wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

docs(security): record kali integration status [skip ci]

Browse Source
This commit is contained in:
Your Name
2026-05-13 10:13:09 +08:00
parent a95ab08daa
commit 2f1c13ee05
11 changed files with 498 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/LOGBOOK.md
View File

@@ -1,3 +1,42 @@
## 2026-05-13 | Kali 112 live 整合狀態、低風險更新與調校
**背景**:統帥詢問 `192.168.0.112` Kali 主機是否已整合,並授權 SSH 登入與主機更新 / 調校。本輪只做 live 盤點、低風險 targeted update 與文件化;不啟動 active scan、不接 runtime execution。
**Live 狀態**
- `192.168.0.112` 可 SSH 登入;未在文件或 commit 記錄密碼。
- `kali-scanner.service` active / enabled`/health` 回傳 healthy。
- `node-exporter``wg-easy` container up`wg-easy` healthy。
- crontab 已有 hourly port monitor、daily code security scan、weekly Harbor image scan。
- `192.168.0.120` / `192.168.0.121` 已持續打 Kali `/health`
**已執行更新 / 調校**
- 執行 `apt-get update`
- Targeted upgrade scanner/連線相關套件:`nmap``nmap-common``nikto``nuclei``curl``openssl`、CA 套件與必要相依。
- 安裝 `jq` 作為 JSON evidence 處理工具。
- 主機時區調整為 `Asia/Taipei`
- 更新後 `ssh` / `cron` / `docker` / `kali-scanner.service` 均 active。
- `/var/run/reboot-required` 不存在,暫不需 reboot。
**刻意沒有做**
- 未執行 active scan / credentialed scan。
- 未呼叫 Kali `/execute` endpoint。
- 未修改 firewall、NetworkPolicy、RBAC、route。
- 未做 full-upgrade、autoremove、rebootKali rolling 仍有 1994 個 upgradable packages需維護窗口。
- 未保存任何 API key、SSH 密碼或 secret value。
**交付文件**
- 新增 `docs/schemas/kali_integration_status_v1.schema.json`
- 新增 `docs/security/kali-integration-status.snapshot.json`
- 新增 `docs/security/KALI-INTEGRATION-STATUS.md`
- 更新 `KALI-SECURITY-MESH-BLUEPRINT.md`、AwoooP mirror checklist、contract manifest、整體進度與 handoff。
- Contract manifest 從 16 增至 17 個 contract。
**主要缺口**
- Kali finding 尚未正式寫入 AWOOI asset/compliance 表。
- AwoooP 尚未 mirror Kali findings 成 Runtime State / Channel Event / Audit evidence。
- Kali `/execute` endpoint 與 API key fallback 是高風險項,必須走 approval gate 或預設停用。
- Harbor image scan 近期失敗,需後續修正 target/project/auth/cert chain。
## 2026-05-13 | Security Supply Chain refs 真相來源分類草案
**背景**branch/tag 明細 diff 已能看出 refs 差異,但 AwoooP 與 repo owner 仍需要下一層「哪些要真相來源判定、哪些只是 deprecated 候選、哪些 tag 要保留」的審核隊列;本輪仍不做同步、不切主控。

149
docs/schemas/kali_integration_status_v1.schema.json Normal file
View File

@@ -0,0 +1,149 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:kali-integration-status-v1",
"title": "AWOOOI Kali Integration Status (v1)",
"description": "記錄 192.168.0.112 Kali 主機與 AWOOOI/AwoooP 資安網的整合狀態、低風險更新、缺口與禁止動作。",
"type": "object",
"required": [
"schema_version",
"status",
"date",
"host",
"mode",
"live_checks",
"updates_applied",
"integration_state",
"risk_register",
"next_gates",
"still_forbidden"
],
"properties": {
"schema_version": {
"const": "kali_integration_status_v1"
},
"status": {
"type": "string",
"enum": ["partial_runtime_health_integrated"]
},
"date": {"type": "string"},
"host": {
"type": "object",
"required": ["ip", "asset_key", "hostname", "role", "timezone", "observe_only"],
"properties": {
"ip": {"type": "string"},
"asset_key": {"type": "string"},
"hostname": {"type": "string"},
"role": {"type": "string"},
"timezone": {"type": "string"},
"observe_only": {"type": "boolean"}
},
