Files
awoooi/docs/security/EXTERNAL-HOST-INTRUSION-PREVENTION-CONTROL.md
Your Name 5820ca90cc
Some checks failed
CD Pipeline / tests (push) Successful in 1m45s
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / build-and-deploy (push) Successful in 17m44s
CD Pipeline / post-deploy-checks (push) Has been cancelled
feat(iwooos): 新增外部入侵主機防堵控制
2026-06-18 10:24:33 +08:00

9.1 KiB
Raw Blame History

IwoooS 外部入侵主機防堵控制矩陣

項目 內容
日期 2026-06-18
狀態 external_host_intrusion_prevention_control_ready_no_runtime_action
工具 scripts/security/external-host-intrusion-prevention-control.py
Snapshot docs/security/external-host-intrusion-prevention-control.snapshot.json
runtime gate 0

1. 目的

此矩陣把「全力防堵外部入侵主機」從口頭要求轉成 IwoooS 可驗收、可拒收、可排序的 P0 控制面。它把所有容易造成即時資安危害的面向放在同一張矩陣公開入口、DNS / TLS、Nginx、SSH / sudo、端口 / 防火牆、WireGuard、NodePort、Docker / systemd、process、K8s / ArgoCD、RBAC、runner、workflow、deploy key、webhook、secret、Wazuh、套件更新、backup / restore、monitoring / alerting、跨專案 freeze 與 break-glass。

本階段不直接連主機、不 SSH、不讀 live config、不改 Nginx、不改 firewall、不啟用 Wazuh active response、不重啟服務、不更新套件、不輪替 secret、不跑 active scan。它的作用是先建立「誰能批准、要看什麼證據、什麼要拒收、什麼仍為 0」的防堵控制基線。

2. 為什麼舊機制沒有擋住

  1. 先前 IwoooS 的主體是只讀治理、owner gate、前台可視化與低摩擦收件active_runtime_gate=0,沒有主機 containment、firewall drop、Wazuh active response 或 secret rotation 權限。
  2. Wazuh 已建置只能代表偵測平台存在;若沒有 event refs、agent status refs、host forensic refs、config diff refs 與 containment decisionIwoooS 不能判斷 110 / 188 類主機事件已防堵。
  3. Nginx、端口、防火牆、runner、workflow、secret、Docker / systemd、K8s / ArgoCD 與 backup / restore 原本分散在不同清冊,沒有一個「外部入侵防堵」的統一優先序。
  4. route 200、dashboard up、container up、CD success、UI 可見或外部 Agent 宣稱過去容易被誤讀成服務恢復或風險降低但它們都不能證明木馬清除、RCE 修補、持久化移除或 credential 未外洩。
  5. 未建立維護窗口、rollback owner、validation metrics、postcheck owner 與跨專案同步前,直接封 port、reload、restart、upgrade 或 sync 會造成服務中斷與二次事故。

3. 完整工作範圍

範圍 要控管的項目
主機 host OS、SSH、sudo、authorized_keys、known_hosts、systemd、Docker、process、port binding、套件、kernel、Wazuh agent、backup agent、排程
公開入口 DNS、TLS、certbot、Nginx、public gateway、upstream、WebSocket、ACME challenge、public / admin / API route
網路 firewall、WireGuard、NodePort、NetworkPolicy、VIP、內網 service dependency、監控接收端
容器與叢集 Docker compose、Harbor / registry、K8s manifest、ArgoCD、RBAC、Secret metadata、image pull、Pod scheduling
供應鏈 Gitea workflow、runner、deploy key、webhook、repo secret name、branch protection、CODEOWNERS、artifact / image source
憑證與秘密 secret value、token、cookie、private key、env dump、credential escrow、rotation decision、redaction attestation
偵測與回應 Wazuh manager / indexer / dashboard / API、agent status、rule / decoder、event refs、active response dry-run、Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse
資料與復原 backup freshness、restore drill、offsite sync、remote delete guard、retention、rollback、cold-start / DR scorecard
產品面 AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、stock / public websites、API、admin、webhook、AI provider route
協作治理 多 Session 同步、維護窗口、break-glass、operator notification、postcheck、no-false-green、LOGBOOK / deploy marker

4. 固定數字

指標 數值
prevention domain 12
control candidate 14
C0 control candidate 10
C1 control candidate 4
P0 control candidate 14
host alias 4
sensor alias 1
required owner fields 36
reviewer checks 34
outcome lanes 12
blocked actions 82
owner response received / accepted 0 / 0
prevention control accepted 0
Wazuh active response enabled 0
host write / firewall change / Nginx reload 0 / 0 / 0
package upgrade / active scan / production write 0 / 0 / 0
runtime gate / action button 0 / 0

