{ "alert_message_contract": [ { "field_id": "event_title", "raw_payload_allowed": false, "required": true }, { "field_id": "severity_and_confidence", "raw_payload_allowed": false, "required": true }, { "field_id": "asset_alias_and_scope", "raw_payload_allowed": false, "required": true }, { "field_id": "what_happened_plain_language", "raw_payload_allowed": false, "required": true }, { "field_id": "why_it_matters", "raw_payload_allowed": false, "required": true }, { "field_id": "redacted_evidence_refs", "raw_payload_allowed": false, "required": true }, { "field_id": "ai_triage_lane", "raw_payload_allowed": false, "required": true }, { "field_id": "next_candidate_action", "raw_payload_allowed": false, "required": true }, { "field_id": "owner_gate_and_verification", "raw_payload_allowed": false, "required": true } ], "automation_loop_stages": [ { "runtime_gate_open": false, "stage_id": "sensor_evidence" }, { "runtime_gate_open": false, "stage_id": "normalizer_redaction" }, { "runtime_gate_open": false, "stage_id": "ai_triage_lane" }, { "runtime_gate_open": false, "stage_id": "candidate_generation" }, { "runtime_gate_open": false, "stage_id": "owner_gate" }, { "runtime_gate_open": false, "stage_id": "execution_boundary" }, { "runtime_gate_open": false, "stage_id": "verifier_readback" }, { "runtime_gate_open": false, "stage_id": "learning_writeback" } ], "blocked_actions": [ "ssh_write", "host_live_secret_read", "wazuh_active_response_enable", "kali_active_scan", "kali_execute", "nginx_reload", "firewall_change", "docker_restart", "systemd_restart", "argocd_sync", "kubectl_apply", "workflow_modification", "secret_rotation", "telegram_live_send", "soar_action", "auto_block", "production_write", "force_push" ], "cross_session_sync_checkpoints": [ { "checkpoint_id": "fetch_gitea_main_before_work", "required": true }, { "checkpoint_id": "share_commit_and_run_ids", "required": true }, { "checkpoint_id": "share_production_readback", "required": true }, { "checkpoint_id": "declare_runtime_boundaries", "required": true }, { "checkpoint_id": "freeze_same_host_or_same_gateway_edits", "required": true }, { "checkpoint_id": "record_owner_gate_state", "required": true }, { "checkpoint_id": "update_logbook_after_stage", "required": true } ], "execution_boundaries": { "auto_block_authorized": false, "firewall_change_authorized": false, "host_write_authorized": false, "kali_active_scan_authorized": false, "kali_execute_authorized": false, "nginx_reload_authorized": false, "not_authorization": true, "production_write_authorized": false, "runtime_execution_authorized": false, "secret_value_collection_allowed": false, "soar_action_authorized": false, "telegram_live_send_authorized": false, "wazuh_active_response_authorized": false }, "generated_at": "2026-06-25T17:20:00+08:00", "git_commit": "47dfeed63", "mode": "repo_snapshot_guard_frontstage_only", "no_false_green_rules": [ { "enforced": true, "rule_id": "route_200_is_not_security_clearance" }, { "enforced": true, "rule_id": "dashboard_up_is_not_agent_registry" }, { "enforced": true, "rule_id": "agent_active_is_not_intrusion_closed" }, { "enforced": true, "rule_id": "alert_quiet_is_not_alert_chain_healthy" }, { "enforced": true, "rule_id": "backup_fresh_is_not_restore_drill" }, { "enforced": true, "rule_id": "cd_success_is_not_runtime_authorization" }, { "enforced": true, "rule_id": "ui_visible_is_not_owner_acceptance" }, { "enforced": true, "rule_id": "awooop_approval_is_not_security_approval" }, { "enforced": true, "rule_id": "external_agent_claim_is_not_forensic_proof" }, { "enforced": true, "rule_id": "transport_connection_is_not_registry_acceptance" }, { "enforced": true, "rule_id": "source_snapshot_is_not_live_truth" }, { "enforced": true, "rule_id": "general_continue_is_not_maintenance_window" } ], "operating_roles": [ { "label": "資安作戰負責人", "responsibility": "維護控制面、優先序、完成度與停止線。", "role_id": "security_program_owner", "runtime_gate_open": false }, { "label": "SOC 審查人", "responsibility": "審查告警、SIEM、Wazuh、Kali 