"additionalProperties": false
},
"mode": {
"type": "string",
"enum": ["observe_only"]
},
"live_checks": {
"type": "object",
"required": [
"ssh_access",
"scanner_api_health",
"scanner_service",
"node_exporter",
"scheduled_jobs",
"docker_services",
"post_update_health"
],
"properties": {
"ssh_access": {"type": "string"},
"scanner_api_health": {"type": "string"},
"scanner_service": {"type": "string"},
"node_exporter": {"type": "string"},
"scheduled_jobs": {
"type": "array",
"items": {"type": "string"}
},
"docker_services": {
"type": "array",
"items": {"type": "string"}
},
"post_update_health": {"type": "string"}
},
"additionalProperties": false
},
"updates_applied": {
"type": "object",
"required": [
"apt_update",
"targeted_packages_upgraded",
"new_packages_installed",
"timezone_changed_to",
"reboot_required",
"remaining_upgradable_count",
"full_upgrade_status"
],
"properties": {
"apt_update": {"type": "string"},
"targeted_packages_upgraded": {
"type": "array",
"items": {"type": "string"}
},
"new_packages_installed": {
"type": "array",
"items": {"type": "string"}
},
"timezone_changed_to": {"type": "string"},
"reboot_required": {"type": "boolean"},
"remaining_upgradable_count": {"type": "integer", "minimum": 0},
"full_upgrade_status": {"type": "string"}
},
"additionalProperties": false
},
"integration_state": {
"type": "object",
"required": [
"already_integrated",
"not_yet_integrated",
"awooop_consumption"
],
"properties": {
"already_integrated": {
"type": "array",
"items": {"type": "string"}
},
"not_yet_integrated": {
"type": "array",
"items": {"type": "string"}
},
"awooop_consumption": {"type": "string"}
},
"additionalProperties": false
},
"risk_register": {
"type": "array",
"items": {
"type": "object",
"required": ["risk", "severity", "status", "next_action"],
"properties": {
"risk": {"type": "string"},
"severity": {
"type": "string",
"enum": ["LOW", "MEDIUM", "HIGH"]
},
"status": {"type": "string"},
"next_action": {"type": "string"}
},
"additionalProperties": false
}
},
"next_gates": {
"type": "array",
"items": {"type": "string"}
},
"still_forbidden": {
"type": "array",
"items": {"type": "string"}
}
},
"additionalProperties": false
}

3
docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
View File

@@ -26,6 +26,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| 事件 | 來源 | AwoooP 目標 | 初期狀態 | 必要防護 |
|------|------|-------------|----------|----------|
| `security_finding_v1` | Kali / Trivy / ZAP / Semgrep / detect-secrets / kube posture | Runtime State、Channel Event、Audit | mirror-only | 不保存 raw secret、cookie、token、exploit payload |
| `kali_integration_status_v1` | 192.168.0.112 live health / update / gap evidence | Security posture、Operator Console、Approval candidate | mirror-only | 不保存 SSH 密碼或 API key、不直接啟動 scan 或 `/execute` |
| `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge |
| `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary |
| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 不保存 token value、不刪除或停用 Gitea repo |
@@ -73,6 +74,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|------|-------------------------|------|
| `security_finding_v1.severity=LOW|MEDIUM``confidence=LOW|MEDIUM` | `observe` | mirror + weekly review |
