Files
awoooi/docs/security/WAZUH-IWOOOS-INTRUSION-READBACK-PLAN.md
Your Name ac9ee65c3a
All checks were successful
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / tests (push) Successful in 1m34s
CD Pipeline / build-and-deploy (push) Successful in 5m16s
CD Pipeline / post-deploy-checks (push) Successful in 1m38s
feat(iwooos): 接入 Wazuh 入侵回讀 gate
2026-06-18 09:20:25 +08:00

146 lines
7.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS Wazuh / 主機入侵 Readback 接入計畫
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-18 |
| 狀態 | `wazuh_intrusion_readback_plan_ready_no_runtime_action` |
| 工具 | `scripts/security/wazuh-iwooos-intrusion-readback-plan.py` |
| Snapshot | `docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
Wazuh 已經建置完成,但 IwoooS 不能把「平台存在」直接誤判成「110 / 188 入侵事件已驗收、已處置、已可關閉」。本計畫把 Wazuh、主機入侵跡象、外部 Agent 高風險操作宣稱、Runner / gateway / secret 連動與 containment / recovery proof全部轉成 IwoooS 可收件、可補件、可拒收的只讀回讀帳本。
此 artifact 不連 Wazuh API、不讀主機、不 SSH、不啟動 Wazuh active response、不隔離主機、不封鎖端口、不重啟服務、不收 secret / private key / runner token / webhook secret也不把外部 Agent 的口頭宣稱視為已修復。
## 2. 為什麼前一版沒有作用
1. IwoooS 當時重心是只讀治理、owner gate、前台可視化與低摩擦流程`active_runtime_gate=0`,沒有主機 containment 或 active response 權限。
2. Wazuh 的事件、agent 狀態、alert refs、FIM、auth log、process tree、network connection 與 persistence evidence 尚未成為 IwoooS source-of-truth。
3. route `200`、dashboard up、CD success、container up 或 UI 可見被過度依賴無法證明木馬、RCE、持久化、外部 Agent live 變更或 secret 風險已被處理。
4. 外部 Agent 可以提出 live SSH、runner config、gateway、secret 或「已清除」宣稱,但缺少 Wazuh event refs 與 host forensic refs 交叉驗證。
5. 先前草稿若使用硬編碼 Wazuh URL、帳密、關閉 TLS 驗證、mock 事件或英文 SOC 前台文案,必須拒收或隔離,不能直接上線。
## 3. 固定數字
| 指標 | 數值 |
|------|------|
| Wazuh platform reported ready | `1` |
| readback candidate | `6` |
| C0 readback candidate | `6` |
| affected host alias | `2` |
| Wazuh event required candidate | `5` |
| host forensics required candidate | `5` |
| cross-project sync required candidate | `6` |
| required readback fields | `30` |
| reviewer checks | `24` |
| outcome lanes | `12` |
| blocked actions | `49` |
| Wazuh event / host forensics accepted | `0 / 0` |
| containment / recovery / postcheck accepted | `0 / 0 / 0` |
| read-only API enabled | `0` |
| active response / host write | `0 / 0` |
| runtime gate / action button | `0 / 0` |
## 4. Readback Candidate
| Candidate | 焦點 |
|-----------|------|
| `wazuh_intrusion_readback:wazuh_control_plane` | Wazuh manager / indexer / dashboard / API 健康狀態,只收脫敏 ref |
| `wazuh_intrusion_readback:host110_intrusion_signal` | host-110 入侵、gateway、runner、service 異常訊號 |
| `wazuh_intrusion_readback:host188_intrusion_signal` | host-188 入侵、惡意程式、RCE 宣稱回讀 |
| `wazuh_intrusion_readback:external_agent_live_change_claim` | 外部 Agent live 變更、修復、封鎖、清除宣稱驗證 |
| `wazuh_intrusion_readback:runner_secret_gateway_control` | Runner / secret / gateway 高價值配置連動 |
| `wazuh_intrusion_readback:containment_recovery_postcheck` | containment decision、recovery proof、postcheck 與防再發 |
## 5. 必填 Readback 欄位
1. Wazuh manager / indexer / dashboard / API health ref。
2. Wazuh agent status ref。
3. Wazuh event / alert refs。
4. host auth log refs。
5. process tree refs。
6. network connection refs。
7. file integrity refs。
8. package inventory refs。
9. persistence mechanism refs。
10. actor attribution ref。
11. incident time window ref。
12. affected scope。
13. impact summary ref。
14. containment decision。
