# IwoooS High-Value Configuration Control Guard
| Item | Details |
|------|------|
| Date | 2026-06-15 |
| Status | `repo_snapshot_guard_ready` |
| Script | `scripts/security/iwooos-config-control-guard.py` |
| Mode | repo snapshot only; no host connections, no secret reads, no runtime actions |
| runtime gate | `0` |
## 1. Purpose
This guard turns the requirement that "every important configuration must be under security control" from a documentation inventory into a repeatable verification baseline. It reads the existing Markdown files and JSON snapshots and confirms that each of the following configuration surfaces has a read-only control ledger, an owner gate, rejection criteria and a `0 / false` boundary:
| Category | Representative configuration surfaces |
|------|------------|
| Public gateway | Nginx, reverse proxy, public routes, rendered diff, intake rules for `nginx -t` evidence |
| DNS / TLS | certbot, certificate path, ACME route, renewal owner |
| K8s / ArgoCD | production manifest, GitOps change evidence, rollback revision |
| Secrets / Runner | workflow, runner attestation, secret name parity, injection route |
| Runtime config | public / admin / API routes, CORS, frontend env, Sentry tunnel, webhook / callback |
| Network | SSH, sudoers, known_hosts, firewall, NodePort, WireGuard |
| Backup / DR | backup, restore, offsite, escrow, retention, Velero |
| Monitoring | Prometheus, Alertmanager, Grafana, SigNoz, Sentry, Langfuse, Telegram route |
| Cross-product | Product boundaries for VibeWork, agent-bounty-protocol, StockPlatform, Bitan, Tsenyang and others |
## 2. What Is Verified
`iwooos-config-control-guard.py` currently performs these fixed checks:
1. `high-value-config-control-coverage.snapshot.json` must contain 14 configuration categories, 8 C0 categories, 14 with owner response required, owner response received / accepted of `0 / 0`, and runtime gate and action button of `0`.
2. The evidence refs of every high-value configuration category must resolve to a corresponding document, snapshot, schema, script or source path in the repo.
3. The ledgers for Public gateway, DNS / TLS, Docker / systemd, SSH / firewall, Backup / restore, K8s / ArgoCD, CD / runner / secret, Public runtime, Monitoring, agent-bounty-protocol and others must conform to the established schema, status, candidate count, reviewer checks, outcome lanes and blocked actions.
4. In each ledger's summary, `*_authorized_count`, `*_executed_count`, `*_received_count`, `*_accepted_count`, `*_allowed_count`, `runtime_gate_count`, `action_button_count` and `request_sent_count` must remain `0`.
5. All runtime / host / workflow / secret / scan / deploy authorization flags in `execution_boundaries` must remain `false`; only `not_authorization=true` is a safety declaration.
6. `security-supply-chain-contract-manifest.snapshot.json` must keep `36` contracts, with default enforcement `mirror_only`, and every contract must have forbidden actions and existing schema / snapshot / human docs refs.
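
The zero-count and false-flag rules in checks 4 and 5 can be sketched as follows. This is an added example, not the project's `iwooos-config-control-guard.py`; the ledger layout, the sample field names (`reload_authorized_count`, `host_access_authorized`, `secret_read_authorized`) and the rule that `not_authorization` must be present are assumptions.

```python
import fnmatch
import json

# Counters that section 2 says must stay 0 in every ledger summary.
ZERO_PATTERNS = [
    "*_authorized_count", "*_executed_count", "*_received_count",
    "*_accepted_count", "*_allowed_count",
    "runtime_gate_count", "action_button_count", "request_sent_count",
]
# Assumption: this flag is required to be present and true.
SAFE_TRUE_FLAG = "not_authorization"


def check_ledger(name, ledger):
    """Return violation strings for one ledger snapshot (empty list = pass)."""
    problems = []
    for key, value in ledger.get("summary", {}).items():
        if any(fnmatch.fnmatchcase(key, p) for p in ZERO_PATTERNS):
            # bool is an int subclass, so False == 0; reject it explicitly.
            if isinstance(value, bool) or value != 0:
                problems.append(f"{name}: summary.{key} = {value!r}, expected 0")
    boundaries = ledger.get("execution_boundaries")
    if not isinstance(boundaries, dict):
        return problems + [f"{name}: execution_boundaries missing"]
    if SAFE_TRUE_FLAG not in boundaries:
        problems.append(f"{name}: {SAFE_TRUE_FLAG} missing")
    for flag, value in boundaries.items():
        expected = flag == SAFE_TRUE_FLAG
        # Identity test rejects truthy/falsy stand-ins such as 1 or "false".
        if value is not expected:
            problems.append(f"{name}: execution_boundaries.{flag} = {value!r}")
    return problems


# Constructed sample ledgers; layout and flag names are hypothetical.
GOOD = json.loads("""{
  "summary": {"candidate_count": 6, "reload_authorized_count": 0, "runtime_gate_count": 0},
  "execution_boundaries": {"host_access_authorized": false, "not_authorization": true}
}""")
DRIFTED = json.loads("""{
  "summary": {"candidate_count": 6, "reload_authorized_count": 1, "action_button_count": 0},
  "execution_boundaries": {"secret_read_authorized": true, "not_authorization": true}
}""")

if __name__ == "__main__":
    for name, ledger in (("good", GOOD), ("drifted", DRIFTED)):
        for line in check_ledger(name, ledger) or [f"{name}: OK"]:
            print(line)
```

Counters outside the listed patterns, such as `candidate_count`, are allowed to be non-zero, and values like `False` for a count or `"false"` for a flag are reported rather than accepted.
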
## 3. Commands
```bash
python3 scripts/security/iwooos-config-control-guard.py --root .
```
Expected output:
```text
IWOOOS_CONFIG_CONTROL_GUARD_OK
```
The main progress guard already chains this guard:
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
The expected output is still:
```text
SECURITY_MIRROR_PROGRESS_GUARD_OK
```
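## 4. Boundaries
Passing this guard only means the configuration control baseline is complete at the repo snapshot layer. It does not mean that:
- An owner response has been received or accepted.
- Nginx reload, `nginx -t`, DNS query, TLS probe or certbot renew has been authorized.
- ArgoCD sync, kubectl, workflow modification, runner enablement, or secret read / rotation has been authorized.
- SSH, firewall, port open / close, or WireGuard / NodePort / NetworkPolicy changes have been authorized.
- Backup run, restore drill, offsite sync, retention change or escrow marker write has been authorized.
- Active scan, Kali `/execute`, agent-bounty runtime, payout, withdrawal or production deploy has been authorized.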
## 5. Completion
| Task | Completion | Notes |
|------|--------|------|
| Centralized high-value configuration guard | `100%` | Script added and runnable on its own |
| Main progress guard integration | `100%` | `security-mirror-progress-guard.py` now calls this guard |
| Dry-run evidence sync | `100%` | `security-mirror-dry-run.snapshot.json` now includes `CHECK_CONFIG_CONTROL_GUARD` |
| runtime / host / secret / scan / deploy authorization | `0%` | All remain `0 / false` |