From 20c2c81f85f88cb63484a6136e65d5a185799017 Mon Sep 17 00:00:00 2001 From: ogt Date: Thu, 25 Jun 2026 15:13:08 +0800 Subject: [PATCH] feat(iwooos): professionalize SOC operating model --- apps/web/messages/en.json | 30 +- apps/web/messages/zh-TW.json | 30 +- apps/web/src/app/[locale]/iwooos/page.tsx | 14 +- docs/LOGBOOK.md | 30 ++ .../HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md | 2 +- docs/security/IWOOOS-POSTURE-PROJECTION.md | 4 +- ...INSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md | 18 +- ...SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md | 55 ++- .../iwooos-posture-projection.snapshot.json | 6 +- ...li-wazuh-integration-control.snapshot.json | 392 +++++++++++++++++- .../security/iwooos-config-control-guard.py | 12 +- .../security-mirror-progress-guard.py | 29 +- ...soc-siem-kali-wazuh-integration-control.py | 166 +++++++- 13 files changed, 731 insertions(+), 57 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 2cc45d0c..40b251ed 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -19380,7 +19380,7 @@ "socSiemKaliWazuhIntegration": { "eyebrow": "SOC / SIEM / 資安觀測節點 整合控制", "title": "把 Wazuh、Kali、告警鏈與主流資安機制接成同一條證據線", - "subtitle": "這張卡把 NIST CSF、CIS Controls、CISA KEV、OWASP ASVS、Wazuh、Suricata 與 Kali tooling 映射到 IwoooS 控制面;目前只顯示框架、訊號源、控制候選與 0/false 邊界,不呼叫 Wazuh、不呼叫 Kali、不送 Telegram、不建立 SOAR case、不啟動掃描或封鎖。", + "subtitle": "這張卡把 NIST CSF、NIST SP 800-61、CIS Controls、CISA、MITRE、OWASP、Wazuh、Alertmanager、OpenTelemetry、供應鏈與 Kali tooling 映射到 IwoooS 控制面;目前只顯示框架、角色、事件階段、驗證 Gate 與 0/false 邊界,不呼叫 Wazuh、不呼叫 Kali、不送 Telegram、不建立 SOAR case、不啟動掃描或封鎖。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "SOC 整合邊界", @@ -19388,7 +19388,19 @@ "summary": { "frameworks": { "label": "框架", - "detail": "7 個主流框架已映射到 IwoooS 控制域。" + "detail": "14 個主流框架已映射到 IwoooS 控制域。" + }, + "roles": { + "label": "角色", + "detail": "9 個營運角色固定 owner、reviewer、變更、證據與風險責任。" + }, + "lifecycle": { + "label": "事件階段", + "detail": "8 段事件生命週期涵蓋準備、偵測、分流、調查、復原與學習。" + }, + "validation": { + "label": "驗證 Gate", + "detail": "18 個 Gate 固定脫敏證據、rollback、維護窗口、postcheck 與 production smoke。" }, "domains": { "label": "控制域", @@ -19406,7 +19418,7 @@ "items": { "frameworkMap": { "title": "主流框架已對齊", - "body": "NIST CSF、CIS、CISA KEV、OWASP ASVS、Wazuh、Suricata 與 Kali tooling 已映射到治理、偵測、回應與復原。" + "body": "NIST CSF、NIST SP 800-61、CIS、CISA、MITRE、OWASP、Wazuh、Alertmanager、OpenTelemetry 與 Kali tooling 已映射到治理、偵測、回應與復原。" }, "wazuhSiem": { "title": "Wazuh SIEM 待收件", @@ -19435,6 +19447,18 @@ "runtimeBoundary": { "title": "runtime 邊界維持 0 / false", "body": "Wazuh active response、Kali scan、Prometheus reload、Telegram 發送、auto block 與 action button 全部維持關閉。" + }, + "operatingModel": { + "title": "營運角色已拆分", + "body": "控制負責人、SOC 審查人、事故指揮、平台 / 服務負責人、證據保管、變更管理、AI 安全審查與風險負責人分開驗收。" + }, + "incidentLifecycle": { + "title": "事件生命週期已固定", + "body": "每個入侵、漂移、端口、告警或供應鏈事件都要走準備、偵測、分流、調查、決策、復原、學習與改善。" + }, + "validationGates": { + "title": "驗證 Gate 阻擋假綠燈", + "body": "沒有脫敏證據、secret absence、Wazuh registry、Kali scope、alert receipt、case id、rollback、維護窗口與 postcheck,就不能宣告完成。" } } }, diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 2cc45d0c..40b251ed 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -19380,7 +19380,7 @@ "socSiemKaliWazuhIntegration": { "eyebrow": "SOC / SIEM / 資安觀測節點 整合控制", "title": "把 Wazuh、Kali、告警鏈與主流資安機制接成同一條證據線", - "subtitle": "這張卡把 NIST CSF、CIS Controls、CISA KEV、OWASP ASVS、Wazuh、Suricata 與 Kali tooling 映射到 IwoooS 控制面;目前只顯示框架、訊號源、控制候選與 0/false 邊界,不呼叫 Wazuh、不呼叫 Kali、不送 Telegram、不建立 SOAR case、不啟動掃描或封鎖。", + "subtitle": "這張卡把 NIST CSF、NIST SP 800-61、CIS Controls、CISA、MITRE、OWASP、Wazuh、Alertmanager、OpenTelemetry、供應鏈與 Kali tooling 映射到 IwoooS 控制面;目前只顯示框架、角色、事件階段、驗證 Gate 與 0/false 邊界,不呼叫 Wazuh、不呼叫 Kali、不送 Telegram、不建立 SOAR case、不啟動掃描或封鎖。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "SOC 整合邊界", @@ -19388,7 +19388,19 @@ "summary": { "frameworks": { "label": "框架", - "detail": "7 個主流框架已映射到 IwoooS 控制域。" + "detail": "14 個主流框架已映射到 IwoooS 控制域。" + }, + "roles": { + "label": "角色", + "detail": "9 個營運角色固定 owner、reviewer、變更、證據與風險責任。" + }, + "lifecycle": { + "label": "事件階段", + "detail": "8 段事件生命週期涵蓋準備、偵測、分流、調查、復原與學習。" + }, + "validation": { + "label": "驗證 Gate", + "detail": "18 個 Gate 固定脫敏證據、rollback、維護窗口、postcheck 與 production smoke。" }, "domains": { "label": "控制域", @@ -19406,7 +19418,7 @@ "items": { "frameworkMap": { "title": "主流框架已對齊", - "body": "NIST CSF、CIS、CISA KEV、OWASP ASVS、Wazuh、Suricata 與 Kali tooling 已映射到治理、偵測、回應與復原。" + "body": "NIST CSF、NIST SP 800-61、CIS、CISA、MITRE、OWASP、Wazuh、Alertmanager、OpenTelemetry 與 Kali tooling 已映射到治理、偵測、回應與復原。" }, "wazuhSiem": { "title": "Wazuh SIEM 待收件", @@ -19435,6 +19447,18 @@ "runtimeBoundary": { "title": "runtime 邊界維持 0 / false", "body": "Wazuh active response、Kali scan、Prometheus reload、Telegram 發送、auto block 與 action button 全部維持關閉。" + }, + "operatingModel": { + "title": "營運角色已拆分", + "body": "控制負責人、SOC 審查人、事故指揮、平台 / 服務負責人、證據保管、變更管理、AI 安全審查與風險負責人分開驗收。" + }, + "incidentLifecycle": { + "title": "事件生命週期已固定", + "body": "每個入侵、漂移、端口、告警或供應鏈事件都要走準備、偵測、分流、調查、決策、復原、學習與改善。" + }, + "validationGates": { + "title": "驗證 Gate 阻擋假綠燈", + "body": "沒有脫敏證據、secret absence、Wazuh registry、Kali scope、alert receipt、case id、rollback、維護窗口與 postcheck,就不能宣告完成。" } } }, diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index e0d98ee3..ea46703e 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -2388,7 +2388,10 @@ const wazuhManagedHostCoverageBoundaries = [ ] as const const socSiemKaliWazuhIntegrationSummary = [ - { key: 'frameworks', value: '7', icon: ClipboardCheck, tone: 'steady' }, + { key: 'frameworks', value: '14', icon: ClipboardCheck, tone: 'steady' }, + { key: 'roles', value: '9', icon: ShieldCheck, tone: 'steady' }, + { key: 'lifecycle', value: '8', icon: Workflow, tone: 'steady' }, + { key: 'validation', value: '18', icon: FileText, tone: 'warn' }, { key: 'domains', value: '16', icon: Network, tone: 'steady' }, { key: 'signals', value: '12', icon: Radar, tone: 'warn' }, { key: 'runtimeGate', value: '0', icon: Lock, tone: 'locked' }, @@ -2403,11 +2406,18 @@ const socSiemKaliWazuhIntegrationItems: SocSiemKaliWazuhIntegrationItem[] = [ { key: 'supplyChain', check: 'SOC-6', state: '待關聯', icon: GitBranch, tone: 'warn' }, { key: 'soarBoundary', check: 'SOC-7', state: '不得自動', icon: Workflow, tone: 'locked' }, { key: 'runtimeBoundary', check: 'SOC-8', state: '0 / false', icon: Lock, tone: 'locked' }, + { key: 'operatingModel', check: 'SOC-9', state: 'RACI 已定義', icon: ShieldCheck, tone: 'steady' }, + { key: 'incidentLifecycle', check: 