fix(web): refresh IwoooS Kali live evidence

Your Name
2026-06-03 11:00:08 +08:00
parent 8c1bdcdf70
commit cc5dc2f62c
10 changed files with 314 additions and 96 deletions


@@ -7478,13 +7478,13 @@
},
"kaliScanScope": {
"title": "Kali 掃描範圍",
"body": "Kali 112、111、168 目前仍是 僅觀察;active scan 與 /execute 仍需獨立批准。",
"body": "Kali 112、111、168 目前仍是僅觀察;主動掃描與 /execute 仍需獨立批准。",
"unlock": "掃描範圍批准 + 後續追蹤 閘門"
},
"followupRuntimeGate": {
"title": "Follow-up 執行期閘門",
"title": "後續追蹤執行期閘門",
"body": "所有實際執行都要等人工 決策紀錄 後,另開 後續追蹤 執行期閘門。",
"unlock": "決策紀錄 已接受active 閘門 仍為 0"
"unlock": "決策紀錄已接受後才可評估;啟用中閘門仍為 0"
}
}
},
@@ -7495,47 +7495,55 @@
"items": {
"kali112": {
"title": "Kali 資安主機",
"body": "192.168.0.112 是資安網的 Kali 節點,已在 posture 與 evidence refs 中作為 僅觀察 整合面。",
"state": "已納入視野;active scan、/execute、主機更新仍需獨立批准"
"body": "192.168.0.112 是資安網的 Kali 節點,已在姿態與證據參照中作為僅觀察整合面。",
"state": "已納入視野;主動掃描、/execute、主機更新仍需獨立批准"
},
"dev168": {
"title": "開發主機 168",
"body": "192.168.0.168 納入 IwoooS 的 僅觀察 開發主機覆蓋,用於後續 scope approval 與 發現 關聯。",
"state": "範圍已宣告;尚未批准 憑證掃描 或 runtime 控制"
"body": "192.168.0.168 納入 IwoooS 的僅觀察開發主機覆蓋,用於後續掃描範圍批准與發現關聯。",
"state": "範圍已宣告;尚未批准憑證掃描或執行期控制"
},
"dev111": {
"title": "開發主機 111",
"body": "192.168.0.111 納入 IwoooS 的 僅觀察 開發主機覆蓋,與 168 一起維持低摩擦分階段收斂。",
"state": "範圍已宣告;尚未批准 憑證掃描 或 runtime 控制"
"body": "192.168.0.111 納入 IwoooS 的僅觀察開發主機覆蓋,與 168 一起維持低摩擦分階段收斂。",
"state": "範圍已宣告;尚未批准憑證掃描或執行期控制"
}
}
},
"kaliMaintenanceReadiness": {
"eyebrow": "Kali 112 維護就緒度",
"title": "Kali 112 已納管,但更新與重啟仍在維護 閘門",
"subtitle": "這個看板把 2026-05-31 17:22 的只讀快照轉成操作可讀狀態:目前能確認主機存在、健康資訊可見、風險缺口明確;但 full-upgrade、autoremove、reboot、掃描/execute 都還沒有批准。",
"title": "Kali 112 今天已重新只讀驗證,更新與重啟仍在維護閘門",
"subtitle": "這個看板把 2026-06-03 10:23 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與健康檢查正常node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描/execute 與服務硬化套用都還沒有批准。",
"maintenanceGateLabel": "維護 閘門",
"maintenanceGate": "Kali rolling full-upgrade / autoremove / reboot 仍是 security approval queue 的 pending approval。必須先有維護窗口、snapshot、rollback、post-health 複驗與人工批准,才能往主機更新前進。",
"nextEvidenceLabel": "下一份要補的 evidence",
"nextEvidence": "將 `kali-full-upgrade-reboot-approval-20260513` 的窗口、回復 owner、服務驗證清單與失敗處理 lane 補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。",
"maintenanceGate": "Kali 完整套件升級、自動移除與重啟仍在資安審批佇列等待批准。必須先有維護窗口、快照、回復方案、事後健康複驗與人工批准,才能往主機更新前進。",
"nextEvidenceLabel": "下一份要補的證據",
"nextEvidence": "將 Kali 112 維護窗口批准案的維護窗口、回復負責人、服務驗證清單與失敗處理路徑補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。",
"boundaryTitle": "只讀邊界",
"boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與 approval queue 投影而來,用來避免把可見狀態誤讀成執行授權。",
"boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與審批佇列投影而來,用來避免把可見狀態誤讀成執行授權。",
"items": {
"readOnlySnapshot": {
"label": "最新只讀快照",
"detail": "既有 SSH key 只讀收集,沒有改主機。"
"detail": "既有 SSH key 只讀收集,沒有掃描、更新、調校或重啟。"
},
"scannerHealth": {
"label": "掃描服務健康",
"detail": "kali-scanner.service 目前運行且開機啟用,/health 回健康。"
},
"upgradablePackages": {
"label": "待更新套件",
"detail": "代表需要排維護窗口,不代表現在可直接更新。"
},
"failedSystemdUnits": {
"label": "failed systemd unit",
"detail": "需要維護前檢查與事後健康複驗。"
"label": "失敗服務單元",
"detail": "目前為 networking.service需在維護前檢查原因。"
},
"serviceHardening": {
"label": "服務硬化",
"detail": "NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。"
},
"runtimeGate": {
"label": "執行期閘門",
"detail": "active runtime gate 仍為 0。"
"detail": "啟用中的執行期閘門仍為 0。"
}
}
},
@@ -7551,8 +7559,8 @@
},
"credentialedScan": {
"title": "憑證掃描",
"body": "任何帶憑證的掃描都必須先有 scope、credential handling 與脫敏 evidence 規範。",
"gate": "需要 S1.6 scope approval;目前 憑證掃描=false"
"body": "任何帶憑證的掃描都必須先有掃描範圍、憑證處理與脫敏證據規範。",
"gate": "需要 S1.6 掃描範圍批准;目前 憑證掃描=false"
},
"kaliExecute": {
"title": "Kali /execute",
@@ -7562,7 +7570,7 @@
"sshChange": {
"title": "SSH / 主機變更",
"body": "登入主機、改設定、套用調校、重啟服務或變更 SSH 設定都不屬於目前前端權限。",
"gate": "需要明確人工批准、變更計畫與 回復 evidence"
"gate": "需要明確人工批准、變更計畫與回復證據"
},
"kaliUpdate": {
"title": "Kali 主機更新",
@@ -7570,19 +7578,19 @@
"gate": "需要維護窗口、更新清單、驗證指標與 回復 計畫"
},
"runtimeBlocking": {
"title": "Runtime 阻擋控制",
"body": "將 發現 變成產品阻擋或 runtime enforcement 仍要等 owner evidence 與人工決策。",
"title": "執行期阻擋控制",
"body": "將發現變成產品阻擋或執行期強制控制,仍要等負責人證據與人工決策。",
"gate": "需要 已接受 決策紀錄;啟用中的執行期閘門 仍為 0"
}
}
},
"hostEvidenceReadiness": {
"title": "主機 證據就緒度",
"subtitle": "列出主機掃描、更新、SSH 變更或 runtime blocking 前必須補齊的 evidence。這些項目目前都只是待收件,不代表已批准。",
"subtitle": "列出主機掃描、更新、SSH 變更或執行期阻擋前必須補齊的證據。這些項目目前都只是待收件,不代表已批准。",
"evidenceLabel": "需要 證據",
"items": {
"scopeBoundary": {
"title": "範圍 boundary",
"title": "範圍邊界",
"body": "確認 112、168、111 的允許目標、排除範圍、掃描深度與速率限制。",
"evidence": "需要脫敏 掃描範圍批准;已收到=0、已接受=0"
},
@@ -7592,7 +7600,7 @@
"evidence": "需要 已接受 決策紀錄;目前 啟用中的執行期閘門=0"
},
"credentialHandling": {
"title": "憑證 handling",
"title": "憑證處理",
"body": "帶憑證掃描前要先定義憑證來源、保存邊界、遮蔽方式與拒收規則。",
"evidence": "禁止收集憑證明文;目前 憑證掃描=false"
},
@@ -7609,12 +7617,12 @@
"validationMetrics": {
"title": "驗證指標",
"body": "主機動作後要有驗證指標,確認掃描器、監控、服務與前台流程沒有退化。",
"evidence": "需要 事後檢查 指標與失敗處理 lane"
"evidence": "需要事後檢查指標與失敗處理路徑"
},
"redactedIngestion": {
"title": "脫敏收件",
"body": "主機 發現 或掃描結果只能以脫敏摘要進入 鏡像,不能直接把原始載荷當 runtime input。",
"evidence": "需要 脫敏載荷 驗收;載荷s_ingested=false"
"body": "主機發現或掃描結果只能以脫敏摘要進入鏡像,不能直接把原始載荷當執行期輸入。",
"evidence": "需要脫敏載荷驗收;目前脫敏載荷已匯入=false"
}
}
},
@@ -13219,7 +13227,7 @@
},
"kali112": {
"title": "Kali 112 已納入資安網",
"body": "2026-05-31 17:22 已用既有 SSH key 完成只讀快照Kali Rolling、kernel 6.16.8、root disk 26%、待更新套件 1994、失敗 systemd unit 1。沒有啟動掃描、/execute、主機更新或重啟。"
"body": "2026-06-03 10:23 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。"
},
"allProducts": {
"title": "所有產品先套只讀框架",
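Review bot: The refreshed strings at L64 and L180 embed snapshot facts (`2026-06-03 10:23`, `1994`, `networking.service`, `0/4`, the kernel version) that this same commit also writes into the TSX constants and the snapshot JSON, so the locale bundle now holds a third copy of the evidence with nothing visible tying it to the source; the validator hunk pins `"2026-06-03 10:23"` in the TSX but no visible check covers the locale text, so the next refresh can update one and miss the other. Consider keeping only the narrative in these strings and feeding the date, counts and unit name from the same projection that drives `kaliMaintenanceReadinessItems`, or at least adding the locale files to the validator's anchored strings. The second locale section (L187–L353) is the identical change and must stay in lockstep. If this bundle is served to unauthenticated clients, note that the failed-unit name and kernel build in L180 are host-fingerprinting detail that the readiness board may not need verbatim.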


@@ -7478,13 +7478,13 @@
},
"kaliScanScope": {
"title": "Kali 掃描範圍",
"body": "Kali 112、111、168 目前仍是 僅觀察;active scan 與 /execute 仍需獨立批准。",
"body": "Kali 112、111、168 目前仍是僅觀察;主動掃描與 /execute 仍需獨立批准。",
"unlock": "掃描範圍批准 + 後續追蹤 閘門"
},
"followupRuntimeGate": {
"title": "Follow-up 執行期閘門",
"title": "後續追蹤執行期閘門",
"body": "所有實際執行都要等人工 決策紀錄 後,另開 後續追蹤 執行期閘門。",
"unlock": "決策紀錄 已接受active 閘門 仍為 0"
"unlock": "決策紀錄已接受後才可評估;啟用中閘門仍為 0"
}
}
},
@@ -7495,47 +7495,55 @@
"items": {
"kali112": {
"title": "Kali 資安主機",
"body": "192.168.0.112 是資安網的 Kali 節點,已在 posture 與 evidence refs 中作為 僅觀察 整合面。",
"state": "已納入視野;active scan、/execute、主機更新仍需獨立批准"
"body": "192.168.0.112 是資安網的 Kali 節點,已在姿態與證據參照中作為僅觀察整合面。",
"state": "已納入視野;主動掃描、/execute、主機更新仍需獨立批准"
},
"dev168": {
"title": "開發主機 168",
"body": "192.168.0.168 納入 IwoooS 的 僅觀察 開發主機覆蓋,用於後續 scope approval 與 發現 關聯。",
"state": "範圍已宣告;尚未批准 憑證掃描 或 runtime 控制"
"body": "192.168.0.168 納入 IwoooS 的僅觀察開發主機覆蓋,用於後續掃描範圍批准與發現關聯。",
"state": "範圍已宣告;尚未批准憑證掃描或執行期控制"
},
"dev111": {
"title": "開發主機 111",
"body": "192.168.0.111 納入 IwoooS 的 僅觀察 開發主機覆蓋,與 168 一起維持低摩擦分階段收斂。",
"state": "範圍已宣告;尚未批准 憑證掃描 或 runtime 控制"
"body": "192.168.0.111 納入 IwoooS 的僅觀察開發主機覆蓋,與 168 一起維持低摩擦分階段收斂。",
"state": "範圍已宣告;尚未批准憑證掃描或執行期控制"
}
}
},
"kaliMaintenanceReadiness": {
"eyebrow": "Kali 112 維護就緒度",
"title": "Kali 112 已納管,但更新與重啟仍在維護 閘門",
"subtitle": "這個看板把 2026-05-31 17:22 的只讀快照轉成操作可讀狀態:目前能確認主機存在、健康資訊可見、風險缺口明確;但 full-upgrade、autoremove、reboot、掃描/execute 都還沒有批准。",
"title": "Kali 112 今天已重新只讀驗證,更新與重啟仍在維護閘門",
"subtitle": "這個看板把 2026-06-03 10:23 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與健康檢查正常node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描/execute 與服務硬化套用都還沒有批准。",
"maintenanceGateLabel": "維護 閘門",
"maintenanceGate": "Kali rolling full-upgrade / autoremove / reboot 仍是 security approval queue 的 pending approval。必須先有維護窗口、snapshot、rollback、post-health 複驗與人工批准,才能往主機更新前進。",
"nextEvidenceLabel": "下一份要補的 evidence",
"nextEvidence": "將 `kali-full-upgrade-reboot-approval-20260513` 的窗口、回復 owner、服務驗證清單與失敗處理 lane 補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。",
"maintenanceGate": "Kali 完整套件升級、自動移除與重啟仍在資安審批佇列等待批准。必須先有維護窗口、快照、回復方案、事後健康複驗與人工批准,才能往主機更新前進。",
"nextEvidenceLabel": "下一份要補的證據",
"nextEvidence": "將 Kali 112 維護窗口批准案的維護窗口、回復負責人、服務驗證清單與失敗處理路徑補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。",
"boundaryTitle": "只讀邊界",
"boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與 approval queue 投影而來,用來避免把可見狀態誤讀成執行授權。",
"boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與審批佇列投影而來,用來避免把可見狀態誤讀成執行授權。",
"items": {
"readOnlySnapshot": {
"label": "最新只讀快照",
"detail": "既有 SSH key 只讀收集,沒有改主機。"
"detail": "既有 SSH key 只讀收集,沒有掃描、更新、調校或重啟。"
},
"scannerHealth": {
"label": "掃描服務健康",
"detail": "kali-scanner.service 目前運行且開機啟用,/health 回健康。"
},
"upgradablePackages": {
"label": "待更新套件",
"detail": "代表需要排維護窗口,不代表現在可直接更新。"
},
"failedSystemdUnits": {
"label": "failed systemd unit",
"detail": "需要維護前檢查與事後健康複驗。"
"label": "失敗服務單元",
"detail": "目前為 networking.service需在維護前檢查原因。"
},
"serviceHardening": {
"label": "服務硬化",
"detail": "NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。"
},
"runtimeGate": {
"label": "執行期閘門",
"detail": "active runtime gate 仍為 0。"
"detail": "啟用中的執行期閘門仍為 0。"
}
}
},
@@ -7551,8 +7559,8 @@
},
"credentialedScan": {
"title": "憑證掃描",
"body": "任何帶憑證的掃描都必須先有 scope、credential handling 與脫敏 evidence 規範。",
"gate": "需要 S1.6 scope approval;目前 憑證掃描=false"
"body": "任何帶憑證的掃描都必須先有掃描範圍、憑證處理與脫敏證據規範。",
"gate": "需要 S1.6 掃描範圍批准;目前 憑證掃描=false"
},
"kaliExecute": {
"title": "Kali /execute",
@@ -7562,7 +7570,7 @@
"sshChange": {
"title": "SSH / 主機變更",
"body": "登入主機、改設定、套用調校、重啟服務或變更 SSH 設定都不屬於目前前端權限。",
"gate": "需要明確人工批准、變更計畫與 回復 evidence"
"gate": "需要明確人工批准、變更計畫與回復證據"
},
"kaliUpdate": {
"title": "Kali 主機更新",
@@ -7570,19 +7578,19 @@
"gate": "需要維護窗口、更新清單、驗證指標與 回復 計畫"
},
"runtimeBlocking": {
"title": "Runtime 阻擋控制",
"body": "將 發現 變成產品阻擋或 runtime enforcement 仍要等 owner evidence 與人工決策。",
"title": "執行期阻擋控制",
"body": "將發現變成產品阻擋或執行期強制控制,仍要等負責人證據與人工決策。",
"gate": "需要 已接受 決策紀錄;啟用中的執行期閘門 仍為 0"
}
}
},
"hostEvidenceReadiness": {
"title": "主機 證據就緒度",
"subtitle": "列出主機掃描、更新、SSH 變更或 runtime blocking 前必須補齊的 evidence。這些項目目前都只是待收件,不代表已批准。",
"subtitle": "列出主機掃描、更新、SSH 變更或執行期阻擋前必須補齊的證據。這些項目目前都只是待收件,不代表已批准。",
"evidenceLabel": "需要 證據",
"items": {
"scopeBoundary": {
"title": "範圍 boundary",
"title": "範圍邊界",
"body": "確認 112、168、111 的允許目標、排除範圍、掃描深度與速率限制。",
"evidence": "需要脫敏 掃描範圍批准;已收到=0、已接受=0"
},
@@ -7592,7 +7600,7 @@
"evidence": "需要 已接受 決策紀錄;目前 啟用中的執行期閘門=0"
},
"credentialHandling": {
"title": "憑證 handling",
"title": "憑證處理",
"body": "帶憑證掃描前要先定義憑證來源、保存邊界、遮蔽方式與拒收規則。",
"evidence": "禁止收集憑證明文;目前 憑證掃描=false"
},
@@ -7609,12 +7617,12 @@
"validationMetrics": {
"title": "驗證指標",
"body": "主機動作後要有驗證指標,確認掃描器、監控、服務與前台流程沒有退化。",
"evidence": "需要 事後檢查 指標與失敗處理 lane"
"evidence": "需要事後檢查指標與失敗處理路徑"
},
"redactedIngestion": {
"title": "脫敏收件",
"body": "主機 發現 或掃描結果只能以脫敏摘要進入 鏡像,不能直接把原始載荷當 runtime input。",
"evidence": "需要 脫敏載荷 驗收;載荷s_ingested=false"
"body": "主機發現或掃描結果只能以脫敏摘要進入鏡像,不能直接把原始載荷當執行期輸入。",
"evidence": "需要脫敏載荷驗收;目前脫敏載荷已匯入=false"
}
}
},
@@ -13219,7 +13227,7 @@
},
"kali112": {
"title": "Kali 112 已納入資安網",
"body": "2026-05-31 17:22 已用既有 SSH key 完成只讀快照Kali Rolling、kernel 6.16.8、root disk 26%、待更新套件 1994、失敗 systemd unit 1。沒有啟動掃描、/execute、主機更新或重啟。"
"body": "2026-06-03 10:23 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。"
},
"allProducts": {
"title": "所有產品先套只讀框架",


@@ -4116,16 +4116,24 @@ const hostCoverageItems: HostCoverageItem[] = [
]
const kaliMaintenanceReadinessItems: KaliMaintenanceReadinessItem[] = [
{ key: 'readOnlySnapshot', value: '2026-05-31 17:22', icon: ShieldCheck, tone: 'steady' },
{ key: 'readOnlySnapshot', value: '2026-06-03 10:23', icon: ShieldCheck, tone: 'steady' },
{ key: 'scannerHealth', value: '健康', icon: CheckCircle2, tone: 'steady' },
{ key: 'upgradablePackages', value: '1994', icon: FileWarning, tone: 'warn' },
{ key: 'failedSystemdUnits', value: '1', icon: AlertTriangle, tone: 'warn' },
{ key: 'serviceHardening', value: '0 / 4', icon: Lock, tone: 'warn' },
{ key: 'runtimeGate', value: '閘門 0', icon: Lock, tone: 'locked' },
]
const kaliMaintenanceReadinessBoundaries = [
'kali_112_read_only_snapshot_collected=true',
'kali_112_read_only_observed_at=2026-06-03T10:23:51+08:00',
'kali_112_scanner_health=healthy',
'kali_112_scanner_service_active=active',
'kali_112_scanner_service_enabled=enabled',
'kali_112_upgradable_package_count=1994',
'kali_112_failed_systemd_unit_count=1',
'kali_112_failed_systemd_unit=networking.service',
'kali_112_systemd_hardening_enabled=0/4',
'kali_112_full_upgrade_authorized=false',
'kali_112_reboot_authorized=false',
'kali_112_package_update_executed=false',


@@ -2,7 +2,7 @@
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13最新只讀快照 2026-05-31 17:22(台北) |
| 日期 | 2026-05-13最新只讀快照 2026-06-03 10:23(台北) |
| Host | `192.168.0.112` |
| Asset key | `host:kali-112` |
| 狀態 | `partial_runtime_health_integrated` |
@@ -22,7 +22,33 @@ Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runti
但它還沒有完成「資安網閉環」整合Kali scan result 尚未正式寫入 AWOOOI asset / compliance 表,也尚未 mirror 成 AwoooP Runtime State、Channel Event 或 Audit evidence。因此目前判定是「健康與基礎掃描已存在治理閉環尚未接通」。
## 0.1 2026-05-31 只讀實機快照
## 0.1 2026-06-03 只讀實機快照
本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 `apt update` / package update、沒有調整設定、沒有重啟。
| 項目 | 結果 |
|------|------|
| 觀測時間 | `2026-06-03T10:23:51+08:00` |
| Collection mode | `ssh_batch_read_only_existing_key` |
| Hostname | `kali` |
| OS | `Kali GNU/Linux Rolling` |
| Kernel | `Linux 6.16.8+kali-amd64` |
| Uptime | `up 3 weeks, 4 days, 8 hours, 31 minutes` |
| Load 1/5/15 | `0.07 0.14 0.16` |
| Memory | `922Mi/7.8Gi` |
| Root disk | `19G/79G 26%` |
| Scanner service | `active / enabled` |
| Scanner API health | `healthy` |
| Docker services | `node-exporter` up、`wg-easy` up healthy |
| Failed systemd units | `1``networking.service` |
| Upgradable packages | `1994` |
| Listening TCP / UDP | `7 / 2` |
| Reboot required | `false` |
| Scanner service hardening | `0 / 4``NoNewPrivileges``PrivateTmp``ProtectSystem``ProtectHome` 尚未啟用) |
結論Kali `192.168.0.112` 今天仍可被 IwoooS 以只讀方式納入證據鏈scanner runtime 健康也有實機證據;但 `networking.service` failed、`upgradable_package_count=1994` 與服務硬化缺口代表後續仍需要維護窗口、rollback / reboot gate、hardening dry-run 與人工批准,不能直接把「可連線」解讀為主機更新、掃描或調校已完成。
## 0.2 2026-05-31 只讀實機快照
本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。


@@ -238,6 +238,23 @@ Kali 112 掃描 / 驗證
4. 不保存 API key、SSH 密碼或任何 secret value。
5. 不做 full-upgrade、autoremove 或 reboot除非先排維護窗口。
## 7.2 2026-06-03 只讀重驗證狀態
`192.168.0.112` 已於 2026-06-03 10:23台北重新完成只讀 SSH 快照,沒有啟動掃描、沒有呼叫 `/execute`、沒有執行套件更新、沒有調整設定、沒有重啟。最新證據正式記錄於 `docs/security/KALI-INTEGRATION-STATUS.md``docs/security/kali-integration-status.snapshot.json`
已確認:
1. 既有 SSH key 可只讀連線。
2. `kali-scanner.service` 仍為 active / enabled。
3. `/health` 仍回 healthy。
4. `node-exporter``wg-easy` 容器仍在運作。
5. 主機時區維持 `Asia/Taipei`
6. `failed_systemd_unit_count=1`,目前為 `networking.service`
7. `upgradable_package_count=1994`
8. scanner service hardening 仍是 `0 / 4``NoNewPrivileges``PrivateTmp``ProtectSystem``ProtectHome` 尚未啟用。
結論Kali 112 已經從「文件與 5/13 盤點」推進到「6/3 再驗證的 live read-only evidence」但仍不代表 full-upgrade、autoremove、reboot、主動掃描、憑證掃描、服務 hardening override 或 AwoooP `/execute` 已被批准。
## 8. 第一波實作建議
建議下一波程式實作:


@@ -1,7 +1,7 @@
# Kali 資訊安全網開工準備
> 日期2026-05-06台北時間
> 狀態原始規劃2026-05-13 已完成 Kali 112 live 盤點、低風險主機更新、`security_finding_v1` sample 與 scan scope approval package尚未開始 AWOOOI runtime ingestion 實作
> 狀態原始規劃2026-05-13 已完成 Kali 112 live 盤點、低風險主機更新、`security_finding_v1` sample 與 scan scope approval package2026-06-03 已完成 Kali 112 只讀重驗證,尚未開始 AWOOOI runtime ingestion 實作
> 上游藍圖:`docs/security/KALI-SECURITY-MESH-BLUEPRINT.md`
> AwoooP 同步:`docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md`
@@ -19,6 +19,8 @@
2026-05-13 追加契約狀態:已建立 `docs/security/SECURITY-FINDING-CONTRACT.md``docs/security/security-finding-kali-sample.snapshot.json``docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md``docs/security/kali-scan-scope-approval.snapshot.json`。這代表 scope 與 finding envelope 可被 review / mirror不代表已批准或執行任何 scan。
2026-06-03 追加只讀重驗證:已用既有 SSH key 讀取 `192.168.0.112` 狀態,確認 scanner health healthy、`kali-scanner.service` active / enabled、node-exporter 與 wg-easy 運作中、失敗服務單元為 `networking.service`、待更新套件仍為 1994、服務 hardening 仍為 `0 / 4`。本追加不代表已批准 active scan、credentialed scan、AWOOOI runtime ingestion、`/execute` 接入、full-upgrade、autoremove、reboot 或服務 hardening 套用。
## 1. 非實作邊界
目前允許:


@@ -188,7 +188,7 @@
"operator_journey_step_count": 6,
"owner_evidence_readiness_item_count": 7,
"host_coverage_item_count": 3,
"kali_maintenance_readiness_item_count": 4,
"kali_maintenance_readiness_item_count": 6,
"host_action_gate_item_count": 6,
"host_evidence_readiness_item_count": 7,
"host_evidence_collection_step_count": 7,
@@ -2353,7 +2353,7 @@
"item_id": "kali_112_read_only_snapshot",
"display_order": 1,
"source_contract": "kali_integration_status_v1",
"source_observed_at_taipei": "2026-05-31T17:22:20+08:00",
"source_observed_at_taipei": "2026-06-03T10:23:51+08:00",
"readiness_state": "snapshot_collected_read_only",
"display_mode": "maintenance_readiness_only",
"runtime_execution_authorized": false,
@@ -2363,9 +2363,23 @@
"not_authorization": true
},
{
"item_id": "kali_112_upgradable_package_count",
"item_id": "kali_112_scanner_health",
"display_order": 2,
"source_contract": "kali_integration_status_v1",
"metric_value": "healthy",
"scanner_service_state": "active",
"scanner_service_enabled": "enabled",
"readiness_state": "scanner_runtime_healthy_read_only",
"display_mode": "maintenance_readiness_only",
"runtime_execution_authorized": false,
"active_scan_executed": false,
"action_buttons_allowed": false,
"not_authorization": true
},
{
"item_id": "kali_112_upgradable_package_count",
"display_order": 3,
"source_contract": "kali_integration_status_v1",
"metric_value": 1994,
"readiness_state": "maintenance_window_required",
"display_mode": "maintenance_readiness_only",
@@ -2376,18 +2390,40 @@
},
{
"item_id": "kali_112_failed_systemd_unit_count",
"display_order": 3,
"display_order": 4,
"source_contract": "kali_integration_status_v1",
"metric_value": 1,
"failed_unit_name": "networking.service",
"readiness_state": "pre_maintenance_health_check_required",
"display_mode": "maintenance_readiness_only",
"runtime_execution_authorized": false,
"host_reboot_executed": false,
"not_authorization": true
},
{
"item_id": "kali_112_service_hardening_gap",
"display_order": 5,
"source_contract": "kali_integration_status_v1",
"enabled_count": 0,
"expected_count": 4,
"missing_controls": [
"NoNewPrivileges",
"PrivateTmp",
"ProtectSystem",
"ProtectHome"
],
"readiness_state": "systemd_hardening_override_design_required",
"display_mode": "maintenance_readiness_only",
"runtime_execution_authorized": false,
"package_update_executed": false,
"host_reboot_executed": false,
"active_scan_executed": false,
"action_buttons_allowed": false,
"not_authorization": true
},
{
"item_id": "kali_112_full_upgrade_reboot_gate",
"display_order": 4,
"display_order": 6,
"source_contract": "security_approval_queue_v1",
"source_queue_item_id": "kali-full-upgrade-reboot-approval-20260513",
"readiness_state": "pending_approval_requires_window_snapshot_rollback_post_health",
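Review bot: `failed_unit_name` at L508 is a single string while the snapshot this projection is built from records `failed_systemd_unit_names` as an array, so a second failed unit on the next read-only pass cannot be represented here without a schema change; `"failed_unit_names": ["networking.service"],` keeps the two in the same shape. Likewise `metric_value` is the string `"healthy"` at L483 but an integer at L497 and L507, so a consumer can no longer assume one type for that key; a dedicated `"health_status": "healthy",` on the scanner item avoids that. Both renames would need the matching validator assertions in this commit updated at the same time.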


@@ -52,27 +52,46 @@
"remaining_upgradable_count": 1994,
"full_upgrade_status": "not_run_requires_maintenance_window"
},
"latest_read_only_observation": {
"observed_at_utc": "2026-05-31T09:22:20Z",
"observed_at_taipei": "2026-05-31T17:22:20+08:00",
"collection_mode": "ssh_batch_read_only_existing_key",
"runtime_actions_executed": false,
"active_scan_executed": false,
"package_update_executed": false,
"host_reboot_executed": false,
"hostname": "kali",
"os": "Kali GNU/Linux Rolling",
"kernel": "Linux 6.16.8+kali-amd64",
"uptime": "up 3 weeks, 1 day, 21 hours, 58 minutes",
"load_1_5_15": "0.09 0.12 0.15",
"memory_used_total": "885Mi/7.8Gi",
"disk_root_used_total_percent": "19G/79G 26%",
"failed_systemd_unit_count": 1,
"upgradable_package_count": 1994,
"listening_tcp_socket_count": 7,
"listening_udp_socket_count": 2,
"evidence_boundary": "只讀連線與主機狀態快照;未執行掃描、更新、調校、重啟或 /execute。"
},
"latest_read_only_observation": {
"observed_at_utc": "2026-06-03T02:23:51Z",
"observed_at_taipei": "2026-06-03T10:23:51+08:00",
"collection_mode": "ssh_batch_read_only_existing_key",
"runtime_actions_executed": false,
"active_scan_executed": false,
"package_update_executed": false,
"host_reboot_executed": false,
"hostname": "kali",
"os": "Kali GNU/Linux Rolling",
"kernel": "Linux 6.16.8+kali-amd64",
"uptime": "up 3 weeks, 4 days, 8 hours, 31 minutes",
"load_1_5_15": "0.07 0.14 0.16",
"memory_used_total": "922Mi/7.8Gi",
"disk_root_used_total_percent": "19G/79G 26%",
"scanner_service_state": "active",
"scanner_service_enabled": "enabled",
"scanner_api_health_status": "healthy",
"docker_services": [
"node-exporter=Up 3 weeks",
"wg-easy=Up 3 weeks (healthy)"
],
"failed_systemd_unit_count": 1,
"failed_systemd_unit_names": [
"networking.service"
],
"upgradable_package_count": 1994,
"listening_tcp_socket_count": 7,
"listening_udp_socket_count": 2,
"reboot_required": false,
"scanner_systemd_hardening_enabled_count": 0,
"scanner_systemd_hardening_expected_count": 4,
"scanner_systemd_hardening_missing": [
"NoNewPrivileges",
"PrivateTmp",
"ProtectSystem",
"ProtectHome"
],
"evidence_boundary": "只讀連線與主機狀態快照;未執行掃描、更新、調校、重啟或 /execute。"
},
"integration_state": {
"already_integrated": [
"Kali Scanner API 在 192.168.0.112:8080 運作且 /health healthy",
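Review bot: The `docker_services` entries at L590–L591 pack container name, state and health into one `name=status` string, while the scanner service in the same object is modelled with separate `scanner_service_state` / `scanner_service_enabled` / `scanner_api_health_status` keys; one object per container such as `{ "name": "wg-easy", "state": "Up 3 weeks", "health": "healthy" }` keeps the observation machine-checkable and lets the validator assert on it. The 2026-05-31 observation is also removed outright rather than retained, so the snapshot JSON alone no longer shows the trend between the two read-only passes; if that history matters for the evidence chain, a `previous_read_only_observations` array would preserve it without changing the `latest_read_only_observation` contract — presumably the markdown 0.2 section is meant to carry that, so this may be intentional.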


@@ -2473,6 +2473,18 @@
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s2_167_iwooos_kali_112_live_read_only_recheck",
"display_order": 196,
"completed_stage": "S2.167 IwoooS Kali 112 今日只讀重驗證",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "IwoooS 只把 2026-06-03T10:23:51+08:00 的 Kali 112 只讀 SSH 快照、scanner health=healthy、scanner service active/enabled、failed_systemd_unit=networking.service、upgradable_package_count=1994 與 systemd hardening 0/4 投影到維護就緒度runtime_actions_executed=false、active_scan_executed=false、package_update_executed=false、host_reboot_executed=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false不把只讀重驗證當掃描、更新、主機調校、修復、部署、Kali /execute、GitHub 主要來源切換或 Gitea 停用。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
}
],
"next_safe_actions": [
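Review bot: `why_headline_unchanged` at L629 restates the whole snapshot as `key=value` prose (timestamp, health, failed unit, package count, hardening ratio, seven negative flags), which duplicates data the snapshot file already holds and will silently go stale on the next refresh. Keeping the reasoning in the sentence and pointing at the source with `"evidence_source": "docs/security/kali-integration-status.snapshot.json",` and `"evidence_observed_at_taipei": "2026-06-03T10:23:51+08:00",` gives the validator something to cross-check instead of free text. The surrounding ledger entries appear to follow the same pattern, so this may be a deliberate convention rather than a defect.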


@@ -515,8 +515,10 @@ def validate(root: Path) -> None:
)
for key in [
"readOnlySnapshot",
"scannerHealth",
"upgradablePackages",
"failedSystemdUnits",
"serviceHardening",
"runtimeGate",
]:
assert_contains(
@@ -527,8 +529,15 @@ def validate(root: Path) -> None:
for text in [
"KaliMaintenanceReadinessBoard",
'data-testid="iwooos-kali-maintenance-readiness-board"',
"2026-06-03 10:23",
"kali_112_read_only_observed_at=2026-06-03T10:23:51+08:00",
"kali_112_scanner_health=healthy",
"kali_112_scanner_service_active=active",
"kali_112_scanner_service_enabled=enabled",
"kali_112_upgradable_package_count=1994",
"kali_112_failed_systemd_unit_count=1",
"kali_112_failed_systemd_unit=networking.service",
"kali_112_systemd_hardening_enabled=0/4",
"kali_112_full_upgrade_authorized=false",
"kali_112_reboot_authorized=false",
"kali_112_package_update_executed=false",
@@ -757,6 +766,7 @@ def validate(root: Path) -> None:
"s2_164_iwooos_s49_owner_response_intake_blocker_focus",
"s2_165_iwooos_s49_owner_response_delivery_cards",
"s2_166_iwooos_progress_integrity_ribbon",
"s2_167_iwooos_kali_112_live_read_only_recheck",
]
assert_equal(
"progress_delta_ledger.delta_ids",
@@ -2332,8 +2342,10 @@ def validate(root: Path) -> None:
]
expected_iwooos_kali_maintenance_readiness_item_ids = [
"kali_112_read_only_snapshot",
"kali_112_scanner_health",
"kali_112_upgradable_package_count",
"kali_112_failed_systemd_unit_count",
"kali_112_service_hardening_gap",
"kali_112_full_upgrade_reboot_gate",
]
expected_iwooos_host_action_gate_item_ids = [
@@ -4018,17 +4030,52 @@ def validate(root: Path) -> None:
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.upgradable_package_count",
iwooos_kali_maintenance_readiness[1]["metric_value"],
iwooos_kali_maintenance_readiness[2]["metric_value"],
1994,
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.failed_systemd_unit_count",
iwooos_kali_maintenance_readiness[2]["metric_value"],
iwooos_kali_maintenance_readiness[3]["metric_value"],
1,
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.scanner_health",
iwooos_kali_maintenance_readiness[1]["metric_value"],
"healthy",
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.scanner_service_state",
iwooos_kali_maintenance_readiness[1]["scanner_service_state"],
"active",
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.scanner_service_enabled",
iwooos_kali_maintenance_readiness[1]["scanner_service_enabled"],
"enabled",
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.failed_unit_name",
iwooos_kali_maintenance_readiness[3]["failed_unit_name"],
"networking.service",
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.hardening_enabled_count",
iwooos_kali_maintenance_readiness[4]["enabled_count"],
0,
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.hardening_expected_count",
iwooos_kali_maintenance_readiness[4]["expected_count"],
4,
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.hardening_missing_controls",
iwooos_kali_maintenance_readiness[4]["missing_controls"],
["NoNewPrivileges", "PrivateTmp", "ProtectSystem", "ProtectHome"],
)
assert_equal(
"iwooos_projection.kali_maintenance_readiness_items.reboot_gate_queue_item",
iwooos_kali_maintenance_readiness[3]["source_queue_item_id"],
iwooos_kali_maintenance_readiness[5]["source_queue_item_id"],
"kali-full-upgrade-reboot-approval-20260513",
)
for item in iwooos_kali_maintenance_readiness:
@@ -6814,7 +6861,7 @@ def validate(root: Path) -> None:
assert_equal(
"kali_status.latest_read_only_observation.observed_at_taipei",
latest_kali_observation["observed_at_taipei"],
"2026-05-31T17:22:20+08:00",
"2026-06-03T10:23:51+08:00",
)
assert_equal(
"kali_status.latest_read_only_observation.collection_mode",
@@ -6831,6 +6878,41 @@ def validate(root: Path) -> None:
latest_kali_observation["failed_systemd_unit_count"],
1,
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_api_health_status",
latest_kali_observation["scanner_api_health_status"],
"healthy",
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_service_state",
latest_kali_observation["scanner_service_state"],
"active",
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_service_enabled",
latest_kali_observation["scanner_service_enabled"],
"enabled",
)
assert_equal(
"kali_status.latest_read_only_observation.failed_systemd_unit_names",
latest_kali_observation["failed_systemd_unit_names"],
["networking.service"],
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_systemd_hardening_enabled_count",
latest_kali_observation["scanner_systemd_hardening_enabled_count"],
0,
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_systemd_hardening_expected_count",
latest_kali_observation["scanner_systemd_hardening_expected_count"],
4,
)
assert_equal(
"kali_status.latest_read_only_observation.scanner_systemd_hardening_missing",
latest_kali_observation["scanner_systemd_hardening_missing"],
["NoNewPrivileges", "PrivateTmp", "ProtectSystem", "ProtectHome"],
)
for forbidden_runtime_flag in [
"runtime_actions_executed",
"active_scan_executed",
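Review bot: The readiness assertions at L690–L737 address `iwooos_kali_maintenance_readiness` by position, which is why this commit had to renumber `[1]`→`[2]`, `[2]`→`[3]` and `[3]`→`[5]`; the expected id list at L676–L683 already names every item, so building a dict keyed by `item_id` and indexing by name makes the checks insert-proof. The new snapshot assertions at L754–L788 pin each field in isolation but never cross-check the derived values: `failed_systemd_unit_count` against `len(failed_systemd_unit_names)`, and `scanner_systemd_hardening_enabled_count + len(scanner_systemd_hardening_missing)` against `scanner_systemd_hardening_expected_count`, which is exactly where a hand-edited snapshot drifts. `validate` starts and continues outside these hunks.

```python
# … unchanged: expected_iwooos_kali_maintenance_readiness_item_ids and earlier checks …
kali_readiness_by_id = {
    item["item_id"]: item for item in iwooos_kali_maintenance_readiness
}
assert_equal(
    "iwooos_projection.kali_maintenance_readiness_items.scanner_health",
    kali_readiness_by_id["kali_112_scanner_health"]["metric_value"],
    "healthy",
)
# … same by-id lookup replaces the remaining [1]/[2]/[3]/[4]/[5] indexing …

# … unchanged: latest_read_only_observation field assertions …
assert_equal(
    "kali_status.latest_read_only_observation.failed_systemd_unit_names_count",
    len(latest_kali_observation["failed_systemd_unit_names"]),
    latest_kali_observation["failed_systemd_unit_count"],
)
assert_equal(
    "kali_status.latest_read_only_observation.scanner_systemd_hardening_total",
    latest_kali_observation["scanner_systemd_hardening_enabled_count"]
    + len(latest_kali_observation["scanner_systemd_hardening_missing"]),
    latest_kali_observation["scanner_systemd_hardening_expected_count"],
)
```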