awoooi/docs/security/wazuh-runtime-controlled-apply-preflight.snapshot.json
Your Name b010afdbf6
feat(iwooos): add wazuh controlled apply preflight
2026-06-28 10:10:47 +08:00


{
"schema_version": "wazuh_runtime_controlled_apply_preflight_v1",
"generated_at": "2026-06-28T10:30:00+08:00",
"status": "controlled_apply_preflight_ready_no_runtime_action",
"mode": "committed_preflight_readback_no_live_wazuh_no_secret_collection",
"summary": {
"expected_scope_alias_count": 6,
"target_selector_count": 6,
"source_of_truth_diff_count": 1,
"check_mode_plan_count": 1,
"dry_run_required_count": 1,
"rollback_plan_count": 1,
"post_apply_verifier_count": 1,
"km_playbook_writeback_count": 1,
"maintenance_window_required_count": 1,
"owner_review_ready_count": 1,
"controlled_apply_preflight_ready_count": 1,
"controlled_apply_packet_received_count": 0,
"controlled_apply_packet_accepted_count": 0,
"controlled_apply_packet_quarantined_count": 0,
"controlled_apply_runtime_action_rejected_count": 0,
"forbidden_payload_count": 18,
"forbidden_action_count": 20,
"runtime_gate_count": 0,
"wazuh_api_live_query_authorized_count": 0,
"wazuh_active_response_authorized_count": 0,
"host_write_authorized_count": 0,
"secret_value_collection_allowed_count": 0
},
"target_selectors": [
{
"node_alias": "managed_core_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_core_node_b",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_core_node_c",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_edge_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_edge_node_b",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_lab_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
}
],
"required_packet_fields": [
"controlled_apply_intent",
"target_selector_aliases",
"source_of_truth_diff_ref",
"check_mode_plan_ref",
"dry_run_evidence_ref",
"blast_radius_statement",
"rollback_plan_ref",
"post_apply_verifier_ref",
"km_playbook_writeback_ref",
"maintenance_window",
"followup_owner",
"rollback_owner",
"audit_receipt_ref",
"runtime_boundary_ack"
],
"preflight_items": [
{
"item_id": "target_selector",
"title": "Public alias target selector",
"state_key": "target_selector_ready",
"ready": true,
"required_fields": [
"target_selector_aliases"
],
"next_gate": "run check-mode against allowlisted route before any runtime action"
},
{
"item_id": "source_of_truth_diff",
"title": "Source-of-truth diff reference",
"state_key": "source_of_truth_diff_ready",
"ready": true,
"required_fields": [
"source_of_truth_diff_ref"
],
"next_gate": "review repo or playbook diff before controlled apply"
},
{
"item_id": "check_mode_dry_run",
"title": "Check-mode and dry-run evidence",
"state_key": "check_mode_dry_run_ready",
"ready": true,
"required_fields": [
"check_mode_plan_ref",
"dry_run_evidence_ref"
],
"next_gate": "store dry-run evidence reference without raw host output"
},
{
"item_id": "rollback",
"title": "Rollback plan",
"state_key": "rollback_ready",
"ready": true,
"required_fields": [
"rollback_plan_ref",
"rollback_owner"
],
"next_gate": "rollback must remain available before apply"
},
{
"item_id": "post_apply_verifier",
"title": "Post-apply verifier",
"state_key": "post_apply_verifier_ready",
"ready": true,
"required_fields": [
"post_apply_verifier_ref"
],
"next_gate": "verifier readback must run after any future controlled apply"
},
{
"item_id": "learning_writeback",
"title": "KM and PlayBook trust writeback",
"state_key": "learning_writeback_ready",
"ready": true,
"required_fields": [
"km_playbook_writeback_ref",
"audit_receipt_ref"
],
"next_gate": "writeback receipt required after verifier"
}
],
"outcome_lanes": [
"accepted_for_controlled_apply_preflight_review_only",
"request_controlled_apply_packet_supplement",
"quarantine_sensitive_payload",
"reject_runtime_action_request"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"cookie",
"session",
"authorization_header",
"client.keys",
"raw_wazuh_payload",
"raw_agent_identity",
"raw_hostname",
"internal_ip",
"full_cli_output",
"full_journal",
"raw_dashboard_request",
"unredacted_screenshot",
"private_namespace",
"raw_env_file",
"raw_runtime_volume"
],
"forbidden_actions": [
"wazuh_api_live_query",
"wazuh_active_response",
"wazuh_agent_restart",
"wazuh_agent_reenroll",
"wazuh_manager_restart",
"host_write",
"systemd_restart",
"docker_restart",
"nginx_reload",
"firewall_change",
"kali_active_scan",
"credentialed_scan",
"exploit_attempt",
"secret_rotation",
"k8s_apply",
"argocd_sync",
"database_migration",
"force_push",
"repo_ref_delete",
"workflow_trigger"
],
"execution_boundaries": {
"active_scan_authorized": false,
"alertmanager_reload_authorized": false,
"auto_block_authorized": false,
"credentialed_scan_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"kali_execute_authorized": false,
"kali_scan_authorized": false,
"nginx_reload_authorized": false,
"production_write_authorized": false,
"runtime_execution_authorized": false,
"runtime_gate_open": false,
"secret_value_collection_allowed": false,
"telegram_send_authorized": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"not_authorization": true
},
"no_false_green_rules": [
"Controlled apply preflight readiness does not open the runtime gate.",
"Target selectors are public aliases only and do not authorize host writes.",
"Check-mode and dry-run references do not authorize live Wazuh queries.",
"Rollback and verifier readiness does not authorize active response.",
"KM and PlayBook writeback readiness does not permit secret collection."
]
}