'SOC-10', state: '8 階段', icon: Workflow, tone: 'steady' }, + { key: 'validationGates', check: 'SOC-11', state: '18 Gate', icon: FileText, tone: 'warn' }, ] as const const socSiemKaliWazuhIntegrationBoundaries = [ 'soc_siem_kali_wazuh_integration_control_visible=true', - 'soc_siem_kali_wazuh_integration_control_standard_framework_count=7', + 'soc_siem_kali_wazuh_integration_control_standard_framework_count=14', + 'soc_siem_kali_wazuh_integration_control_operating_role_count=9', + 'soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count=8', + 'soc_siem_kali_wazuh_integration_control_maturity_stage_count=7', + 'soc_siem_kali_wazuh_integration_control_validation_gate_count=18', 'soc_siem_kali_wazuh_integration_control_domain_count=16', 'soc_siem_kali_wazuh_integration_control_c0_domain_count=12', 'soc_siem_kali_wazuh_integration_control_c1_domain_count=4', diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 7c4452b2..e0345904 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -25,6 +25,36 @@ **邊界**:本輪只做 read-only wrapper live run、repo-side script / docs 修正與 guard;沒有 Docker / systemd / Nginx / firewall / K8s / ArgoCD / Wazuh runtime 寫操作,沒有 import,沒有讀 token。 +## 2026-06-25|IwoooS 主流資安營運體制化來源端補強 + +**背景**:使用者要求 IwoooS 不可只停在 Wazuh / Kali / 告警工具可見,而要把整體資訊安全機制、體制、監控、告警、Kali 112、Wazuh、Nginx / 高價值配置、供應鏈、AI Agent 與 incident response 全部用業界主流專業做法整合起來;同時不得把工作視窗對話、內部主機資訊、repo owner 或敏感內容放到前台。 + +**完成**: +- `scripts/security/soc-siem-kali-wazuh-integration-control.py` 將主流框架從 `7` 擴到 `14`,新增 NIST SP 800-61 Rev. 3、CISA Zero Trust、MITRE ATT&CK / D3FEND、OWASP SAMM、Wazuh Active Response 能力模型、Prometheus Alertmanager、OpenTelemetry、SLSA / Sigstore / SBOM 與 Suricata / Zeek NDR。 +- 同一控制矩陣新增 `9` 個營運角色、`8` 段事件生命週期、`7` 個成熟度階段與 `18` 個 validation gates;所有 gate 目前皆為 `accepted=false`、`runtime_gate_open=false`。 +- `docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json`、`docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md`、`MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md`、`IWOOOS-POSTURE-PROJECTION.md`、`HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md` 與 `iwooos-posture-projection.snapshot.json` 已同步新數字。 +- `/zh-TW/iwooos` 的 SOC / SIEM / Kali / Wazuh 卡片改為顯示 `14` 框架、`9` 角色、`8` 事件階段、`18` Gate、`16` 控制域、`12` 訊號源與 runtime gate `0`。 +- `security-mirror-progress-guard.py` 與 `iwooos-config-control-guard.py` 已同步固定 `14 / 9 / 8 / 7 / 18`,避免後續退回舊口徑或誤拉高 runtime。 + +**驗證**: +- `python3 scripts/security/soc-siem-kali-wazuh-integration-control.py --root .`:`frameworks=14 roles=9 lifecycle=8 gates=18 domains=16 signals=12 candidates=20 runtime_gate=0`。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .`:通過。 +- `python3 scripts/security/iwooos-config-control-guard.py --root .`:通過。 +- `python3 scripts/security/iwooos-frontend-display-redaction-guard.py --root .`:通過。 +- `python3 scripts/ops/doc-secrets-sanity-check.py ...`:通過。 +- `python3 -m py_compile scripts/security/soc-siem-kali-wazuh-integration-control.py scripts/security/security-mirror-progress-guard.py scripts/security/iwooos-config-control-guard.py`:通過。 +- `cmp -s apps/web/messages/zh-TW.json apps/web/messages/en.json`:通過。 +- `pnpm --filter @awoooi/web typecheck`:通過。 +- `git diff --check`:通過。 + +**完成度同步**: +- SOC / SIEM / Kali / Wazuh 整合控制矩陣:`100%` 來源端。 +- 業界主流資安營運體制補強:`100%` 來源端。 +- IwoooS 資安體制完整度:`70% -> 76%` 來源端;owner evidence、Wazuh manager registry truth、Kali active scan、SOAR / active response、host write 與 runtime gate 仍為 `0%`。 +- 前台 production visible:待 commit / push / Gitea CD / desktop + mobile smoke 後補正式讀回。 + +**邊界**:本輪沒有 SSH、沒有 host write、沒有 Wazuh live API、沒有重新註冊 agent、沒有 Wazuh active response、沒有 Kali active scan 或 `/execute`、沒有 Nginx / firewall / Docker / K8s / workflow / secret 變更、沒有 Telegram live send、沒有 SOAR case create、沒有 auto block、沒有 production write,也沒有把工作視窗逐字內容放到前台。 + ## 2026-06-25|14:41 post-start quick check live wrapper 分級讀回 **背景**:第一版 `post-start-quick-check.sh` live run 將預期中的 `escrow_missing=5` 與 MOMO 非服務面 warning 一併算成 `DEGRADED`,容易讓重啟 SOP 看起來永遠差一點。這不符合本輪目標:服務恢復、資料新鮮、備份健康、DR escrow、Wazuh registry 必須分層判定。 diff --git a/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md b/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md index 7a5f0846..ee2a67dd 100644 --- a/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md +++ b/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md @@ -154,7 +154,7 @@ 已新增 `docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md`、`docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json` 與 `scripts/security/soc-siem-kali-wazuh-integration-control.py`,把 Wazuh、Kali 112、Prometheus / Alertmanager、SigNoz、Sentry、Nginx / gateway、host forensic、Docker / systemd、K8s / ArgoCD、Gitea / runner、Harbor / SBOM、backup / DR 收斂成 SOC / SIEM 只讀控制矩陣。 -固定 `standard_framework_count=7`、`control_domain_count=16`、`signal_source_count=12`、`control_candidate_count=20`、`c0_control_candidate_count=12`、`required_owner_field_count=42`、`reviewer_check_count=36`、`outcome_lane_count=14`、`blocked_action_count=103`。此更新導入 NIST CSF 2.0、CIS Controls v8.1、CISA KEV、OWASP ASVS / Logging、Wazuh XDR / SIEM、Suricata NDR / IDS 與 Kali tooling 映射,讓 `monitoring_alerting_observability` 從 `74%` 推進到 `78%`、`security_evidence_tooling` 從 `86%` 推進到 `88%`;高價值配置平均只讀成熟度從 `72%` 推進到 `73%`。 +固定 `standard_framework_count=14`、`operating_role_count=9`、`incident_lifecycle_stage_count=8`、`maturity_stage_count=7`、`validation_gate_count=18`、`control_domain_count=16`、`signal_source_count=12`、`control_candidate_count=20`、`c0_control_candidate_count=12`、`required_owner_field_count=42`、`reviewer_check_count=36`、`outcome_lane_count=14`、`blocked_action_count=103`。此更新導入 NIST CSF 2.0、NIST SP 800-61 Rev. 3、CIS Controls v8.1、CISA Zero Trust / KEV、MITRE ATT&CK / D3FEND、OWASP ASVS / SAMM、Wazuh XDR / SIEM、Wazuh Active Response 能力模型、Prometheus Alertmanager、OpenTelemetry、SLSA / Sigstore / SBOM、Suricata / Zeek 與 Kali tooling 映射,讓 `monitoring_alerting_observability` 維持 `78%`、`security_evidence_tooling` 維持 `88%`;高價值配置平均只讀成熟度仍維持 `73%`,避免因制度補強而假性提高 runtime 完成度。 此 artifact 只代表 SOC 控制面、證據欄位、拒收條件與前台 marker 已建立;Wazuh event refs、Kali scope / finding envelope、SIEM correlation rule、alert route、incident case、forensic evidence、owner response、active response、Kali active scan、Kali `/execute`、Prometheus / Alertmanager reload、Telegram 實發、SOAR case、auto block、runtime gate 與 action button 仍全部為 `0 / false`。 diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md index 74b4662d..189d0ad8 100644 --- a/docs/security/IWOOOS-POSTURE-PROJECTION.md +++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md @@ -61,7 +61,7 @@ ## 1.8 2026-06-18 SOC / SIEM / Kali 112 / Wazuh 整合控制投影 -`soc_siem_kali_wazuh_integration_control_v1` 已投影到 `iwooos-posture-projection.snapshot.json` 與前台 marker。固定 `standard_framework_count=7`、`control_domain_count=16`、`signal_source_count=12`、`control_candidate_count=20`、`c0_control_candidate_count=12`、`c1_control_candidate_count=8`、`required_owner_field_count=42`、`reviewer_check_count=36`、`outcome_lane_count=14`、`blocked_action_count=103`,並讓 `monitoring_alerting_observability_coverage_percent=78`、`security_evidence_tooling_coverage_percent=88`、高價值配置平均只讀成熟度推進到 `73%`。 +`soc_siem_kali_wazuh_integration_control_v1` 已投影到 `iwooos-posture-projection.snapshot.json` 與前台 marker。固定 `standard_framework_count=14`、`operating_role_count=9`、`incident_lifecycle_stage_count=8`、`maturity_stage_count=7`、`validation_gate_count=18`、`control_domain_count=16`、`signal_source_count=12`、`control_candidate_count=20`、`c0_control_candidate_count=12`、`c1_control_candidate_count=8`、`required_owner_field_count=42`、`reviewer_check_count=36`、`outcome_lane_count=14`、`blocked_action_count=103`,並讓 `monitoring_alerting_observability_coverage_percent=78`、`security_evidence_tooling_coverage_percent=88`、高價值配置平均只讀成熟度推進到 `73%`。 此同步只代表前端可以顯示 Wazuh、Kali 112、Prometheus / Alertmanager、SigNoz、Sentry、Nginx / Gateway、host forensic、Docker / systemd、K8s / ArgoCD、Gitea / runner、Harbor / SBOM 與 backup / DR 的只讀 SOC 控制框架;`wazuh_event_ref_received_count`、`kali_scope_ref_accepted_count`、`kali_finding_envelope_accepted_count`、`siem_correlation_rule_accepted_count`、`alert_route_accepted_count`、`incident_case_accepted_count`、`forensic_evidence_accepted_count`、`owner_response_received_count`、`owner_response_accepted_count`、`active_response_enabled_count`、`kali_active_scan_authorized_count`、`kali_execute_authorized_count`、`prometheus_reload_authorized_count`、`alertmanager_reload_authorized_count`、`telegram_send_authorized_count`、`soar_case_create_authorized_count`、`auto_block_authorized_count`、`runtime_gate_count` 與 `action_button_count` 仍全部維持 `0`。不得把 SOC 看板、SIEM 規則候選、Kali 工具清單、Wazuh agent 可見或告警 route reachable 視為資安驗收。 @@ -81,7 +81,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence: | `cd_runner_secret_injection_post_incident_readback_plan_v1` | CD / Runner / Secret injection 事故後回讀計畫、secret metadata 70%、workflow / runner 74%、33 個必填欄位、52 類 blocked action、runtime gate 0 | | `backup_restore_post_incident_readback_plan_v1` | Backup / Restore / Escrow 事故後回讀計畫、66% 子項成熟度、34 個必填欄位、51 類 blocked action、runtime gate 0 | | `external_host_intrusion_prevention_control_v1` | 外部入侵主機防堵控制矩陣、12 個控制域、14 個 P0 防堵候選、36 個 owner 必填欄位、82 類 blocked action、runtime gate 0 | -| `soc_siem_kali_wazuh_integration_control_v1` | SOC / SIEM / Kali 112 / Wazuh 整合控制矩陣、7 個業界框架、16 個控制域、20 個控制候選、42 個 owner 必填欄位、103 類 blocked action、runtime gate 0 | +| `soc_siem_kali_wazuh_integration_control_v1` | SOC / SIEM / Kali 112 / Wazuh 整合控制矩陣、14 個業界框架、9 個營運角色、8 段事件生命週期、18 個驗證 Gate、16 個控制域、20 個控制候選、42 個 owner 必填欄位、103 類 blocked action、runtime gate 0 | | `kali_integration_status_v1` | Kali 112 observe-only 整合態勢 | | `vibework_iwooos_onboarding_handoff_v1` | VibeWork repo / product / surface / owner / evidence refs / 獨立產品邊界只讀 handoff | | `docs/LOGBOOK.md` | 部署 marker、Gitea run 與 rollout risk 邊界紀錄 | diff --git a/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md b/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md index efc4b8bb..6d86bbc1 100644 --- a/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md +++ b/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md @@ -2,8 +2,8 @@ | 項目 | 內容 | |------|------| -| 日期 | 2026-06-18 | -| 狀態 | 主流框架補齊;只讀控制路線圖 | +| 日期 | 2026-06-25 | +| 狀態 | 主流框架補齊;只讀控制路線圖;專業資安營運體制已補強 | | 適用範圍 | AWOOOI / AwoooP / IwoooS、所有主機、網站前後台、API、Nginx / Gateway、Docker / systemd、K8s / ArgoCD、CI/CD、Gitea / GitHub、Harbor / registry、Wazuh、Kali 112、監控告警、備份還原、AI Agent 與供應鏈 | | runtime 授權 | `false` | | active scan 授權 | `false` | @@ -51,6 +51,20 @@ ## 2. 必做控制域 +### 2.1 2026-06-25 體制化補強 + +IwoooS 的資安機制要符合業界主流做法,不能只停在「有 Wazuh、有 Kali、有告警」。本輪把控制面補成可被審計、可分工、可驗證、可逐步自動化的營運體制: + +| 構面 | 固定數字 | 導入目的 | +|------|----------|----------| +| 主流框架 | `14` | NIST CSF、NIST SP 800-61、CIS、CISA、MITRE、OWASP、Wazuh、Alertmanager、OpenTelemetry、SLSA / SBOM、NDR 與 Kali 對齊 | +| 營運角色 | `9` | 明確分開 control owner、SOC reviewer、incident commander、platform owner、service owner、evidence custodian、change manager、AI security reviewer 與 risk owner | +| 事件生命週期 | `8` | 從準備、偵測、分流、調查、圍堵決策、清除復原、事後學習到持續改善 | +| 成熟度階段 | `7` | L0 分散觀測到 L6 受治理低風險自動化;目前不越過只讀 evidence / owner packet | +| 驗證 Gate | `18` | owner、scope、source-to-live diff、redaction、secret absence、Wazuh registry、Kali scope、alert receipt、case id、rollback、maintenance window、postcheck 與 production smoke | + +本體制引用主流框架只代表控制模型與優先序校準,不代表採購、切換平台、啟用 active response、執行 Kali active scan、修改 Nginx、reload Alertmanager、發 Telegram live send 或允許 AI agent 直接處置。 + | 優先 | 控制域 | 要做什麼 | 第一階段驗收 | |------|--------|----------|--------------| | P0 | 資產與暴露面 | 建立 host、domain、route、service、port、package、container、repo、workflow、secret metadata、backup、AI agent 完整 inventory | 每個資產有 owner、用途、風險、來源證據、最後觀測時間 | diff --git a/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md b/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md index 15a41bf9..2f49c6f5 100644 --- a/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md +++ b/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md @@ -2,7 +2,7 @@ | 項目 | 內容 | |------|------| -| 日期 | 2026-06-18 | +| 日期 | 2026-06-25 | | 狀態 | `soc_siem_kali_wazuh_integration_control_ready_no_runtime_action` | | 工具 | `scripts/security/soc-siem-kali-wazuh-integration-control.py` | | Snapshot | `docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json` | @@ -20,11 +20,18 @@ | 框架 | 導入方式 | |------|----------| | NIST CSF 2.0 | 以 Govern、Identify、Protect、Detect、Respond、Recover 當 IwoooS SOC 主流程骨架 | +| NIST SP 800-61 Rev. 3 | 將 incident response 建議轉成 case gate、postcheck 與 lesson learned 回寫 | | CIS Controls v8.1 | 導入資產盤點、漏洞管理、稽核日誌、惡意程式防護、復原與權限審查 | +| CISA Zero Trust Maturity Model | 補 identity、device、network、application、data、visibility 與 automation 成熟度 | | CISA KEV | 已知遭利用漏洞作為套件 / image / public service 修補優先序 | -| OWASP ASVS / Logging | 前後台與 API 的 auth、access-control、錯誤與安全事件 logging,不落 secret | +| MITRE ATT&CK / D3FEND | 用攻擊技術、資料源、防禦 countermeasure 與 coverage gap 校準偵測工程 | +| OWASP ASVS / SAMM | 前後台、API、auth、access-control、secure SDLC 與 logging 驗證,不落 secret | | Wazuh XDR / SIEM | endpoint、FIM、rule、decoder、alert 與 active response dry-run 邊界 | -| Suricata / NDR / IDS | 先預留被動網路偵測 lane,IPS / inline blocking 需獨立批准 | +| Wazuh Active Response | 只採能力模型與 dry-run / rollback gate;目前不啟用 response | +| Prometheus Alertmanager | 導入 grouping、dedup、routing、silence、inhibit 與 receipt 驗收 | +| OpenTelemetry | 以 traces、metrics、logs、resource 與 semantic conventions 關聯 incident evidence | +| SLSA / Sigstore / SBOM | 將 provenance、artifact signing、SBOM 與驗章納入供應鏈 lane | +| Suricata / Zeek NDR | 先預留被動網路偵測 lane,IPS / inline blocking 需獨立批准 | | Kali tooling | Kali 112 作為只讀健康、工具版本、scope 與 finding normalization 節點 | ## 3. 