wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

feat(iwooos): professionalize SOC operating model
Some checks failed
Code Review / ai-code-review (push) Successful in 14s
Details
CD Pipeline / tests (push) Successful in 1m41s
Details
CD Pipeline / build-and-deploy (push) Successful in 4m34s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m43s
Details
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
Details

Browse Source
This commit is contained in:
ogt
2026-06-25 15:13:08 +08:00
parent d52583d9cd
commit 20c2c81f85
13 changed files with 731 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/security/iwooos-config-control-guard.py
View File

@@ -939,7 +939,11 @@ ARTIFACT_SPECS = [
"schema": "soc_siem_kali_wazuh_integration_control_v1",
"status": "soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
"list_counts": {
"standard_frameworks": 7,
"standard_frameworks": 14,
"operating_roles": 9,
"incident_lifecycle_stages": 8,
"maturity_stages": 7,
"validation_gates": 18,
"control_domains": 16,
"signal_sources": 12,
"control_candidates": 20,
@@ -949,7 +953,11 @@ ARTIFACT_SPECS = [
"required_owner_fields": 42,
},
"summary_counts": {
"standard_framework_count": 7,
"standard_framework_count": 14,
"operating_role_count": 9,
"incident_lifecycle_stage_count": 8,
"maturity_stage_count": 7,
"validation_gate_count": 18,
"control_domain_count": 16,
"c0_control_domain_count": 12,
"c1_control_domain_count": 4,

29
scripts/security/security-mirror-progress-guard.py
View File

@@ -3532,7 +3532,11 @@ def validate(root: Path) -> None:
"soc_siem_kali_wazuh_integration_control_ready_no_runtime_action",
)
for key, expected in {
"standard_frameworks": 7,
"standard_frameworks": 14,
"operating_roles": 9,
"incident_lifecycle_stages": 8,
"maturity_stages": 7,
"validation_gates": 18,
"control_domains": 16,
"signal_sources": 12,
"control_candidates": 20,
@@ -3546,7 +3550,11 @@ def validate(root: Path) -> None:
expected,
)
expected_soc_siem_kali_wazuh_integration_summary = {
"standard_framework_count": 7,
"standard_framework_count": 14,
"operating_role_count": 9,
"incident_lifecycle_stage_count": 8,
"maturity_stage_count": 7,
"validation_gate_count": 18,
"control_domain_count": 16,
"c0_control_domain_count": 12,
"c1_control_domain_count": 4,
@@ -8247,7 +8255,11 @@ def validate(root: Path) -> None:
"external_host_intrusion_prevention_control_reviewer_check_count": 34,
"external_host_intrusion_prevention_control_blocked_action_count": 82,
"external_host_intrusion_prevention_control_runtime_gate_count": 0,
"soc_siem_kali_wazuh_integration_control_standard_framework_count": 7,
"soc_siem_kali_wazuh_integration_control_standard_framework_count": 14,
"soc_siem_kali_wazuh_integration_control_operating_role_count": 9,
"soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count": 8,
"soc_siem_kali_wazuh_integration_control_maturity_stage_count": 7,
"soc_siem_kali_wazuh_integration_control_validation_gate_count": 18,
"soc_siem_kali_wazuh_integration_control_domain_count": 16,
"soc_siem_kali_wazuh_integration_control_c0_domain_count": 12,
"soc_siem_kali_wazuh_integration_control_c1_domain_count": 4,
@@ -18584,7 +18596,7 @@ def validate(root: Path) -> None:
list(web_messages_en["iwooos"]["socSiemKaliWazuhIntegration"].keys()),
key,
)
for key in ["frameworks", "domains", "signals", "runtimeGate"]:
for key in ["frameworks", "roles", "lifecycle", "validation", "domains", "signals", "runtimeGate"]:
assert_contains(
"web_messages.zh-TW.iwooos.socSiemKaliWazuhIntegration.summary",
list(web_messages_zh["iwooos"]["socSiemKaliWazuhIntegration"]["summary"].keys()),
@@ -18604,6 +18616,9 @@ def validate(root: Path) -> None:
"supplyChain",
"soarBoundary",
"runtimeBoundary",
"operatingModel",
"incidentLifecycle",
"validationGates",
]:
assert_contains(
"web_messages.zh-TW.iwooos.socSiemKaliWazuhIntegration.items",
@@ -18639,7 +18654,11 @@ def validate(root: Path) -> None:
)
for text in [
"soc_siem_kali_wazuh_integration_control_visible=true",
"soc_siem_kali_wazuh_integration_control_standard_framework_count=7",
"soc_siem_kali_wazuh_integration_control_standard_framework_count=14",
"soc_siem_kali_wazuh_integration_control_operating_role_count=9",
"soc_siem_kali_wazuh_integration_control_incident_lifecycle_stage_count=8",
"soc_siem_kali_wazuh_integration_control_maturity_stage_count=7",
"soc_siem_kali_wazuh_integration_control_validation_gate_count=18",
"soc_siem_kali_wazuh_integration_control_domain_count=16",
"soc_siem_kali_wazuh_integration_control_c0_domain_count=12",
"soc_siem_kali_wazuh_integration_control_c1_domain_count=4",

