diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 6a2b8c61..9bd5732c 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -19432,6 +19432,75 @@ } } }, + "securityOperatingSystem": { + "eyebrow": "IwoooS 資安作戰系統", + "title": "把資安監控、Wazuh、Kali、Nginx、主機與 AI Agent 串成同一套作戰體制", + "subtitle": "這張卡固定 20 個主流框架、24 條工作流、12 條 P0 優先工作、9 欄告警訊息合約與 12 個驗證節點;目前是 source / snapshot / guard / 前台可視化,不代表主機寫入、掃描、封鎖、reload、SOAR、Telegram 實發或正式環境寫入已授權。", + "checkLabel": "節點", + "stateLabel": "狀態", + "boundaryTitle": "作戰系統停止線", + "boundaryIntro": "以下鍵值固定:route 200、Dashboard 可見、agent active、CD success、UI 可見或一般批准都不是資安完成;沒有 owner、rollback、維護窗口、postcheck、alert receipt、Wazuh / SIEM / case evidence 與 human approval,不開 response、scan、reload、封鎖或正式寫入。", + "summary": { + "frameworks": { + "label": "框架", + "detail": "20 個主流框架用來校準治理、偵測、應變、AppSec、供應鏈與 AI 風險。" + }, + "workstreams": { + "label": "工作流", + "detail": "24 條工作流拆成 P0、P1、P2,避免只把風險寫成長文字。" + }, + "p0": { + "label": "P0", + "detail": "12 條 P0 先處理即時危害、Wazuh registry、Nginx、告警、鑑識與 AI 權限。" + }, + "alertContract": { + "label": "告警合約", + "detail": "9 欄訊息合約要求告警說清楚事件、影響、證據、AI 分流、候選動作與驗證。" + }, + "evidencePercent": { + "label": "完成度", + "detail": "56% 是 evidence-weighted 作戰體制完成度,不代表入侵已清除或 runtime 已授權。" + }, + "runtimeGate": { + "label": "執行期", + "detail": "runtime gate、host write、active response、scan、auto block 與 action button 都是 0。" + } + }, + "items": { + "assetGraph": { + "title": "資產與暴露面要先成圖", + "body": "主機、domain、route、service、port、package、repo、runner、secret metadata、backup 與 AI agent 都要進同一張資安作戰圖。" + }, + "wazuhRegistry": { + "title": "Wazuh registry 還是第一個硬 Gate", + "body": "需要 manager registry 的 agent total、active、disconnected、last seen 與 expected minimum;Dashboard 可見不能代替。" + }, + "incidentCase": { + "title": "入侵與漂移必須形成 case", + "body": "任何入侵、端口異常、Nginx drift、runner 變更或 Wazuh 退化都要有 case、timeline、owner、decision 與 postcheck。" + }, + "alertContract": { + "title": "告警訊息要能讓人行動", + "body": "告警需包含嚴重度、信心、資產 alias、白話說明、影響、脫敏證據、AI 分流、候選動作與 owner gate。" + }, + "configControl": { + "title": "高價值配置納入作戰線", + "body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、secret metadata、backup 與 AI provider 不能再被零散手改。" + }, + "kevExposure": { + "title": "已遭利用弱點優先於一般 CVSS", + "body": "CISA KEV、EPSS、公開入口、資產重要性與維護窗口一起決定套件、image 與服務修補順序。" + }, + "aiAgentGate": { + "title": "AI Agent 只能先產生候選", + "body": "AI 可以摘要、分流、產生 owner packet、dry-run 與驗證計畫;不能直接主機寫入、讀 secret、封鎖或部署。" + }, + "runtimeBoundary": { + "title": "執行邊界維持 0 / false", + "body": "Wazuh active response、Kali active scan、Kali /execute、Nginx reload、firewall change、SOAR 與 auto block 都未授權。" + } + } + }, "socSiemKaliWazuhIntegration": { "eyebrow": "SOC / SIEM / 資安觀測節點 整合控制", "title": "把 Wazuh、Kali、告警鏈與主流資安機制接成同一條證據線", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 6a2b8c61..9bd5732c 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -19432,6 +19432,75 @@ } } }, + "securityOperatingSystem": { + "eyebrow": "IwoooS 資安作戰系統", + "title": "把資安監控、Wazuh、Kali、Nginx、主機與 AI Agent 串成同一套作戰體制", + "subtitle": "這張卡固定 20 個主流框架、24 條工作流、12 條 P0 優先工作、9 欄告警訊息合約與 12 個驗證節點;目前是 source / snapshot / guard / 前台可視化,不代表主機寫入、掃描、封鎖、reload、SOAR、Telegram 實發或正式環境寫入已授權。", + "checkLabel": "節點", + "stateLabel": "狀態", + "boundaryTitle": "作戰系統停止線", + "boundaryIntro": "以下鍵值固定:route 200、Dashboard 可見、agent active、CD success、UI 可見或一般批准都不是資安完成;沒有 owner、rollback、維護窗口、postcheck、alert receipt、Wazuh / SIEM / case evidence 與 human approval,不開 response、scan、reload、封鎖或正式寫入。", + "summary": { + "frameworks": { + "label": "框架", + "detail": "20 個主流框架用來校準治理、偵測、應變、AppSec、供應鏈與 AI 風險。" + }, + "workstreams": { + "label": "工作流", + "detail": "24 條工作流拆成 P0、P1、P2,避免只把風險寫成長文字。" + }, + "p0": { + "label": "P0", + "detail": "12 條 P0 先處理即時危害、Wazuh registry、Nginx、告警、鑑識與 AI 權限。" + }, + "alertContract": { + "label": "告警合約", + "detail": "9 欄訊息合約要求告警說清楚事件、影響、證據、AI 分流、候選動作與驗證。" + }, + "evidencePercent": { + "label": "完成度", + "detail": "56% 是 evidence-weighted 作戰體制完成度,不代表入侵已清除或 runtime 已授權。" + }, + "runtimeGate": { + "label": "執行期", + "detail": "runtime gate、host write、active response、scan、auto block 與 action button 都是 0。" + } + }, + "items": { + "assetGraph": { + "title": "資產與暴露面要先成圖", + "body": "主機、domain、route、service、port、package、repo、runner、secret metadata、backup 與 AI agent 都要進同一張資安作戰圖。" + }, + "wazuhRegistry": { + "title": "Wazuh registry 還是第一個硬 Gate", + "body": "需要 manager registry 的 agent total、active、disconnected、last seen 與 expected minimum;Dashboard 可見不能代替。" + }, + "incidentCase": { + "title": "入侵與漂移必須形成 case", + "body": "任何入侵、端口異常、Nginx drift、runner 變更或 Wazuh 退化都要有 case、timeline、owner、decision 與 postcheck。" + }, + "alertContract": { + "title": "告警訊息要能讓人行動", + "body": "告警需包含嚴重度、信心、資產 alias、白話說明、影響、脫敏證據、AI 分流、候選動作與 owner gate。" + }, + "configControl": { + "title": "高價值配置納入作戰線", + "body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、secret metadata、backup 與 AI provider 不能再被零散手改。" + }, + "kevExposure": { + "title": "已遭利用弱點優先於一般 CVSS", + "body": "CISA KEV、EPSS、公開入口、資產重要性與維護窗口一起決定套件、image 與服務修補順序。" + }, + "aiAgentGate": { + "title": "AI Agent 只能先產生候選", + "body": "AI 可以摘要、分流、產生 owner packet、dry-run 與驗證計畫;不能直接主機寫入、讀 secret、封鎖或部署。" + }, + "runtimeBoundary": { + "title": "執行邊界維持 0 / false", + "body": "Wazuh active response、Kali active scan、Kali /execute、Nginx reload、firewall change、SOAR 與 auto block 都未授權。" + } + } + }, "socSiemKaliWazuhIntegration": { "eyebrow": "SOC / SIEM / 資安觀測節點 整合控制", "title": "把 Wazuh、Kali、告警鏈與主流資安機制接成同一條證據線", diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index ea46703e..5038348a 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -327,6 +327,14 @@ type SocSiemKaliWazuhIntegrationItem = { tone: 'steady' | 'warn' | 'locked' } +type SecurityOperatingSystemItem = { + key: string + check: string + state: string + icon: typeof ShieldCheck + tone: 'steady' | 'warn' | 'locked' +} + type SecurityAssetControlLedgerItem = { key: string check: string @@ -2387,6 +2395,66 @@ const wazuhManagedHostCoverageBoundaries = [ 'not_authorization=true', ] as const +const securityOperatingSystemSummary = [ + { key: 'frameworks', value: '20', icon: ClipboardCheck, tone: 'steady' }, + { key: 'workstreams', value: '24', icon: ListChecks, tone: 'steady' }, + { key: 'p0', value: '12', icon: AlertTriangle, tone: 'warn' }, + { key: 'alertContract', value: '9', icon: Bell, tone: 'steady' }, + { key: 'evidencePercent', value: '56%', icon: Activity, tone: 'warn' }, + { key: 'runtimeGate', value: '0', icon: Lock, tone: 'locked' }, +] as const + +const securityOperatingSystemItems: SecurityOperatingSystemItem[] = [ + { key: 'assetGraph', check: 'SYS-1', state: 'P0', icon: Network, tone: 'warn' }, + { key: 'wazuhRegistry', check: 'SYS-2', state: '0%', icon: Radar, tone: 'locked' }, + { key: 'incidentCase', check: 'SYS-3', state: '待 case', icon: FileWarning, tone: 'warn' }, + { key: 'alertContract', check: 'SYS-4', state: '已固定', icon: Bell, tone: 'steady' }, + { key: 'configControl', check: 'SYS-5', state: 'P0', icon: Route, tone: 'warn' }, + { key: 'kevExposure', check: 'SYS-6', state: '待 owner', icon: SearchCheck, tone: 'warn' }, + { key: 'aiAgentGate', check: 'SYS-7', state: '0 / false', icon: Workflow, tone: 'locked' }, + { key: 'runtimeBoundary', check: 'SYS-8', state: '不授權', icon: Lock, tone: 'locked' }, +] as const + +const securityOperatingSystemBoundaries = [ + 'iwooos_security_operating_system_visible=true', + 