控制域 @@ -52,7 +59,11 @@ | 指標 | 數值 | |------|------| -| 主流框架 | `7` | +| 主流框架 | `14` | +| 營運角色 | `9` | +| 事件生命週期階段 | `8` | +| 成熟度階段 | `7` | +| 驗證 Gate | `18` | | 控制域 | `16` | | C0 控制域 | `12` | | C1 控制域 | `4` | @@ -72,7 +83,20 @@ | active response / active scan / SOAR / auto block | `0 / 0 / 0 / 0` | | runtime gate / action button | `0 / 0` | -## 5. 第一批 P0 優先順序 +## 5. 專業資安營運體制 + +本輪補強不是把工具名稱堆到頁面,而是補上業界 SOC / CSIRT / DevSecOps 需要的責任、流程與驗證口徑。所有角色都只代表審查責任,不代表 runtime action 授權。 + +| 類型 | 數量 | IwoooS 採用方式 | +|------|------|-----------------| +| 營運角色 | `9` | IwoooS control owner、SOC reviewer、incident commander、platform owner、service owner、evidence custodian、change manager、AI security reviewer、executive risk owner | +| 事件生命週期 | `8` | 準備治理、偵測正規化、分流排序、調查關聯、圍堵決策、清除復原、事後學習、持續改善 | +| 成熟度階段 | `7` | L0 分散觀測到 L6 受治理低風險自動化;目前停在 L1 / L2 只讀證據與 owner packet | +| 驗證 Gate | `18` | owner mapping、source-to-live diff、脫敏證據、secret absence、Wazuh registry、Kali scope、alert receipt、case id、rollback、maintenance window、postcheck、production smoke 等 | + +這代表 IwoooS 後續對「主機疑似入侵、Wazuh agent 消失、Nginx 被改、端口被關、告警格式不專業、AI agent 過度執行」都必須先形成 case / evidence / owner / rollback / postcheck,再進入人審或 dry-run。沒有這些欄位時,前台可以顯示風險與下一步,但不能顯示成已修復、已授權或可執行。 + +## 6. 第一批 P0 優先順序 | 優先 | 候選 | 狀態 | |------|------|------| @@ -89,7 +113,7 @@ | P0-11 | Incident case / owner response / escalation queue | `waiting_soc_owner_packet` | | P0-12 | 鑑識證據、chain of custody、redaction 與保存期 | `waiting_soc_owner_packet` | -## 6. Runtime 升級順序 +## 7. Runtime 升級順序 1. Repo / snapshot / guard / frontstage marker 完成。 2. Owner 補齊 Wazuh、Kali、host forensic、gateway diff、alert route、supply-chain、KEV / CVE、backup / DR 的脫敏 evidence refs。 @@ -97,13 +121,14 @@ 4. 只讀 ingestion 或 mirror 可在獨立批准後啟用。 5. Active response、Kali active scan、credentialed scan、SOAR case create、firewall containment、IPS / blocking 另開維護窗口與 runtime approval。 -## 7. 禁止動作 +## 8. 禁止動作 本階段明確阻擋 Wazuh live API 查詢、Wazuh active response、Wazuh agent / rule / decoder 變更、raw Wazuh payload 儲存、Kali `/scan`、Kali `/execute`、Nmap / Nuclei / Nikto / Trivy / Lynis live scan、Kali package update、Kali reboot、SSH / sudo、host log 讀取、Docker / systemd、Nginx、certbot、DNS、firewall、WireGuard、NodePort、NetworkPolicy、ArgoCD、kubectl、Helm、Prometheus reload、Alertmanager reload、Grafana / SigNoz / Sentry / Langfuse 設定、Telegram 實發、SOAR playbook、auto block、secret rotation、workflow / runner / deploy key / webhook / repo secret 變更、raw packet / raw log / 未脫敏截圖、database migration、production write、runtime gate、action button、force push、refs sync 與 GitHub primary switch。 -## 8. 完成度 +## 9. 完成度 - SOC / SIEM / Kali / Wazuh 整合控制矩陣:`100%` +- 業界主流資安營運體制補強:`100%` 來源端 - 前台只讀可視化:待本輪驗證 - 高價值配置 monitoring / alerting / observability 只讀成熟度:`78%` - security evidence tooling 只讀成熟度:`88%` @@ -114,7 +139,7 @@ 下一步不是直接掃描或封鎖,而是收齊 owner packet:Wazuh event refs、Kali scope refs、host forensic refs、alert chain refs、gateway diff refs、supply-chain refs、KEV / CVE refs、incident case refs、rollback owner 與 postcheck。驗收前 IwoooS 不宣稱主機乾淨、不宣稱木馬已清除、不宣稱 SIEM 已完成閉環,也不提供任何執行按鈕。 -## 9. 2026-06-18 主流 AISOC 補齊 +## 10. 2026-06-18 主流 AISOC 補齊 已新增 `docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md`,把主流框架與 AISOC 解決方案拆成 IwoooS 可執行工作包。補齊範圍包含 NIST CSF、CIS Controls、CISA Zero Trust、CISA KEV、MITRE ATT&CK / D3FEND、OWASP ASVS / SAMM / SCVS、SLSA、Sigstore、NIST AI RMF、OWASP LLM Top 10、MITRE ATLAS、CSA AI Controls Matrix、OCSF、Sigma、MISP / OpenCTI、Wazuh、Suricata、Zeek、TheHive / Cortex,以及 Microsoft Sentinel / Security Copilot、Google SecOps / Agentic SOC、Cortex XSIAM、CrowdStrike Falcon Next-Gen SIEM / Charlotte AI、Splunk ES / SOAR、Elastic AI SOC Engine、IBM QRadar SOAR、SentinelOne Purple AI 的能力模型。 @@ -130,3 +155,15 @@ 6. P0-F KEV / package / image / SBOM 關聯。 7. P0-G Incident case gate。 8. P0-H AI Agent 權限閘。 + +## 11. 2026-06-25 專業體制化補強 + +本輪把原本 `7` 個主流框架擴到 `14` 個,並新增 `9` 個營運角色、`8` 段事件生命週期、`7` 階成熟度與 `18` 個驗證 Gate。這些欄位已寫入 `docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json`,並由 `security-mirror-progress-guard.py` 固定檢查。 + +新的完成度口徑: + +- SOC / SIEM / Kali / Wazuh 整合控制矩陣:`100%` 來源端。 +- 業界主流體制化補強:`100%` 來源端。 +- IwoooS 資安體制完整度:`70% -> 76%` 來源端;owner evidence、Wazuh manager registry truth、Kali active scan、SOAR / active response 與 runtime gate 仍維持 `0%`。 +- 前台可視化:需完成 production desktop / mobile smoke 後才可宣告 production visible。 +- runtime / host write / active response / active scan / auto block:全部維持 `0 / false`。 diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json index a3e61dd6..a35c24fa 100644 --- a/docs/security/iwooos-posture-projection.snapshot.json +++ b/docs/security/iwooos-posture-projection.snapshot.json @@ -9327,10 +9327,13 @@ "soc_siem_kali_wazuh_integration_control_first_layer": true, "soc_siem_kali_wazuh_integration_control_forensic_evidence_accepted_count": 0, "soc_siem_kali_wazuh_integration_control_incident_case_accepted_count": 0, + "soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count": 8, "soc_siem_kali_wazuh_integration_control_kali_active_scan_authorized_count": 0, "soc_siem_kali_wazuh_integration_control_kali_execute_authorized_count": 0, "soc_siem_kali_wazuh_integration_control_kali_finding_envelope_accepted_count": 0, "soc_siem_kali_wazuh_integration_control_kali_scope_ref_accepted_count": 0, + "soc_siem_kali_wazuh_integration_control_maturity_stage_count": 7, + "soc_siem_kali_wazuh_integration_control_operating_role_count": 9, "soc_siem_kali_wazuh_integration_control_outcome_lane_count": 14, "soc_siem_kali_wazuh_integration_control_owner_response_accepted_count": 0, "soc_siem_kali_wazuh_integration_control_owner_response_received_count": 0, @@ -9343,8 +9346,9 @@ "soc_siem_kali_wazuh_integration_control_siem_correlation_rule_accepted_count": 0, "soc_siem_kali_wazuh_integration_control_signal_source_count": 12, "soc_siem_kali_wazuh_integration_control_soar_case_create_authorized_count": 0, - "soc_siem_kali_wazuh_integration_control_standard_framework_count": 7, + "soc_siem_kali_wazuh_integration_control_standard_framework_count": 