166
scripts/security/soc-siem-kali-wazuh-integration-control.py
View File

@@ -28,47 +28,157 @@ STANDARD_FRAMEWORKS = [
{
"framework_id": "nist_csf_2_0",
"label": "NIST CSF 2.0",
"source_url": "https://www.nist.gov/cyberframework",
"mapped_functions": ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"],
"integration_intent": "將資安監控與回應放進治理、辨識、防護、偵測、回應與復原閉環。",
},
{
"framework_id": "nist_sp_800_61_r3",
"label": "NIST SP 800-61 Rev. 3",
"source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final",
"mapped_functions": ["Prepare", "Detect", "Analyze", "Respond", "Recover", "Improve"],
"integration_intent": "將事件處理生命週期轉成 IwoooS case gate、postcheck 與 lesson learned 回寫。",
},
{
"framework_id": "cis_controls_v8_1",
"label": "CIS Controls v8.1",
"source_url": "https://www.cisecurity.org/controls/v8",
"mapped_functions": ["Inventory", "Vulnerability", "Audit Log", "Malware", "Recovery", "Access"],
"integration_intent": "把資產、弱點、稽核日誌、惡意程式防護、復原與權限審查納入 IwoooS。",
},
{
"framework_id": "cisa_zero_trust_maturity_model",
"label": "CISA Zero Trust Maturity Model",
"source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model",
"mapped_functions": ["Identity", "Devices", "Networks", "Applications", "Data", "Visibility"],
"integration_intent": "以 identity、device、network、application、data 與 visibility / automation 作為零信任成熟度對照。",
},
{
"framework_id": "cisa_kev_prioritization",
"label": "CISA KEV 優先化",
"source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"mapped_functions": ["Known exploited vulnerability", "Patch priority", "Owner SLA"],
"integration_intent": "以已知遭利用漏洞作為漏洞修補與維護窗口排序依據。",
},
{
"framework_id": "owasp_asvs_logging",
"label": "OWASP ASVS / Logging",
"mapped_functions": ["Auth log", "Access-control log", "No secret in log", "Verification"],
"integration_intent": "把應用層安全事件、拒絕存取、驗證失敗與敏感資料不落 log 納入前後台驗證。",
"framework_id": "mitre_attack_d3fend",
"label": "MITRE ATT&CK / D3FEND",
"source_url": "https://attack.mitre.org/",
"mapped_functions": ["Tactic", "Technique", "Data source", "Detection", "Mitigation", "Countermeasure"],
"integration_intent": "以 ATT&CK 描述攻擊行為與資料源,再用 D3FEND 對應防禦與驗證缺口。",
},
{
"framework_id": "owasp_asvs_samm",
"label": "OWASP ASVS / SAMM",
"source_url": "https://owasp.org/www-project-application-security-verification-standard/",
"mapped_functions": ["Security requirement", "Verification", "Secure SDLC", "Logging", "Access control"],
"integration_intent": "把應用層安全驗證、secure SDLC 與 API / auth / logging 控制納入 IwoooS。",
},
{
"framework_id": "wazuh_xdr_siem",
"label": "Wazuh XDR / SIEM",
"source_url": "https://documentation.wazuh.com/current/index.html",
"mapped_functions": ["Agent telemetry", "FIM", "Rule", "Decoder", "Alert", "Active response dry-run"],
"integration_intent": "將 endpoint / host 訊號、檔案完整性、事件規則與 response 邊界納入 IwoooS。",
},
{
"framework_id": "suricata_ndr_ids",
"label": "Suricata NDR / IDS",
"mapped_functions": ["Network detection", "Passive telemetry", "Rule hit", "Future IPS gate"],
"framework_id": "wazuh_active_response_model",
"label": "Wazuh Active Response",
"source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html",
"mapped_functions": ["Trigger", "Command", "Scope", "Timeout", "Rollback", "Dry-run gate"],
"integration_intent": "只採用 active response 的能力模型IwoooS 目前只做 dry-run 與 rollback gate不啟用 response。",