'iwooos_security_operating_system_reference_framework_count=20', + 'iwooos_security_operating_system_operating_role_count=10', + 'iwooos_security_operating_system_severity_lane_count=5', + 'iwooos_security_operating_system_workstream_count=24', + 'iwooos_security_operating_system_p0_workstream_count=12', + 'iwooos_security_operating_system_p1_workstream_count=8', + 'iwooos_security_operating_system_p2_workstream_count=4', + 'iwooos_security_operating_system_alert_contract_field_count=9', + 'iwooos_security_operating_system_automation_loop_stage_count=8', + 'iwooos_security_operating_system_verification_stage_count=12', + 'iwooos_security_operating_system_no_false_green_rule_count=12', + 'iwooos_security_operating_system_cross_session_sync_checkpoint_count=7', + 'iwooos_security_operating_system_blocked_action_count=18', + 'iwooos_security_operating_system_source_control_artifact_percent=100', + 'iwooos_security_operating_system_evidence_weighted_percent=56', + 'iwooos_security_operating_system_wazuh_registry_acceptance_percent=0', + 'iwooos_security_operating_system_runtime_response_percent=0', + 'iwooos_security_operating_system_owner_response_received_count=0', + 'iwooos_security_operating_system_owner_response_accepted_count=0', + 'iwooos_security_operating_system_alert_receipt_accepted_count=0', + 'iwooos_security_operating_system_incident_case_accepted_count=0', + 'iwooos_security_operating_system_runtime_gate_count=0', + 'iwooos_security_operating_system_action_button_count=0', + 'host_write_authorized=false', + 'wazuh_active_response_authorized=false', + 'kali_active_scan_authorized=false', + 'kali_execute_authorized=false', + 'nginx_reload_authorized=false', + 'firewall_change_authorized=false', + 'secret_value_collection_allowed=false', + 'telegram_live_send_authorized=false', + 'soar_action_authorized=false', + 'auto_block_authorized=false', + 'production_write_authorized=false', + 'active_runtime_gate_count=0', + 'not_authorization=true', +] as const + const socSiemKaliWazuhIntegrationSummary = [ { key: 'frameworks', value: '14', icon: ClipboardCheck, tone: 'steady' }, { key: 'roles', value: '9', icon: ShieldCheck, tone: 'steady' }, @@ -8587,6 +8655,137 @@ function IwoooSWazuhManagedHostCoverageBoard() { ) } +function IwoooSSecurityOperatingSystemBoard() { + const t = useTranslations('iwooos.securityOperatingSystem') + const textWrap = { overflowWrap: 'anywhere' as const, wordBreak: 'break-word' as const } + + return ( +
+
+
+
+
+ + {t('eyebrow')} +
+

{t('title')}

+

+ {t('subtitle')} +

+
+ +
+ {securityOperatingSystemSummary.map(item => { + const Icon = item.icon + return ( +
+
+ {t(`summary.${item.key}.label` as never)} + +
+
+ {item.value} +
+

+ {t(`summary.${item.key}.detail` as never)} +

+
+ ) + })} +
+
+ +
+ {securityOperatingSystemItems.map(item => { + const Icon = item.icon + return ( +
+
+ + {t('checkLabel')} {item.check} + + +
+
+
+ {t(`items.${item.key}.title` as never)} +
+
+ {t('stateLabel')}:{item.state} +
+
+

+ {t(`items.${item.key}.body` as never)} +

+
+ ) + })} +
+ +
+ + {t('boundaryTitle')} + +

+ {t('boundaryIntro')} +

+
+ {securityOperatingSystemBoundaries.map(item => ( + + {item} + + ))} +
+
+
+
+ ) +} + function IwoooSSocSiemKaliWazuhIntegrationBoard() { const t = useTranslations('iwooos.socSiemKaliWazuhIntegration') const textWrap = { overflowWrap: 'anywhere' as const, wordBreak: 'break-word' as const } @@ -21515,6 +21714,7 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) { + diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 6d6e1755..85023137 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,26 @@ +## 2026-06-25|IwoooS 資安作戰系統 source-side 補強 + +**背景**:IwoooS 已有資產總帳、外部入侵防堵矩陣、SOC / SIEM / Kali / Wazuh 整合矩陣與 Wazuh route / registry no-false-green gate,但仍需要一份更高層的作戰系統,把業界主流框架、即時危害分流、告警訊息合約、AI 自動化閉環、跨 session 同步與停止線固定成同一個可驗證 program。 + +**本輪新增**: +- 新增 `scripts/security/iwooos-security-operating-system.py`,只產生 repo snapshot,不連線主機、不呼叫 Wazuh / Kali、不 SSH、不讀 secret、不送 Telegram、不 reload Nginx / Alertmanager、不改 firewall / K8s / workflow。 +- 新增 `docs/security/iwooos-security-operating-system.snapshot.json` 與 `docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md`。 +- `security-mirror-progress-guard.py` 已納入此作戰系統 guard。 +- `/zh-TW/iwooos` 新增「IwoooS 資安作戰系統」只讀卡片,顯示 20 個主流框架、24 條工作流、12 條 P0、9 欄告警合約、56% evidence-weighted 完成度與 runtime gate 0。 +- `apps/web/messages/en.json` 繼續與 `zh-TW.json` 維持繁中鏡像。 + +**完成度**: +- IwoooS 資安作戰系統 source artifact:`100%`。 +- evidence-weighted 資安作戰系統:`56%`。 +- SOC / SIEM 框架可視化成熟度:`92%`。 +- Wazuh manager registry 驗收:`0%`。 +- runtime response / host write / active response / active scan / auto block:`0%`。 + +**邊界**: +- 本輪沒有主機、Wazuh、Kali、Nginx、firewall、Docker、K8s、ArgoCD、workflow、secret 或 Telegram live send 操作。 +- route `200`、Dashboard 可見、agent active、CD success、UI 可見或一般「批准繼續」仍不得視為資安批准、入侵清除、Wazuh registry 恢復或 runtime 授權。 +- 前台內容只放作戰體制、優先序、合約欄位與停止線,不放工作視窗對話、個人 namespace、內部 IP、secret、raw log 或未脫敏輸出。 + ## 2026-06-25|Agent Market Runtime readback fixture 批准包正式驗證 **背景**:P2-111 已把 Telegram 報告實發批准包與 no-send route lock 顯示在 Agent Market;下一個安全步驟是 P2-112,把 runtime readback 推進到 fixture-only approval package,可供 OpenClaw / Hermes / NemoTron 審核,但仍不得讀 canonical runtime target、不得 live query、不得寫入 result capture / receipt / production。 diff --git a/docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md b/docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md new file mode 100644 index 00000000..ceabf080 --- /dev/null +++ b/docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md @@ -0,0 +1,145 @@ +# IwoooS 資安作戰系統 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-06-25 | +| 狀態 | `iwooos_security_operating_system_ready_no_runtime_action` | +| 工具 | `scripts/security/iwooos-security-operating-system.py` | +| Snapshot | `docs/security/iwooos-security-operating-system.snapshot.json` | +| runtime gate | `0` | + +## 1. 目的 + +本文件把 IwoooS 從「資安頁面與只讀清冊」推進成可治理、可分工、可驗證、可逐步自動化的資安作戰系統。它不是宣告 Wazuh、Kali、Nginx、主機或告警鏈已完成修復,而是把業界主流做法落到 AWOOOI 的固定控制面: + +1. 有完整工作範圍:主機、服務、網站前後台、API、Nginx / gateway、DNS / TLS、Docker / systemd、K8s / ArgoCD、CI/CD、Gitea / GitHub、Harbor / registry、Wazuh、Kali 112、監控告警、備份還原、AI Agent 與供應鏈。 +2. 有清楚分工:資安作戰負責人、SOC 審查人、事故指揮、平台 owner、服務 owner、證據保管、變更管理、供應鏈 owner、AI 安全審查與風險 owner。 +3. 有即時危害優先序:已確認入侵、已遭利用弱點、credential exposure、Wazuh agent 消失、Nginx / firewall drift 先進 P0。 +4. 有告警訊息合約:告警不能只貼 raw log,必須說清楚發生什麼、影響什麼、證據 ref、AI 分流、候選動作、owner gate 與驗證方式。 +5. 有停止線:沒有 owner、rollback、維護窗口、postcheck、alert receipt、Wazuh / SIEM / case evidence 或 human approval,不得開 response、scan、reload、封鎖或正式寫入。 + +本階段仍維持只讀 source / snapshot / guard / 前台呈現。它不連主機、不呼叫 Wazuh / Kali、不 SSH、不讀 secret、不送 Telegram、不 reload Nginx / Alertmanager、不改 firewall / K8s / workflow,也不啟用 active response、active scan、SOAR 或 auto block。 + +## 2. 導入的主流框架 + +| 類別 | 框架 | IwoooS 用途 | +|------|------|-------------| +| 治理 | NIST CSF 2.0、NIST AI RMF | Govern / Identify / Protect / Detect / Respond / Recover 與 AI 風險治理 | +| 事件應變 | NIST SP 800-61 Rev. 3 | case gate、分流、回應、復原、事後學習 | +| 基礎控制 | CIS Controls v8.1 | 資產、帳號、弱點、audit log、malware defense、backup | +| 零信任 | CISA Zero Trust Maturity Model | identity、device、network、application、data、visibility / automation | +| 弱點優先序 | CISA KEV、FIRST EPSS | 以已遭利用、可利用機率、公開入口與資產重要性排序 | +| 攻防語言 | MITRE ATT&CK、MITRE D3FEND | detection coverage、data source、defense countermeasure、purple-team | +| AppSec | OWASP ASVS、OWASP SAMM | 前後台、API、auth、logging、secure SDLC | +| SIEM / XDR | Wazuh、OCSF、Sigma | endpoint / FIM / event schema / detection-as-code | +| 告警與觀測 | Prometheus Alertmanager、OpenTelemetry | grouping、dedupe、routing、receipt、trace / metric / log correlation | +| 供應鏈 | SLSA、SPDX / CycloneDX、Sigstore / Cosign | provenance、SBOM、artifact signing、verify | + +引用這些框架只代表控制模型與優先序校準,不代表採購、切換產品、啟用 active response 或自動處置。 + +## 3. 固定數字 + +| 指標 | 數值 | +|------|------| +| 主流參考框架 | `20` | +| 營運角色 | `10` | +| severity lane | `5` | +| 工作流 | `24` | +| P0 工作流 | `12` | +| P1 工作流 | `8` | +| P2 工作流 | `4` | +| 告警訊息合約欄位 | `9` | +| AI 自動化閉環階段 | `8` | +| 驗證階段 | `12` | +| no-false-green 規則 | `12` | +| 跨 session 同步檢查點 | `7` | +| blocked action | `18` | +| source artifact 完成度 | `100%` | +| evidence-weighted 資安作戰系統完成度 | `56%` | +| SOC / SIEM 框架可視化成熟度 | `92%` | +| Wazuh manager registry 驗收 | `0%` | +| runtime response | `0%` | +| owner response received / accepted | `0 / 0` | +| runtime gate / action button | `0 / 0` | + +`56%` 是保守 evidence-weighted 完成度:代表作戰制度、優先序、資料結構、前台邊界與 guard 已形成;不代表主機乾淨、Wazuh agent 全數恢復、入侵已清除、Nginx 已修好或 response 已授權。 + +## 4. P0 工作流優先順序 + +| 優先 | 工作流 | 第一階段目標 | +|------|--------|--------------| +| P0-01 | 資產 / 暴露面總圖 | host、domain、route、service、port、package、repo、runner、secret metadata、backup、AI agent | +| P0-02 | Wazuh manager registry truth | agent total、active、disconnected、last seen、expected minimum、Dashboard / API mismatch | +| P0-03 | 主機入侵與鑑識 | auth、sudo、process、network、FIM、persistence、package、service、Docker event | +| P0-04 | Nginx / Gateway config-control | source-to-live diff、rendered diff、nginx test ref、route smoke、rollback | +| P0-05 | SSH / firewall / WireGuard / NodePort baseline | before / after、actor、impact、operator notification、restoration evidence | +| P0-06 | 身分與 secret metadata | SSH、sudo、deploy key、runner token name、webhook secret name、OIDC、break-glass | +| P0-07 | 告警可讀性與 receipt | Telegram / Alertmanager / Wazuh alert card、dedupe、noise budget、receipt | +| P0-08 | Incident case gate | case id、timeline、owner、decision、containment、recovery、postcheck、lesson learned | +| P0-09 | KEV / exposure / package SLA | CISA KEV、EPSS、public exposure、asset criticality、maintenance window | +| P0-10 | 備份 / 還原 / 鑑識保存 | restore drill、offsite、escrow、chain of custody、retention、rollback proof | +| P0-11 | Runner / workflow / supply-chain | Gitea、workflow、runner、deploy key、Harbor、SBOM、Cosign、SLSA | +| P0-12 | AI Agent 權限閘 | tool allowlist、redaction、cost、privacy、approval、excessive agency | + +## 5. Severity 分流 + +| 等級 | 條件 | 目標 | +|------|------|------| +| SEV0 | 已確認入侵或 active exploitation | 15 分鐘內形成 case / freeze / containment 候選;不得無 owner 直接執行 | +| SEV1 | 公開入口高風險、KEV、credential exposure、Wazuh agent 消失 | 30 分鐘內形成 owner packet、證據缺口與維護窗口草案 | +| SEV2 | Nginx / firewall / runner / workflow / runtime drift | 4 小時內完成 diff、owner、rollback 與 postcheck 計畫 | +| SEV3 | 告警噪音、coverage gap、dashboard degradation | 1 個工作日內進入 backlog 與 no-false-green 修正 | +| SEV4 | 治理、文件、成熟度與低風險 hardening | 納入週期報告與例外期限,不得混成緊急事件 | + +## 6. 告警訊息合約 + +每一則會進入 Telegram、AwoooP Run、Work Item 或 IwoooS 前台的資安告警,都必須包含: + +1. `event_title`:短標題,讓人一眼知道事件。 +2. `severity_and_confidence`:嚴重度與信心,不用一串 raw 指標代替。 +3. `asset_alias_and_scope`:只用脫敏 alias 與受影響範圍,不顯示個人 namespace 或內部原始識別。 +4. `what_happened_plain_language`:用人能讀懂的語言說明發生什麼。 +5. `why_it_matters`:說明可能造成的資安或服務影響。 +6. `redacted_evidence_refs`:脫敏證據參照,不貼 raw log、secret、token、完整 process dump 或工作視窗對話。 +7. `ai_triage_lane`:入侵、配置漂移、供應鏈、runtime gate、owner review、告警鏈等 AI 分流。 +8. `next_candidate_action`:候選下一步,例如 owner request、dry-run、維護窗口草案、postcheck plan。 +9. `owner_gate_and_verification`:誰要決策、哪個 gate 擋住、驗證如何做。 + +## 7. AI 自動化閉環 + +IwoooS 不是單純看板。每一個資安訊號要算進 AI 自動化主線,必須能走完: + +`sensor_evidence -> normalizer_redaction -> ai_triage_lane -> candidate_generation -> owner_gate -> execution_boundary -> verifier_readback -> learning_writeback` + +目前前 4 段已在 source / snapshot / UI 層明確化;owner gate、runtime execution、verifier live readback 與 learning writeback 仍待 owner evidence 與獨立批准。 + +## 8. No-false-green 規則 + +以下情況一律不得宣告資安完成: + +- route `200` 不等於資安通過。 +- Dashboard up 不等於 Wazuh agent registry 已恢復。 +- agent active 不等於入侵事件結案。 +- alert quiet 不等於告警鏈健康。 +- backup fresh 不等於 restore drill。 +- CD success 不等於 runtime 授權。 +- UI 可見不等於 owner acceptance。 +- AwoooP approval 不等於資安批准。 +- 外部 Agent 宣稱不等於鑑識證明。 +- transport connection 不等於 registry acceptance。 +- source snapshot 不等於 live truth。 +- 一般「批准繼續」不等於維護窗口。 + +## 9. 驗證指令 + +```bash +python3 scripts/security/iwooos-security-operating-system.py --root . +python3 scripts/security/security-mirror-progress-guard.py --root . +python3 scripts/security/iwooos-config-control-guard.py --root . +``` + +## 10. 邊界 + +本文件不授權 SSH、主機寫入、Wazuh active response、Kali active scan、Kali `/execute`、Nginx reload、firewall change、Docker / systemd restart、ArgoCD sync、kubectl apply、workflow modification、secret rotation、Telegram 實發、SOAR action、auto block、production write 或 force push。 + +下一步是將 P0-02 Wazuh manager registry truth、P0-07 告警可讀性與 receipt、P0-04 Nginx / Gateway config-control 這三條合併成第一個可驗收 owner packet。驗收前,所有 runtime / host write / active response / scan / auto block 仍維持 `0 / false`。 diff --git a/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md b/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md index 6d86bbc1..cc631300 100644 --- a/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md +++ b/docs/security/MAINSTREAM-AISOC-SECURITY-CONTROL-ROADMAP.md @@ -65,6 +65,12 @@ IwoooS 的資安機制要符合業界主流做法,不能只停在「有 Wazuh 本體制引用主流框架只代表控制模型與優先序校準,不代表採購、切換平台、啟用 active response、執行 Kali active scan、修改 Nginx、reload Alertmanager、發 Telegram live send 或允許 AI agent 直接處置。 +### 2.2 2026-06-25 作戰系統入口 + +新增 `docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md` 作為 IwoooS 資安作戰系統入口。它把主流框架、SOC / CSIRT / DevSecOps 分工、SEV0-SEV4 即時危害分流、24 條工作流、9 欄告警訊息合約、8 階 AI 自動化閉環、12 個驗證階段、12 條 no-false-green 規則與 7 個跨 session 同步檢查點統一到一份 snapshot。 + +目前作戰系統完成的是 source / snapshot / guard / frontstage 可驗證控制面:`source artifact=100%`、`evidence-weighted=56%`、`runtime response=0%`、`Wazuh manager registry acceptance=0%`。這個入口不會覆蓋既有資產總帳、外部入侵防堵矩陣或 SOC / SIEM / Kali / Wazuh 控制矩陣,而是把它們排進同一條作戰路線。 + | 優先 | 控制域 | 要做什麼 | 第一階段驗收 | |------|--------|----------|--------------| | P0 | 資產與暴露面 | 建立 host、domain、route、service、port、package、container、repo、workflow、secret metadata、backup、AI agent 完整 inventory | 每個資產有 owner、用途、風險、來源證據、最後觀測時間 | diff --git a/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md b/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md index 2f49c6f5..bbb377eb 100644 --- a/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md +++ b/docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md @@ -167,3 +167,16 @@ - IwoooS 資安體制完整度:`70% -> 76%` 來源端;owner evidence、Wazuh manager registry truth、Kali active scan、SOAR / active response 與 runtime gate 仍維持 `0%`。 - 前台可視化:需完成 production desktop / mobile smoke 後才可宣告 production visible。 - runtime / host write / active response / active scan / auto block:全部維持 `0 / false`。 + +## 12. 2026-06-25 作戰系統上層整合 + +SOC / SIEM / Kali / Wazuh 控制矩陣已被納入 `docs/security/IWOOOS-SECURITY-OPERATING-SYSTEM.md`。該作戰系統是上層營運體制,用來固定: + +- `20` 個主流框架參照。 +- `24` 條資安工作流,其中 `12` 條為 P0。 +- `5` 條 severity lane,將已確認入侵、已遭利用弱點、credential exposure、Wazuh agent 消失與 Nginx / firewall drift 排到前面。 +- `9` 欄告警訊息合約,要求告警必須白話、可行動、可驗證,不得只貼 raw log。 +- `8` 階 AI 自動化閉環與 `12` 個驗證階段。 +- `12` 條 no-false-green 規則,避免 route 200、Dashboard up、agent active、CD success 或 UI 可見被誤判成資安完成。 + +新作戰系統已由 `scripts/security/iwooos-security-operating-system.py` 產生 snapshot,並接入 `security-mirror-progress-guard.py`。目前只代表 source / snapshot / guard / 前台控制面收斂;Wazuh manager registry、Kali scope、alert receipt、incident case、host forensic 與 runtime response 仍維持 `0%` 或 `0 / false`。 diff --git a/docs/security/iwooos-security-operating-system.snapshot.json b/docs/security/iwooos-security-operating-system.snapshot.json new file mode 100644 index 00000000..af9d14ab --- /dev/null +++ b/docs/security/iwooos-security-operating-system.snapshot.json @@ -0,0 +1,696 @@ +{ + "alert_message_contract": [ + { + "field_id": "event_title", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "severity_and_confidence", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "asset_alias_and_scope", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "what_happened_plain_language", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "why_it_matters", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "redacted_evidence_refs", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "ai_triage_lane", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "next_candidate_action", + "raw_payload_allowed": false, + "required": true + }, + { + "field_id": "owner_gate_and_verification", + "raw_payload_allowed": false, + "required": true + } + ], + "automation_loop_stages": [ + { + "runtime_gate_open": false, + "stage_id": "sensor_evidence" + }, + { + "runtime_gate_open": false, + "stage_id": "normalizer_redaction" + }, + { + "runtime_gate_open": false, + "stage_id": "ai_triage_lane" + }, + { + "runtime_gate_open": false, + "stage_id": "candidate_generation" + }, + { + "runtime_gate_open": false, + "stage_id": "owner_gate" + }, + { + "runtime_gate_open": false, + "stage_id": "execution_boundary" + }, + { + "runtime_gate_open": false, + "stage_id": "verifier_readback" + }, + { + "runtime_gate_open": false, + "stage_id": "learning_writeback" + } + ], + "blocked_actions": [ + "ssh_write", + "host_live_secret_read", + "wazuh_active_response_enable", + "kali_active_scan", + "kali_execute", + "nginx_reload", + "firewall_change", + "docker_restart", + "systemd_restart", + "argocd_sync", + "kubectl_apply", + "workflow_modification", + "secret_rotation", + "telegram_live_send", + "soar_action", + "auto_block", + "production_write", + "force_push" + ], + "cross_session_sync_checkpoints": [ + { + "checkpoint_id": "fetch_gitea_main_before_work", + "required": true + }, + { + "checkpoint_id": "share_commit_and_run_ids", + "required": true + }, + { + "checkpoint_id": "share_production_readback", + "required": true + }, + { + "checkpoint_id": "declare_runtime_boundaries", + "required": true + }, + { + "checkpoint_id": "freeze_same_host_or_same_gateway_edits", + "required": true + }, + { + "checkpoint_id": "record_owner_gate_state", + "required": true + }, + { + "checkpoint_id": "update_logbook_after_stage", + "required": true + } + ], + "execution_boundaries": { + "auto_block_authorized": false, + "firewall_change_authorized": false, + "host_write_authorized": false, + "kali_active_scan_authorized": false, + "kali_execute_authorized": false, + "nginx_reload_authorized": false, + "not_authorization": true, + "production_write_authorized": false, + "runtime_execution_authorized": false, + "secret_value_collection_allowed": false, + "soar_action_authorized": false, + "telegram_live_send_authorized": false, + "wazuh_active_response_authorized": false + }, + "generated_at": "2026-06-25T17:20:00+08:00", + "git_commit": "092bd376", + "mode": "repo_snapshot_guard_frontstage_only", + "no_false_green_rules": [ + { + "enforced": true, + "rule_id": "route_200_is_not_security_clearance" + }, + { + "enforced": true, + "rule_id": "dashboard_up_is_not_agent_registry" + }, + { + "enforced": true, + "rule_id": "agent_active_is_not_intrusion_closed" + }, + { + "enforced": true, + "rule_id": "alert_quiet_is_not_alert_chain_healthy" + }, + { + "enforced": true, + "rule_id": "backup_fresh_is_not_restore_drill" + }, + { + "enforced": true, + "rule_id": "cd_success_is_not_runtime_authorization" + }, + { + "enforced": true, + "rule_id": "ui_visible_is_not_owner_acceptance" + }, + { + "enforced": true, + "rule_id": "awooop_approval_is_not_security_approval" + }, + { + "enforced": true, + "rule_id": "external_agent_claim_is_not_forensic_proof" + }, + { + "enforced": true, + "rule_id": "transport_connection_is_not_registry_acceptance" + }, + { + "enforced": true, + "rule_id": "source_snapshot_is_not_live_truth" + }, + { + "enforced": true, + "rule_id": "general_continue_is_not_maintenance_window" + } + ], + "operating_roles": [ + { + "label": "資安作戰負責人", + "responsibility": "維護控制面、優先序、完成度與停止線。", + "role_id": "security_program_owner", + "runtime_gate_open": false + }, + { + "label": "SOC 審查人", + "responsibility": "審查告警、SIEM、Wazuh、Kali 與 no-false-green evidence。", + "role_id": "soc_reviewer", + "runtime_gate_open": false + }, + { + "label": "事故指揮", + "responsibility": "統一 severity、scope、containment 候選與跨專案同步。", + "role_id": "incident_commander", + "runtime_gate_open": false + }, + { + "label": "平台負責人", + "responsibility": "負責 host、Docker、systemd、Nginx、K8s、ArgoCD 與 public gateway 影響判讀。", + "role_id": "platform_owner", + "runtime_gate_open": false + }, + { + "label": "服務負責人", + "responsibility": "負責產品、API、網站、admin、webhook 與 AI provider route 的驗證。", + "role_id": "service_owner", + "runtime_gate_open": false + }, + { + "label": "證據保管人", + "responsibility": "維護脫敏 refs、chain of custody、retention 與 raw absence attestation。", + "role_id": "evidence_custodian", + "runtime_gate_open": false + }, + { + "label": "變更管理人", + "responsibility": "確認維護窗口、rollback owner、postcheck、operator notification 與 freeze。", + "role_id": "change_manager", + "runtime_gate_open": false + }, + { + "label": "供應鏈負責人", + "responsibility": "負責 workflow、runner、Harbor、SBOM、SLSA、Cosign、KEV / package SLA。", + "role_id": "supply_chain_owner", + "runtime_gate_open": false + }, + { + "label": "AI 安全審查人", + "responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。", + "role_id": "ai_security_reviewer", + "runtime_gate_open": false + }, + { + "label": "風險負責人", + "responsibility": "接受風險、例外期限、資源優先序與治理報告。", + "role_id": "executive_risk_owner", + "runtime_gate_open": false + } + ], + "reference_frameworks": [ + { + "framework_id": "nist_csf_2_0", + "label": "NIST CSF 2.0", + "source_url": "https://www.nist.gov/cyberframework" + }, + { + "framework_id": "nist_sp_800_61_r3", + "label": "NIST SP 800-61 Rev. 3", + "source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final" + }, + { + "framework_id": "cis_controls_v8_1", + "label": "CIS Controls v8.1", + "source_url": "https://www.cisecurity.org/controls/v8-1" + }, + { + "framework_id": "cisa_zero_trust", + "label": "CISA Zero Trust Maturity Model", + "source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model" + }, + { + "framework_id": "cisa_kev", + "label": "CISA Known Exploited Vulnerabilities", + "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" + }, + { + "framework_id": "first_epss", + "label": "FIRST EPSS", + "source_url": "https://www.first.org/epss/" + }, + { + "framework_id": "mitre_attack", + "label": "MITRE