| `security_finding_v1.severity=HIGH|CRITICAL` | `approve_required` | 產生 `approval_required_event_v1` |
| `kali_integration_status_v1.status=partial_runtime_health_integrated` | `observe` | 顯示 Kali 112 health、更新紀錄、缺口與 approval gates不得直接掃描 |
| `coding_task_v1.risk=LOW|MEDIUM` | `warn` | 可排入 Codex patch-only backlog |
| `coding_task_v1.risk=HIGH|CRITICAL` | `approve_required` | 必須指定 `critic``vuln-verifier` |
| `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason不允許切 primary |
@@ -133,6 +135,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Source Control draft reconcile plan | `docs/security/source-control-reconcile-plan.snapshot.json` / `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` |
| Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` |
| Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
| Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` |
| 本機 repo canonical lineage snapshot | `docs/security/local-repo-canonical-ewoooc-momo.snapshot.json` / `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md` |
| Internal 110 refs snapshot | `docs/security/git-remote-refs-bitan-tsenyang.snapshot.json` / `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` |
| wooo-infra-config refs snapshot | `docs/security/git-remote-refs-wooo-infra-config.snapshot.json` / `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md` |

7
docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md
View File

@@ -145,7 +145,7 @@ Schema`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 16
"contract_count": 17
}
```
@@ -559,6 +559,8 @@ Console 初期不提供高風險 action button。
2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json``docs/security/security-supply-chain-contract-manifest.snapshot.json``docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry不把 manifest 當 execution router。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
- runtime DB migration。
@@ -573,6 +575,8 @@ Console 初期不提供高風險 action button。
- [Kali 資訊安全網藍圖](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md)
- [Kali 資訊安全網開工準備](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md)
- [Kali 112 整合狀態與更新紀錄](/Users/ogt/awoooi/docs/security/KALI-INTEGRATION-STATUS.md)
- [kali_integration_status_v1 snapshot](/Users/ogt/awoooi/docs/security/kali-integration-status.snapshot.json)
- [Code Review 接 Codex 與 Gitea 推版優化藍圖](/Users/ogt/awoooi/docs/operations/CODE-REVIEW-CODEX-GITEA-OPTIMIZATION.md)
- [Gitea 到 GitHub 全量版本轉移 Inventory](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md)
- [Gitea / GitHub migration snapshot](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md)
@@ -623,6 +627,7 @@ Console 初期不提供高風險 action button。
- [AwoooP x Monitoring / Alerting Convergence Map](/Users/ogt/awoooi/docs/awooop/AWOOOP-MONITORING-ALERTING-CONVERGENCE.md)
- [AwoooP Master Workplan](/Users/ogt/awoooi/docs/awooop/MASTER-WORKPLAN.md)
- [security_finding_v1 schema](/Users/ogt/awoooi/docs/schemas/security_finding_v1.schema.json)
- [kali_integration_status_v1 schema](/Users/ogt/awoooi/docs/schemas/kali_integration_status_v1.schema.json)
- [coding_task_v1 schema](/Users/ogt/awoooi/docs/schemas/coding_task_v1.schema.json)
