From 2f1c13ee054ea911b42dbe9b5fad6ad00092b284 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 13 May 2026 10:13:09 +0800 Subject: [PATCH] docs(security): record kali integration status [skip ci] --- docs/LOGBOOK.md | 39 +++++ .../kali_integration_status_v1.schema.json | 149 ++++++++++++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 3 + ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 7 +- docs/security/KALI-INTEGRATION-STATUS.md | 117 ++++++++++++++ docs/security/KALI-SECURITY-MESH-BLUEPRINT.md | 25 ++- .../KALI-SECURITY-MESH-EXECUTION-READINESS.md | 7 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 3 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 14 +- .../kali-integration-status.snapshot.json | 122 ++++++++++++++ ...pply-chain-contract-manifest.snapshot.json | 23 ++- 11 files changed, 498 insertions(+), 11 deletions(-) create mode 100644 docs/schemas/kali_integration_status_v1.schema.json create mode 100644 docs/security/KALI-INTEGRATION-STATUS.md create mode 100644 docs/security/kali-integration-status.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 6079a548..05446d86 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,42 @@ +## 2026-05-13 | Kali 112 live 整合狀態、低風險更新與調校 + +**背景**:統帥詢問 `192.168.0.112` Kali 主機是否已整合,並授權 SSH 登入與主機更新 / 調校。本輪只做 live 盤點、低風險 targeted update 與文件化;不啟動 active scan、不接 runtime execution。 + +**Live 狀態**: +- `192.168.0.112` 可 SSH 登入;未在文件或 commit 記錄密碼。 +- `kali-scanner.service` active / enabled,`/health` 回傳 healthy。 +- `node-exporter` 與 `wg-easy` container up,`wg-easy` healthy。 +- crontab 已有 hourly port monitor、daily code security scan、weekly Harbor image scan。 +- `192.168.0.120` / `192.168.0.121` 已持續打 Kali `/health`。 + +**已執行更新 / 調校**: +- 執行 `apt-get update`。 +- Targeted upgrade scanner/連線相關套件:`nmap`、`nmap-common`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件與必要相依。 +- 安裝 `jq` 作為 JSON evidence 處理工具。 +- 主機時區調整為 `Asia/Taipei`。 +- 更新後 `ssh` / `cron` / `docker` / `kali-scanner.service` 均 active。 +- `/var/run/reboot-required` 不存在,暫不需 reboot。 + +**刻意沒有做**: +- 未執行 active scan / credentialed scan。 +- 未呼叫 Kali `/execute` endpoint。 +- 未修改 firewall、NetworkPolicy、RBAC、route。 +- 未做 full-upgrade、autoremove、reboot;Kali rolling 仍有 1994 個 upgradable packages,需維護窗口。 +- 未保存任何 API key、SSH 密碼或 secret value。 + +**交付文件**: +- 新增 `docs/schemas/kali_integration_status_v1.schema.json`。 +- 新增 `docs/security/kali-integration-status.snapshot.json`。 +- 新增 `docs/security/KALI-INTEGRATION-STATUS.md`。 +- 更新 `KALI-SECURITY-MESH-BLUEPRINT.md`、AwoooP mirror checklist、contract manifest、整體進度與 handoff。 +- Contract manifest 從 16 增至 17 個 contract。 + +**主要缺口**: +- Kali finding 尚未正式寫入 AWOOI asset/compliance 表。 +- AwoooP 尚未 mirror Kali findings 成 Runtime State / Channel Event / Audit evidence。 +- Kali `/execute` endpoint 與 API key fallback 是高風險項,必須走 approval gate 或預設停用。 +- Harbor image scan 近期失敗,需後續修正 target/project/auth/cert chain。 + ## 2026-05-13 | Security Supply Chain refs 真相來源分類草案 **背景**:branch/tag 明細 diff 已能看出 refs 差異,但 AwoooP 與 repo owner 仍需要下一層「哪些要真相來源判定、哪些只是 deprecated 候選、哪些 tag 要保留」的審核隊列;本輪仍不做同步、不切主控。 diff --git a/docs/schemas/kali_integration_status_v1.schema.json b/docs/schemas/kali_integration_status_v1.schema.json new file mode 100644 index 00000000..c6f04be8 --- /dev/null +++ b/docs/schemas/kali_integration_status_v1.schema.json @@ -0,0 +1,149 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:kali-integration-status-v1", + "title": "AWOOOI Kali Integration Status (v1)", + "description": "記錄 192.168.0.112 Kali 主機與 AWOOOI/AwoooP 資安網的整合狀態、低風險更新、缺口與禁止動作。