Files
awoooi/docs/security/EXTERNAL-HOST-INTRUSION-PREVENTION-CONTROL.md
Your Name 5820ca90cc
Some checks failed
CD Pipeline / tests (push) Successful in 1m45s
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / build-and-deploy (push) Successful in 17m44s
CD Pipeline / post-deploy-checks (push) Has been cancelled
feat(iwooos): 新增外部入侵主機防堵控制
2026-06-18 10:24:33 +08:00

129 lines
9.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS 外部入侵主機防堵控制矩陣
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-18 |
| 狀態 | `external_host_intrusion_prevention_control_ready_no_runtime_action` |
| 工具 | `scripts/security/external-host-intrusion-prevention-control.py` |
| Snapshot | `docs/security/external-host-intrusion-prevention-control.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
此矩陣把「全力防堵外部入侵主機」從口頭要求轉成 IwoooS 可驗收、可拒收、可排序的 P0 控制面。它把所有容易造成即時資安危害的面向放在同一張矩陣公開入口、DNS / TLS、Nginx、SSH / sudo、端口 / 防火牆、WireGuard、NodePort、Docker / systemd、process、K8s / ArgoCD、RBAC、runner、workflow、deploy key、webhook、secret、Wazuh、套件更新、backup / restore、monitoring / alerting、跨專案 freeze 與 break-glass。
本階段不直接連主機、不 SSH、不讀 live config、不改 Nginx、不改 firewall、不啟用 Wazuh active response、不重啟服務、不更新套件、不輪替 secret、不跑 active scan。它的作用是先建立「誰能批准、要看什麼證據、什麼要拒收、什麼仍為 0」的防堵控制基線。
## 2. 為什麼舊機制沒有擋住
1. 先前 IwoooS 的主體是只讀治理、owner gate、前台可視化與低摩擦收件`active_runtime_gate=0`,沒有主機 containment、firewall drop、Wazuh active response 或 secret rotation 權限。
2. Wazuh 已建置只能代表偵測平台存在;若沒有 event refs、agent status refs、host forensic refs、config diff refs 與 containment decisionIwoooS 不能判斷 110 / 188 類主機事件已防堵。
3. Nginx、端口、防火牆、runner、workflow、secret、Docker / systemd、K8s / ArgoCD 與 backup / restore 原本分散在不同清冊,沒有一個「外部入侵防堵」的統一優先序。
4. route `200`、dashboard up、container up、CD success、UI 可見或外部 Agent 宣稱過去容易被誤讀成服務恢復或風險降低但它們都不能證明木馬清除、RCE 修補、持久化移除或 credential 未外洩。
5. 未建立維護窗口、rollback owner、validation metrics、postcheck owner 與跨專案同步前,直接封 port、reload、restart、upgrade 或 sync 會造成服務中斷與二次事故。
## 3. 完整工作範圍
| 範圍 | 要控管的項目 |
|------|--------------|
| 主機 | host OS、SSH、sudo、authorized_keys、known_hosts、systemd、Docker、process、port binding、套件、kernel、Wazuh agent、backup agent、排程 |
| 公開入口 | DNS、TLS、certbot、Nginx、public gateway、upstream、WebSocket、ACME challenge、public / admin / API route |
| 網路 | firewall、WireGuard、NodePort、NetworkPolicy、VIP、內網 service dependency、監控接收端 |
| 容器與叢集 | Docker compose、Harbor / registry、K8s manifest、ArgoCD、RBAC、Secret metadata、image pull、Pod scheduling |
| 供應鏈 | Gitea workflow、runner、deploy key、webhook、repo secret name、branch protection、CODEOWNERS、artifact / image source |
| 憑證與秘密 | secret value、token、cookie、private key、env dump、credential escrow、rotation decision、redaction attestation |
| 偵測與回應 | Wazuh manager / indexer / dashboard / API、agent status、rule / decoder、event refs、active response dry-run、Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse |
| 資料與復原 | backup freshness、restore drill、offsite sync、remote delete guard、retention、rollback、cold-start / DR scorecard |
| 產品面 | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock / public websites、API、admin、webhook、AI provider route |
| 協作治理 | 多 Session 同步、維護窗口、break-glass、operator notification、postcheck、no-false-green、LOGBOOK / deploy marker |
## 4. 固定數字
| 指標 | 數值 |
|------|------|
| prevention domain | `12` |
| control candidate | `14` |
| C0 control candidate | `10` |
| C1 control candidate | `4` |
| P0 control candidate | `14` |
| host alias | `4` |
| sensor alias | `1` |
| required owner fields | `36` |
| reviewer checks | `34` |
| outcome lanes | `12` |
| blocked actions | `82` |
| owner response received / accepted | `0 / 0` |
| prevention control accepted | `0` |
| Wazuh active response enabled | `0` |
| host write / firewall change / Nginx reload | `0 / 0 / 0` |
| package upgrade / active scan / production write | `0 / 0 / 0` |
| runtime gate / action button | `0 / 0` |
## 5. P0 防堵候選優先序
| 優先 | 候選 | 狀態 |