ATT&CK Enterprise", + "source_url": "https://attack.mitre.org/matrices/enterprise/" + }, + { + "framework_id": "mitre_d3fend", + "label": "MITRE D3FEND", + "source_url": "https://d3fend.mitre.org/" + }, + { + "framework_id": "owasp_asvs", + "label": "OWASP ASVS", + "source_url": "https://owasp.org/www-project-application-security-verification-standard/" + }, + { + "framework_id": "owasp_samm", + "label": "OWASP SAMM", + "source_url": "https://owaspsamm.org/" + }, + { + "framework_id": "wazuh_xdr_siem", + "label": "Wazuh XDR / SIEM", + "source_url": "https://documentation.wazuh.com/current/index.html" + }, + { + "framework_id": "wazuh_active_response", + "label": "Wazuh Active Response", + "source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html" + }, + { + "framework_id": "prometheus_alertmanager", + "label": "Prometheus Alertmanager", + "source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/" + }, + { + "framework_id": "opentelemetry", + "label": "OpenTelemetry", + "source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/" + }, + { + "framework_id": "ocsf", + "label": "Open Cybersecurity Schema Framework", + "source_url": "https://ocsf.io/" + }, + { + "framework_id": "sigma", + "label": "Sigma detection rules", + "source_url": "https://sigmahq.io/sigma/" + }, + { + "framework_id": "slsa", + "label": "SLSA", + "source_url": "https://slsa.dev/" + }, + { + "framework_id": "spdx_cyclonedx", + "label": "SPDX / CycloneDX", + "source_url": "https://spdx.dev/" + }, + { + "framework_id": "sigstore_cosign", + "label": "Sigstore / Cosign", + "source_url": "https://docs.sigstore.dev/cosign/signing/signing_with_containers/" + }, + { + "framework_id": "nist_ai_rmf", + "label": "NIST AI RMF", + "source_url": "https://www.nist.gov/itl/ai-risk-management-framework" + } + ], + "schema_version": "iwooos_security_operating_system_v1", + "severity_lanes": [ + { + "label": "已確認入侵或 active exploitation", + "runtime_gate_open": false, + "severity": "SEV0", + "triage_target": "15 分鐘內形成 case / freeze / containment 候選;不得無 owner 直接執行。" + }, + { + "label": "公開入口高風險、KEV、credential exposure、Wazuh agent 消失", + "runtime_gate_open": false, + "severity": "SEV1", + "triage_target": "30 分鐘內形成 owner packet、證據缺口與維護窗口草案。" + }, + { + "label": "Nginx / firewall / runner / workflow / runtime drift", + "runtime_gate_open": false, + "severity": "SEV2", + "triage_target": "4 小時內完成 diff、owner、rollback 與 postcheck 計畫。" + }, + { + "label": "告警噪音、coverage gap、dashboard degradation", + "runtime_gate_open": false, + "severity": "SEV3", + "triage_target": "1 個工作日內進入 backlog 與 no-false-green 修正。" + }, + { + "label": "治理、文件、成熟度與低風險 hardening", + "runtime_gate_open": false, + "severity": "SEV4", + "triage_target": "納入週期報告與例外期限,不得混成緊急事件。" + } + ], + "status": "iwooos_security_operating_system_ready_no_runtime_action", + "summary": { + "action_button_count": 0, + "alert_contract_field_count": 9, + "alert_receipt_accepted_count": 0, + "automation_loop_stage_count": 8, + "blocked_action_count": 18, + "cross_session_sync_checkpoint_count": 7, + "evidence_weighted_security_operating_system_percent": 56, + "host_forensics_accepted_count": 0, + "incident_case_accepted_count": 0, + "kali_scope_accepted_count": 0, + "no_false_green_rule_count": 12, + "operating_role_count": 10, + "owner_response_accepted_count": 0, + "owner_response_received_count": 0, + "p0_workstream_count": 12, + "p1_workstream_count": 8, + "p2_workstream_count": 4, + "reference_framework_count": 20, + "runtime_gate_count": 0, + "runtime_response_percent": 0, + "severity_lane_count": 5, + "soc_siem_framework_percent": 92, + "source_control_artifact_percent": 100, + "verification_stage_count": 12, + "wazuh_manager_registry_acceptance_percent": 0, + "wazuh_registry_accepted_count": 0, + "workstream_count": 24 + }, + "verification_stages": [ + { + "accepted": false, + "stage_id": "source_guard" + }, + { + "accepted": false, + "stage_id": "snapshot_schema" + }, + { + "accepted": false, + "stage_id": "redaction_guard" + }, + { + "accepted": false, + "stage_id": "owner_packet_preflight" + }, + { + "accepted": false, + "stage_id": "wazuh_registry_readback" + }, + { + "accepted": false, + "stage_id": "kali_scope_readback" + }, + { + "accepted": false, + "stage_id": "alert_receipt_readback" + }, + { + "accepted": false, + "stage_id": "route_desktop_mobile_smoke" + }, + { + "accepted": false, + "stage_id": "postcheck_metrics" + }, + { + "accepted": false, + "stage_id": "cross_session_sync" + }, + { + "accepted": false, + "stage_id": "logbook_update" + }, + { + "accepted": false, + "stage_id": "no_false_green_review" + } + ], + "workstreams": [ + { + "lane_id": "asset_exposure_graph", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "host、domain、route、service、port、package、repo、runner、secret metadata、backup、AI agent", + "title": "資產 / 暴露面總圖", + "workstream_id": "P0-01" + }, + { + "lane_id": "wazuh_registry_truth", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "agent total、active、disconnected、last seen、expected minimum、dashboard / API mismatch", + "title": "Wazuh manager registry truth", + "workstream_id": "P0-02" + }, + { + "lane_id": "host_intrusion_forensics", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "auth、sudo、process、network、FIM、persistence、package、service、Docker event", + "title": "主機入侵與鑑識", + "workstream_id": "P0-03" + }, + { + "lane_id": "gateway_config_control", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "source-to-live diff、rendered diff、nginx test ref、route smoke、rollback", + "title": "Nginx / Gateway config-control", + "workstream_id": "P0-04" + }, + { + "lane_id": "network_access_baseline", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "before / after、actor、impact、operator notification、restoration evidence", + "title": "SSH / firewall / WireGuard / NodePort baseline", + "workstream_id": "P0-05" + }, + { + "lane_id": "secret_identity_hygiene", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "SSH、sudo、deploy key、runner token name、webhook secret name、OIDC、break-glass", + "title": "身分與 secret metadata", + "workstream_id": "P0-06" + }, + { + "lane_id": "alert_readability_receipt", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "Telegram / Alertmanager / Wazuh alert card、dedupe、noise budget、receipt", + "title": "告警可讀性與 receipt", + "workstream_id": "P0-07" + }, + { + "lane_id": "incident_case_gate", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "case id、timeline、owner、decision、containment、recovery、postcheck、lesson learned", + "title": "Incident case gate", + "workstream_id": "P0-08" + }, + { + "lane_id": "kev_exposure_patch_priority", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "CISA KEV、EPSS、public exposure、asset criticality、maintenance window", + "title": "KEV / exposure / package SLA", + "workstream_id": "P0-09" + }, + { + "lane_id": "backup_restore_forensic_retention", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "restore drill、offsite、escrow、chain of custody、retention、rollback proof", + "title": "備份 / 還原 / 鑑識保存", + "workstream_id": "P0-10" + }, + { + "lane_id": "runner_workflow_supply_chain", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "Gitea、workflow、runner、deploy key、Harbor、SBOM、Cosign、SLSA", + "title": "Runner / workflow / supply-chain", + "workstream_id": "P0-11" + }, + { + "lane_id": "ai_agent_permission_gate", + "owner_packet_required": true, + "priority": "P0", + "runtime_gate_open": false, + "scope": "tool allowlist、redaction、cost、privacy、approval、excessive agency", + "title": "AI Agent 權限閘", + "workstream_id": "P0-12" + }, + { + "lane_id": "kali_evidence_envelope", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "health、tool version、scope、normalized finding、active scan approval packet", + "title": "Kali 112 evidence envelope", + "workstream_id": "P1-01" + }, + { + "lane_id": "detection_as_code", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "ATT&CK、D3FEND、Sigma、測試資料、false-positive budget、rule owner", + "title": "Detection-as-code", + "workstream_id": "P1-02" + }, + { + "lane_id": "ndr_passive_sensor", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "Suricata、Zeek、DNS / TLS / HTTP / flow logs;不開 IPS", + "title": "NDR passive sensor", + "workstream_id": "P1-03" + }, + { + "lane_id": "k8s_docker_hardening", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "CIS / NSA-CISA 對照、Pod Security、RBAC、NetworkPolicy、audit log", + "title": "K8s / Docker hardening", + "workstream_id": "P1-04" + }, + { + "lane_id": "appsec_api_asvs", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "auth、authorization、session、rate limit、CORS、security headers、webhook abuse case", + "title": "AppSec / API ASVS", + "workstream_id": "P1-05" + }, + { + "lane_id": "sbom_slsa_cosign", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "SPDX、CycloneDX、VEX、provenance、artifact signing、verify", + "title": "SBOM / SLSA / Cosign", + "workstream_id": "P1-06" + }, + { + "lane_id": "soar_dry_run_case_enrichment", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "TheHive / Cortex 類 case draft、enrichment、blast radius、rollback", + "title": "SOAR dry-run / case enrichment", + "workstream_id": "P1-07" + }, + { + "lane_id": "grc_exception_register", + "owner_packet_required": true, + "priority": "P1", + "runtime_gate_open": false, + "scope": "risk register、accepted risk、expiry、audit evidence、control owner", + "title": "GRC / exception register", + "workstream_id": "P1-08" + }, + { + "lane_id": "ueba_behavior_baseline", + "owner_packet_required": true, + "priority": "P2", + "runtime_gate_open": false, + "scope": "使用者、service account、runner、AI agent、host process、egress baseline", + "title": "UEBA / 行為基線", + "workstream_id": "P2-01" + }, + { + "lane_id": "purple_team_validation", + "owner_packet_required": true, + "priority": "P2", + "runtime_gate_open": false, + "scope": "ATT&CK emulation、BAS / canary、偵測回歸;需授權 scope", + "title": "Purple-team / tabletop", + "workstream_id": "P2-02" + }, + { + "lane_id": "mdr_247_process", + "owner_packet_required": true, + "priority": "P2", + "runtime_gate_open": false, + "scope": "on-call、升級、SLA、交接、值班報表、演練", + "title": "MDR / 24x7 流程", + "workstream_id": "P2-03" + }, + { + "lane_id": "exposure_management_graph", + "owner_packet_required": true, + "priority": "P2", + "runtime_gate_open": false, + "scope": "外部攻擊面、弱點、身份、雲端、repo、AI agent、資料流", + "title": "Exposure management graph", + "workstream_id": "P2-04" + } + ] +} diff --git a/scripts/security/iwooos-security-operating-system.py b/scripts/security/iwooos-security-operating-system.py new file mode 100644 index 00000000..d621b3ee --- /dev/null +++ b/scripts/security/iwooos-security-operating-system.py @@ -0,0 +1,427 @@ +#!/usr/bin/env python3 +"""IwoooS 資安作戰系統產生器。 + +本工具只產生 repo 內 snapshot,將主流資安框架、SOC / CSIRT / DevSecOps +分工、即時危害分流、告警訊息合約、Wazuh / Kali / Nginx / host / CI/CD +驗證節點與 AI 自動化閉環,收斂成一份可重跑的作戰系統。 + +它不連線主機、不呼叫 Wazuh / Kali、不 SSH、不讀 secret、不送 Telegram、 +不 reload Nginx / Alertmanager、不改 firewall / K8s / workflow,也不啟用 +active response、active scan、SOAR 或 auto block。 +""" + +from __future__ import annotations + +import argparse +import json +import re +import subprocess +import sys +from datetime import datetime, timedelta, timezone +from pathlib import Path +from typing import Any + + +TAIPEI = timezone(timedelta(hours=8)) +SNAPSHOT_PATH = Path("docs/security/iwooos-security-operating-system.snapshot.json") +SCHEMA_VERSION = "iwooos_security_operating_system_v1" + +REFERENCE_FRAMEWORKS = [ + ("nist_csf_2_0", "NIST CSF 2.0", "https://www.nist.gov/cyberframework"), + ("nist_sp_800_61_r3", "NIST SP 800-61 Rev. 3", "https://csrc.nist.gov/pubs/sp/800/61/r3/final"), + ("cis_controls_v8_1", "CIS Controls v8.1", "https://www.cisecurity.org/controls/v8-1"), + ("cisa_zero_trust", "CISA Zero Trust Maturity Model", "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model"), + ("cisa_kev", "CISA Known Exploited Vulnerabilities", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"), + ("first_epss", "FIRST EPSS", "https://www.first.org/epss/"), + ("mitre_attack", "MITRE ATT&CK Enterprise", "https://attack.mitre.org/matrices/enterprise/"), + ("mitre_d3fend", "MITRE D3FEND", "https://d3fend.mitre.org/"), + ("owasp_asvs", "OWASP ASVS", "https://owasp.org/www-project-application-security-verification-standard/"), + ("owasp_samm", "OWASP SAMM", "https://owaspsamm.org/"), + ("wazuh_xdr_siem", "Wazuh XDR / SIEM", "https://documentation.wazuh.com/current/index.html"), + ("wazuh_active_response", "Wazuh Active Response", "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html"), + ("prometheus_alertmanager", "Prometheus Alertmanager", "https://prometheus.io/docs/alerting/latest/alertmanager/"), + ("opentelemetry", "OpenTelemetry", "https://opentelemetry.io/docs/what-is-opentelemetry/"), + ("ocsf", "Open Cybersecurity Schema Framework", "https://ocsf.io/"), + ("sigma", "Sigma detection rules", "https://sigmahq.io/sigma/"), + ("slsa", "SLSA", "https://slsa.dev/"), + ("spdx_cyclonedx", "SPDX / CycloneDX", "https://spdx.dev/"), + ("sigstore_cosign", "Sigstore / Cosign", "https://docs.sigstore.dev/cosign/signing/signing_with_containers/"), + ("nist_ai_rmf", "NIST AI RMF", "https://www.nist.gov/itl/ai-risk-management-framework"), +] + +OPERATING_ROLES = [ + ("security_program_owner", "資安作戰負責人", "維護控制面、優先序、完成度與停止線。"), + ("soc_reviewer", "SOC 審查人", "審查告警、SIEM、Wazuh、Kali 與 no-false-green evidence。"), + ("incident_commander", "事故指揮", "統一 severity、scope、containment 候選與跨專案同步。"), + ("platform_owner", "平台負責人", "負責 host、Docker、systemd、Nginx、K8s、ArgoCD 與 public gateway 影響判讀。"), + ("service_owner", "服務負責人", "負責產品、API、網站、admin、webhook 與 AI provider route 的驗證。"), + ("evidence_custodian", "證據保管人", "維護脫敏 refs、chain of custody、retention 與 raw absence attestation。"), + ("change_manager", "變更管理人", "確認維護窗口、rollback owner、postcheck、operator notification 與 freeze。"), + ("supply_chain_owner", "供應鏈負責人", "負責 workflow、runner、Harbor、SBOM、SLSA、Cosign、KEV / package SLA。"), + ("ai_security_reviewer", "AI 安全審查人", "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。"), + ("executive_risk_owner", "風險負責人", "接受風險、例外期限、資源優先序與治理報告。"), +] + +SEVERITY_LANES = [ + ("SEV0", "已確認入侵或 active exploitation", "15 分鐘內形成 case / freeze / containment 候選;不得無 owner 直接執行。"), + ("SEV1", "公開入口高風險、KEV、credential exposure、Wazuh agent 消失", "30 分鐘內形成 owner packet、證據缺口與維護窗口草案。"), + ("SEV2", "Nginx / firewall / runner / workflow / runtime drift", "4 小時內完成 diff、owner、rollback 與 postcheck 計畫。"), + ("SEV3", "告警噪音、coverage gap、dashboard degradation", "1 個工作日內進入 backlog 與 no-false-green 修正。"), + ("SEV4", "治理、文件、成熟度與低風險 hardening", "納入週期報告與例外期限,不得混成緊急事件。"), +] + +WORKSTREAMS = [ + ("P0-01", "asset_exposure_graph", "P0", "資產 / 暴露面總圖", "host、domain、route、service、port、package、repo、runner、secret metadata、backup、AI agent"), + ("P0-02", "wazuh_registry_truth", "P0", "Wazuh manager registry truth", "agent total、active、disconnected、last seen、expected minimum、dashboard / API mismatch"), + ("P0-03", "host_intrusion_forensics", "P0", "主機入侵與鑑識", "auth、sudo、process、network、FIM、persistence、package、service、Docker event"), + ("P0-04", "gateway_config_control", "P0", "Nginx / Gateway config-control", "source-to-live diff、rendered diff、nginx test ref、route smoke、rollback"), + ("P0-05", "network_access_baseline", "P0", "SSH / firewall / WireGuard / NodePort baseline", "before / after、actor、impact、operator notification、restoration evidence"), + ("P0-06", "secret_identity_hygiene", "P0", "身分與 secret metadata", "SSH、sudo、deploy key、runner token name、webhook secret name、OIDC、break-glass"), + ("P0-07", "alert_readability_receipt", "P0", "告警可讀性與 receipt", "Telegram / Alertmanager / Wazuh alert card、dedupe、noise budget、receipt"), + ("P0-08", "incident_case_gate", "P0", "Incident case gate", "case id、timeline、owner、decision、containment、recovery、postcheck、lesson learned"), + ("P0-09", "kev_exposure_patch_priority", "P0", "KEV / exposure / package SLA", "CISA KEV、EPSS、public exposure、asset criticality、maintenance window"), + ("P0-10", "backup_restore_forensic_retention", "P0", "備份 / 還原 / 鑑識保存", "restore drill、offsite、escrow、chain of custody、retention、rollback proof"), + ("P0-11", "runner_workflow_supply_chain", "P0", "Runner / workflow / supply-chain", "Gitea、workflow、runner、deploy key、Harbor、SBOM、Cosign、SLSA"), + ("P0-12", "ai_agent_permission_gate", "P0", "AI Agent 權限閘", "tool allowlist、redaction、cost、privacy、approval、excessive agency"), + ("P1-01", "kali_evidence_envelope", "P1", "Kali 112 evidence envelope", "health、tool version、scope、normalized finding、active scan approval packet"), + ("P1-02", "detection_as_code", "P1", "Detection-as-code", "ATT&CK、D3FEND、Sigma、測試資料、false-positive budget、rule owner"), + ("P1-03", "ndr_passive_sensor", "P1", "NDR passive sensor", "Suricata、Zeek、DNS / TLS / HTTP / flow logs;不開 IPS"), + ("P1-04", "k8s_docker_hardening", "P1", "K8s / Docker hardening", "CIS / NSA-CISA 對照、Pod Security、RBAC、NetworkPolicy、audit log"), + ("P1-05", "appsec_api_asvs", "P1", "AppSec / API ASVS", "auth、authorization、session、rate limit、CORS、security headers、webhook abuse case"), + ("P1-06", "sbom_slsa_cosign", "P1", "SBOM / SLSA / Cosign", "SPDX、CycloneDX、VEX、provenance、artifact signing、verify"), + ("P1-07", "soar_dry_run_case_enrichment", "P1", "SOAR dry-run / case enrichment", "TheHive / Cortex 類 case draft、enrichment、blast radius、rollback"), + ("P1-08", "grc_exception_register", "P1", "GRC / exception register", "risk register、accepted risk、expiry、audit evidence、control owner"), + ("P2-01", "ueba_behavior_baseline", "P2", "UEBA / 行為基線", "使用者、service account、runner、AI agent、host process、egress baseline"), + ("P2-02", "purple_team_validation", "P2", "Purple-team / tabletop", "ATT&CK emulation、BAS / canary、偵測回歸;需授權 scope"), + ("P2-03", "mdr_247_process", "P2", "MDR / 24x7 流程", "on-call、升級、SLA、交接、值班報表、演練"), + ("P2-04", "exposure_management_graph", "P2", "Exposure management graph", "外部攻擊面、弱點、身份、雲端、repo、AI agent、資料流"), +] + +ALERT_CONTRACT_FIELDS = [ + "event_title", + "severity_and_confidence", + "asset_alias_and_scope", + "what_happened_plain_language", + "why_it_matters", + "redacted_evidence_refs", + "ai_triage_lane", + "next_candidate_action", + "owner_gate_and_verification", +] + +AUTOMATION_LOOP_STAGES = [ + "sensor_evidence", + "normalizer_redaction", + "ai_triage_lane", + "candidate_generation", + "owner_gate", + "execution_boundary", + "verifier_readback", + "learning_writeback", +] + +VERIFICATION_STAGES = [ + "source_guard", + "snapshot_schema", + "redaction_guard", + "owner_packet_preflight", + "wazuh_registry_readback", + "kali_scope_readback", + "alert_receipt_readback", + "route_desktop_mobile_smoke", + "postcheck_metrics", + "cross_session_sync", + "logbook_update", + "no_false_green_review", +] + +NO_FALSE_GREEN_RULES = [ + "route_200_is_not_security_clearance", + "dashboard_up_is_not_agent_registry", + "agent_active_is_not_intrusion_closed", + "alert_quiet_is_not_alert_chain_healthy", + "backup_fresh_is_not_restore_drill", + "cd_success_is_not_runtime_authorization", + "ui_visible_is_not_owner_acceptance", + "awooop_approval_is_not_security_approval", + "external_agent_claim_is_not_forensic_proof", + "transport_connection_is_not_registry_acceptance", + "source_snapshot_is_not_live_truth", + "general_continue_is_not_maintenance_window", +] + +CROSS_SESSION_SYNC_CHECKPOINTS = [ + "fetch_gitea_main_before_work", + "share_commit_and_run_ids", + "share_production_readback", + "declare_runtime_boundaries", + "freeze_same_host_or_same_gateway_edits", + "record_owner_gate_state", + "update_logbook_after_stage", +] + +BLOCKED_ACTIONS = [ + "ssh_write", + "host_live_secret_read", + "wazuh_active_response_enable", + "kali_active_scan", + "kali_execute", + "nginx_reload", + "firewall_change", + "docker_restart", + "systemd_restart", + "argocd_sync", + "kubectl_apply", + "workflow_modification", + "secret_rotation", + "telegram_live_send", + "soar_action", + "auto_block", + "production_write", + "force_push", +] + +FORBIDDEN_TEXT_PATTERNS = [ + re.compile(r"\b(?:10|127|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"), + re.compile(r"Authorization\s*:", re.IGNORECASE), + re.compile(r"Bearer\s+[A-Za-z0-9._-]{10,}", re.IGNORECASE), + re.compile(r"Basic\s+[A-Za-z0-9+/=]{10,}", re.IGNORECASE), + re.compile(r"password\s*[:=]\s*['\"][^'\"]+['\"]", re.IGNORECASE), + re.compile(r"token\s*[:=]\s*['\"][^'\"]+['\"]", re.IGNORECASE), + re.compile(r"cookie\s*[:=]\s*['\"][^'\"]+['\"]", re.IGNORECASE), + re.compile(r"", re.IGNORECASE), +] + + +def git_short_sha(root: Path) -> str: + try: + result = subprocess.run( + ["git", "rev-parse", "--short", "HEAD"], + cwd=root, + check=True, + capture_output=True, + text=True, + ) + return result.stdout.strip() + except Exception: + return "unknown" + + +def build_snapshot(root: Path, generated_at: str) -> dict[str, Any]: + p0 = [item for item in WORKSTREAMS if item[2] == "P0"] + p1 = [item for item in WORKSTREAMS if item[2] == "P1"] + p2 = [item for item in WORKSTREAMS if item[2] == "P2"] + return { + "schema_version": SCHEMA_VERSION, + "generated_at": generated_at, + "git_commit": git_short_sha(root), + "status": "iwooos_security_operating_system_ready_no_runtime_action", + "mode": "repo_snapshot_guard_frontstage_only", + "reference_frameworks": [ + {"framework_id": framework_id, "label": label, "source_url": source_url} + for framework_id, label, source_url in REFERENCE_FRAMEWORKS + ], + "operating_roles": [ + {"role_id": role_id, "label": label, "responsibility": responsibility, "runtime_gate_open": False} + for role_id, label, responsibility in OPERATING_ROLES + ], + "severity_lanes": [ + {"severity": severity, "label": label, "triage_target": target, "runtime_gate_open": False} + for severity, label, target in SEVERITY_LANES + ], + "workstreams": [ + { + "workstream_id": workstream_id, + "lane_id": lane_id, + "priority": priority, + "title": title, + "scope": scope, + "owner_packet_required": True, + "runtime_gate_open": False, + } + for