},
{
"framework_id": "prometheus_alertmanager",
"label": "Prometheus Alertmanager",
"source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/",
"mapped_functions": ["Grouping", "Deduplication", "Routing", "Silencing", "Inhibition", "Receipt"],
"integration_intent": "把告警分組、去重、路由、抑制與 receipt 驗收納入 no-false-green 告警鏈。",
},
{
"framework_id": "opentelemetry_observability",
"label": "OpenTelemetry observability",
"source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/",
"mapped_functions": ["Trace", "Metric", "Log", "Resource", "Correlation", "Semantic convention"],
"integration_intent": "以 vendor-neutral telemetry 口徑把 traces、metrics、logs 與 resource 關聯到事件證據。",
},
{
"framework_id": "slsa_sigstore_sbom",
"label": "SLSA / Sigstore / SBOM",
"source_url": "https://slsa.dev/",
"mapped_functions": ["Provenance", "Build integrity", "Artifact signing", "SBOM", "Verification"],
"integration_intent": "把 build provenance、artifact integrity、SBOM 與簽章驗證轉成供應鏈 evidence lane。",
},
{
"framework_id": "ndr_ids_suricata_zeek",
"label": "Suricata / Zeek NDR",
"source_url": "https://suricata.io/",
"mapped_functions": ["Network detection", "Passive telemetry", "Rule hit", "Flow", "Future IPS gate"],
"integration_intent": "將網路偵測與封包層線索納入未來 NDR laneIPS 仍需獨立批准。",
},
{
"framework_id": "kali_assessment_tooling",
"label": "Kali assessment tooling",
"source_url": "https://www.kali.org/docs/",
"mapped_functions": ["Health", "Scope", "Safe crawl", "Tool version", "Finding normalization"],
"integration_intent": "Kali 112 作為安全驗證與工具節點,先接只讀 health / scope / finding contract。",
},
]
OPERATING_ROLES = [
("iwooos_control_owner", "IwoooS 控制負責人", "維護控制域、例外、進度口徑與 LOGBOOK不能直接開 runtime。"),
("soc_reviewer", "SOC 審查人", "審查 Wazuh / Kali / alert / forensic refs 是否脫敏、可交叉驗證。"),
("incident_commander", "事故指揮", "在 incident case 中確認 severity、scope、containment 候選與升級路線。"),
("platform_owner", "平台負責人", "負責 Nginx、K8s、Docker、systemd、runner 與 release impact 判讀。"),
("service_owner", "服務負責人", "負責產品 / API / website / webhook 的影響範圍、驗證與回復責任。"),
("evidence_custodian", "證據保管人", "維護 redacted evidence refs、chain of custody、retention 與 raw absence 證明。"),
("change_manager", "變更管理人", "確認維護窗口、rollback owner、postcheck 與跨專案同步。"),
("ai_security_reviewer", "AI 安全審查人", "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。"),
("executive_risk_owner", "風險負責人", "接受風險、例外期限、治理報告與資源優先序。"),
]
INCIDENT_LIFECYCLE_STAGES = [
("prepare_govern", "準備與治理", "資產、owner、控制域、例外、權限與證據模板先就緒。"),
("detect_normalize", "偵測與正規化", "Wazuh、Alertmanager、SigNoz、Sentry、Nginx、K8s、Gitea 訊號統一成脫敏事件。"),
("triage_prioritize", "分流與排序", "用 severity、confidence、KEV、ATT&CK、asset criticality 與 noise budget 排序。"),
("investigate_correlate", "調查與關聯", "串 Wazuh event、Kali scope、host forensic、gateway diff、supply-chain 與 timeline refs。"),
("containment_decision", "圍堵決策", "只產生 containment 候選;無 owner、rollback、maintenance window 不得執行。"),
("eradicate_recover", "清除與復原", "清除、修補、還原與服務恢復都必須有 postcheck 與 no-false-green 證據。"),
("post_incident_learning", "事後學習", "回寫 detection gap、false positive、playbook、owner SLA、LOGBOOK 與風險例外。"),
("continuous_improvement", "持續改善", "用 KPI、演練、tabletop、purple-team 與 evidence aging 收斂下一輪優先序。"),
]
MATURITY_STAGES = [
("L0", "分散觀測", "工具與文件分散,不能宣稱 SOC 形成。"),