- [source_control_migration_event_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_migration_event_v1.schema.json)
- [gitea_repo_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_repo_inventory_v1.schema.json)

117
docs/security/KALI-INTEGRATION-STATUS.md Normal file
View File

@@ -0,0 +1,117 @@
# Kali 112 整合狀態與更新紀錄
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| Host | `192.168.0.112` |
| Asset key | `host:kali-112` |
| 狀態 | `partial_runtime_health_integrated` |
| 模式 | `observe_only` |
| Snapshot | `docs/security/kali-integration-status.snapshot.json` |
| Schema | `docs/schemas/kali_integration_status_v1.schema.json` |
## 0. 核心結論
Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runtime
- `kali-scanner.service` 已啟用並正在執行。
- `http://192.168.0.112:8080/health` 回傳 healthy。
- `node-exporter` container 正在運作。
- `192.168.0.120``192.168.0.121` 正持續打 `/health`
- Kali crontab 已有 port monitor、code security scan、Harbor image scan。
但它還沒有完成「資安網閉環」整合Kali scan result 尚未正式寫入 AWOOOI asset / compliance 表,也尚未 mirror 成 AwoooP Runtime State、Channel Event 或 Audit evidence。因此目前判定是「健康與基礎掃描已存在治理閉環尚未接通」。
## 1. 已確認的 live 狀態
| 項目 | 結果 |
|------|------|
| SSH 授權登入 | 成功 |
| OS | Kali GNU/Linux Rolling |
| Hostname | `kali` |
| IP | `192.168.0.112/24` |
| Uptime | 約 6 天 |
| Disk | `/` 79G使用約 26% |
| Memory | 7.8GiBavailable 約 7.1GiB |
| Scanner API | `0.0.0.0:8080` |
| Scanner API health | `{"status":"healthy","version":"1.0.0","hostname":"kali"}` |
| Scanner service | `kali-scanner.service` active / enabled |
| Docker services | `node-exporter``wg-easy` active |
| Node exporter | container upport `9100` |
| WireGuard UI | `wg-easy` healthyports `51820/udp``51821/tcp` |
| Reboot required | 否 |
## 2. 已存在的 scanner 能力
Kali Scanner API 目前提供:
| Endpoint | 用途 | 初期處理 |
|----------|------|----------|
| `/health` | health check | 可由 Prometheus / blackbox / AwoooP mirror |
| `/scan` | 啟動 scan | 必須先有 scope approval |
| `/scan/{scan_id}` | 讀取 scan result | 只能讀 redacted finding |
| `/scans` | 列出 in-memory scans | 只能 read-only |
| `/execute` | 直接執行 shell command | 高風險AwoooP 不得直接呼叫 |
支援工具包含 `nmap``nikto``nuclei``trivy``sslyze``lynis`。本輪沒有啟動任何 scan。
## 3. 本輪已做的更新與調校
| 類型 | 動作 |
|------|------|
| apt metadata | 已執行 `apt-get update` |
| scanner 套件 | 更新 `nmap``nmap-common``nikto``nuclei` |
| 基礎連線套件 | 更新 `ca-certificates``curl``openssl` |
| 解析工具 | 安裝 `jq` |
| 時區 | 從 `America/New_York` 調整為 `Asia/Taipei` |
| 驗證 | 更新後 `/health` healthy`ssh` / `cron` / `docker` / `kali-scanner` active |
更新後版本:
| 工具 | 版本 |
|------|------|
| Nmap | `7.99` |
| Nikto | `2.6.0` |
| Nuclei | `v3.8.0` |
| curl | `8.19.0` |
| OpenSSL | `3.6.2` |
| jq | `1.8.1` |
## 4. 仍未完成的整合
| 缺口 | 影響 | 下一步 |
|------|------|--------|
| 尚未確認 AWOOOI API 有正式 Kali result ingestion endpoint | scan result 不能成為資安飛輪 evidence | 建立 redacted `security_finding_v1` ingestion contract |
| scan result 仍在 API in-memory 或本機 log | 重啟後可能失去 scan 查詢狀態 | 將 scan run metadata / finding summary 寫入 AWOOOI |
| AwoooP runtime 尚未 mirror Kali findings | Operator Console 看不到完整資安 posture | 先 mirror health / gap evidence再接 findings |
| `/execute` endpoint 存在 | 若 runtime 直接接入會變成高風險 remote command path | 預設禁用或拆成 approval-only path |
