feat(iwooos): tighten Wazuh owner evidence preflight
@@ -38,6 +38,11 @@ REQUIRED_FIELDS = [
"registry_export_summary_ref",
"manager_health_ref",
"dashboard_api_status_ref",
"dashboard_api_connection_check_status",
"dashboard_api_version_check_status",
"dashboard_index_pattern_statuses",
"dashboard_api_degradation_root_cause",
"dashboard_api_repair_postcheck_ref",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
@@ -52,6 +57,11 @@ REVIEWER_CHECKS = [
"per_host_registry_matrix 每列只能使用公開別名,不得包含內網位址、agent 原名或 raw payload。",
"last_seen 時間窗需能覆蓋事故觀察區間。",
"manager health ref 與 dashboard API status ref 不可互相替代。",
"Dashboard API connection 若仍是 pending / spinning,不得接受為 Wazuh 可用。",
"Dashboard API version 必須獨立驗證;index pattern 三綠勾不可替代 API version。",
"index pattern 已通過只能代表索引 pattern 可讀,不可替代 manager registry counts。",
"Dashboard API 退化根因必須至少分類為 stored API、RBAC / run_as、rate-limit、TLS trust 或 readonly account scope 其中之一。",
"dashboard API repair postcheck 必須包含 API connection、API version、manager registry counts 與 IwoooS readback。",
"redacted evidence refs 不得包含 raw payload、截圖原文或主機完整輸出。",
"owner decision 不可直接授權 active response、host write 或 secret rotation。",
"rollback owner 與 postcheck plan 必須存在。",
@@ -62,6 +72,9 @@ OUTCOME_LANES = [
"request_missing_fields",
"quarantine_sensitive_payload",
"reject_runtime_action_request",
"request_dashboard_api_status_supplement",
"request_dashboard_api_repair_postcheck",
"reject_index_pattern_only_green",
"ready_for_reviewer_validation",
]
@@ -80,6 +93,10 @@ FORBIDDEN_PAYLOADS = [
"cookie",
"private_key",
"client_keys",
"raw_dashboard_request",
"dashboard_api_secret",
"stored_api_password",
"api_token",
"active_response_enable",
"host_write",
"firewall_change",
@@ -128,6 +145,8 @@ REGISTRY_EXPORT_REDACTION_REQUIREMENTS = [
"只允許公開節點別名,不允許內網位址、主機原名或 agent 原名。",
"agent id 僅能用不可逆 evidence ref,不得放完整值、雜湊、前後綴或 client key。",
"每個缺口必須有 gap reason,不得以 Dashboard 空白或口頭說明補成綠燈。",
"Dashboard API connection / version / index pattern 必須分欄呈現,不得合併成單一 healthy。",
"Dashboard API 修復證明只能收脫敏 ref,不得收 stored API secret、token、密碼或完整 request。",
"只收計數、狀態桶、時間窗與證據 ref,不收 raw API payload、完整 CLI output 或截圖原文。",
]
@@ -227,6 +246,7 @@ def build_snapshot() -> dict[str, Any]:
"agent service active、TCP 連線存在、Dashboard 可見或口頭宣稱都不可替代 manager registry counts。",
"逐主機 registry export 必須使用固定公開節點別名與狀態桶,不能把 agent 原名或內網識別資訊帶到前台。",
"若 evidence 夾帶 raw log、未脫敏截圖、內網位址、agent 原名或 secret,必須隔離,不得渲染到前台。",
"Dashboard index pattern 三綠勾不可替代 API connection、API version 或 manager registry 驗收。",
"任何 active response、host write、firewall、Nginx、Docker、K8s 或 secret 變更都要切獨立人工批准。",
],
}