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "host", + "mode", + "live_checks", + "updates_applied", + "integration_state", + "risk_register", + "next_gates", + "still_forbidden" + ], + "properties": { + "schema_version": { + "const": "kali_integration_status_v1" + }, + "status": { + "type": "string", + "enum": ["partial_runtime_health_integrated"] + }, + "date": {"type": "string"}, + "host": { + "type": "object", + "required": ["ip", "asset_key", "hostname", "role", "timezone", "observe_only"], + "properties": { + "ip": {"type": "string"}, + "asset_key": {"type": "string"}, + "hostname": {"type": "string"}, + "role": {"type": "string"}, + "timezone": {"type": "string"}, + "observe_only": {"type": "boolean"} + }, + "additionalProperties": false + }, + "mode": { + "type": "string", + "enum": ["observe_only"] + }, + "live_checks": { + "type": "object", + "required": [ + "ssh_access", + "scanner_api_health", + "scanner_service", + "node_exporter", + "scheduled_jobs", + "docker_services", + "post_update_health" + ], + "properties": { + "ssh_access": {"type": "string"}, + "scanner_api_health": {"type": "string"}, + "scanner_service": {"type": "string"}, + "node_exporter": {"type": "string"}, + "scheduled_jobs": { + "type": "array", + "items": {"type": "string"} + }, + "docker_services": { + "type": "array", + "items": {"type": "string"} + }, + "post_update_health": {"type": "string"} + }, + "additionalProperties": false + }, + "updates_applied": { + "type": "object", + "required": [ + "apt_update", + "targeted_packages_upgraded", + "new_packages_installed", + "timezone_changed_to", + "reboot_required", + "remaining_upgradable_count", + "full_upgrade_status" + ], + "properties": { + "apt_update": {"type": "string"}, + "targeted_packages_upgraded": { + "type": "array", + "items": {"type": "string"} + }, + "new_packages_installed": { + "type": "array", + "items": {"type": "string"} + }, + "timezone_changed_to": {"type": "string"}, + "reboot_required": {"type": "boolean"}, + "remaining_upgradable_count": {"type": "integer", "minimum": 0}, + "full_upgrade_status": {"type": "string"} + }, + "additionalProperties": false + }, + "integration_state": { + "type": "object", + "required": [ + "already_integrated", + "not_yet_integrated", + "awooop_consumption" + ], + "properties": { + "already_integrated": { + "type": "array", + "items": {"type": "string"} + }, + "not_yet_integrated": { + "type": "array", + "items": {"type": "string"} + }, + "awooop_consumption": {"type": "string"} + }, + "additionalProperties": false + }, + "risk_register": { + "type": "array", + "items": { + "type": "object", + "required": ["risk", "severity", "status", "next_action"], + "properties": { + "risk": {"type": "string"}, + "severity": { + "type": "string", + "enum": ["LOW", "MEDIUM", "HIGH"] + }, + "status": {"type": "string"}, + "next_action": {"type": "string"} + }, + "additionalProperties": false + } + }, + "next_gates": { + "type": "array", + "items": {"type": "string"} + }, + "still_forbidden": { + "type": "array", + "items": {"type": "string"} + } + }, + "additionalProperties": false +} diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index 13741fc0..7e514b46 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -26,6 +26,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | 事件 | 來源 | AwoooP 目標 | 初期狀態 | 必要防護 | |------|------|-------------|----------|----------| | `security_finding_v1` | Kali / Trivy / ZAP / Semgrep / detect-secrets / kube posture | Runtime State、Channel Event、Audit | mirror-only | 不保存 raw secret、cookie、token、exploit payload | +| `kali_integration_status_v1` | 192.168.0.112 live health / update / gap evidence | Security posture、Operator Console、Approval candidate | mirror-only | 不保存 SSH 密碼或 API key、不直接啟動 scan 或 `/execute` | | `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge | | `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary | | `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 不保存 token value、不刪除或停用 Gitea repo | @@ -73,6 +74,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 |------|-------------------------|------| | `security_finding_v1.severity=LOW|MEDIUM` 且 `confidence=LOW|MEDIUM` | `observe` | mirror + weekly review | | `security_finding_v1.severity=HIGH|CRITICAL` | `approve_required` | 產生 `approval_required_event_v1` | +| `kali_integration_status_v1.status=partial_runtime_health_integrated` | `observe` | 顯示 Kali 112 health、更新紀錄、缺口與 approval gates;不得直接掃描 | | `coding_task_v1.risk=LOW|MEDIUM` | `warn` | 可排入 Codex patch-only backlog | | `coding_task_v1.risk=HIGH|CRITICAL` | `approve_required` | 必須指定 `critic`、`vuln-verifier` | | `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason,不允許切 primary | @@ -133,6 +135,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Source Control draft reconcile plan | `docs/security/source-control-reconcile-plan.snapshot.json` / `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` | | Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` | | Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` | +| Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` | | 本機 repo canonical lineage snapshot | `docs/security/local-repo-canonical-ewoooc-momo.snapshot.json` / `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md` | | Internal 110 refs snapshot | `docs/security/git-remote-refs-bitan-tsenyang.snapshot.json` / `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` | | wooo-infra-config refs snapshot | `docs/security/git-remote-refs-wooo-infra-config.snapshot.json` / `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md` | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 7f017e6e..dedee924 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -145,7 +145,7 @@ Schema:`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json` "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 16 + "contract_count": 17 } ``` @@ -559,6 +559,8 @@ Console 初期不提供高風險 action button。 2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。 +2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 + 本波仍不做: - runtime DB migration。 @@ -573,6 +575,8 @@ Console 初期不提供高風險 action button。 - [Kali 資訊安全網藍圖](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md) - [Kali 資訊安全網開工準備](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md) +- [Kali 112 整合狀態與更新紀錄](/Users/ogt/awoooi/docs/security/KALI-INTEGRATION-STATUS.md) +- [kali_integration_status_v1 snapshot](/Users/ogt/awoooi/docs/security/kali-integration-status.snapshot.json) - [Code Review 接 Codex 與 Gitea 推版優化藍圖](/Users/ogt/awoooi/docs/operations/CODE-REVIEW-CODEX-GITEA-OPTIMIZATION.md) - [Gitea 到 GitHub 全量版本轉移 Inventory](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md) - [Gitea / GitHub migration snapshot](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md) @@ -623,6 +627,7 @@ Console 初期不提供高風險 action button。 - [AwoooP x Monitoring / Alerting Convergence Map](/Users/ogt/awoooi/docs/awooop/AWOOOP-MONITORING-ALERTING-CONVERGENCE.md) - [AwoooP Master Workplan](/Users/ogt/awoooi/docs/awooop/MASTER-WORKPLAN.md) - [security_finding_v1 schema](/Users/ogt/awoooi/docs/schemas/security_finding_v1.schema.json) +- [kali_integration_status_v1 schema](/Users/ogt/awoooi/docs/schemas/kali_integration_status_v1.schema.json) - [coding_task_v1 schema](/Users/ogt/awoooi/docs/schemas/coding_task_v1.schema.json) - [source_control_migration_event_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_migration_event_v1.schema.json) - [gitea_repo_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_repo_inventory_v1.schema.json) diff --git a/docs/security/KALI-INTEGRATION-STATUS.md b/docs/security/KALI-INTEGRATION-STATUS.md new file mode 100644 index 00000000..47dec790 --- /dev/null +++ b/docs/security/KALI-INTEGRATION-STATUS.md @@ -0,0 +1,117 @@ +# Kali 112 整合狀態與更新紀錄 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| Host | `192.168.0.112` | +| Asset key | `host:kali-112` | +| 狀態 | `partial_runtime_health_integrated` | +| 模式 | `observe_only` | +| Snapshot | `docs/security/kali-integration-status.snapshot.json` | +| Schema | `docs/schemas/kali_integration_status_v1.schema.json` | + +## 0. 核心結論 + +Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runtime: + +- `kali-scanner.service` 已啟用並正在執行。 +- `http://192.168.0.112:8080/health` 回傳 healthy。 +- `node-exporter` container 正在運作。 +- `192.168.0.120` 與 `192.168.0.121` 正持續打 `/health`。 +- Kali crontab 已有 port monitor、code security scan、Harbor image scan。 + +但它還沒有完成「資安網閉環」整合:Kali scan result 尚未正式寫入 AWOOOI asset / compliance 表,也尚未 mirror 成 AwoooP Runtime State、Channel Event 或 Audit evidence。因此目前判定是「健康與基礎掃描已存在,治理閉環尚未接通」。 + +## 1. 已確認的 live 狀態 + +| 項目 | 結果 | +|------|------| +| SSH 授權登入 | 成功 | +| OS | Kali GNU/Linux Rolling | +| Hostname | `kali` | +| IP | `192.168.0.112/24` | +| Uptime | 約 6 天 | +| Disk | `/` 79G,使用約 26% | +| Memory | 7.8GiB,available 約 7.1GiB | +| Scanner API | `0.0.0.0:8080` | +| Scanner API health | `{"status":"healthy","version":"1.0.0","hostname":"kali"}` | +| Scanner service | `kali-scanner.service` active / enabled | +| Docker services | `node-exporter`、`wg-easy` active | +| Node exporter | container up,port `9100` | +| WireGuard UI | `wg-easy` healthy,ports `51820/udp`、`51821/tcp` | +| Reboot required | 否 | + +## 2. 已存在的 scanner 能力 + +Kali Scanner API 目前提供: + +| Endpoint | 用途 | 初期處理 | +|----------|------|----------| +| `/health` | health check | 可由 Prometheus / blackbox / AwoooP mirror | +| `/scan` | 啟動 scan | 必須先有 scope approval | +| `/scan/{scan_id}` | 讀取 scan result | 只能讀 redacted finding | +| `/scans` | 列出 in-memory scans | 只能 read-only | +| `/execute` | 直接執行 shell command | 高風險,AwoooP 不得直接呼叫 | + +支援工具包含 `nmap`、`nikto`、`nuclei`、`trivy`、`sslyze`、`lynis`。本輪沒有啟動任何 scan。 + +## 3. 本輪已做的更新與調校 + +| 類型 | 動作 | +|------|------| +| apt metadata | 已執行 `apt-get update` | +| scanner 套件 | 更新 `nmap`、`nmap-common`、`nikto`、`nuclei` | +| 基礎連線套件 | 更新 `ca-certificates`、`curl`、`openssl` | +| 解析工具 | 安裝 `jq` | +| 時區 | 從 `America/New_York` 調整為 `Asia/Taipei` | +| 驗證 | 更新後 `/health` healthy,`ssh` / `cron` / `docker` / `kali-scanner` active | + +更新後版本: + +| 工具 | 版本 | +|------|------| +| Nmap | `7.99` | +| Nikto | `2.6.0` | +| Nuclei | `v3.8.0` | +| curl | `8.19.0` | +| OpenSSL | `3.6.2` | +| jq | `1.8.1` | + +## 4. 仍未完成的整合 + +| 缺口 | 影響 | 下一步 | +|------|------|--------| +| 尚未確認 AWOOOI API 有正式 Kali result ingestion endpoint | scan result 不能成為資安飛輪 evidence | 建立 redacted `security_finding_v1` ingestion contract | +| scan result 仍在 API in-memory 或本機 log | 重啟後可能失去 scan 查詢狀態 | 將 scan run metadata / finding summary 寫入 AWOOOI | +| AwoooP runtime 尚未 mirror Kali findings | Operator Console 看不到完整資安 posture | 先 mirror health / gap evidence,再接 findings | +| `/execute` endpoint 存在 | 若 runtime 直接接入會變成高風險 remote command path | 預設禁用或拆成 approval-only path | +| API key fallback 存在於原始碼 | secret hygiene 風險 | 移除 fallback、確認 `.env` secret source、輪替;不得寫出 secret value | +| `kali-scanner.service` 尚未套 systemd hardening | service blast radius 較大 | 先設計 dry-run hardening override,不直接套用 | +| Harbor image scan 近期失敗 | 容器漏洞掃描 evidence 不可靠 | 修正 Harbor target/project/auth/cert chain | +| full rolling upgrade 尚未執行 | 仍有大量套件可升級 | 需維護窗口、rollback、reboot gate | + +## 5. 