| API key fallback 存在於原始碼 | secret hygiene 風險 | 移除 fallback、確認 `.env` secret source、輪替不得寫出 secret value |
| `kali-scanner.service` 尚未套 systemd hardening | service blast radius 較大 | 先設計 dry-run hardening override不直接套用 |
| Harbor image scan 近期失敗 | 容器漏洞掃描 evidence 不可靠 | 修正 Harbor target/project/auth/cert chain |
| full rolling upgrade 尚未執行 | 仍有大量套件可升級 | 需維護窗口、rollback、reboot gate |
## 5. 本輪刻意沒有做
1. 沒有啟動任何 active scan。
2. 沒有做 credentialed scan。
3. 沒有呼叫 `/execute`
4. 沒有修改 firewall、NetworkPolicy、RBAC、route。
5. 沒有做 full-upgrade、autoremove 或 reboot。
6. 沒有記錄任何 API key、密碼或 secret value。
## 6. AwoooP 消費方式
AwoooP 現階段只能 mirror `kali_integration_status_v1`
1. 顯示 Kali health 與整合缺口。
2.`/execute`、API key fallback、Harbor scan failure 標成 review item。
3. 針對 active scan、credentialed scan、full-upgrade、reboot 建立 approval candidate。
4. 不新增任何直接執行掃描或 command 的按鈕。
## 7. 下一個 gate
1. 建立 `security_finding_v1` ingestion endpoint 或 adapter先只接 redacted finding。
2. 建立 scan scope approval package定義允許目標、掃描深度、排程與維護窗口。
3.`/execute` endpoint 降級為預設停用或單獨 high-risk approval path。
4. 修正 Harbor image scan 的 target / project / auth / certificate chain。
5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot再 upgrade最後 reboot 與健康複驗。

25
docs/security/KALI-SECURITY-MESH-BLUEPRINT.md
View File

@@ -26,7 +26,7 @@
| 面向 | 目前證據 | 缺口 |
|---|---|---|
| Kali 主機 | `192.168.0.112:8080` 已出現在 `docs/reference/SERVICE-ENDPOINTS.md``KALI_SCANNER_URL`、NetworkPolicy egress、blackbox probe、`KaliScannerDown` 告警 | 目前只監控存活,尚未形成完整掃描結果治理閉環 |
| Kali 主機 | `192.168.0.112:8080` 已出現在 `docs/reference/SERVICE-ENDPOINTS.md``KALI_SCANNER_URL`、NetworkPolicy egress、blackbox probe、`KaliScannerDown` 告警2026-05-13 已確認 live `/health` healthy 並完成第一波 targeted scanner package update | 目前只監控存活,尚未形成完整掃描結果治理閉環 |
| 資產資料庫地基 | ADR-090 migration 已定義 `asset_inventory``asset_discovery_run``asset_coverage_snapshot``asset_compliance_snapshot` | 目前 scanner 以 K8s 為主Docker、Gitea repos、網站、主機套件、Kali findings 還不完整 |
| AIOps KPI | `/api/v1/aiops/kpi` 會彙整資產、覆蓋率、規則品質、容量與自動化流量 | 資安姿態尚未成為 KPI 的一級區塊 |
| 合規掃描 | 已寫入 7 個 compliance 維度SSL 與 Secret 年齡有部分檢查 | `cve_scan``audit_log_enabled``access_reviewed``encryption_at_rest` 多數仍是 `unknown` |
@@ -193,7 +193,7 @@ Kali 112 掃描 / 驗證
| 整合 | 目前 anchor | 需要工作 |
|---|---|---|
| Kali API health | `KALI_SCANNER_URL``KaliScannerDown` | 新增 scan run/result endpoint 或 adapter |
| Kali API health | `KALI_SCANNER_URL``KaliScannerDown``docs/security/KALI-INTEGRATION-STATUS.md` | 新增 scan run/result endpoint 或 adapter |
| 資產盤點 | `asset_scanner_job.py` | 從 K8s 擴展到 hosts、Docker、Gitea/GitHub、websites、dev hosts |
| 合規 | `compliance_scanner_job.py` | 補上 `cve_scan``audit_log_enabled``access_reviewed``encryption_at_rest` |
| KPI | `AiopsKpiService` | 新增 `security_posture` 區塊 |
@@ -215,6 +215,27 @@ Kali 112 掃描 / 驗證
9. Blocking gate 必須有可量測 false-positive rate 與 override workflow。
10. 長期授權由 AwoooP policy 負責scanner 只提供 evidence。
## 7.1 2026-05-13 Live 整合狀態
`192.168.0.112` 已經完成第一波 live 盤點與低風險更新,正式記錄於 `docs/security/KALI-INTEGRATION-STATUS.md`
已確認:
1. `kali-scanner.service` active / enabled。
2. `/health` healthy。
3. `nmap``nikto``nuclei``curl``openssl`、CA 套件已做 targeted update。
4. 已安裝 `jq`
5. 主機時區已調整為 `Asia/Taipei`