15. containment reason ref。
16. recovery proof refs。
17. independent postcheck readback ref。
18. recurrence guard ref。
19. cross-project sync ref。
20. rollback owner。
21. followup owner。
22. redacted evidence refs。
23. no-secret-value attestation。
24. no-raw-log attestation。
25. no-raw-Wazuh-payload attestation。
26. no-private-key-or-runner-token attestation。
27. no-false-green attestation。
28. external-agent-claim-not-accepted attestation。
29. active-response-not-enabled attestation。
30. independent reviewer attestation。
## 6. Reviewer Checks
Reviewer 必須確認 Wazuh 平台健康、agent 狀態、Wazuh event refs、host forensic refs、actor、時間窗、affected scope、containment decision、外部 Agent 宣稱驗證、Runner / gateway / secret 連動、secret absence、raw payload absence、hardcoded credential 拒收、read-only API 預設關閉、host write 未開、active response 未開、cross-project sync、recovery proof、independent postcheck、recurrence guard、no-false-green、runtime stays zero 與 counts transition safe。
不能把 Wazuh online、agent active、route `200`、CD success、UI 可見、外部 Agent 宣稱或 dashboard 上有圖當成事件已結案。
## 7. Outcome Lanes
| lane | 用途 |
|------|------|
| `waiting_wazuh_owner_evidence` | Wazuh 已建置但尚未收到 IwoooS 可接受的脫敏事件 refs |
| `request_manager_health_supplement` | 缺 Wazuh control plane health ref |
| `request_agent_status_supplement` | 缺 host agent 狀態或 last seen ref |
| `request_host_forensics_supplement` | 缺 auth / process / network / FIM / package / persistence refs |
| `request_actor_or_time_supplement` | 缺 actor attribution、工具來源或事件時間窗 |
| `request_containment_decision` | 缺 containment decision、理由、owner 或 rollback owner |
| `quarantine_secret_or_raw_payload` | 收到 secret、private key、runner token、raw payload、raw log 或未脫敏截圖時隔離 |
| `reject_external_agent_claim_only` | 只有外部 Agent 口頭宣稱已修復、已阻擋或已清除時拒收 |
| `route_to_high_value_config_gate` | 涉及 runner、workflow、secret、gateway、firewall、systemd、Docker 或 K8s 時串到高價值配置 gate |
| `ready_for_intrusion_reviewer_review` | metadata 合格後只能進 reviewer review |
| `recurrence_guard_backfill_required` | 需補 Wazuh rule coverage、runner/gateway/secret guard、credential hygiene 或 change freeze |
| `waiting_runtime_gate` | 即使事件 refs acceptedactive response 與 host containment 仍需獨立人工批准 |
## 8. 禁止動作
本階段明確阻擋 Wazuh active response、agent install / restart、manager restart、rule / decoder change、未經 owner gate 的 live query、硬編碼 Wazuh URL / 使用者 / 密碼、關閉 TLS 驗證、保存 raw payload / raw log / raw journal / raw command output、收 password / private key / runner token / webhook secret / cookie / env dump、SSH / sudo / host write、kill process、隔離主機、firewall drop、port close / open、Docker / systemd / Nginx / workflow / runner / repo secret / secret rotation / active scan / production write以及任何 action button。
## 9. 指令
產生 committed snapshot
```bash
python3 scripts/security/wazuh-iwooos-intrusion-readback-plan.py \
--root . \
--output docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json \
--generated-at 2026-06-18T00:00:00+08:00
```
驗證 guard
```bash
python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 10. 完成度
- Wazuh 接入框架 / readback plan`100%`
- Wazuh event refs received / accepted`0%`
- host forensic refs received / accepted`0%`
- containment decision accepted`0%`
- recovery proof accepted`0%`
- read-only API enabled`0%`
- active response / host write / runtime gate`0%`
下一步是請 Wazuh / 主機 / 事件 owner 補脫敏 evidence refs在 reviewer accepted 前IwoooS 不會宣告木馬已清除、RCE 已修補、主機已乾淨、外部 Agent 宣稱已成立或 active response 可啟用。