141 lines
8.0 KiB
Markdown
141 lines
8.0 KiB
Markdown
# IwoooS SSH / Firewall / Network Access Owner Response Acceptance
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-15 |
|
||
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
|
||
| 工具 | `scripts/security/ssh-network-owner-response-acceptance.py` |
|
||
| Snapshot | `docs/security/ssh-network-owner-response-acceptance.snapshot.json` |
|
||
| Source inventory | `docs/security/ssh-network-access-inventory.snapshot.json` |
|
||
| Source owner request | `docs/security/ssh-network-owner-request-draft.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
本文件承接 SSH / network access repo-only 清冊與 owner request draft,把 16 個 surface 轉成 owner response acceptance 只讀帳本。它定義收到 owner 回覆後,必須如何做欄位完整性、脫敏證據、live access state、allowed source CIDR、host key pinning、port impact、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、維護窗口、rollback 與 validation plan 檢查。
|
||
|
||
這不是 SSH 授權、不是 host keyscan、不是 known_hosts patch、不是 firewall / port change、不是 NetworkPolicy apply、不是 NodePort change、不是 WireGuard cutover,也不是 runtime gate。
|
||
|
||
## 2. 摘要
|
||
|
||
| 指標 | 目前值 | 說明 |
|
||
|------|--------|------|
|
||
| acceptance candidate | `16` | 每個 SSH / network request draft 一份 acceptance candidate |
|
||
| write-capable acceptance candidate | `6` | CI deploy SSH、monitoring deploy、sudoers、alert action catalog |
|
||
| live evidence required candidate | `16` | 全部都需 owner 提供脫敏 live access evidence |
|
||
| acceptance field | `29` | acceptance 欄位總數 |
|
||
| required owner field | `13` | owner 必填欄位,沿用 request draft |
|
||
| reviewer check | `15` | owner、scope、secret、CIDR、host key、port impact、firewall、NetworkPolicy、WireGuard、rollback 檢查 |
|
||
| outcome lane | `7` | waiting、quarantine、reject、supplement、review、ledger-only、runtime gate |
|
||
| blocked action | `22` | SSH、keyscan、known_hosts、firewall、port、NetworkPolicy、NodePort、WireGuard、sudo、secret、active scan、runtime gate 等 |
|
||
| request sent / recipient confirmed | `0 / 0` | 尚未送件 |
|
||
| owner response received / accepted | `0 / 0` | 尚未收到或驗收 |
|
||
| live evidence received | `0` | 不 SSH、不 keyscan、不讀 live firewall |
|
||
| runtime gate / action button | `0 / 0` | 不提供操作入口 |
|
||
|
||
## 3. Acceptance Candidate 範圍
|
||
|
||
| Candidate | 類型 | 範圍 | 驗收焦點 |
|
||
|-----------|------|------|----------|
|
||
| `ssh_network_owner_response_acceptance:ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | host owner、pinned known_hosts、ProxyJump、key owner |
|
||
| `ssh_network_owner_response_acceptance:ansible_common_ssh_args` | SSH client policy | `multi_host` | `accept-new` 是否只限 bootstrap |
|
||
| `ssh_network_owner_response_acceptance:gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | known_hosts secret metadata、缺 120 處置、key rotation owner |
|
||
| `ssh_network_owner_response_acceptance:gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | deploy SSH host owner、rollback、break-glass |
|
||
| `ssh_network_owner_response_acceptance:gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | dev/prod 邊界、deploy key scope、host key policy |
|
||
| `ssh_network_owner_response_acceptance:deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | alert deploy owner、known_hosts pinning、通知路徑 |
|
||
| `ssh_network_owner_response_acceptance:monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | read-only window、輸出脫敏、失敗處置 |
|
||
| `ssh_network_owner_response_acceptance:monitoring_exporter_deploy_ssh` | monitoring SSH deploy | `192.168.0.188` | exporter deploy owner、maintenance window、post-check |
|
||
| `ssh_network_owner_response_acceptance:backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | backup execution owner、secret redaction、restore validation |
|
||
| `ssh_network_owner_response_acceptance:host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | live sudoers hash、visudo validation、forbidden command proof |
|
||
