129 lines
9.1 KiB
Markdown
129 lines
9.1 KiB
Markdown
# IwoooS 外部入侵主機防堵控制矩陣
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-18 |
|
||
| 狀態 | `external_host_intrusion_prevention_control_ready_no_runtime_action` |
|
||
| 工具 | `scripts/security/external-host-intrusion-prevention-control.py` |
|
||
| Snapshot | `docs/security/external-host-intrusion-prevention-control.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
此矩陣把「全力防堵外部入侵主機」從口頭要求轉成 IwoooS 可驗收、可拒收、可排序的 P0 控制面。它把所有容易造成即時資安危害的面向放在同一張矩陣:公開入口、DNS / TLS、Nginx、SSH / sudo、端口 / 防火牆、WireGuard、NodePort、Docker / systemd、process、K8s / ArgoCD、RBAC、runner、workflow、deploy key、webhook、secret、Wazuh、套件更新、backup / restore、monitoring / alerting、跨專案 freeze 與 break-glass。
|
||
|
||
本階段不直接連主機、不 SSH、不讀 live config、不改 Nginx、不改 firewall、不啟用 Wazuh active response、不重啟服務、不更新套件、不輪替 secret、不跑 active scan。它的作用是先建立「誰能批准、要看什麼證據、什麼要拒收、什麼仍為 0」的防堵控制基線。
|
||
|
||
## 2. 為什麼舊機制沒有擋住
|
||
|
||
1. 先前 IwoooS 的主體是只讀治理、owner gate、前台可視化與低摩擦收件,`active_runtime_gate=0`,沒有主機 containment、firewall drop、Wazuh active response 或 secret rotation 權限。
|
||
2. Wazuh 已建置只能代表偵測平台存在;若沒有 event refs、agent status refs、host forensic refs、config diff refs 與 containment decision,IwoooS 不能判斷 110 / 188 類主機事件已防堵。
|
||
3. Nginx、端口、防火牆、runner、workflow、secret、Docker / systemd、K8s / ArgoCD 與 backup / restore 原本分散在不同清冊,沒有一個「外部入侵防堵」的統一優先序。
|
||
4. route `200`、dashboard up、container up、CD success、UI 可見或外部 Agent 宣稱,過去容易被誤讀成服務恢復或風險降低,但它們都不能證明木馬清除、RCE 修補、持久化移除或 credential 未外洩。
|
||
5. 未建立維護窗口、rollback owner、validation metrics、postcheck owner 與跨專案同步前,直接封 port、reload、restart、upgrade 或 sync 會造成服務中斷與二次事故。
|
||
|
||
## 3. 完整工作範圍
|
||
|
||
| 範圍 | 要控管的項目 |
|
||
|------|--------------|
|
||
| 主機 | host OS、SSH、sudo、authorized_keys、known_hosts、systemd、Docker、process、port binding、套件、kernel、Wazuh agent、backup agent、排程 |
|
||
| 公開入口 | DNS、TLS、certbot、Nginx、public gateway、upstream、WebSocket、ACME challenge、public / admin / API route |
|
||
| 網路 | firewall、WireGuard、NodePort、NetworkPolicy、VIP、內網 service dependency、監控接收端 |
|
||
| 容器與叢集 | Docker compose、Harbor / registry、K8s manifest、ArgoCD、RBAC、Secret metadata、image pull、Pod scheduling |
|
||
| 供應鏈 | Gitea workflow、runner、deploy key、webhook、repo secret name、branch protection、CODEOWNERS、artifact / image source |
|
||
| 憑證與秘密 | secret value、token、cookie、private key、env dump、credential escrow、rotation decision、redaction attestation |
|
||
| 偵測與回應 | Wazuh manager / indexer / dashboard / API、agent status、rule / decoder、event refs、active response dry-run、Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse |
|
||
| 資料與復原 | backup freshness、restore drill、offsite sync、remote delete guard、retention、rollback、cold-start / DR scorecard |
|
||
| 產品面 | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock / public websites、API、admin、webhook、AI provider route |
|
||
| 協作治理 | 多 Session 同步、維護窗口、break-glass、operator notification、postcheck、no-false-green、LOGBOOK / deploy marker |
|
||
|
||
## 4. 固定數字
|
||
|
||
| 指標 | 數值 |
|
||
|------|------|
|
||
| prevention domain | `12` |
|
||
| control candidate | `14` |
|
||
| C0 control candidate | `10` |
|
||
| C1 control candidate | `4` |
|
||
| P0 control candidate | `14` |
|
||
| host alias | `4` |
|
||
| sensor alias | `1` |
|
||
| required owner fields | `36` |
|
||
| reviewer checks | `34` |
|
||
| outcome lanes | `12` |
|
||
| blocked actions | `82` |
|
||
| owner response received / accepted | `0 / 0` |
|
||
| prevention control accepted | `0` |
|
||
| Wazuh active response enabled | `0` |
|
||
| host write / firewall change / Nginx reload | `0 / 0 / 0` |
|
||
| package upgrade / active scan / production write | `0 / 0 / 0` |
|
||
| runtime gate / action button | `0 / 0` |
|
||
|
||
## 5. P0 防堵候選優先序
|
||
|
||
| 優先 | 候選 | 狀態 |
|
||
|------|------|------|
|
||
| P0-1 | 公開入口 / Nginx 變更 freeze 與 source-to-live diff | `waiting_owner_prevention_packet` |
|
||
| P0-2 | SSH / sudo / authorized_keys / known_hosts 存取收斂 | `waiting_owner_prevention_packet` |