5. P0 防堵候選優先序

優先 候選 狀態
P0-1 公開入口 / Nginx 變更 freeze 與 source-to-live diff waiting_owner_prevention_packet
P0-2 SSH / sudo / authorized_keys / known_hosts 存取收斂 waiting_owner_prevention_packet
P0-3 端口 / 防火牆 / WireGuard / NodePort baseline waiting_owner_prevention_packet
P0-4 Docker / systemd / process / persistence baseline waiting_owner_prevention_packet
P0-5 K8s / ArgoCD drift、RBAC 與 Secret metadata containment waiting_owner_prevention_packet
P0-6 Runner / workflow / deploy key / secret freeze waiting_owner_prevention_packet
P0-7 疑似 credential exposure 的輪替決策 gate waiting_owner_prevention_packet
P0-8 Wazuh event triage 與事件分流 gate waiting_owner_prevention_packet
P0-9 Wazuh active response dry-run / blast radius / rollback waiting_owner_prevention_packet
P0-10 Backup / restore / rollback 可用性防堵 gate waiting_owner_prevention_packet
P0-11 套件更新 / CVE 修補維護窗口候選 waiting_owner_prevention_packet
P0-12 公開 / 後台 / API runtime auth 與 route guard waiting_owner_prevention_packet
P0-13 監控 / 告警 / route 200 no-false-green gate waiting_owner_prevention_packet
P0-14 跨專案 freeze、break-glass 與 operator sync waiting_owner_prevention_packet

6. 必填 owner 欄位

每個防堵候選至少需要 owner role、owner team、decision、decision reason、affected scope aliases、exposed surface aliases、current risk、immediate harm if delayed、redacted evidence refs、Wazuh event refs、host forensic refs、config diff refs、before / after state、maintenance window、break-glass reason、rollback owner、rollback plan、validation metrics、postcheck owner、cross-project sync ref、communication channel、secret absence、raw payload absence、no internal-name publication、no-false-green、service / AI / monitoring / backup impact、recurrence guard、followup owner、expiry / review date 與 reviewer attestation。

未補齊前只能停在 waiting_owner_prevention_packet,不能進 runtime 防堵。

7. 拒收與隔離條件

  1. 收到 password、private key、runner token、webhook secret、cookie、session、env dump、secret hash 或 partial token。
  2. 收到 raw Wazuh payload、raw syslog、raw journal、完整命令輸出、未脫敏截圖或可還原內部 IP / 帳號 namespace 的內容。
  3. 只有外部 Agent 宣稱已清除、已封鎖、已修復、已 Zero-Trust但沒有 Wazuh event refs 與 host forensic refs。
  4. 只有 route 200、dashboard up、agent active、container up、CD success、UI 可見或 alert quiet。
  5. 缺 maintenance window、rollback owner、validation metrics、postcheck owner 或跨專案同步。

8. 禁止動作

本階段明確阻擋 SSH / sudo、host live config read、Nginx test / reload / conf write、certbot renew、DNS / route / upstream / WebSocket change、iptables / firewall / WireGuard / NodePort / NetworkPolicy change、Docker / systemd / process / reboot、apt update / upgrade、Wazuh active response / agent / rule / decoder change、ArgoCD sync、kubectl、Helm、RBAC、K8s secret、workflow、runner、deploy key、webhook、repo secret、secret rotation、secret store read、raw payload storage、active scan、exploit validation、backup / restore / offsite sync、remote delete、retention change、database migration、production write、action button、runtime gate 與 force push。

9. 指令

產生 committed snapshot

python3 scripts/security/external-host-intrusion-prevention-control.py \
  --root . \
  --output docs/security/external-host-intrusion-prevention-control.snapshot.json \
  --generated-at 2026-06-18T15:30:00+08:00

驗證 guard

python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .

10. 完成度

  • 外部入侵防堵控制矩陣 / repo artifact100%
  • 前台可視化與脫敏 marker100%
  • owner response received / accepted0%
  • Wazuh event refs / host forensic refs accepted0%
  • containment decision / prevention control accepted0%
  • Wazuh active response enabled0%
  • host write / firewall change / Nginx reload / package upgrade / active scan0%
  • runtime gate / action button0%

下一步是把 14 個 P0 防堵候選交給 owner 補脫敏證據、維護窗口、rollback owner 與 postcheck。驗收前IwoooS 不宣告主機已乾淨、木馬已清除、RCE 已修補、外部入侵已防堵,也不自動執行任何主機或網路變更。