14, "soc_siem_kali_wazuh_integration_control_telegram_send_authorized_count": 0, + "soc_siem_kali_wazuh_integration_control_validation_gate_count": 18, "soc_siem_kali_wazuh_integration_control_wazuh_event_ref_received_count": 0, "source_control_primary_readiness_item_count": 6, "ssh_firewall_network_access_coverage_percent": 70, diff --git a/docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json b/docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json index 1c060016..07879f5f 100644 --- a/docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json +++ b/docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json @@ -404,8 +404,158 @@ "wazuh_active_response_authorized": false, "wazuh_api_live_query_authorized": false }, - "generated_at": "2026-06-18T18:30:00+08:00", - "git_commit": "9013fbdc", + "generated_at": "2026-06-25T16:20:00+08:00", + "git_commit": "c07fefbe", + "incident_lifecycle_stages": [ + { + "control_intent": "資產、owner、控制域、例外、權限與證據模板先就緒。", + "label": "準備與治理", + "runtime_gate_open": false, + "stage_id": "prepare_govern" + }, + { + "control_intent": "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。", + "label": "偵測與正規化", + "runtime_gate_open": false, + "stage_id": "detect_normalize" + }, + { + "control_intent": "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。", + "label": "分流與排序", + "runtime_gate_open": false, + "stage_id": "triage_prioritize" + }, + { + "control_intent": "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。", + "label": "調查與關聯", + "runtime_gate_open": false, + "stage_id": "investigate_correlate" + }, + { + "control_intent": "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。", + "label": "圍堵決策", + "runtime_gate_open": false, + "stage_id": "containment_decision" + }, + { + "control_intent": "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。", + "label": "清除與復原", + "runtime_gate_open": false, + "stage_id": "eradicate_recover" + }, + { + "control_intent": "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。", + "label": "事後學習", + "runtime_gate_open": false, + "stage_id": "post_incident_learning" + }, + { + "control_intent": "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。", + "label": "持續改善", + "runtime_gate_open": false, + "stage_id": "continuous_improvement" + } + ], + "maturity_stages": [ + { + "entry_criteria": "工具與文件分散,不能宣稱 SOC 形成。", + "label": "分散觀測", + "runtime_gate_open": false, + "stage_id": "L0" + }, + { + "entry_criteria": "repo / snapshot / guard / frontstage marker 可重跑,runtime 維持 0。", + "label": "只讀證據", + "runtime_gate_open": false, + "stage_id": "L1" + }, + { + "entry_criteria": "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。", + "label": "Owner Packet", + "runtime_gate_open": false, + "stage_id": "L2" + }, + { + "entry_criteria": "在獨立批准後接只讀 live metadata,仍不執行 response。", + "label": "Live Metadata 只讀", + "runtime_gate_open": false, + "stage_id": "L3" + }, + { + "entry_criteria": "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。", + "label": "Dry-run Automation", + "runtime_gate_open": false, + "stage_id": "L4" + }, + { + "entry_criteria": "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。", + "label": "Human-approved Response", + "runtime_gate_open": false, + "stage_id": "L5" + }, + { + "entry_criteria": "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。", + "label": "Governed Low-risk Autonomy", + "runtime_gate_open": false, + "stage_id": "L6" + } + ], + "operating_roles": [ + { + "label": "IwoooS 控制負責人", + "responsibility": "維護控制域、例外、進度口徑與 LOGBOOK;不能直接開 runtime。", + "role_id": "iwooos_control_owner", + "runtime_gate_open": false + }, + { + "label": "SOC 審查人", + "responsibility": "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。", + "role_id": "soc_reviewer", + "runtime_gate_open": false + }, + { + "label": "事故指揮", + "responsibility": "在 incident case 中確認 severity、scope、containment 候選與升級路線。", + "role_id": "incident_commander", + "runtime_gate_open": false + }, + { + "label": "平台負責人", + "responsibility": "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。", + "role_id": "platform_owner", + "runtime_gate_open": false + }, + { + "label": "服務負責人", + "responsibility": "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。", + "role_id": "service_owner", + "runtime_gate_open": false + }, + { + "label": "證據保管人", + "responsibility": "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。", + "role_id": "evidence_custodian", + "runtime_gate_open": false + }, + { + "label": "變更管理人", + "responsibility": "確認維護窗口、rollback owner、postcheck 與跨專案同步。", + "role_id": "change_manager", + "runtime_gate_open": false + }, + { + "label": "AI 安全審查人", + "responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。", + "role_id": "ai_security_reviewer", + "runtime_gate_open": false + }, + { + "label": "風險負責人", + "responsibility": "接受風險、例外期限、治理報告與資源優先序。", + "role_id": "executive_risk_owner", + "runtime_gate_open": false + } + ], "outcome_lanes": [ { "lane_id": "waiting_soc_owner_packet", @@ -741,7 +891,22 @@ "Detect", "Respond", "Recover" - ] + ], + "source_url": "https://www.nist.gov/cyberframework" + }, + { + "framework_id": "nist_sp_800_61_r3", + "integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。", + "label": "NIST SP 800-61 Rev. 3", + "mapped_functions": [ + "Prepare", + "Detect", + "Analyze", + "Respond", + "Recover", + "Improve" + ], + "source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final" }, { "framework_id": "cis_controls_v8_1", @@ -754,7 +919,22 @@ "Malware", "Recovery", "Access" - ] + ], + "source_url": "https://www.cisecurity.org/controls/v8" + }, + { + "framework_id": "cisa_zero_trust_maturity_model", + "integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。", + "label": "CISA Zero Trust Maturity Model", + "mapped_functions": [ + "Identity", + "Devices", + "Networks", + "Applications", + "Data", + "Visibility" + ], + "source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model" }, { "framework_id": "cisa_kev_prioritization", @@ -764,18 +944,35 @@ "Known exploited vulnerability", "Patch priority", "Owner SLA" - ] + ], + "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { - "framework_id": "owasp_asvs_logging", - "integration_intent": "把應用層安全事件、拒絕存取、驗證失敗與敏感資料不落 log 納入前後台驗證。", - "label": "OWASP ASVS / Logging", + "framework_id": "mitre_attack_d3fend", + "integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。", + "label": "MITRE ATT&CK / D3FEND", "mapped_functions": [ - "Auth log", - "Access-control log", - "No secret in