|
||
| P0-3 | 端口 / 防火牆 / WireGuard / NodePort baseline | `waiting_owner_prevention_packet` |
|
||
| P0-4 | Docker / systemd / process / persistence baseline | `waiting_owner_prevention_packet` |
|
||
| P0-5 | K8s / ArgoCD drift、RBAC 與 Secret metadata containment | `waiting_owner_prevention_packet` |
|
||
| P0-6 | Runner / workflow / deploy key / secret freeze | `waiting_owner_prevention_packet` |
|
||
| P0-7 | 疑似 credential exposure 的輪替決策 gate | `waiting_owner_prevention_packet` |
|
||
| P0-8 | Wazuh event triage 與事件分流 gate | `waiting_owner_prevention_packet` |
|
||
| P0-9 | Wazuh active response dry-run / blast radius / rollback | `waiting_owner_prevention_packet` |
|
||
| P0-10 | Backup / restore / rollback 可用性防堵 gate | `waiting_owner_prevention_packet` |
|
||
| P0-11 | 套件更新 / CVE 修補維護窗口候選 | `waiting_owner_prevention_packet` |
|
||
| P0-12 | 公開 / 後台 / API runtime auth 與 route guard | `waiting_owner_prevention_packet` |
|
||
| P0-13 | 監控 / 告警 / route 200 no-false-green gate | `waiting_owner_prevention_packet` |
|
||
| P0-14 | 跨專案 freeze、break-glass 與 operator sync | `waiting_owner_prevention_packet` |
|
||
|
||
## 6. 必填 owner 欄位
|
||
|
||
每個防堵候選至少需要 owner role、owner team、decision、decision reason、affected scope aliases、exposed surface aliases、current risk、immediate harm if delayed、redacted evidence refs、Wazuh event refs、host forensic refs、config diff refs、before / after state、maintenance window、break-glass reason、rollback owner、rollback plan、validation metrics、postcheck owner、cross-project sync ref、communication channel、secret absence、raw payload absence、no internal-name publication、no-false-green、service / AI / monitoring / backup impact、recurrence guard、followup owner、expiry / review date 與 reviewer attestation。
|
||
|
||
未補齊前只能停在 `waiting_owner_prevention_packet`,不能進 runtime 防堵。
|
||
|
||
## 7. 拒收與隔離條件
|
||
|
||
1. 收到 password、private key、runner token、webhook secret、cookie、session、env dump、secret hash 或 partial token。
|
||
2. 收到 raw Wazuh payload、raw syslog、raw journal、完整命令輸出、未脫敏截圖或可還原內部 IP / 帳號 namespace 的內容。
|
||
3. 只有外部 Agent 宣稱已清除、已封鎖、已修復、已 Zero-Trust,但沒有 Wazuh event refs 與 host forensic refs。
|
||
4. 只有 route `200`、dashboard up、agent active、container up、CD success、UI 可見或 alert quiet。
|
||
5. 缺 maintenance window、rollback owner、validation metrics、postcheck owner 或跨專案同步。
|
||
|
||
## 8. 禁止動作
|
||
|
||
本階段明確阻擋 SSH / sudo、host live config read、Nginx test / reload / conf write、certbot renew、DNS / route / upstream / WebSocket change、iptables / firewall / WireGuard / NodePort / NetworkPolicy change、Docker / systemd / process / reboot、apt update / upgrade、Wazuh active response / agent / rule / decoder change、ArgoCD sync、kubectl、Helm、RBAC、K8s secret、workflow、runner、deploy key、webhook、repo secret、secret rotation、secret store read、raw payload storage、active scan、exploit validation、backup / restore / offsite sync、remote delete、retention change、database migration、production write、action button、runtime gate 與 force push。
|
||
|
||
## 9. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/external-host-intrusion-prevention-control.py \
|
||
--root . \
|
||
--output docs/security/external-host-intrusion-prevention-control.snapshot.json \
|
||
--generated-at 2026-06-18T15:30:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/iwooos-config-control-guard.py --root .
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 10. 完成度
|
||
|
||
- 外部入侵防堵控制矩陣 / repo artifact:`100%`
|
||
- 前台可視化與脫敏 marker:`100%`
|
||
- owner response received / accepted:`0%`
|
||
- Wazuh event refs / host forensic refs accepted:`0%`
|
||
- containment decision / prevention control accepted:`0%`
|
||
- Wazuh active response enabled:`0%`
|
||
- host write / firewall change / Nginx reload / package upgrade / active scan:`0%`
|
||
- runtime gate / action button:`0%`
|
||
|
||
下一步是把 14 個 P0 防堵候選交給 owner 補脫敏證據、維護窗口、rollback owner 與 postcheck。驗收前,IwoooS 不宣告主機已乾淨、木馬已清除、RCE 已修補、外部入侵已防堵,也不自動執行任何主機或網路變更。
|