6. 更新後 SSH / cron / docker / scanner service 都 active且不需 reboot。
仍然不能做:
1. 不直接啟動 active scan。
2. 不做 credentialed scan。
3. 不讓 AwoooP 直接呼叫 Kali `/execute` endpoint。
4. 不保存 API key、SSH 密碼或任何 secret value。
5. 不做 full-upgrade、autoremove 或 reboot除非先排維護窗口。
## 8. 第一波實作建議
建議下一波程式實作:

7
docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md
View File

@@ -1,7 +1,7 @@
# Kali 資訊安全網開工準備
> 日期2026-05-06台北時間
> 狀態:僅規劃,尚未開始實作
> 狀態:原始規劃2026-05-13 已完成 Kali 112 live 盤點與低風險主機更新,尚未開始 AWOOOI runtime ingestion 實作
> 上游藍圖:`docs/security/KALI-SECURITY-MESH-BLUEPRINT.md`
> AwoooP 同步:`docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md`
@@ -15,6 +15,8 @@
2026-05-06 追加同步:統帥批准本支線開始推進,並要求立即同步給 AwoooP 工作 Session。本支線已建立 `docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md`,作為雙 Session 共享契約與邊界文件。
2026-05-13 追加 live 狀態:統帥授權登入 `192.168.0.112` 後,已完成 Kali Scanner API health、service、crontab、Docker service 與更新狀態盤點,並完成 targeted scanner package update 與 `Asia/Taipei` 時區調校。完整紀錄見 `docs/security/KALI-INTEGRATION-STATUS.md`。本追加不代表已批准 active scan、credentialed scan、AWOOOI runtime ingestion、`/execute` 接入、full-upgrade 或 reboot。
## 1. 非實作邊界
目前允許:
@@ -41,6 +43,8 @@
| 自動 rotate secrets 或自動關閉 ports | 屬於破壞性或 access-changing 行為 |
| 直接把 GitHub 切成唯一主控 | 必須先完成 Gitea 全量版本盤點、同步、runner 驗證與 rollback plan |
2026-05-13 例外說明:本輪只對既有 Kali 主機做授權登入、狀態盤點、targeted scanner package update、`jq` 安裝與時區調校;沒有新增 scanner job、沒有啟動 scan、沒有修改 AWOOOI runtime endpoint。
## 2. 開工準備閘門
| 閘門 | 問題 | 實作前必備 |
@@ -159,6 +163,7 @@
| GitHub primary / Gitea mirror rollback plan 已接受 | 待確認 |
| AwoooP mirror-only handoff 已同步 | 已完成 |
| 共享事件 JSON Schema 已建立 | 已完成 |
| Kali 112 live health / update status 已記錄 | 已完成 |
## 9. 未來批准後的第一波實作順序

3
docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
View File

@@ -11,7 +11,7 @@
## 0. 核心結論
目前 Security Supply Chain 已有 16 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
目前 Security Supply Chain 已有 17 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。
@@ -21,6 +21,7 @@
|----------|-------------|----------|----------|
| `security_rollout_policy_v1` | read-only policy | 低摩擦 observe-first policy | `docs/security/security-rollout-policy.snapshot.json` |
| `security_finding_v1` | mirror-only | Kali / code / infra finding | 無正式 snapshot |
| `kali_integration_status_v1` | mirror-only | Kali 112 live health / update / gap evidence | `kali-integration-status.snapshot.json` |
| `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot |
| `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi``clawbot-v5``wooo-aiops` |
| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory | public-only / blocked endpoint snapshots |

14
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification |
| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -20,7 +20,8 @@
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 Contract manifest | 完成草案 | 16 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.4 Contract manifest | 完成草案 | 17 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
| S2 AwoooP mirror-only | 可交接 | `AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md` 已列出可消費事件與禁止動作 | AwoooP 主線建立只讀入口 |
| S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