log", - "Verification" - ] + "Tactic", + "Technique", + "Data source", + "Detection", + "Mitigation", + "Countermeasure" + ], + "source_url": "https://attack.mitre.org/" + }, + { + "framework_id": "owasp_asvs_samm", + "integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。", + "label": "OWASP ASVS / SAMM", + "mapped_functions": [ + "Security requirement", + "Verification", + "Secure SDLC", + "Logging", + "Access control" + ], + "source_url": "https://owasp.org/www-project-application-security-verification-standard/" }, { "framework_id": "wazuh_xdr_siem", @@ -788,18 +985,76 @@ "Decoder", "Alert", "Active response dry-run" - ] + ], + "source_url": "https://documentation.wazuh.com/current/index.html" }, { - "framework_id": "suricata_ndr_ids", + "framework_id": "wazuh_active_response_model", + "integration_intent": "只採用 active response 的能力模型;IwoooS 目前只做 dry-run 與 rollback gate,不啟用 response。", + "label": "Wazuh Active Response", + "mapped_functions": [ + "Trigger", + "Command", + "Scope", + "Timeout", + "Rollback", + "Dry-run gate" + ], + "source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html" + }, + { + "framework_id": "prometheus_alertmanager", + "integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。", + "label": "Prometheus Alertmanager", + "mapped_functions": [ + "Grouping", + "Deduplication", + "Routing", + "Silencing", + "Inhibition", + "Receipt" + ], + "source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/" + }, + { + "framework_id": "opentelemetry_observability", + "integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。", + "label": "OpenTelemetry observability", + "mapped_functions": [ + "Trace", + "Metric", + "Log", + "Resource", + "Correlation", + "Semantic convention" + ], + "source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/" + }, + { + "framework_id": "slsa_sigstore_sbom", + "integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。", + "label": "SLSA / Sigstore / SBOM", + "mapped_functions": [ + "Provenance", + "Build integrity", + "Artifact signing", + "SBOM", + "Verification" + ], + "source_url": "https://slsa.dev/" + }, + { + "framework_id": "ndr_ids_suricata_zeek", "integration_intent": "將網路偵測與封包層線索納入未來 NDR lane;IPS 仍需獨立批准。", - "label": "Suricata NDR / IDS", + "label": "Suricata / Zeek NDR", "mapped_functions": [ "Network detection", "Passive telemetry", "Rule hit", + "Flow", "Future IPS gate" - ] + ], + "source_url": "https://suricata.io/" }, { "framework_id": "kali_assessment_tooling", @@ -811,7 +1066,8 @@ "Safe crawl", "Tool version", "Finding normalization" - ] + ], + "source_url": "https://www.kali.org/docs/" } ], "status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action", @@ -831,11 +1087,14 @@ "coverage_percent_after_soc_integration_control": 78, "forensic_evidence_accepted_count": 0, "incident_case_accepted_count": 0, + "incident_lifecycle_stage_count": 8, "kali_active_scan_authorized_count": 0, "kali_execute_authorized_count": 0, "kali_finding_envelope_accepted_count": 0, "kali_scope_ref_accepted_count": 0, + "maturity_stage_count": 7, "monitoring_alerting_observability_coverage_percent_after_soc_control": 78, + "operating_role_count": 9, "outcome_lane_count": 14, "owner_response_accepted_count": 0, "owner_response_received_count": 0, @@ -849,8 +1108,101 @@ "siem_correlation_rule_accepted_count": 0, "signal_source_count": 12, "soar_case_create_authorized_count": 0, - "standard_framework_count": 7, + "standard_framework_count": 14, "telegram_send_authorized_count": 0, + "validation_gate_count": 18, "wazuh_event_ref_received_count": 0 - } + }, + "validation_gates": [ + { + "accepted": false, + "gate_id": "asset_owner_mapping_verified", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "source_to_live_diff_available", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "redacted_evidence_refs_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "raw_payload_absence_attested", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "secret_value_absence_attested", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "wazuh_manager_registry_truth_received", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "kali_scope_and_finding_envelope_accepted", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "alert_route_receipt_available", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "incident_case_id_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "severity_confidence_mapping_reviewed", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "forensic_time_window_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "chain_of_custody_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "kev_or_cve_prioritization_done", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "rollback_owner_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "maintenance_window_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "postcheck_metrics_present", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "cross_project_sync_recorded", + "runtime_gate_open": false + }, + { + "accepted": false, + "gate_id": "production_desktop_mobile_smoke_passed", + "runtime_gate_open": false + } + ] } diff --git a/scripts/security/iwooos-config-control-guard.py b/scripts/security/iwooos-config-control-guard.py index 0258d846..e2027132 100644 --- a/scripts/security/iwooos-config-control-guard.py +++ b/scripts/security/iwooos-config-control-guard.py @@ -939,7 +939,11 @@ ARTIFACT_SPECS = [ "schema": "soc_siem_kali_wazuh_integration_control_v1", "status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action", "list_counts": { - "standard_frameworks": 7, + "standard_frameworks": 14, + "operating_roles": 9, + "incident_lifecycle_stages": 8, + "maturity_stages": 7, + "validation_gates": 18, "control_domains": 16, "signal_sources": 12, "control_candidates": 20, @@ -949,7 +953,11 @@ ARTIFACT_SPECS = [ "required_owner_fields": 42, }, "summary_counts": { - "standard_framework_count": 7, + "standard_framework_count": 14, + "operating_role_count": 9, + "incident_lifecycle_stage_count": 8, + "maturity_stage_count": 7, + "validation_gate_count": 18, "control_domain_count": 16, "c0_control_domain_count": 12, "c1_control_domain_count": 4, diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index fee145c1..9aa41b0f 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -3532,7 +3532,11 @@ def validate(root: Path) -> None: "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action", ) for key, expected in { - "standard_frameworks": 7, + "standard_frameworks": 