workstream_id, lane_id, priority, title, scope in WORKSTREAMS + ], + "alert_message_contract": [ + {"field_id": field_id, "required": True, "raw_payload_allowed": False} + for field_id in ALERT_CONTRACT_FIELDS + ], + "automation_loop_stages": [ + {"stage_id": stage_id, "runtime_gate_open": False} for stage_id in AUTOMATION_LOOP_STAGES + ], + "verification_stages": [ + {"stage_id": stage_id, "accepted": False} for stage_id in VERIFICATION_STAGES + ], + "no_false_green_rules": [ + {"rule_id": rule_id, "enforced": True} for rule_id in NO_FALSE_GREEN_RULES + ], + "cross_session_sync_checkpoints": [ + {"checkpoint_id": checkpoint_id, "required": True} for checkpoint_id in CROSS_SESSION_SYNC_CHECKPOINTS + ], + "blocked_actions": BLOCKED_ACTIONS, + "summary": { + "reference_framework_count": len(REFERENCE_FRAMEWORKS), + "operating_role_count": len(OPERATING_ROLES), + "severity_lane_count": len(SEVERITY_LANES), + "workstream_count": len(WORKSTREAMS), + "p0_workstream_count": len(p0), + "p1_workstream_count": len(p1), + "p2_workstream_count": len(p2), + "alert_contract_field_count": len(ALERT_CONTRACT_FIELDS), + "automation_loop_stage_count": len(AUTOMATION_LOOP_STAGES), + "verification_stage_count": len(VERIFICATION_STAGES), + "no_false_green_rule_count": len(NO_FALSE_GREEN_RULES), + "cross_session_sync_checkpoint_count": len(CROSS_SESSION_SYNC_CHECKPOINTS), + "blocked_action_count": len(BLOCKED_ACTIONS), + "source_control_artifact_percent": 100, + "evidence_weighted_security_operating_system_percent": 56, + "soc_siem_framework_percent": 92, + "wazuh_manager_registry_acceptance_percent": 0, + "runtime_response_percent": 0, + "owner_response_received_count": 0, + "owner_response_accepted_count": 0, + "wazuh_registry_accepted_count": 0, + "kali_scope_accepted_count": 0, + "alert_receipt_accepted_count": 0, + "incident_case_accepted_count": 0, + "host_forensics_accepted_count": 0, + "runtime_gate_count": 0, + "action_button_count": 0, + }, + "execution_boundaries": { + "runtime_execution_authorized": False, + "host_write_authorized": False, + "wazuh_active_response_authorized": False, + "kali_active_scan_authorized": False, + "kali_execute_authorized": False, + "nginx_reload_authorized": False, + "firewall_change_authorized": False, + "secret_value_collection_allowed": False, + "telegram_live_send_authorized": False, + "soar_action_authorized": False, + "auto_block_authorized": False, + "production_write_authorized": False, + "not_authorization": True, + }, + } + + +def load_json(path: Path) -> dict[str, Any]: + return json.loads(path.read_text(encoding="utf-8")) + + +def assert_equal(label: str, actual: Any, expected: Any) -> None: + if actual != expected: + raise SystemExit(f"BLOCKED {label}: expected {expected!r}, got {actual!r}") + + +def assert_false(label: str, actual: Any) -> None: + assert_equal(label, actual, False) + + +def collect_string_values(value: Any) -> list[str]: + if isinstance(value, str): + return [value] + if isinstance(value, list): + values: list[str] = [] + for item in value: + values.extend(collect_string_values(item)) + return values + if isinstance(value, dict): + values = [] + for item in value.values(): + values.extend(collect_string_values(item)) + return values + return [] + + +def validate_no_forbidden_text(snapshot: dict[str, Any]) -> None: + for text in collect_string_values(snapshot): + for pattern in FORBIDDEN_TEXT_PATTERNS: + if pattern.search(text): + raise SystemExit("BLOCKED iwooos_security_operating_system: snapshot contains forbidden sensitive text") + + +def validate(root: Path) -> None: + snapshot = load_json(root / SNAPSHOT_PATH) + assert_equal("schema_version", snapshot.get("schema_version"), SCHEMA_VERSION) + assert_equal("status", snapshot.get("status"), "iwooos_security_operating_system_ready_no_runtime_action") + assert_equal("mode", snapshot.get("mode"), "repo_snapshot_guard_frontstage_only") + summary = snapshot.get("summary", {}) + expected_counts = { + "reference_framework_count": 20, + "operating_role_count": 10, + "severity_lane_count": 5, + "workstream_count": 24, + "p0_workstream_count": 12, + "p1_workstream_count": 8, + "p2_workstream_count": 4, + "alert_contract_field_count": 9, + "automation_loop_stage_count": 8, + "verification_stage_count": 12, + "no_false_green_rule_count": 12, + "cross_session_sync_checkpoint_count": 7, + "blocked_action_count": 18, + "source_control_artifact_percent": 100, + "evidence_weighted_security_operating_system_percent": 56, + "soc_siem_framework_percent": 92, + "wazuh_manager_registry_acceptance_percent": 0, + "runtime_response_percent": 0, + "owner_response_received_count": 0, + "owner_response_accepted_count": 0, + "wazuh_registry_accepted_count": 0, + "kali_scope_accepted_count": 0, + "alert_receipt_accepted_count": 0, + "incident_case_accepted_count": 0, + "host_forensics_accepted_count": 0, + "runtime_gate_count": 0, + "action_button_count": 0, + } + for key, expected in expected_counts.items(): + assert_equal(f"summary.{key}", summary.get(key), expected) + boundaries = snapshot.get("execution_boundaries", {}) + for key, value in boundaries.items(): + if key == "not_authorization": + assert_equal(f"execution_boundaries.{key}", value, True) + else: + assert_false(f"execution_boundaries.{key}", value) + validate_no_forbidden_text(snapshot) + + +def main() -> int: + parser = argparse.ArgumentParser(description="IwoooS 資安作戰系統") + parser.add_argument("--root", default=".", help="repo root") + parser.add_argument("--output", help="寫出 JSON snapshot") + parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用") + parser.add_argument("--json", action="store_true") + args = parser.parse_args() + + root = Path(args.root).resolve() + generated_at = args.generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds") + if args.output: + output = Path(args.output) + if not output.is_absolute(): + output = root / output + snapshot = build_snapshot(root, generated_at) + output.parent.mkdir(parents=True, exist_ok=True) + output.write_text(json.dumps(snapshot, ensure_ascii=False, indent=2, sort_keys=True) + "\n", encoding="utf-8") + + validate(root) + snapshot = load_json(root / SNAPSHOT_PATH) + if args.json: + print(json.dumps(snapshot, ensure_ascii=False, sort_keys=True)) + return 0 + summary = snapshot["summary"] + print( + "IWOOOS_SECURITY_OPERATING_SYSTEM_OK " + f"frameworks={summary['reference_framework_count']} " + f"workstreams={summary['workstream_count']} " + f"p0={summary['p0_workstream_count']} " + f"alert_contract={summary['alert_contract_field_count']} " + f"evidence_percent={summary['evidence_weighted_security_operating_system_percent']} " + f"runtime_gate={summary['runtime_gate_count']}" + ) + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 9aa41b0f..f06e306f 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -131,6 +131,10 @@ def validate(root: Path) -> None: str(root / "scripts" / "security" / "telegram-alert-readability-guard.py") ) telegram_alert_readability_guard["validate"](root) + iwooos_security_operating_system = runpy.run_path( + str(root / "scripts" / "security" / "iwooos-security-operating-system.py") + ) + iwooos_security_operating_system["validate"](root) public_frontend_sensitive_surface = load_json( security_dir / "public-frontend-sensitive-surface-guard.snapshot.json" )