awoooi/docs/security/kali-112-maintenance-window-draft.snapshot.json

218 lines
7.8 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "kali_maintenance_window_draft_v1",
"status": "draft_waiting_owner_review",
"date": "2026-06-04",
"mode": "maintenance_window_draft_only",
"source_evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/kali-integration-status.snapshot.json",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md"
],
"summary": {
"host": "192.168.0.112",
"asset_key": "host:kali-112",
"pending_update_count": 1994,
"failed_systemd_unit_count": 1,
"service_hardening_enabled_count": 0,
"service_hardening_expected_count": 4,
"reboot_required": false,
"maintenance_window_package_ready": true,
"maintenance_window_completion_percent": 100,
"maintenance_window_approved": false,
"host_update_authorized": false,
"service_restart_authorized": false,
"hardening_authorized": false,
"reboot_authorized": false,
"active_scan_authorized": false,
"execute_endpoint_authorized": false
},
"observed_gaps": [
{
"gap_id": "pending-updates-1994",
"current_evidence": "2026-06-04 只讀快照顯示 upgradable_package_count=1994。",
"risk": "MEDIUM",
"required_before_action": [
"maintenance window owner response",
"package change scope",
"rollback owner",
"post-check owner",
"reboot decision"
]
},
{
"gap_id": "networking-service-failed",
"current_evidence": "2026-06-04 只讀快照顯示 failed_systemd_unit_names=[networking.service]。",
"risk": "MEDIUM",
"required_before_action": [
"service owner confirmation",
"expected network manager / interface model",
"restart impact review",
"rollback path",
"out-of-band access confirmation"
]
},
{
"gap_id": "scanner-service-hardening-0-of-4",
"current_evidence": "2026-06-04 只讀快照顯示 NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。",
"risk": "MEDIUM",
"required_before_action": [
"dry-run hardening design",
"scanner tool compatibility review",
"override rollback file plan",
"health check plan",
"manual approval"
]
},
{
"gap_id": "execute-endpoint-present",
"current_evidence": "Kali Scanner API 文件化顯示存在 /execute path，仍是 block candidate。",
"risk": "HIGH",
"required_before_action": [
"separate high-risk approval",
"allowlist / disable gate design",
"audit event design",
"runtime gate",
"manual exception record"
]
}
],
"owner_response_handoff": {
"status": "ready_not_dispatched",
"request_dispatch_authorized": false,
"required_response_fields": [
"owner_role_or_team",
"maintenance_window_start_end_taipei",
"change_scope",
"rollback_owner",
"validation_owner",
"communication_owner",
"reboot_decision",
"redacted_evidence_refs",
"followup_owner"
],
"forbidden_inputs": [
"password value",
"token value",
"private key",
"API key value",
"runner token",
"raw secret",
"command to execute",
"apt upgrade request",
"service restart request",
"hardening apply request",
"active scan request",
"execute endpoint request"
],
"response_received": false,
"response_accepted": false
},
"maintenance_window_draft": {
"window_status": "waiting_owner_selection",
"candidate_window": "建議由 owner 指定台北時間低流量 2 小時窗口;本草案不自動指定日期或開始維護。",
"change_lanes": [
{
"lane_id": "package-update-planning",
"description": "整理 full-upgrade / autoremove / reboot 的人工批准前檢查,不執行 apt upgrade。",
"authorization_required": "kali-full-upgrade-reboot approval + rollback owner + post-check owner",
"current_authorized": false
},
{
"lane_id": "networking-service-review",
"description": "釐清 networking.service failed 是否為 expected / legacy / real failure，不直接 restart。",
"authorization_required": "service owner decision + out-of-band access + rollback path",
"current_authorized": false
},
{
"lane_id": "scanner-systemd-hardening-dry-run-design",
"description": "設計 kali-scanner.service hardening override 的 dry-run / compatibility review，不套用 hardening。",
"authorization_required": "scanner owner decision + health compatibility review + rollback file plan",
"current_authorized": false
},
{
"lane_id": "post-maintenance-validation",
"description": "定義維護後 scanner health、Docker service、failed units、pending updates、reboot required 與 AwoooP / IwoooS evidence readback。",
"authorization_required": "validation owner + evidence refs + reviewer acceptance",
"current_authorized": false
}
],
"pre_window_checks": [
"確認 maintenance window owner response 已收到且 accepted。",
"確認 package / service / hardening / reboot scope 沒有混在同一個未批准動作中。",
"確認不保存任何 credential value。",
"確認 rollback owner 與 validation owner 已指定。",
"確認 out-of-band access 與停止條件已定義。",
"確認 active scan、credentialed scan 與 /execute 仍未授權。"
]
},
"rollback_plan_draft": [
{
"rollback_item": "package update rollback",
"required_evidence": [
"pre-window package list snapshot ref",
"apt history / dpkg log redacted ref",
"rollback owner",
"reboot decision"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "networking.service restart rollback",
"required_evidence": [
"current network service model",
"out-of-band access confirmation",
"previous service state snapshot ref",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "systemd hardening override rollback",
"required_evidence": [
"override file path",
"scanner tool compatibility result",
"scanner health before / after refs",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
}
],
"post_check_plan": [
"scanner API /health returns healthy",
"kali-scanner.service active / enabled",
"node-exporter container up",
"wg-easy container healthy",
"failed systemd units reviewed",
"pending update count recorded",
"reboot required flag recorded",
"service hardening state recorded",
"AwoooP / IwoooS evidence refs updated",
"no active scan or /execute call occurred during maintenance unless separately approved"
],
"acceptance_rules": [
"本草案完成不代表 maintenance window 已批准。",
"maintenance owner response received / accepted 前,不得執行 apt upgrade、restart、hardening 或 reboot。",
"任何 active scan、credentialed scan 或 /execute 都必須走獨立 approval gate，不可包進維護窗口。",
"所有 evidence refs 必須脫敏,不保存 credential value。",
"維護後若任何 post-check 失敗，只能建立人工 follow-up，不得自動補救。"
],
"forbidden_actions": [
"apt_upgrade",
"apt_full_upgrade",
"apt_autoremove",
"restart_networking_service",
"apply_systemd_hardening",
"reboot_host",
"active_scan",
"credentialed_scan",
"call_execute_endpoint",
"store_credential_value",
"change_firewall",
"change_networkpolicy",
"change_rbac",
"enable_runtime_blocking_control"
]
}