feat(iwooos): harden Wazuh visibility runtime gate

2026-06-25 10:51:17 +08:00
parent e529bdbae2
commit 78284dbdcc
7 changed files with 380 additions and 14 deletions
--- a/scripts/security/wazuh-agent-visibility-runtime-gate.py
+++ b/scripts/security/wazuh-agent-visibility-runtime-gate.py
@@ -50,6 +50,11 @@ def assert_zero(label: str, actual: Any) -> None:
    assert_equal(label, actual, 0)


+def assert_at_least(label: str, actual: Any, minimum: int) -> None:
+    if not isinstance(actual, int) or actual < minimum:
+        raise SystemExit(f"BLOCKED {label}: expected >= {minimum!r}, got {actual!r}")
+
+
 def collect_string_values(value: Any) -> list[str]:
    if isinstance(value, str):
        return [value]
@@ -139,15 +144,35 @@ def validate(root: Path) -> None:
        "wazuh_agent_visibility_runtime_gate.agent_transport_connected_observed",
        snapshot.get("agent_transport_connected_observed"),
    )
+    assert_at_least(
+        "wazuh_agent_visibility_runtime_gate.manager_transport_established_connection_count",
+        snapshot.get("manager_transport_established_connection_count"),
+        1,
+    )
    assert_true(
        "wazuh_agent_visibility_runtime_gate.dashboard_api_degraded_observed",
        snapshot.get("dashboard_api_degraded_observed"),
    )
+    for key in [
+        "dashboard_stored_api_unreachable_observed",
+        "dashboard_api_login_500_observed",
+        "dashboard_api_rate_limited_observed",
+        "dashboard_api_run_as_permission_error_observed",
+        "dashboard_api_tls_client_cert_unknown_observed",
+        "manager_registry_cli_permission_blocked",
+        "manager_registry_cli_requires_privilege",
+    ]:
+        assert_true(f"wazuh_agent_visibility_runtime_gate.{key}", snapshot.get(key))
    assert_equal(
        "wazuh_agent_visibility_runtime_gate.production_route_http_status",
        snapshot.get("production_route_http_status"),
        404,
    )
+    expected_error_codes = {400, 429, 500}
+    actual_error_codes = set(snapshot.get("dashboard_error_codes_observed", []))
+    missing_error_codes = sorted(expected_error_codes - actual_error_codes)
+    if missing_error_codes:
+        raise SystemExit(f"BLOCKED wazuh_agent_visibility_runtime_gate.dashboard_error_codes_observed: missing {missing_error_codes!r}")
    validate_required_evidence(snapshot)
    validate_no_secret_values(snapshot)

@@ -166,6 +191,7 @@ def main() -> None:
    print(
        "WAZUH_AGENT_VISIBILITY_RUNTIME_GATE_OK "
        f"registry=0 route={snapshot['production_route_http_status']} "
+        f"transport={snapshot['manager_transport_established_connection_count']} "
        f"dashboard_degraded={int(snapshot['dashboard_api_degraded_observed'])} "
        f"runtime_gate={snapshot['runtime_gate_count']}"
    )