146 lines
7.8 KiB
Markdown
146 lines
7.8 KiB
Markdown
# IwoooS Wazuh / 主機入侵 Readback 接入計畫
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-18 |
|
||
| 狀態 | `wazuh_intrusion_readback_plan_ready_no_runtime_action` |
|
||
| 工具 | `scripts/security/wazuh-iwooos-intrusion-readback-plan.py` |
|
||
| Snapshot | `docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
Wazuh 已經建置完成,但 IwoooS 不能把「平台存在」直接誤判成「110 / 188 入侵事件已驗收、已處置、已可關閉」。本計畫把 Wazuh、主機入侵跡象、外部 Agent 高風險操作宣稱、Runner / gateway / secret 連動與 containment / recovery proof,全部轉成 IwoooS 可收件、可補件、可拒收的只讀回讀帳本。
|
||
|
||
此 artifact 不連 Wazuh API、不讀主機、不 SSH、不啟動 Wazuh active response、不隔離主機、不封鎖端口、不重啟服務、不收 secret / private key / runner token / webhook secret,也不把外部 Agent 的口頭宣稱視為已修復。
|
||
|
||
## 2. 為什麼前一版沒有作用
|
||
|
||
1. IwoooS 當時重心是只讀治理、owner gate、前台可視化與低摩擦流程,`active_runtime_gate=0`,沒有主機 containment 或 active response 權限。
|
||
2. Wazuh 的事件、agent 狀態、alert refs、FIM、auth log、process tree、network connection 與 persistence evidence 尚未成為 IwoooS source-of-truth。
|
||
3. route `200`、dashboard up、CD success、container up 或 UI 可見被過度依賴,無法證明木馬、RCE、持久化、外部 Agent live 變更或 secret 風險已被處理。
|
||
4. 外部 Agent 可以提出 live SSH、runner config、gateway、secret 或「已清除」宣稱,但缺少 Wazuh event refs 與 host forensic refs 交叉驗證。
|
||
5. 先前草稿若使用硬編碼 Wazuh URL、帳密、關閉 TLS 驗證、mock 事件或英文 SOC 前台文案,必須拒收或隔離,不能直接上線。
|
||
|
||
## 3. 固定數字
|
||
|
||
| 指標 | 數值 |
|
||
|------|------|
|
||
| Wazuh platform reported ready | `1` |
|
||
| readback candidate | `6` |
|
||
| C0 readback candidate | `6` |
|
||
| affected host alias | `2` |
|
||
| Wazuh event required candidate | `5` |
|
||
| host forensics required candidate | `5` |
|
||
| cross-project sync required candidate | `6` |
|
||
| required readback fields | `30` |
|
||
| reviewer checks | `24` |
|
||
| outcome lanes | `12` |
|
||
| blocked actions | `49` |
|
||
| Wazuh event / host forensics accepted | `0 / 0` |
|
||
| containment / recovery / postcheck accepted | `0 / 0 / 0` |
|
||
| read-only API enabled | `0` |
|
||
| active response / host write | `0 / 0` |
|
||
| runtime gate / action button | `0 / 0` |
|
||
|
||
## 4. Readback Candidate
|
||
|
||
| Candidate | 焦點 |
|
||
|-----------|------|
|
||
| `wazuh_intrusion_readback:wazuh_control_plane` | Wazuh manager / indexer / dashboard / API 健康狀態,只收脫敏 ref |
|
||
| `wazuh_intrusion_readback:host110_intrusion_signal` | host-110 入侵、gateway、runner、service 異常訊號 |
|
||
| `wazuh_intrusion_readback:host188_intrusion_signal` | host-188 入侵、惡意程式、RCE 宣稱回讀 |
|
||
| `wazuh_intrusion_readback:external_agent_live_change_claim` | 外部 Agent live 變更、修復、封鎖、清除宣稱驗證 |
|
||
| `wazuh_intrusion_readback:runner_secret_gateway_control` | Runner / secret / gateway 高價值配置連動 |
|
||
| `wazuh_intrusion_readback:containment_recovery_postcheck` | containment decision、recovery proof、postcheck 與防再發 |
|
||
|
||
## 5. 必填 Readback 欄位
|
||
|
||
1. Wazuh manager / indexer / dashboard / API health ref。
|
||
2. Wazuh agent status ref。
|
||
3. Wazuh event / alert refs。
|
||
4. host auth log refs。
|
||
5. process tree refs。
|
||
6. network connection refs。
|
||
7. file integrity refs。
|
||
8. package inventory refs。
|
||
9. persistence mechanism refs。
|
||
10. actor attribution ref。
|
||
11. incident time window ref。
|
||
12. affected scope。
|
||
13. impact summary ref。
|
||
14. containment decision。
|
||
15. containment reason ref。
|
||
16. recovery proof refs。
|
||
17. independent postcheck readback ref。
|
||
18. recurrence guard ref。
|
||
19. cross-project sync ref。
|
||
20. rollback owner。
|
||
21. followup owner。
|
||
