3.9 KiB
3.9 KiB
IwoooS P0 資安事件收斂 Gate
| 項目 | 狀態 |
|---|---|
| 工具 | scripts/security/iwooos-p0-security-incident-convergence-gate.py |
| Snapshot | docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json |
| Schema | iwooos_p0_security_incident_convergence_gate_v1 |
| 狀態 | p0_security_incident_convergence_blocked_waiting_owner_evidence |
| Runtime gate | 0 |
| Action button | 0 |
目的
這個 Gate 把目前最容易造成即時資安或服務風險的紅點收成同一張只讀總覽:
- Wazuh API 與 manager registry 真相。
- 主機入侵鑑識與 containment 決策。
- Public Gateway / Nginx 變更收斂。
- SSH / firewall / port / network policy baseline。
- Docker / systemd / process / port binding。
- 監控告警可讀性、收件與 no-false-green。
- SOC / Kali / Wazuh 事件 case 化。
- 跨專案 freeze、runtime 邊界與防衝突。
它只讀取既有 snapshot,不連線 Wazuh、不 SSH、不讀 live config、不做 scan、不 reload、不封鎖端口、不重啟服務、不送通知、不建立 SOAR case、不收 secret。
目前讀回
| 指標 | 讀回 |
|---|---|
| source snapshot | 12 |
| P0 lane | 8 |
| blocked lane | 8 |
| source-side rollup ready | 100% |
| owner response received / accepted | 0 / 0 |
| redacted evidence received / accepted | 0 / 0 |
| Wazuh dashboard API connection ok | 0 |
| Wazuh dashboard API version ok | 0 |
| Wazuh manager registry accepted | 0 |
| Wazuh event ref received | 0 |
| host forensics ref received | 0 |
| Public Gateway live conf / rendered diff / nginx test / route smoke | 0 / 0 / 0 / 0 |
| monitoring post-incident readback received | 0 |
| incident case accepted | 0 |
| runtime gate / action button | 0 / 0 |
不可誤判
- Wazuh Dashboard index pattern 綠燈只能當局部訊號;API connection、API version 與 manager registry 仍是硬 Gate。
- route 200、Dashboard 可見、agent active、CD success、UI 可見或外部 Agent 宣稱,都不能單獨當資安完成。
- Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊。
- 不得貼 raw log、raw Wazuh payload、工作視窗對話、內網 IP、個人 namespace、secret、token、private key 或未脫敏截圖。
下一步優先序
| 優先 | 工作 | 驗收前維持 |
|---|---|---|
| P0-1 | Wazuh Dashboard API 修復 postcheck 與 manager registry owner evidence | manager_registry_accepted_count=0 |
| P0-2 | Wazuh event、host forensic、containment decision 與 recovery proof refs | wazuh_event_ref_received_count=0 |
| P0-3 | Nginx owner live conf、rendered diff、nginx test readback、route smoke 與 rollback refs | nginx_reload_authorized_count=0 |
| P0-4 | SSH / firewall / port before-after state、actor、impact 與 rollback refs | firewall_change_authorized_count=0 |
| P0-5 | Docker / systemd / process / port binding 與 dependency postcheck refs | host_write_authorized_count=0 |
| P0-6 | 告警訊息合約、receipt、dedupe、noise budget 與 post-change monitoring refs | alert_route_accepted_count=0 |
| P0-7 | SOC case id、severity / confidence、Kali scope envelope 與 chain of custody refs | incident_case_accepted_count=0 |
| P0-8 | 跨專案同步、維護窗口或 break-glass、rollback owner 與 runtime authorization refs | runtime_gate_count=0 |
驗證指令
python3 scripts/security/iwooos-p0-security-incident-convergence-gate.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root .
邊界
這個 Gate 不是批准、不是修復完成、不是 active response、不是 Kali active scan、不是 Nginx reload、不是 firewall change、不是 host write、不是 secret rotation,也不是 production write。所有 runtime 動作仍需獨立 owner、維護窗口、rollback、postcheck 與人工批准。