本輪刻意沒有做 + +1. 沒有啟動任何 active scan。 +2. 沒有做 credentialed scan。 +3. 沒有呼叫 `/execute`。 +4. 沒有修改 firewall、NetworkPolicy、RBAC、route。 +5. 沒有做 full-upgrade、autoremove 或 reboot。 +6. 沒有記錄任何 API key、密碼或 secret value。 + +## 6. AwoooP 消費方式 + +AwoooP 現階段只能 mirror `kali_integration_status_v1`: + +1. 顯示 Kali health 與整合缺口。 +2. 將 `/execute`、API key fallback、Harbor scan failure 標成 review item。 +3. 針對 active scan、credentialed scan、full-upgrade、reboot 建立 approval candidate。 +4. 不新增任何直接執行掃描或 command 的按鈕。 + +## 7. 下一個 gate + +1. 建立 `security_finding_v1` ingestion endpoint 或 adapter,先只接 redacted finding。 +2. 建立 scan scope approval package,定義允許目標、掃描深度、排程與維護窗口。 +3. 把 `/execute` endpoint 降級為預設停用或單獨 high-risk approval path。 +4. 修正 Harbor image scan 的 target / project / auth / certificate chain。 +5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot,再 upgrade,最後 reboot 與健康複驗。 diff --git a/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md b/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md index 70ec7cc2..b9ab1626 100644 --- a/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md +++ b/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md @@ -26,7 +26,7 @@ | 面向 | 目前證據 | 缺口 | |---|---|---| -| Kali 主機 | `192.168.0.112:8080` 已出現在 `docs/reference/SERVICE-ENDPOINTS.md`、`KALI_SCANNER_URL`、NetworkPolicy egress、blackbox probe、`KaliScannerDown` 告警 | 目前只監控存活,尚未形成完整掃描結果治理閉環 | +| Kali 主機 | `192.168.0.112:8080` 已出現在 `docs/reference/SERVICE-ENDPOINTS.md`、`KALI_SCANNER_URL`、NetworkPolicy egress、blackbox probe、`KaliScannerDown` 告警;2026-05-13 已確認 live `/health` healthy 並完成第一波 targeted scanner package update | 目前只監控存活,尚未形成完整掃描結果治理閉環 | | 資產資料庫地基 | ADR-090 migration 已定義 `asset_inventory`、`asset_discovery_run`、`asset_coverage_snapshot`、`asset_compliance_snapshot` | 目前 scanner 以 K8s 為主;Docker、Gitea repos、網站、主機套件、Kali findings 還不完整 | | AIOps KPI | `/api/v1/aiops/kpi` 會彙整資產、覆蓋率、規則品質、容量與自動化流量 | 資安姿態尚未成為 KPI 的一級區塊 | | 合規掃描 | 已寫入 7 個 compliance 維度,SSL 與 Secret 年齡有部分檢查 | `cve_scan`、`audit_log_enabled`、`access_reviewed`、`encryption_at_rest` 多數仍是 `unknown` | @@ -193,7 +193,7 @@ Kali 112 掃描 / 驗證 | 整合 | 目前 anchor | 需要工作 | |---|---|---| -| Kali API health | `KALI_SCANNER_URL`、`KaliScannerDown` | 新增 scan run/result endpoint 或 adapter | +| Kali API health | `KALI_SCANNER_URL`、`KaliScannerDown`、`docs/security/KALI-INTEGRATION-STATUS.md` | 新增 scan run/result endpoint 或 adapter | | 資產盤點 | `asset_scanner_job.py` | 從 K8s 擴展到 hosts、Docker、Gitea/GitHub、websites、dev hosts | | 合規 | `compliance_scanner_job.py` | 補上 `cve_scan`、`audit_log_enabled`、`access_reviewed`、`encryption_at_rest` | | KPI | `AiopsKpiService` | 新增 `security_posture` 區塊 | @@ -215,6 +215,27 @@ Kali 112 掃描 / 驗證 9. Blocking gate 必須有可量測 false-positive rate 與 override workflow。 10. 長期授權由 AwoooP policy 負責;scanner 只提供 evidence。 +## 7.1 2026-05-13 Live 整合狀態 + +`192.168.0.112` 已經完成第一波 live 盤點與低風險更新,正式記錄於 `docs/security/KALI-INTEGRATION-STATUS.md`。 + +已確認: + +1. `kali-scanner.service` active / enabled。 +2. `/health` healthy。 +3. `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件已做 targeted update。 +4. 已安裝 `jq`。 +5. 主機時區已調整為 `Asia/Taipei`。 +6. 更新後 SSH / cron / docker / scanner service 都 active,且不需 reboot。 + +仍然不能做: + +1. 不直接啟動 active scan。 +2. 不做 credentialed scan。 +3. 不讓 AwoooP 直接呼叫 Kali `/execute` endpoint。 +4. 不保存 API key、SSH 密碼或任何 secret value。 +5. 不做 full-upgrade、autoremove 或 reboot,除非先排維護窗口。 + ## 8. 第一波實作建議 建議下一波程式實作: diff --git a/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md b/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md index 3881e872..bd1ba432 100644 --- a/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md +++ b/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md @@ -1,7 +1,7 @@ # Kali 資訊安全網開工準備 > 日期:2026-05-06(台北時間) -> 狀態:僅規劃,尚未開始實作 +> 狀態:原始規劃;2026-05-13 已完成 Kali 112 live 盤點與低風險主機更新,尚未開始 AWOOOI runtime ingestion 實作 > 上游藍圖:`docs/security/KALI-SECURITY-MESH-BLUEPRINT.md` > AwoooP 同步:`docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md` @@ -15,6 +15,8 @@ 2026-05-06 追加同步:統帥批准本支線開始推進,並要求立即同步給 AwoooP 工作 Session。本支線已建立 `docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md`,作為雙 Session 共享契約與邊界文件。 +2026-05-13 追加 live 狀態:統帥授權登入 `192.168.0.112` 後,已完成 Kali Scanner API health、service、crontab、Docker service 與更新狀態盤點,並完成 targeted scanner package update 與 `Asia/Taipei` 時區調校。完整紀錄見 `docs/security/KALI-INTEGRATION-STATUS.md`。本追加不代表已批准 active scan、credentialed scan、AWOOOI runtime ingestion、`/execute` 接入、full-upgrade 或 reboot。 + ## 1. 非實作邊界 目前允許: @@ -41,6 +43,8 @@ | 自動 rotate secrets 或自動關閉 ports | 屬於破壞性或 access-changing 行為 | | 直接把 GitHub 切成唯一主控 | 必須先完成 Gitea 全量版本盤點、同步、runner 驗證與 rollback plan | +2026-05-13 例外說明:本輪只對既有 Kali 主機做授權登入、狀態盤點、targeted scanner package update、`jq` 安裝與時區調校;沒有新增 scanner job、沒有啟動 scan、沒有修改 AWOOOI runtime endpoint。 + ## 2. 開工準備閘門 | 閘門 | 問題 | 實作前必備 | @@ -159,6 +163,7 @@ | GitHub primary / Gitea mirror rollback plan 已接受 | 待確認 | | AwoooP mirror-only handoff 已同步 | 已完成 | | 共享事件 JSON Schema 已建立 | 已完成 | +| Kali 112 live health / update status 已記錄 | 已完成 | ## 9. 未來批准後的第一波實作順序 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index f9867317..e7e0fe1b 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -11,7 +11,7 @@ ## 0. 核心結論 -目前 Security Supply Chain 已有 16 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 +目前 Security Supply Chain 已有 17 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。 @@ -21,6 +21,7 @@ |----------|-------------|----------|----------| | `security_rollout_policy_v1` | read-only policy | 低摩擦 observe-first policy | `docs/security/security-rollout-policy.snapshot.json` | | `security_finding_v1` | mirror-only | Kali / code / infra finding | 無正式 snapshot | +| `kali_integration_status_v1` | mirror-only | Kali 112 live health / update / gap evidence | `kali-integration-status.snapshot.json` | | `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot | | `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi`、`clawbot-v5`、`wooo-aiops` | | `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory | public-only / blocked endpoint snapshots | diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 97cdec28..84687410 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-13 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification | +| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -20,7 +20,8 @@ | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | | S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 | | S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 | -| S1.4 Contract manifest | 完成草案 | 16 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | +| S1.4 Contract manifest | 完成草案 | 17 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | +| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate | | S2 