{
"schema_version": "wazuh_runtime_controlled_apply_preflight_v1",
"generated_at": "2026-06-28T10:30:00+08:00",
"status": "controlled_apply_preflight_ready_no_runtime_action",
"mode": "committed_preflight_readback_no_live_wazuh_no_secret_collection",
"summary": {
"expected_scope_alias_count": 6,
"target_selector_count": 6,
"source_of_truth_diff_count": 1,
"check_mode_plan_count": 1,
"dry_run_required_count": 1,
"rollback_plan_count": 1,
"post_apply_verifier_count": 1,
"km_playbook_writeback_count": 1,
"maintenance_window_required_count": 1,
"owner_review_ready_count": 1,
"controlled_apply_preflight_ready_count": 1,
"controlled_apply_packet_received_count": 0,
"controlled_apply_packet_accepted_count": 0,
"controlled_apply_packet_quarantined_count": 0,
"controlled_apply_runtime_action_rejected_count": 0,
"forbidden_payload_count": 18,
"forbidden_action_count": 20,
"runtime_gate_count": 0,
"wazuh_api_live_query_authorized_count": 0,
"wazuh_active_response_authorized_count": 0,
"host_write_authorized_count": 0,
"secret_value_collection_allowed_count": 0
},
"target_selectors": [
{
"node_alias": "managed_core_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_core_node_b",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_core_node_c",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_edge_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_edge_node_b",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
},
{
"node_alias": "managed_lab_node_a",
"scope": "wazuh_manager_registry_accepted_alias",
"selector_kind": "public_alias_only",
"runtime_write_allowed": false
}
],
"required_packet_fields": [
"controlled_apply_intent",
"target_selector_aliases",
"source_of_truth_diff_ref",
"check_mode_plan_ref",
"dry_run_evidence_ref",
"blast_radius_statement",
"rollback_plan_ref",
"post_apply_verifier_ref",
"km_playbook_writeback_ref",
"maintenance_window",
"followup_owner",
"rollback_owner",
"audit_receipt_ref",
"runtime_boundary_ack"
],
"preflight_items": [
{
"item_id": "target_selector",
"title": "Public alias target selector",
"state_key": "target_selector_ready",
"ready": true,
"required_fields": [
"target_selector_aliases"
],
"next_gate": "run check-mode against allowlisted route before any runtime action"
},
{
"item_id": "source_of_truth_diff",
"title": "Source-of-truth diff reference",
"state_key": "source_of_truth_diff_ready",
"ready": true,
"required_fields": [
"source_of_truth_diff_ref"
],
"next_gate": "review repo or playbook diff before controlled apply"
},
{
"item_id": "check_mode_dry_run",
"title": "Check-mode and dry-run evidence",
"state_key": "check_mode_dry_run_ready",
"ready": true,
"required_fields": [
"check_mode_plan_ref",
"dry_run_evidence_ref"
],
"next_gate": "store dry-run evidence reference without raw host output"
},
{
"item_id": "rollback",
"title": "Rollback plan",
"state_key": "rollback_ready",
"ready": true,
"required_fields": [
"rollback_plan_ref",
"rollback_owner"
],
"next_gate": "rollback must remain available before apply"
},
{
"item_id": "post_apply_verifier",
"title": "Post-apply verifier",
"state_key": "post_apply_verifier_ready",
"ready": true,
"required_fields": [
"post_apply_verifier_ref"
],
"next_gate": "verifier readback must run after any future controlled apply"
},
{
"item_id": "learning_writeback",
"title": "KM and PlayBook trust writeback",
"state_key": "learning_writeback_ready",
"ready": true,
"required_fields": [
"km_playbook_writeback_ref",
"audit_receipt_ref"
],
"next_gate": "writeback receipt required after verifier"
}
],
"outcome_lanes": [
"accepted_for_controlled_apply_preflight_review_only",
"request_controlled_apply_packet_supplement",
"quarantine_sensitive_payload",
"reject_runtime_action_request"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"cookie",
"session",
"authorization_header",
"client.keys",
"raw_wazuh_payload",
"raw_agent_identity",
"raw_hostname",
"internal_ip",
"full_cli_output",
"full_journal",
"raw_dashboard_request",
"unredacted_screenshot",
"private_namespace",
"raw_env_file",
"raw_runtime_volume"
],
"forbidden_actions": [
"wazuh_api_live_query",
"wazuh_active_response",
"wazuh_agent_restart",
"wazuh_agent_reenroll",
"wazuh_manager_restart",
"host_write",
"systemd_restart",
"docker_restart",
"nginx_reload",
"firewall_change",
"kali_active_scan",
"credentialed_scan",
"exploit_attempt",
"secret_rotation",
"k8s_apply",
"argocd_sync",
"database_migration",
"force_push",
"repo_ref_delete",
"workflow_trigger"
],
"execution_boundaries": {
"active_scan_authorized": false,
"alertmanager_reload_authorized": false,
"auto_block_authorized": false,
"credentialed_scan_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"kali_execute_authorized": false,
"kali_scan_authorized": false,
"nginx_reload_authorized": false,
"production_write_authorized": false,
"runtime_execution_authorized": false,
"runtime_gate_open": false,
"secret_value_collection_allowed": false,
"telegram_send_authorized": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"not_authorization": true
},
"no_false_green_rules": [
"Controlled apply preflight ready does not open runtime gate.",
"Target selectors are public aliases only and do not authorize host writes.",
"Check-mode and dry-run references do not authorize live Wazuh queries.",
"Rollback and verifier readiness does not authorize active response.",
"KM and PlayBook writeback readiness does not permit secret collection."
]
}