-security-incident-convergence-gate.py
Snapshot docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json
Schema iwooos_p0_security_incident_convergence_gate_v1
狀態 p0_security_incident_convergence_blocked_waiting_owner_evidence
Runtime gate 0
Action button 0

目的

這個 Gate 把目前最容易造成即時資安或服務風險的紅點收成同一張只讀總覽:

  1. Wazuh API 與 manager registry 真相。
  2. 主機入侵鑑識與 containment 決策。
  3. Public Gateway / Nginx 變更收斂。
  4. SSH / firewall / port / network policy baseline。
  5. Docker / systemd / process / port binding。
  6. 監控告警可讀性、收件與 no-false-green。
  7. SOC / Kali / Wazuh 事件 case 化。
  8. 跨專案 freeze、runtime 邊界與防衝突。

它只讀取既有 snapshot不連線 Wazuh、不 SSH、不讀 live config、不做 scan、不 reload、不封鎖端口、不重啟服務、不送通知、不建立 SOAR case、不收 secret。

目前讀回

指標 讀回
source snapshot 12
P0 lane 8
blocked lane 8
source-side rollup ready 100%
owner response received / accepted 0 / 0
redacted evidence received / accepted 0 / 0
Wazuh dashboard API connection ok 0
Wazuh dashboard API version ok 0
Wazuh manager registry accepted 0
Wazuh event ref received 0
host forensics ref received 0
Public Gateway live conf / rendered diff / nginx test / route smoke 0 / 0 / 0 / 0
monitoring post-incident readback received 0
incident case accepted 0
runtime gate / action button 0 / 0

不可誤判

  • Wazuh Dashboard index pattern 綠燈只能當局部訊號API connection、API version 與 manager registry 仍是硬 Gate。
  • route 200、Dashboard 可見、agent active、CD success、UI 可見或外部 Agent 宣稱,都不能單獨當資安完成。
  • Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊。
  • 不得貼 raw log、raw Wazuh payload、工作視窗對話、內網 IP、個人 namespace、secret、token、private key 或未脫敏截圖。

下一步優先序

優先 工作 驗收前維持
P0-1 Wazuh Dashboard API 修復 postcheck 與 manager registry owner evidence manager_registry_accepted_count=0
P0-2 Wazuh event、host forensic、containment decision 與 recovery proof refs wazuh_event_ref_received_count=0
P0-3 Nginx owner live conf、rendered diff、nginx test readback、route smoke 與 rollback refs nginx_reload_authorized_count=0
P0-4 SSH / firewall / port before-after state、actor、impact 與 rollback refs firewall_change_authorized_count=0
P0-5 Docker / systemd / process / port binding 與 dependency postcheck refs host_write_authorized_count=0
P0-6 告警訊息合約、receipt、dedupe、noise budget 與 post-change monitoring refs alert_route_accepted_count=0
P0-7 SOC case id、severity / confidence、Kali scope envelope 與 chain of custody refs incident_case_accepted_count=0
P0-8 跨專案同步、維護窗口或 break-glass、rollback owner 與 runtime authorization refs runtime_gate_count=0

驗證指令

python3 scripts/security/iwooos-p0-security-incident-convergence-gate.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root .

邊界

這個 Gate 不是批准、不是修復完成、不是 active response、不是 Kali active scan、不是 Nginx reload、不是 firewall change、不是 host write、不是 secret rotation也不是 production write。所有 runtime 動作仍需獨立 owner、維護窗口、rollback、postcheck 與人工批准。