AwoooP mirror-only | 可交接 | `AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md` 已列出可消費事件與禁止動作 | AwoooP 主線建立只讀入口 | | S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR | @@ -51,6 +52,8 @@ | Source Control branch/tag detail diff JSON | `docs/security/source-control-ref-detail-diff.snapshot.json` | | Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` | | Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` | +| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` | +| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` | | 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` | | 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` | | Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` | @@ -79,6 +82,7 @@ 2. 依 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 -5. AwoooP 主線只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 -6. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -7. AwoooP 主線先讀 `security_supply_chain_contract_manifest_v1` 作為 contract registry,不新增 execution router。 +5. 依 `KALI-INTEGRATION-STATUS.md` 建立 Kali finding ingestion / scan scope approval package;不得直接接 `/execute`。 +6. AwoooP 主線只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 +7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 +8. AwoooP 主線先讀 `security_supply_chain_contract_manifest_v1` 作為 contract registry,不新增 execution router。 diff --git a/docs/security/kali-integration-status.snapshot.json b/docs/security/kali-integration-status.snapshot.json new file mode 100644 index 00000000..156d1679 --- /dev/null +++ b/docs/security/kali-integration-status.snapshot.json @@ -0,0 +1,122 @@ +{ + "schema_version": "kali_integration_status_v1", + "status": "partial_runtime_health_integrated", + "date": "2026-05-13", + "host": { + "ip": "192.168.0.112", + "asset_key": "host:kali-112", + "hostname": "kali", + "role": "Kali 資安感測與掃描 API 主機", + "timezone": "Asia/Taipei", + "observe_only": true + }, + "mode": "observe_only", + "live_checks": { + "ssh_access": "ok_authorized_read_and_low_risk_update", + "scanner_api_health": "ok_http_200_health_status_healthy", + "scanner_service": "active_enabled_kali_scanner_service", + "node_exporter": "docker_container_up_on_9100", + "scheduled_jobs": [ + "hourly_port_monitor", + "daily_code_security_scan", + "weekly_harbor_image_scan" + ], + "docker_services": [ + "node-exporter_up", + "wg-easy_up_healthy" + ], + "post_update_health": "ok_ssh_cron_docker_kali_scanner_active_no_reboot_required" + }, + "updates_applied": { + "apt_update": "completed", + "targeted_packages_upgraded": [ + "ca-certificates", + "ca-certificates-java", + "curl", + "openssl", + "nmap", + "nmap-common", + "nikto", + "nuclei", + "libssl3t64", + "libcurl4t64", + "libc6", + "perl" + ], + "new_packages_installed": [ + "jq", + "nikto_perl_xml_dependencies" + ], + "timezone_changed_to": "Asia/Taipei", + "reboot_required": false, + "remaining_upgradable_count": 1994, + "full_upgrade_status": "not_run_requires_maintenance_window" + }, + "integration_state": { + "already_integrated": [ + "Kali Scanner API 在 192.168.0.112:8080 運作且 /health healthy", + "kali-scanner.service active 且 enabled", + "Prometheus / blackbox 類 health probe 正在從 192.168.0.120 / 192.168.0.121 命中 /health", + "node-exporter container 運作中", + "crontab 已有 port monitor、code security scan、Harbor image scan", + "docs 與 security_finding_v1 已把 Kali 納入資安網契約" + ], + "not_yet_integrated": [ + "尚未確認 AWOOOI API 有正式 Kali scan result ingestion endpoint", + "Kali scan result 仍停留在 API in-memory results 或本機 log,尚未正規化寫入 asset_inventory / asset_compliance_snapshot", + "尚未把 