@@ -51,6 +52,8 @@
| Source Control branch/tag detail diff JSON | `docs/security/source-control-ref-detail-diff.snapshot.json` |
| Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
| Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` |
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
| 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
| 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` |
| Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` |
@@ -79,6 +82,7 @@
2.`SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5. AwoooP 主線只建立 mirror-only / read-only policy 入口,不新增執行按鈕
6. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking
7. AwoooP 主線先讀 `security_supply_chain_contract_manifest_v1` 作為 contract registry不新增 execution router。
5. `KALI-INTEGRATION-STATUS.md` 建立 Kali finding ingestion / scan scope approval package不得直接接 `/execute`
6. AwoooP 主線只建立 mirror-only / read-only policy 入口,不新增執行按鈕
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線先讀 `security_supply_chain_contract_manifest_v1` 作為 contract registry不新增 execution router。

122
docs/security/kali-integration-status.snapshot.json Normal file
View File

@@ -0,0 +1,122 @@
{
"schema_version": "kali_integration_status_v1",
"status": "partial_runtime_health_integrated",
"date": "2026-05-13",
"host": {
"ip": "192.168.0.112",
"asset_key": "host:kali-112",
"hostname": "kali",
"role": "Kali 資安感測與掃描 API 主機",
"timezone": "Asia/Taipei",
"observe_only": true
},
"mode": "observe_only",
"live_checks": {
"ssh_access": "ok_authorized_read_and_low_risk_update",
"scanner_api_health": "ok_http_200_health_status_healthy",
"scanner_service": "active_enabled_kali_scanner_service",
"node_exporter": "docker_container_up_on_9100",
"scheduled_jobs": [
"hourly_port_monitor",
"daily_code_security_scan",
"weekly_harbor_image_scan"
],
"docker_services": [
"node-exporter_up",
"wg-easy_up_healthy"
],
"post_update_health": "ok_ssh_cron_docker_kali_scanner_active_no_reboot_required"
},
"updates_applied": {
"apt_update": "completed",
"targeted_packages_upgraded": [
"ca-certificates",
"ca-certificates-java",
"curl",
"openssl",
"nmap",
"nmap-common",
"nikto",
"nuclei",
"libssl3t64",
"libcurl4t64",
"libc6",
"perl"
],
"new_packages_installed": [
"jq",
"nikto_perl_xml_dependencies"
],
"timezone_changed_to": "Asia/Taipei",
"reboot_required": false,
"remaining_upgradable_count": 1994,
"full_upgrade_status": "not_run_requires_maintenance_window"
},
"integration_state": {
"already_integrated": [
"Kali Scanner API 在 192.168.0.112:8080 運作且 /health healthy",
"kali-scanner.service active 且 enabled",
"Prometheus / blackbox 類 health probe 正在從 192.168.0.120 / 192.168.0.121 命中 /health",
"node-exporter container 運作中",
"crontab 已有 port monitor、code security scan、Harbor image scan",
"docs 與 security_finding_v1 已把 Kali 納入資安網契約"
],
"not_yet_integrated": [
"尚未確認 AWOOOI API 有正式 Kali scan result ingestion endpoint",
"Kali scan result 仍停留在 API in-memory results 或本機 log尚未正規化寫入 asset_inventory / asset_compliance_snapshot",
"尚未把 Kali finding mirror 成 AwoooP Runtime State / Channel Event / Audit evidence",
"尚未建立 scan scope approval package 或 credentialed scan gate",
"尚未移除 scanner API 原始碼中的 API key fallback",