|------|------|------|
| P0-1 | 公開入口 / Nginx 變更 freeze 與 source-to-live diff | `waiting_owner_prevention_packet` |
| P0-2 | SSH / sudo / authorized_keys / known_hosts 存取收斂 | `waiting_owner_prevention_packet` |
| P0-3 | 端口 / 防火牆 / WireGuard / NodePort baseline | `waiting_owner_prevention_packet` |
| P0-4 | Docker / systemd / process / persistence baseline | `waiting_owner_prevention_packet` |
| P0-5 | K8s / ArgoCD drift、RBAC 與 Secret metadata containment | `waiting_owner_prevention_packet` |
| P0-6 | Runner / workflow / deploy key / secret freeze | `waiting_owner_prevention_packet` |
| P0-7 | 疑似 credential exposure 的輪替決策 gate | `waiting_owner_prevention_packet` |
| P0-8 | Wazuh event triage 與事件分流 gate | `waiting_owner_prevention_packet` |
| P0-9 | Wazuh active response dry-run / blast radius / rollback | `waiting_owner_prevention_packet` |
| P0-10 | Backup / restore / rollback 可用性防堵 gate | `waiting_owner_prevention_packet` |
| P0-11 | 套件更新 / CVE 修補維護窗口候選 | `waiting_owner_prevention_packet` |
| P0-12 | 公開 / 後台 / API runtime auth 與 route guard | `waiting_owner_prevention_packet` |
| P0-13 | 監控 / 告警 / route 200 no-false-green gate | `waiting_owner_prevention_packet` |
| P0-14 | 跨專案 freeze、break-glass 與 operator sync | `waiting_owner_prevention_packet` |
## 6. 必填 owner 欄位
每個防堵候選至少需要 owner role、owner team、decision、decision reason、affected scope aliases、exposed surface aliases、current risk、immediate harm if delayed、redacted evidence refs、Wazuh event refs、host forensic refs、config diff refs、before / after state、maintenance window、break-glass reason、rollback owner、rollback plan、validation metrics、postcheck owner、cross-project sync ref、communication channel、secret absence、raw payload absence、no internal-name publication、no-false-green、service / AI / monitoring / backup impact、recurrence guard、followup owner、expiry / review date 與 reviewer attestation。
未補齊前只能停在 `waiting_owner_prevention_packet`,不能進 runtime 防堵。
## 7. 拒收與隔離條件
1. 收到 password、private key、runner token、webhook secret、cookie、session、env dump、secret hash 或 partial token。
2. 收到 raw Wazuh payload、raw syslog、raw journal、完整命令輸出、未脫敏截圖或可還原內部 IP / 帳號 namespace 的內容。
3. 只有外部 Agent 宣稱已清除、已封鎖、已修復、已 Zero-Trust但沒有 Wazuh event refs 與 host forensic refs。
4. 只有 route `200`、dashboard up、agent active、container up、CD success、UI 可見或 alert quiet。
5. 缺 maintenance window、rollback owner、validation metrics、postcheck owner 或跨專案同步。
## 8. 禁止動作
本階段明確阻擋 SSH / sudo、host live config read、Nginx test / reload / conf write、certbot renew、DNS / route / upstream / WebSocket change、iptables / firewall / WireGuard / NodePort / NetworkPolicy change、Docker / systemd / process / reboot、apt update / upgrade、Wazuh active response / agent / rule / decoder change、ArgoCD sync、kubectl、Helm、RBAC、K8s secret、workflow、runner、deploy key、webhook、repo secret、secret rotation、secret store read、raw payload storage、active scan、exploit validation、backup / restore / offsite sync、remote delete、retention change、database migration、production write、action button、runtime gate 與 force push。
## 9. 指令
產生 committed snapshot
```bash
python3 scripts/security/external-host-intrusion-prevention-control.py \
--root . \
--output docs/security/external-host-intrusion-prevention-control.snapshot.json \
--generated-at 2026-06-18T15:30:00+08:00
```
驗證 guard
```bash
python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 10. 完成度
- 外部入侵防堵控制矩陣 / repo artifact`100%`
- 前台可視化與脫敏 marker`100%`
- owner response received / accepted`0%`
- Wazuh event refs / host forensic refs accepted`0%`
- containment decision / prevention control accepted`0%`
- Wazuh active response enabled`0%`
- host write / firewall change / Nginx reload / package upgrade / active scan`0%`
- runtime gate / action button`0%`
下一步是把 14 個 P0 防堵候選交給 owner 補脫敏證據、維護窗口、rollback owner 與 postcheck。驗收前IwoooS 不宣告主機已乾淨、木馬已清除、RCE 已修補、外部入侵已防堵,也不自動執行任何主機或網路變更。