| `ssh_network_owner_response_acceptance:k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | ingress / egress owner、live policy diff、route smoke |
|
||
| `ssh_network_owner_response_acceptance:argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | Prometheus scrape owner、NodePort exposure owner |
|
||
| `ssh_network_owner_response_acceptance:argocd_metrics_nodeport` | K8s NodePort | `argocd_nodeport_30882_30883` | NodePort exposure owner、firewall owner、source whitelist |
|
||
| `ssh_network_owner_response_acceptance:velero_metrics_nodeport` | K8s NodePort | `velero_nodeport_30885` | backup metrics exposure、firewall owner |
|
||
| `ssh_network_owner_response_acceptance:wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | WireGuard owner、firewall rule owner、canary / rollback |
|
||
| `ssh_network_owner_response_acceptance:alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | action owner、read/write/admin 分級、cooldown、post-check |
|
||
|
||
## 4. Reviewer Checks
|
||
|
||
1. `owner_identity_present`
|
||
2. `decision_reason_present`
|
||
3. `affected_scope_matches_surface`
|
||
4. `redacted_refs_only`
|
||
5. `secret_or_key_value_absent`
|
||
6. `live_access_state_metadata_only`
|
||
7. `allowed_source_cidr_metadata_only`
|
||
8. `host_key_pinning_shape`
|
||
9. `port_impact_review`
|
||
10. `firewall_owner_present`
|
||
11. `network_policy_nodeport_review`
|
||
12. `wireguard_cutover_separate_gate`
|
||
13. `maintenance_window_present`
|
||
14. `rollback_validation_present`
|
||
15. `counts_transition_safe`
|
||
|
||
## 5. Outcome Lanes
|
||
|
||
| Lane | 說明 |
|
||
|------|------|
|
||
| `waiting_owner_response` | 尚未收到 owner response;所有 accepted / runtime count 維持 0 |
|
||
| `quarantine_raw_payload` | 收到 raw firewall dump、SSH key、private key、token 或不可保存內容時只能隔離 |
|
||
| `reject_secret_or_key_value` | 出現 secret value、key material、credential derivative 或未脫敏 payload 時直接拒收 |
|
||
| `request_supplement` | 欄位不足、scope 不清、CIDR / owner / rollback / validation 缺失時要求補件 |
|
||
| `ready_for_network_review` | metadata 合格後,只能進 network / firewall reviewer review |
|
||
| `owner_review_only_update` | 只允許更新只讀 owner review ledger,不得改 port、firewall、known_hosts 或 policy |
|
||
| `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 |
|
||
|
||
## 6. 禁止動作
|
||
|
||
1. `ssh_read`
|
||
2. `ssh_write`
|
||
3. `host_keyscan`
|
||
4. `known_hosts_patch`
|
||
5. `firewall_change`
|
||
6. `port_close`
|
||
7. `port_open`
|
||
8. `network_policy_apply`
|
||
9. `nodeport_change`
|
||
10. `wireguard_change`
|
||
11. `sudo_action`
|
||
12. `deploy_ssh_action`
|
||
13. `secret_value_collection`
|
||
14. `ssh_key_collection`
|
||
15. `active_scan`
|
||
16. `runtime_gate_open`
|
||
17. `live_firewall_read`
|
||
18. `live_sudoers_read`
|
||
19. `raw_key_material_storage`
|
||
20. `raw_firewall_dump_storage`
|
||
21. `mark_owner_response_accepted_without_reviewer_record`
|
||
22. `add_action_button`
|
||
|
||
## 7. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/ssh-network-owner-response-acceptance.py \
|
||
--root . \
|
||
--inventory-report docs/security/ssh-network-access-inventory.snapshot.json \
|
||
--owner-request-report docs/security/ssh-network-owner-request-draft.snapshot.json \
|
||
--output docs/security/ssh-network-owner-response-acceptance.snapshot.json \
|
||
--generated-at 2026-06-15T01:18:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 8. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| owner response acceptance ledger artifact | `100%` | 16 份 acceptance candidate、snapshot、文件與 guard 已固定 |
|
||
| request dispatch | `0%` | 尚未送件 |
|
||
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
|
||
| live evidence collection | `0%` | 未 SSH、未 keyscan、未讀 live firewall |
|
||
| SSH / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | 未授權且未執行 |
|
||
| runtime gate / production write | `0%` | 未授權且未執行 |
|