Kali finding mirror 成 AwoooP Runtime State / Channel Event / Audit evidence", + "尚未建立 scan scope approval package 或 credentialed scan gate", + "尚未移除 scanner API 原始碼中的 API key fallback", + "尚未套用 kali-scanner.service systemd hardening override" + ], + "awooop_consumption": "mirror_only_status_and_gap_evidence" + }, + "risk_register": [ + { + "risk": "scanner_execute_endpoint_can_run_shell_commands", + "severity": "HIGH", + "status": "confirmed_endpoint_exists_api_key_protected", + "next_action": "AwoooP 不得直接接 execution action;需另建 approval_required_event_v1 與 allowlist / disable gate" + }, + { + "risk": "default_api_key_fallback_present_in_source", + "severity": "HIGH", + "status": "confirmed_source_pattern_present_value_not_recorded", + "next_action": "移除 fallback、確認 .env secret 來源、輪替 API key;不得把 secret value 寫入文件" + }, + { + "risk": "kali_scanner_service_lacks_systemd_hardening", + "severity": "MEDIUM", + "status": "NoNewPrivileges/PrivateTmp/ProtectSystem/ProtectHome 目前未啟用", + "next_action": "先設計 dry-run hardening override,驗證 scan tools 不被破壞後再套用" + }, + { + "risk": "harbor_image_scan_currently_failing", + "severity": "MEDIUM", + "status": "recent logs show image/project/auth/certificate mismatch", + "next_action": "修正 Harbor target、project/credential 或憑證鏈;先納入 evidence,不阻擋其他資安框架" + }, + { + "risk": "kali_rolling_full_upgrade_pending", + "severity": "MEDIUM", + "status": "1994 packages remain upgradable after targeted update", + "next_action": "安排維護窗口,先 snapshot / rollback / service verification,再做 full-upgrade 與 reboot" + } + ], + "next_gates": [ + "建立 Kali scan result ingestion contract,先只接收 redacted findings", + "建立 Kali scan scope approval package,禁止未批准 active/credentialed scan", + "把 /execute endpoint 改成預設停用或單獨 high-risk approval path", + "把 Harbor scan failure 轉成 security finding / ops finding,不直接自動修復", + "安排 Kali rolling full-upgrade 維護窗口與 reboot gate" + ], + "still_forbidden": [ + "run_active_scan_without_scope_approval", + "run_credentialed_scan_without_approval", + "call_execute_endpoint_from_awooop_runtime", + "store_api_key_or_password_value", + "change_firewall_or_networkpolicy", + "autoremove_packages_without_maintenance_window", + "full_upgrade_or_reboot_without_maintenance_window" + ] +} diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 028abf1e..5151bbb2 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -2,7 +2,7 @@ "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 16, + "contract_count": 17, "contracts": [ { "contract": "security_rollout_policy_v1", @@ -26,6 +26,27 @@ "forbidden_actions": ["active_scan", "store_raw_secret", "store_exploit_payload"], "notes": "承接 Kali / Trivy / ZAP / Semgrep / detect-secrets 類 findings。" }, + { + "contract": "kali_integration_status_v1", + "schema_path": "docs/schemas/kali_integration_status_v1.schema.json", + "snapshot_paths": ["docs/security/kali-integration-status.snapshot.json"], + "human_docs": ["docs/security/KALI-INTEGRATION-STATUS.md"], + "consumer": "AwoooP security posture / Operator Console", + "consumption_mode": "mirror_only", + "allowed_actions": [ + "mirror_kali_health", + "display_update_status", + "display_integration_gaps", + "create_approval_candidate_for_active_scan_or_full_upgrade" + ], + "forbidden_actions": [ + "run_active_scan", + "run_execute_endpoint", + "store_api_key_or_password", + "full_upgrade_or_reboot_without_window" + ], + "notes": "112 已有 live scanner health 與低風險更新;finding ingestion / AwoooP runtime mirror 尚未接通。" + }, { "contract": "coding_task_v1", "schema_path": "docs/schemas/coding_task_v1.schema.json",