("L1", "只讀證據", "repo / snapshot / guard / frontstage marker 可重跑runtime 維持 0。"),
("L2", "Owner Packet", "owner、scope、evidence refs、rollback、postcheck 與 redaction 證明可驗收。"),
("L3", "Live Metadata 只讀", "在獨立批准後接只讀 live metadata仍不執行 response。"),
("L4", "Dry-run Automation", "SOAR / active response / scan 只跑 dry-run、blast radius 與 rollback 演練。"),
("L5", "Human-approved Response", "人工批准、維護窗口與 postcheck 完成後,才允許可回滾 response。"),
("L6", "Governed Low-risk Autonomy", "僅低風險、可回滾、已演練、有 receipt 的動作可逐步自動化。"),
]
VALIDATION_GATES = [
"asset_owner_mapping_verified",
"source_to_live_diff_available",
"redacted_evidence_refs_present",
"raw_payload_absence_attested",
"secret_value_absence_attested",
"wazuh_manager_registry_truth_received",
"kali_scope_and_finding_envelope_accepted",
"alert_route_receipt_available",
"incident_case_id_present",
"severity_confidence_mapping_reviewed",
"forensic_time_window_present",
"chain_of_custody_present",
"kev_or_cve_prioritization_done",
"rollback_owner_present",
"maintenance_window_present",
"postcheck_metrics_present",
"cross_project_sync_recorded",
"production_desktop_mobile_smoke_passed",
]
CONTROL_DOMAINS = [
("asset_inventory_owner", "資產 / owner / attack surface inventory", "C0"),
("endpoint_log_collection", "Endpoint / host / auth / process log collection", "C0"),
@@ -388,6 +498,41 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
"standard_frameworks": [
{"framework_id": item["framework_id"], **item} for item in STANDARD_FRAMEWORKS
],
"operating_roles": [
{
"role_id": role_id,
"label": label,
"responsibility": responsibility,
"runtime_gate_open": False,
}
for role_id, label, responsibility in OPERATING_ROLES
],
"incident_lifecycle_stages": [
{
"stage_id": stage_id,
"label": label,
"control_intent": control_intent,
"runtime_gate_open": False,
}
for stage_id, label, control_intent in INCIDENT_LIFECYCLE_STAGES
],
"maturity_stages": [
{
"stage_id": stage_id,
"label": label,
"entry_criteria": entry_criteria,
"runtime_gate_open": False,
}
for stage_id, label, entry_criteria in MATURITY_STAGES
],
"validation_gates": [
{
"gate_id": gate_id,
"accepted": False,
"runtime_gate_open": False,
}
for gate_id in VALIDATION_GATES
],
"control_domains": [
{
"domain_id": domain_id,
@@ -429,6 +574,10 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
"blocked_actions": BLOCKED_ACTIONS,
"summary": {
"standard_framework_count": len(STANDARD_FRAMEWORKS),
"operating_role_count": len(OPERATING_ROLES),
"incident_lifecycle_stage_count": len(INCIDENT_LIFECYCLE_STAGES),
"maturity_stage_count": len(MATURITY_STAGES),
"validation_gate_count": len(VALIDATION_GATES),
"control_domain_count": len(CONTROL_DOMAINS),
"c0_control_domain_count": sum(1 for _, _, tier in CONTROL_DOMAINS if tier == "C0"),
"c1_control_domain_count": sum(1 for _, _, tier in CONTROL_DOMAINS if tier == "C1"),
@@ -491,6 +640,9 @@ def main() -> int:
print(
"SOC_SIEM_KALI_WAZUH_INTEGRATION_CONTROL_OK "
f"frameworks={summary['standard_framework_count']} "
f"roles={summary['operating_role_count']} "
f"lifecycle={summary['incident_lifecycle_stage_count']} "
f"gates={summary['validation_gate_count']} "
f"domains={summary['control_domain_count']} "
f"signals={summary['signal_source_count']} "
f"candidates={summary['control_candidate_count']} "