與 no-false-green evidence。", "role_id": "soc_reviewer", "runtime_gate_open": false }, { "label": "事故指揮", "responsibility": "統一 severity、scope、containment 候選與跨專案同步。", "role_id": "incident_commander", "runtime_gate_open": false }, { "label": "平台負責人", "responsibility": "負責 host、Docker、systemd、Nginx、K8s、ArgoCD 與 public gateway 影響判讀。", "role_id": "platform_owner", "runtime_gate_open": false }, { "label": "服務負責人", "responsibility": "負責產品、API、網站、admin、webhook 與 AI provider route 的驗證。", "role_id": "service_owner", "runtime_gate_open": false }, { "label": "證據保管人", "responsibility": "維護脫敏 refs、chain of custody、retention 與 raw absence attestation。", "role_id": "evidence_custodian", "runtime_gate_open": false }, { "label": "變更管理人", "responsibility": "確認維護窗口、rollback owner、postcheck、operator notification 與 freeze。", "role_id": "change_manager", "runtime_gate_open": false }, { "label": "供應鏈負責人", "responsibility": "負責 workflow、runner、Harbor、SBOM、SLSA、Cosign、KEV / package SLA。", "role_id": "supply_chain_owner", "runtime_gate_open": false }, { "label": "AI 安全審查人", "responsibility": "審核 AI agent tool 權限、prompt redaction、過度代理與成本邊界。", "role_id": "ai_security_reviewer", "runtime_gate_open": false }, { "label": "風險負責人", "responsibility": "接受風險、例外期限、資源優先序與治理報告。", "role_id": "executive_risk_owner", "runtime_gate_open": false } ], "reference_frameworks": [ { "framework_id": "nist_csf_2_0", "label": "NIST CSF 2.0", "source_url": "https://www.nist.gov/cyberframework" }, { "framework_id": "nist_sp_800_61_r3", "label": "NIST SP 800-61 Rev. 3", "source_url": "https://csrc.nist.gov/pubs/sp/800/61/r3/final" }, { "framework_id": "cis_controls_v8_1", "label": "CIS Controls v8.1", "source_url": "https://www.cisecurity.org/controls/v8-1" }, { "framework_id": "cisa_zero_trust", "label": "CISA Zero Trust Maturity Model", "source_url": "https://www.cisa.gov/resources-tools/resources/zero-trust-maturity-model" }, { "framework_id": "cisa_kev", "label": "CISA Known Exploited Vulnerabilities", "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "framework_id": "first_epss", "label": "FIRST EPSS", "source_url": "https://www.first.org/epss/" }, { "framework_id": "mitre_attack", "label": "MITRE ATT&CK Enterprise", "source_url": "https://attack.mitre.org/matrices/enterprise/" }, { "framework_id": "mitre_d3fend", "label": "MITRE D3FEND", "source_url": "https://d3fend.mitre.org/" }, { "framework_id": "owasp_asvs", "label": "OWASP ASVS", "source_url": "https://owasp.org/www-project-application-security-verification-standard/" }, { "framework_id": "owasp_samm", "label": "OWASP SAMM", "source_url": "https://owaspsamm.org/" }, { "framework_id": "wazuh_xdr_siem", "label": "Wazuh XDR / SIEM", "source_url": "https://documentation.wazuh.com/current/index.html" }, { "framework_id": "wazuh_active_response", "label": "Wazuh Active Response", "source_url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html" }, { "framework_id": "prometheus_alertmanager", "label": "Prometheus Alertmanager", "source_url": "https://prometheus.io/docs/alerting/latest/alertmanager/" }, { "framework_id": "opentelemetry", "label": "OpenTelemetry", "source_url": "https://opentelemetry.io/docs/what-is-opentelemetry/" }, { "framework_id": "ocsf", "label": "Open Cybersecurity Schema Framework", "source_url": "https://ocsf.io/" }, { "framework_id": "sigma", "label": "Sigma detection rules", "source_url": "https://sigmahq.io/sigma/" }, { "framework_id": "slsa", "label": "SLSA", "source_url": "https://slsa.dev/" }, { "framework_id": "spdx_cyclonedx", "label": "SPDX / CycloneDX", "source_url": "https://spdx.dev/" }, { "framework_id": "sigstore_cosign", "label": "Sigstore / Cosign", "source_url": "https://docs.sigstore.dev/cosign/signing/signing_with_containers/" }, { "framework_id": "nist_ai_rmf", "label": "NIST AI RMF", "source_url": "https://www.nist.gov/itl/ai-risk-management-framework" } ], "schema_version": "iwooos_security_operating_system_v1", "severity_lanes": [ { "label": "已確認入侵或 