78 lines
3.9 KiB
Markdown
78 lines
3.9 KiB
Markdown
# IwoooS P0 資安事件收斂 Gate
|
||
|
||
| 項目 | 狀態 |
|
||
| --- | --- |
|
||
| 工具 | `scripts/security/iwooos-p0-security-incident-convergence-gate.py` |
|
||
| Snapshot | `docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json` |
|
||
| Schema | `iwooos_p0_security_incident_convergence_gate_v1` |
|
||
| 狀態 | `p0_security_incident_convergence_blocked_waiting_owner_evidence` |
|
||
| Runtime gate | `0` |
|
||
| Action button | `0` |
|
||
|
||
## 目的
|
||
|
||
這個 Gate 把目前最容易造成即時資安或服務風險的紅點收成同一張只讀總覽:
|
||
|
||
1. Wazuh API 與 manager registry 真相。
|
||
2. 主機入侵鑑識與 containment 決策。
|
||
3. Public Gateway / Nginx 變更收斂。
|
||
4. SSH / firewall / port / network policy baseline。
|
||
5. Docker / systemd / process / port binding。
|
||
6. 監控告警可讀性、收件與 no-false-green。
|
||
7. SOC / Kali / Wazuh 事件 case 化。
|
||
8. 跨專案 freeze、runtime 邊界與防衝突。
|
||
|
||
它只讀取既有 snapshot,不連線 Wazuh、不 SSH、不讀 live config、不做 scan、不 reload、不封鎖端口、不重啟服務、不送通知、不建立 SOAR case、不收 secret。
|
||
|
||
## 目前讀回
|
||
|
||
| 指標 | 讀回 |
|
||
| --- | ---: |
|
||
| source snapshot | `12` |
|
||
| P0 lane | `8` |
|
||
| blocked lane | `8` |
|
||
| source-side rollup ready | `100%` |
|
||
| owner response received / accepted | `0 / 0` |
|
||
| redacted evidence received / accepted | `0 / 0` |
|
||
| Wazuh dashboard API connection ok | `0` |
|
||
| Wazuh dashboard API version ok | `0` |
|
||
| Wazuh manager registry accepted | `0` |
|
||
| Wazuh event ref received | `0` |
|
||
| host forensics ref received | `0` |
|
||
| Public Gateway live conf / rendered diff / nginx test / route smoke | `0 / 0 / 0 / 0` |
|
||
| monitoring post-incident readback received | `0` |
|
||
| incident case accepted | `0` |
|
||
| runtime gate / action button | `0 / 0` |
|
||
|
||
## 不可誤判
|
||
|
||
- Wazuh Dashboard index pattern 綠燈只能當局部訊號;API connection、API version 與 manager registry 仍是硬 Gate。
|
||
- route 200、Dashboard 可見、agent active、CD success、UI 可見或外部 Agent 宣稱,都不能單獨當資安完成。
|
||
- Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊。
|
||
- 不得貼 raw log、raw Wazuh payload、工作視窗對話、內網 IP、個人 namespace、secret、token、private key 或未脫敏截圖。
|
||
|
||
## 下一步優先序
|
||
|
||
| 優先 | 工作 | 驗收前維持 |
|
||
| --- | --- | --- |
|
||
| P0-1 | Wazuh Dashboard API 修復 postcheck 與 manager registry owner evidence | `manager_registry_accepted_count=0` |
|
||
| P0-2 | Wazuh event、host forensic、containment decision 與 recovery proof refs | `wazuh_event_ref_received_count=0` |
|
||
| P0-3 | Nginx owner live conf、rendered diff、nginx test readback、route smoke 與 rollback refs | `nginx_reload_authorized_count=0` |
|
||
| P0-4 | SSH / firewall / port before-after state、actor、impact 與 rollback refs | `firewall_change_authorized_count=0` |
|
||
| P0-5 | Docker / systemd / process / port binding 與 dependency postcheck refs | `host_write_authorized_count=0` |
|
||
| P0-6 | 告警訊息合約、receipt、dedupe、noise budget 與 post-change monitoring refs | `alert_route_accepted_count=0` |
|
||
| P0-7 | SOC case id、severity / confidence、Kali scope envelope 與 chain of custody refs | `incident_case_accepted_count=0` |
|
||
| P0-8 | 跨專案同步、維護窗口或 break-glass、rollback owner 與 runtime authorization refs | `runtime_gate_count=0` |
|
||
|
||
## 驗證指令
|
||
|
||
```bash
|
||
python3 scripts/security/iwooos-p0-security-incident-convergence-gate.py --root .
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root .
|
||
```
|
||
|
||
## 邊界
|
||
|
||
這個 Gate 不是批准、不是修復完成、不是 active response、不是 Kali active scan、不是 Nginx reload、不是 firewall change、不是 host write、不是 secret rotation,也不是 production write。所有 runtime 動作仍需獨立 owner、維護窗口、rollback、postcheck 與人工批准。
|