Files
awoooi/docs/security/IWOOOS-P0-SECURITY-INCIDENT-CONVERGENCE-GATE.md

78 lines
3.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS P0 資安事件收斂 Gate
| 項目 | 狀態 |
| --- | --- |
| 工具 | `scripts/security/iwooos-p0-security-incident-convergence-gate.py` |
| Snapshot | `docs/security/iwooos-p0-security-incident-convergence-gate.snapshot.json` |
| Schema | `iwooos_p0_security_incident_convergence_gate_v1` |
| 狀態 | `p0_security_incident_convergence_blocked_waiting_owner_evidence` |
| Runtime gate | `0` |
| Action button | `0` |
## 目的
這個 Gate 把目前最容易造成即時資安或服務風險的紅點收成同一張只讀總覽:
1. Wazuh API 與 manager registry 真相。
2. 主機入侵鑑識與 containment 決策。
3. Public Gateway / Nginx 變更收斂。
4. SSH / firewall / port / network policy baseline。
5. Docker / systemd / process / port binding。
6. 監控告警可讀性、收件與 no-false-green。
7. SOC / Kali / Wazuh 事件 case 化。
8. 跨專案 freeze、runtime 邊界與防衝突。
它只讀取既有 snapshot不連線 Wazuh、不 SSH、不讀 live config、不做 scan、不 reload、不封鎖端口、不重啟服務、不送通知、不建立 SOAR case、不收 secret。
## 目前讀回
| 指標 | 讀回 |
| --- | ---: |
| source snapshot | `12` |
| P0 lane | `8` |
| blocked lane | `8` |
| source-side rollup ready | `100%` |
| owner response received / accepted | `0 / 0` |
| redacted evidence received / accepted | `0 / 0` |
| Wazuh dashboard API connection ok | `0` |
| Wazuh dashboard API version ok | `0` |
| Wazuh manager registry accepted | `0` |
| Wazuh event ref received | `0` |
| host forensics ref received | `0` |
| Public Gateway live conf / rendered diff / nginx test / route smoke | `0 / 0 / 0 / 0` |
| monitoring post-incident readback received | `0` |
| incident case accepted | `0` |
| runtime gate / action button | `0 / 0` |
## 不可誤判
- Wazuh Dashboard index pattern 綠燈只能當局部訊號API connection、API version 與 manager registry 仍是硬 Gate。
- route 200、Dashboard 可見、agent active、CD success、UI 可見或外部 Agent 宣稱,都不能單獨當資安完成。
- Nginx、firewall、host runtime、monitoring 與 SOC evidence 必須用脫敏 owner refs 補齊。
- 不得貼 raw log、raw Wazuh payload、工作視窗對話、內網 IP、個人 namespace、secret、token、private key 或未脫敏截圖。
## 下一步優先序
| 優先 | 工作 | 驗收前維持 |
| --- | --- | --- |
| P0-1 | Wazuh Dashboard API 修復 postcheck 與 manager registry owner evidence | `manager_registry_accepted_count=0` |
| P0-2 | Wazuh event、host forensic、containment decision 與 recovery proof refs | `wazuh_event_ref_received_count=0` |
| P0-3 | Nginx owner live conf、rendered diff、nginx test readback、route smoke 與 rollback refs | `nginx_reload_authorized_count=0` |
| P0-4 | SSH / firewall / port before-after state、actor、impact 與 rollback refs | `firewall_change_authorized_count=0` |
| P0-5 | Docker / systemd / process / port binding 與 dependency postcheck refs | `host_write_authorized_count=0` |
| P0-6 | 告警訊息合約、receipt、dedupe、noise budget 與 post-change monitoring refs | `alert_route_accepted_count=0` |
| P0-7 | SOC case id、severity / confidence、Kali scope envelope 與 chain of custody refs | `incident_case_accepted_count=0` |
| P0-8 | 跨專案同步、維護窗口或 break-glass、rollback owner 與 runtime authorization refs | `runtime_gate_count=0` |
## 驗證指令
```bash
python3 scripts/security/iwooos-p0-security-incident-convergence-gate.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root .
```
## 邊界
這個 Gate 不是批准、不是修復完成、不是 active response、不是 Kali active scan、不是 Nginx reload、不是 firewall change、不是 host write、不是 secret rotation也不是 production write。所有 runtime 動作仍需獨立 owner、維護窗口、rollback、postcheck 與人工批准。