active exploitation", "runtime_gate_open": false, "severity": "SEV0", "triage_target": "15 分鐘內形成 case / freeze / containment 候選;不得無 owner 直接執行。" }, { "label": "公開入口高風險、KEV、credential exposure、Wazuh agent 消失", "runtime_gate_open": false, "severity": "SEV1", "triage_target": "30 分鐘內形成 owner packet、證據缺口與維護窗口草案。" }, { "label": "Nginx / firewall / runner / workflow / runtime drift", "runtime_gate_open": false, "severity": "SEV2", "triage_target": "4 小時內完成 diff、owner、rollback 與 postcheck 計畫。" }, { "label": "告警噪音、coverage gap、dashboard degradation", "runtime_gate_open": false, "severity": "SEV3", "triage_target": "1 個工作日內進入 backlog 與 no-false-green 修正。" }, { "label": "治理、文件、成熟度與低風險 hardening", "runtime_gate_open": false, "severity": "SEV4", "triage_target": "納入週期報告與例外期限,不得混成緊急事件。" } ], "status": "iwooos_security_operating_system_ready_no_runtime_action", "summary": { "action_button_count": 0, "alert_contract_field_count": 9, "alert_receipt_accepted_count": 0, "automation_loop_stage_count": 8, "blocked_action_count": 18, "cross_session_sync_checkpoint_count": 7, "evidence_weighted_security_operating_system_percent": 62, "host_forensics_accepted_count": 0, "incident_case_accepted_count": 0, "kali_scope_accepted_count": 0, "no_false_green_rule_count": 12, "operating_role_count": 10, "owner_response_accepted_count": 0, "owner_response_received_count": 0, "p0_workstream_count": 12, "p1_workstream_count": 8, "p2_workstream_count": 4, "reference_framework_count": 20, "runtime_gate_count": 0, "runtime_response_percent": 0, "severity_lane_count": 5, "soc_siem_framework_percent": 92, "source_control_artifact_percent": 100, "verification_stage_count": 12, "wazuh_manager_registry_acceptance_percent": 100, "wazuh_registry_accepted_count": 6, "workstream_count": 24 }, "verification_stages": [ { "accepted": false, "stage_id": "source_guard" }, { "accepted": false, "stage_id": "snapshot_schema" }, { "accepted": false, "stage_id": "redaction_guard" }, { "accepted": false, "stage_id": "owner_packet_preflight" }, { "accepted": true, "stage_id": "wazuh_registry_readback" }, { "accepted": false, "stage_id": "kali_scope_readback" }, { "accepted": false, "stage_id": "alert_receipt_readback" }, { "accepted": false, "stage_id": "route_desktop_mobile_smoke" }, { "accepted": false, "stage_id": "postcheck_metrics" }, { "accepted": false, "stage_id": "cross_session_sync" }, { "accepted": false, "stage_id": "logbook_update" }, { "accepted": false, "stage_id": "no_false_green_review" } ], "workstreams": [ { "lane_id": "asset_exposure_graph", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "host、domain、route、service、port、package、repo、runner、secret metadata、backup、AI agent", "title": "資產 / 暴露面總圖", "workstream_id": "P0-01" }, { "lane_id": "wazuh_registry_truth", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "agent total、active、disconnected、last seen、expected minimum、dashboard / API mismatch", "title": "Wazuh manager registry truth", "workstream_id": "P0-02" }, { "lane_id": "host_intrusion_forensics", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "auth、sudo、process、network、FIM、persistence、package、service、Docker event", "title": "主機入侵與鑑識", "workstream_id": "P0-03" }, { "lane_id": "gateway_config_control", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "source-to-live diff、rendered diff、nginx test ref、route smoke、rollback", "title": "Nginx / Gateway config-control", "workstream_id": "P0-04" }, { "lane_id": "network_access_baseline", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "before / after、actor、impact、operator notification、restoration evidence", "title": "SSH / firewall / WireGuard / NodePort baseline", "workstream_id": "P0-05" }, { "lane_id": "secret_identity_hygiene", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "SSH、sudo、deploy key、runner token name、webhook secret name、OIDC、break-glass", "title": "身分與 secret metadata", "workstream_id": "P0-06" }, { "lane_id": "alert_readability_receipt", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "Telegram / Alertmanager / Wazuh alert card、dedupe、noise budget、receipt", "title": "告警可讀性與 receipt", "workstream_id": "P0-07" }, { "lane_id": "incident_case_gate", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "case id、timeline、owner、decision、containment、recovery、postcheck、lesson learned", "title": "Incident case gate", "workstream_id": "P0-08" }, { "lane_id": "kev_exposure_patch_priority", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "CISA KEV、EPSS、public exposure、asset criticality、maintenance window", "title": "KEV / exposure / package SLA", "workstream_id": "P0-09" }, { "lane_id": "backup_restore_forensic_retention", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "restore drill、offsite、escrow、chain of custody、retention、rollback proof", "title": "備份 / 還原 / 鑑識保存", "workstream_id": "P0-10" }, { "lane_id": "runner_workflow_supply_chain", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "Gitea、workflow、runner、deploy key、Harbor、SBOM、Cosign、SLSA", "title": "Runner / workflow / supply-chain", "workstream_id": "P0-11" }, { "lane_id": "ai_agent_permission_gate", "owner_packet_required": true, "priority": "P0", "runtime_gate_open": false, "scope": "tool allowlist、redaction、cost、privacy、approval、excessive agency", "title": "AI Agent 權限閘", "workstream_id": "P0-12" }, { "lane_id": "kali_evidence_envelope", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "health、tool version、scope、normalized finding、active scan approval packet", "title": "Kali 112 evidence envelope", "workstream_id": "P1-01" }, { "lane_id": "detection_as_code", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "ATT&CK、D3FEND、Sigma、測試資料、false-positive budget、rule owner", "title": "Detection-as-code", "workstream_id": "P1-02" }, { "lane_id": "ndr_passive_sensor", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "Suricata、Zeek、DNS / TLS / HTTP / flow logs;不開 IPS", "title": "NDR passive sensor", "workstream_id": "P1-03" }, { "lane_id": "k8s_docker_hardening", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "CIS / NSA-CISA 對照、Pod Security、RBAC、NetworkPolicy、audit log", "title": "K8s / Docker hardening", "workstream_id": "P1-04" }, { "lane_id": "appsec_api_asvs", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "auth、authorization、session、rate limit、CORS、security headers、webhook abuse case", "title": "AppSec / API ASVS", "workstream_id": "P1-05" }, { "lane_id": "sbom_slsa_cosign", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "SPDX、CycloneDX、VEX、provenance、artifact signing、verify", "title": "SBOM / SLSA / Cosign", "workstream_id": "P1-06" }, { "lane_id": "soar_dry_run_case_enrichment", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "TheHive / Cortex 類 case draft、enrichment、blast radius、rollback", "title": "SOAR dry-run / case enrichment", "workstream_id": "P1-07" }, { "lane_id": "grc_exception_register", "owner_packet_required": true, "priority": "P1", "runtime_gate_open": false, "scope": "risk register、accepted risk、expiry、audit evidence、control owner", "title": "GRC / exception register", "workstream_id": "P1-08" }, { "lane_id": "ueba_behavior_baseline", "owner_packet_required": true, "priority": "P2", "runtime_gate_open": false, "scope": "使用者、service account、runner、AI agent、host process、egress baseline", "title": "UEBA / 行為基線", "workstream_id": "P2-01" }, { "lane_id": "purple_team_validation", "owner_packet_required": true, "priority": "P2", "runtime_gate_open": false, "scope": "ATT&CK emulation、BAS / canary、偵測回歸;需授權 scope", "title": "Purple-team / tabletop", "workstream_id": "P2-02" }, { "lane_id": "mdr_247_process", "owner_packet_required": true, "priority": "P2", "runtime_gate_open": false, "scope": "on-call、升級、SLA、交接、值班報表、演練", "title": "MDR / 24x7 流程", "workstream_id": "P2-03" }, { "lane_id": "exposure_management_graph", "owner_packet_required": true, "priority": "P2", "runtime_gate_open": false, "scope": "外部攻擊面、弱點、身份、雲端、repo、AI agent、資料流", "title": "Exposure management graph", "workstream_id": "P2-04" } ] }