14, + "operating_roles": 9, + "incident_lifecycle_stages": 8, + "maturity_stages": 7, + "validation_gates": 18, "control_domains": 16, "signal_sources": 12, "control_candidates": 20, @@ -3546,7 +3550,11 @@ def validate(root: Path) -> None: expected, ) expected_soc_siem_kali_wazuh_integration_summary = { - "standard_framework_count": 7, + "standard_framework_count": 14, + "operating_role_count": 9, + "incident_lifecycle_stage_count": 8, + "maturity_stage_count": 7, + "validation_gate_count": 18, "control_domain_count": 16, "c0_control_domain_count": 12, "c1_control_domain_count": 4, @@ -8247,7 +8255,11 @@ def validate(root: Path) -> None: "external_host_intrusion_prevention_control_reviewer_check_count": 34, "external_host_intrusion_prevention_control_blocked_action_count": 82, "external_host_intrusion_prevention_control_runtime_gate_count": 0, - "soc_siem_kali_wazuh_integration_control_standard_framework_count": 7, + "soc_siem_kali_wazuh_integration_control_standard_framework_count": 14, + "soc_siem_kali_wazuh_integration_control_operating_role_count": 9, + "soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count": 8, + "soc_siem_kali_wazuh_integration_control_maturity_stage_count": 7, + "soc_siem_kali_wazuh_integration_control_validation_gate_count": 18, "soc_siem_kali_wazuh_integration_control_domain_count": 16, "soc_siem_kali_wazuh_integration_control_c0_domain_count": 12, "soc_siem_kali_wazuh_integration_control_c1_domain_count": 4, @@ -18584,7 +18596,7 @@ def validate(root: Path) -> None: list(web_messages_en["iwooos"]["socSiemKaliWazuhIntegration"].keys()), key, ) - for key in ["frameworks", "domains", "signals", "runtimeGate"]: + for key in ["frameworks", "roles", "lifecycle", "validation", "domains", "signals", "runtimeGate"]: assert_contains( "web_messages.zh-TW.iwooos.socSiemKaliWazuhIntegration.summary", list(web_messages_zh["iwooos"]["socSiemKaliWazuhIntegration"]["summary"].keys()), @@ -18604,6 +18616,9 @@ def validate(root: Path) -> None: "supplyChain", "soarBoundary", "runtimeBoundary", + "operatingModel", + "incidentLifecycle", + "validationGates", ]: assert_contains( "web_messages.zh-TW.iwooos.socSiemKaliWazuhIntegration.items", @@ -18639,7 +18654,11 @@ def validate(root: Path) -> None: ) for text in [ "soc_siem_kali_wazuh_integration_control_visible=true", - "soc_siem_kali_wazuh_integration_control_standard_framework_count=7", + "soc_siem_kali_wazuh_integration_control_standard_framework_count=14", + "soc_siem_kali_wazuh_integration_control_operating_role_count=9", + "soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count=8", + "soc_siem_kali_wazuh_integration_control_maturity_stage_count=7", + "soc_siem_kali_wazuh_integration_control_validation_gate_count=18", "soc_siem_kali_wazuh_integration_control_domain_count=16", "soc_siem_kali_wazuh_integration_control_c0_domain_count=12", "soc_siem_kali_wazuh_integration_control_c1_domain_count=4", diff --git a/scripts/security/soc-siem-kali-wazuh-integration-control.py b/scripts/security/soc-siem-kali-wazuh-integration-control.py index 9da1c270..bef158c0 100644 --- a/scripts/security/soc-siem-kali-wazuh-integration-control.py +++ b/scripts/security/soc-siem-kali-wazuh-integration-control.py @@ -28,47 +28,157 @@ STANDARD_FRAMEWORKS = [ { "framework_id": "nist_csf_2_0", "label": "NIST CSF 2.0", + "source_url": "https://www.nist.gov/cyberframework", "mapped_functions": ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"], "integration_intent": "將資安監控與回應放進治理、辨識、防護、偵測、回應與復原閉環。", }, + { + "framework_id": "nist_sp_800_61_r3", + "label": "NIST SP 800-61 Rev. 3", + "source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final", + "mapped_functions": ["Prepare", "Detect", "Analyze", "Respond", "Recover", "Improve"], + "integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。", + }, { "framework_id": "cis_controls_v8_1", "label": "CIS Controls v8.1", + "source_url": "https://www.cisecurity.org/controls/v8", "mapped_functions": ["Inventory", "Vulnerability", "Audit Log", "Malware", "Recovery", "Access"], "integration_intent": "把資產、弱點、稽核日誌、惡意程式防護、復原與權限審查納入 IwoooS。", }, + { + "framework_id": "cisa_zero_trust_maturity_model", + "label": "CISA Zero Trust Maturity Model", + "source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model", + "mapped_functions": ["Identity", "Devices", "Networks", "Applications", "Data", "Visibility"], + "integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。", + }, { "framework_id": "cisa_kev_prioritization", "label": "CISA KEV 優先化", + "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "mapped_functions": ["Known exploited vulnerability", "Patch priority", "Owner SLA"], "integration_intent": "以已知遭利用漏洞作為漏洞修補與維護窗口排序依據。", }, { - "framework_id": "owasp_asvs_logging", - "label": "OWASP ASVS / Logging", - "mapped_functions": ["Auth log", "Access-control log", "No secret in log", "Verification"], - "integration_intent": "把應用層安全事件、拒絕存取、驗證失敗與敏感資料不落 log 納入前後台驗證。", + "framework_id": "mitre_attack_d3fend", + "label": "MITRE ATT&CK / D3FEND", + "source_url": "https://attack.mitre.org/", + "mapped_functions": ["Tactic", "Technique", "Data source", "Detection", "Mitigation", "Countermeasure"], + "integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。", + }, + { + "framework_id": "owasp_asvs_samm", + "label": "OWASP ASVS / SAMM", + "source_url": "https://owasp.org/www-project-application-security-verification-standard/", + "mapped_functions": ["Security requirement", "Verification", "Secure SDLC", "Logging", "Access control"], + "integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。", }, { "framework_id": "wazuh_xdr_siem", "label": "Wazuh XDR / SIEM", + "source_url": "https://documentation.wazuh.com/current/index.html", "mapped_functions": ["Agent telemetry", "FIM", "Rule", "Decoder", "Alert", "Active response dry-run"], "integration_intent": "將 endpoint / host 訊號、檔案完整性、事件規則與 response 邊界納入 IwoooS。", }, { - "framework_id": "suricata_ndr_ids", - "label": "Suricata NDR / IDS", - "mapped_functions": ["Network detection", "Passive telemetry", "Rule hit", "Future IPS gate"], + "framework_id": "wazuh_active_response_model", + "label": "Wazuh Active Response", + "source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html", + "mapped_functions": ["Trigger", "Command", "Scope", "Timeout", "Rollback", "Dry-run gate"], + "integration_intent": "只採用 active response 的能力模型;IwoooS 目前只做 dry-run 與 rollback gate,不啟用 response。", + }, + { + "framework_id": "prometheus_alertmanager", + "label": "Prometheus