81 lines
4.1 KiB
Markdown
81 lines
4.1 KiB
Markdown
# IwoooS 高價值配置控管 Guard
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-15 |
|
||
| 狀態 | `repo_snapshot_guard_ready` |
|
||
| 腳本 | `scripts/security/iwooos-config-control-guard.py` |
|
||
| 模式 | repo snapshot only,不連線主機、不讀 secret、不做 runtime 動作 |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
此 guard 將「所有重要配置都要被資安控管」從文件盤點推進成可重複執行的驗證基線。它讀取既有 Markdown 與 JSON snapshot,確認下列配置面都有只讀控管帳本、owner gate、拒收條件與 `0 / false` 邊界:
|
||
|
||
| 類別 | 代表配置面 |
|
||
|------|------------|
|
||
| Public gateway | Nginx、reverse proxy、公開 route、rendered diff、`nginx -t` 證據收件規則 |
|
||
| DNS / TLS | certbot、certificate path、ACME route、renewal owner |
|
||
| K8s / ArgoCD | production manifest、GitOps change evidence、rollback revision |
|
||
| Secrets / Runner | workflow、runner attestation、secret name parity、injection route |
|
||
| Runtime config | public / admin / API route、CORS、frontend env、Sentry tunnel、webhook / callback |
|
||
| Network | SSH、sudoers、known_hosts、防火牆、NodePort、WireGuard |
|
||
| Backup / DR | backup、restore、offsite、escrow、retention、Velero |
|
||
| Monitoring | Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、Telegram route |
|
||
| Cross-product | VibeWork、agent-bounty-protocol、StockPlatform、Bitan、Tsenyang 等產品邊界 |
|
||
|
||
## 2. 驗證內容
|
||
|
||
`iwooos-config-control-guard.py` 目前固定檢查:
|
||
|
||
1. `high-value-config-control-coverage.snapshot.json` 必須有 14 類配置,C0 類別 8 個,owner response required 14 個,owner response received / accepted 為 `0 / 0`,runtime gate 與 action button 為 `0`。
|
||
2. 每個高價值配置類別的 evidence refs 必須能在 repo 中找到對應文件、snapshot、schema、腳本或 source path。
|
||
3. Public gateway、DNS / TLS、Docker / systemd、SSH / firewall、Backup / restore、K8s / ArgoCD、CD / runner / secret、Public runtime、Monitoring、agent-bounty-protocol 等帳本必須符合既定 schema、status、candidate count、reviewer checks、outcome lanes 與 blocked actions。
|
||
4. 各帳本 summary 中的 `*_authorized_count`、`*_executed_count`、`*_received_count`、`*_accepted_count`、`*_allowed_count`、`runtime_gate_count`、`action_button_count`、`request_sent_count` 必須維持 `0`。
|
||
5. `execution_boundaries` 中所有 runtime / host / workflow / secret / scan / deploy 授權旗標必須維持 `false`;只有 `not_authorization=true` 是安全宣告。
|
||
6. `security-supply-chain-contract-manifest.snapshot.json` 必須維持 `36` 個 contract,default enforcement 為 `mirror_only`,且每個 contract 都有 forbidden actions 與存在的 schema / snapshot / human docs ref。
|
||
|
||
## 3. 指令
|
||
|
||
```bash
|
||
python3 scripts/security/iwooos-config-control-guard.py --root .
|
||
```
|
||
|
||
預期輸出:
|
||
|
||
```text
|
||
IWOOOS_CONFIG_CONTROL_GUARD_OK
|
||
```
|
||
|
||
主進度 guard 已串接此 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
預期仍為:
|
||
|
||
```text
|
||
SECURITY_MIRROR_PROGRESS_GUARD_OK
|
||
```
|
||
|
||
## 4. 邊界
|
||
|
||
此 guard 通過只代表 repo snapshot 層的配置控管基線完整,不代表:
|
||
|
||
- owner response 已收到或接受。
|
||
- Nginx reload、`nginx -t`、DNS query、TLS probe、certbot renew 已授權。
|
||
- ArgoCD sync、kubectl、workflow 修改、runner 啟用、secret 讀取 / 輪替已授權。
|
||
- SSH、firewall、port open / close、WireGuard / NodePort / NetworkPolicy 變更已授權。
|
||
- backup run、restore drill、offsite sync、retention change、escrow marker write 已授權。
|
||
- active scan、Kali `/execute`、agent-bounty runtime、payout、withdrawal 或 production deploy 已授權。
|
||
|
||
## 5. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| 高價值配置集中 guard | `100%` | 已新增腳本並可獨立執行 |
|
||
| 主進度 guard 串接 | `100%` | `security-mirror-progress-guard.py` 已呼叫此 guard |
|
||
| dry-run 證據同步 | `100%` | `security-mirror-dry-run.snapshot.json` 已新增 `CHECK_CONFIG_CONTROL_GUARD` |
|
||
| runtime / host / secret / scan / deploy 授權 | `0%` | 全部維持 `0 / false` |
|