"尚未套用 kali-scanner.service systemd hardening override"
],
"awooop_consumption": "mirror_only_status_and_gap_evidence"
},
"risk_register": [
{
"risk": "scanner_execute_endpoint_can_run_shell_commands",
"severity": "HIGH",
"status": "confirmed_endpoint_exists_api_key_protected",
"next_action": "AwoooP 不得直接接 execution action需另建 approval_required_event_v1 與 allowlist / disable gate"
},
{
"risk": "default_api_key_fallback_present_in_source",
"severity": "HIGH",
"status": "confirmed_source_pattern_present_value_not_recorded",
"next_action": "移除 fallback、確認 .env secret 來源、輪替 API key不得把 secret value 寫入文件"
},
{
"risk": "kali_scanner_service_lacks_systemd_hardening",
"severity": "MEDIUM",
"status": "NoNewPrivileges/PrivateTmp/ProtectSystem/ProtectHome 目前未啟用",
"next_action": "先設計 dry-run hardening override驗證 scan tools 不被破壞後再套用"
},
{
"risk": "harbor_image_scan_currently_failing",
"severity": "MEDIUM",
"status": "recent logs show image/project/auth/certificate mismatch",
"next_action": "修正 Harbor target、project/credential 或憑證鏈;先納入 evidence不阻擋其他資安框架"
},
{
"risk": "kali_rolling_full_upgrade_pending",
"severity": "MEDIUM",
"status": "1994 packages remain upgradable after targeted update",
"next_action": "安排維護窗口,先 snapshot / rollback / service verification再做 full-upgrade 與 reboot"
}
],
"next_gates": [
"建立 Kali scan result ingestion contract先只接收 redacted findings",
"建立 Kali scan scope approval package禁止未批准 active/credentialed scan",
"把 /execute endpoint 改成預設停用或單獨 high-risk approval path",
"把 Harbor scan failure 轉成 security finding / ops finding不直接自動修復",
"安排 Kali rolling full-upgrade 維護窗口與 reboot gate"
],
"still_forbidden": [
"run_active_scan_without_scope_approval",
"run_credentialed_scan_without_approval",
"call_execute_endpoint_from_awooop_runtime",
"store_api_key_or_password_value",
"change_firewall_or_networkpolicy",
"autoremove_packages_without_maintenance_window",
"full_upgrade_or_reboot_without_maintenance_window"
]
}

23
docs/security/security-supply-chain-contract-manifest.snapshot.json
View File

@@ -2,7 +2,7 @@
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 16,
"contract_count": 17,
"contracts": [
{
"contract": "security_rollout_policy_v1",
@@ -26,6 +26,27 @@
"forbidden_actions": ["active_scan", "store_raw_secret", "store_exploit_payload"],
"notes": "承接 Kali / Trivy / ZAP / Semgrep / detect-secrets 類 findings。"
},
{
"contract": "kali_integration_status_v1",
"schema_path": "docs/schemas/kali_integration_status_v1.schema.json",
"snapshot_paths": ["docs/security/kali-integration-status.snapshot.json"],
"human_docs": ["docs/security/KALI-INTEGRATION-STATUS.md"],
"consumer": "AwoooP security posture / Operator Console",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_kali_health",
"display_update_status",
"display_integration_gaps",
"create_approval_candidate_for_active_scan_or_full_upgrade"
],
"forbidden_actions": [
"run_active_scan",
"run_execute_endpoint",
"store_api_key_or_password",
"full_upgrade_or_reboot_without_window"
],
"notes": "112 已有 live scanner health 與低風險更新finding ingestion / AwoooP runtime mirror 尚未接通。"
},
{
"contract": "coding_task_v1",
"schema_path": "docs/schemas/coding_task_v1.schema.json",