Alertmanager", + "source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/", + "mapped_functions": ["Grouping", "Deduplication", "Routing", "Silencing", "Inhibition", "Receipt"], + "integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。", + }, + { + "framework_id": "opentelemetry_observability", + "label": "OpenTelemetry observability", + "source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/", + "mapped_functions": ["Trace", "Metric", "Log", "Resource", "Correlation", "Semantic convention"], + "integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。", + }, + { + "framework_id": "slsa_sigstore_sbom", + "label": "SLSA / Sigstore / SBOM", + "source_url": "https://slsa.dev/", + "mapped_functions": ["Provenance", "Build integrity", "Artifact signing", "SBOM", "Verification"], + "integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。", + }, + { + "framework_id": "ndr_ids_suricata_zeek", + "label": "Suricata / Zeek NDR", + "source_url": "https://suricata.io/", + "mapped_functions": ["Network detection", "Passive telemetry", "Rule hit", "Flow", "Future IPS gate"], "integration_intent": "將網路偵測與封包層線索納入未來 NDR lane;IPS 仍需獨立批准。", }, { "framework_id": "kali_assessment_tooling", "label": "Kali assessment tooling", + "source_url": "https://www.kali.org/docs/", "mapped_functions": ["Health", "Scope", "Safe crawl", "Tool version", "Finding normalization"], "integration_intent": "Kali 112 作為安全驗證與工具節點,先接只讀 health / scope / finding contract。", }, ] +OPERATING_ROLES = [ + ("iwooos_control_owner", "IwoooS 控制負責人", "維護控制域、例外、進度口徑與 LOGBOOK;不能直接開 runtime。"), + ("soc_reviewer", "SOC 審查人", "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。"), + ("incident_commander", "事故指揮", "在 incident case 中確認 severity、scope、containment 候選與升級路線。"), + ("platform_owner", "平台負責人", "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。"), + ("service_owner", "服務負責人", "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。"), + ("evidence_custodian", "證據保管人", "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。"), + ("change_manager", "變更管理人", "確認維護窗口、rollback owner、postcheck 與跨專案同步。"), + ("ai_security_reviewer", "AI 安全審查人", "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。"), + ("executive_risk_owner", "風險負責人", "接受風險、例外期限、治理報告與資源優先序。"), +] + +INCIDENT_LIFECYCLE_STAGES = [ + ("prepare_govern", "準備與治理", "資產、owner、控制域、例外、權限與證據模板先就緒。"), + ("detect_normalize", "偵測與正規化", "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。"), + ("triage_prioritize", "分流與排序", "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。"), + ("investigate_correlate", "調查與關聯", "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。"), + ("containment_decision", "圍堵決策", "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。"), + ("eradicate_recover", "清除與復原", "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。"), + ("post_incident_learning", "事後學習", "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。"), + ("continuous_improvement", "持續改善", "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。"), +] + +MATURITY_STAGES = [ + ("L0", "分散觀測", "工具與文件分散,不能宣稱 SOC 形成。"), + ("L1", "只讀證據", "repo / snapshot / guard / frontstage marker 可重跑,runtime 維持 0。"), + ("L2", "Owner Packet", "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。"), + ("L3", "Live Metadata 只讀", "在獨立批准後接只讀 live metadata,仍不執行 response。"), + ("L4", "Dry-run Automation", "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。"), + ("L5", "Human-approved Response", "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。"), + ("L6", "Governed Low-risk Autonomy", "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。"), +] + +VALIDATION_GATES = [ + "asset_owner_mapping_verified", + "source_to_live_diff_available", + "redacted_evidence_refs_present", + "raw_payload_absence_attested", + "secret_value_absence_attested", + "wazuh_manager_registry_truth_received", + "kali_scope_and_finding_envelope_accepted", + "alert_route_receipt_available", + "incident_case_id_present", + "severity_confidence_mapping_reviewed", + "forensic_time_window_present", + "chain_of_custody_present", + "kev_or_cve_prioritization_done", + "rollback_owner_present", + "maintenance_window_present", + "postcheck_metrics_present", + "cross_project_sync_recorded", + "production_desktop_mobile_smoke_passed", +] + CONTROL_DOMAINS = [ ("asset_inventory_owner", "資產 / owner / attack surface inventory", "C0"), ("endpoint_log_collection", "Endpoint / host / auth / process log collection", "C0"), @@ -388,6 +498,41 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]: "standard_frameworks": [ {"framework_id": item["framework_id"], **item} for item in STANDARD_FRAMEWORKS ], + "operating_roles": [ + { + "role_id": role_id, + "label": label, + "responsibility": responsibility, + "runtime_gate_open": False, + } + for role_id, label, responsibility in OPERATING_ROLES + ], + "incident_lifecycle_stages": [ + { + "stage_id": stage_id, + "label": label, + "control_intent": control_intent, + "runtime_gate_open": False, + } + for stage_id, label, control_intent in INCIDENT_LIFECYCLE_STAGES + ], + "maturity_stages": [ + { + "stage_id": stage_id, + "label": label, + "entry_criteria": entry_criteria, + "runtime_gate_open": False, + } + for stage_id, label, entry_criteria in MATURITY_STAGES + ], + "validation_gates": [ + { + "gate_id": gate_id, + "accepted": False, + "runtime_gate_open": False, + } + for gate_id in VALIDATION_GATES + ], "control_domains": [ { "domain_id": domain_id, @@ -429,6 +574,10 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]: "blocked_actions": BLOCKED_ACTIONS, "summary": { "standard_framework_count": len(STANDARD_FRAMEWORKS), + "operating_role_count": len(OPERATING_ROLES), + "incident_lifecycle_stage_count": len(INCIDENT_LIFECYCLE_STAGES), + "maturity_stage_count": len(MATURITY_STAGES), + "validation_gate_count": len(VALIDATION_GATES), "control_domain_count": len(CONTROL_DOMAINS), "c0_control_domain_count": sum(1 for _, _, tier in CONTROL_DOMAINS if tier == "C0"), "c1_control_domain_count": sum(1 for _, _, tier in CONTROL_DOMAINS if tier == "C1"), @@ -491,6 +640,9 @@ def main() -> int: print( "SOC_SIEM_KALI_WAZUH_INTEGRATION_CONTROL_OK " f"frameworks={summary['standard_framework_count']} " + f"roles={summary['operating_role_count']} " + f"lifecycle={summary['incident_lifecycle_stage_count']} " + f"gates={summary['validation_gate_count']} " f"domains={summary['control_domain_count']} " f"signals={summary['signal_source_count']} " f"candidates={summary['control_candidate_count']} "