22. redacted evidence refs。
|
||
23. no-secret-value attestation。
|
||
24. no-raw-log attestation。
|
||
25. no-raw-Wazuh-payload attestation。
|
||
26. no-private-key-or-runner-token attestation。
|
||
27. no-false-green attestation。
|
||
28. external-agent-claim-not-accepted attestation。
|
||
29. active-response-not-enabled attestation。
|
||
30. independent reviewer attestation。
|
||
|
||
## 6. Reviewer Checks
|
||
|
||
Reviewer 必須確認 Wazuh 平台健康、agent 狀態、Wazuh event refs、host forensic refs、actor、時間窗、affected scope、containment decision、外部 Agent 宣稱驗證、Runner / gateway / secret 連動、secret absence、raw payload absence、hardcoded credential 拒收、read-only API 預設關閉、host write 未開、active response 未開、cross-project sync、recovery proof、independent postcheck、recurrence guard、no-false-green、runtime stays zero 與 counts transition safe。
|
||
|
||
不能把 Wazuh online、agent active、route `200`、CD success、UI 可見、外部 Agent 宣稱或 dashboard 上有圖當成事件已結案。
|
||
|
||
## 7. Outcome Lanes
|
||
|
||
| lane | 用途 |
|
||
|------|------|
|
||
| `waiting_wazuh_owner_evidence` | Wazuh 已建置但尚未收到 IwoooS 可接受的脫敏事件 refs |
|
||
| `request_manager_health_supplement` | 缺 Wazuh control plane health ref |
|
||
| `request_agent_status_supplement` | 缺 host agent 狀態或 last seen ref |
|
||
| `request_host_forensics_supplement` | 缺 auth / process / network / FIM / package / persistence refs |
|
||
| `request_actor_or_time_supplement` | 缺 actor attribution、工具來源或事件時間窗 |
|
||
| `request_containment_decision` | 缺 containment decision、理由、owner 或 rollback owner |
|
||
| `quarantine_secret_or_raw_payload` | 收到 secret、private key、runner token、raw payload、raw log 或未脫敏截圖時隔離 |
|
||
| `reject_external_agent_claim_only` | 只有外部 Agent 口頭宣稱已修復、已阻擋或已清除時拒收 |
|
||
| `route_to_high_value_config_gate` | 涉及 runner、workflow、secret、gateway、firewall、systemd、Docker 或 K8s 時串到高價值配置 gate |
|
||
| `ready_for_intrusion_reviewer_review` | metadata 合格後只能進 reviewer review |
|
||
| `recurrence_guard_backfill_required` | 需補 Wazuh rule coverage、runner/gateway/secret guard、credential hygiene 或 change freeze |
|
||
| `waiting_runtime_gate` | 即使事件 refs accepted,active response 與 host containment 仍需獨立人工批准 |
|
||
|
||
## 8. 禁止動作
|
||
|
||
本階段明確阻擋 Wazuh active response、agent install / restart、manager restart、rule / decoder change、未經 owner gate 的 live query、硬編碼 Wazuh URL / 使用者 / 密碼、關閉 TLS 驗證、保存 raw payload / raw log / raw journal / raw command output、收 password / private key / runner token / webhook secret / cookie / env dump、SSH / sudo / host write、kill process、隔離主機、firewall drop、port close / open、Docker / systemd / Nginx / workflow / runner / repo secret / secret rotation / active scan / production write,以及任何 action button。
|
||
|
||
## 9. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/wazuh-iwooos-intrusion-readback-plan.py \
|
||
--root . \
|
||
--output docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json \
|
||
--generated-at 2026-06-18T00:00:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/iwooos-config-control-guard.py --root .
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 10. 完成度
|
||
|
||
- Wazuh 接入框架 / readback plan:`100%`
|
||
- Wazuh event refs received / accepted:`0%`
|
||
- host forensic refs received / accepted:`0%`
|
||
- containment decision accepted:`0%`
|
||
- recovery proof accepted:`0%`
|
||
- read-only API enabled:`0%`
|
||
- active response / host write / runtime gate:`0%`
|
||
|
||
下一步是請 Wazuh / 主機 / 事件 owner 補脫敏 evidence refs;在 reviewer accepted 前,IwoooS 不會宣告木馬已清除、RCE 已修補、主機已乾淨、外部 Agent 宣稱已成立或 active response 可啟用。
|