# IwoooS SSH / network access read-only inventory

| Item | Content |
|------|------|
| Date | 2026-06-11 |
| Status | `repo_only_inventory_ready` |
| Tool | `scripts/security/ssh-network-access-inventory.py` |
| Snapshot | `docs/security/ssh-network-access-inventory.snapshot.json` |
| Schema | `docs/schemas/ssh_network_access_inventory_v1.schema.json` |
| runtime gate | `0` |

## 1. Purpose

This inventory fills in the `ssh_firewall_network_access` category of the high-value configuration coverage matrix: it first gathers every configuration source in the repo that affects SSH, sudoers, known_hosts, firewall / NetworkPolicy, NodePort and WireGuard into one re-runnable snapshot.

This stage is still a repo-only, read-only inventory. It is not live host truth, not a firewall approval, not a known_hosts patch approval, not a NetworkPolicy apply approval, and not a WireGuard cutover approval.

## 2. Coverage summary

| Metric | Current value | Notes |
|------|--------|------|
| repo surface | `16` | SSH / network access related committed sources included |
| source exists / hash | `16` | every source path exists and has a SHA-256 |
| expected scope | `16` | expected impact scope documented for every surface |
| SSH source surface | `11` | includes inventory, CI deploy, monitoring, backup and alert action |
| NetworkPolicy surface | `2` | production and ArgoCD metrics policies |
| NodePort surface | `2` | ArgoCD metrics and Velero metrics |
| sudoers surface | `1` | `awoooi-wrapper.sudoers` |
| WireGuard surface | `1` | GCP Ollama WireGuard mesh runbook |
| write-capable surface | `6` | CI deploy, monitoring deploy, sudoers, alert action catalog |
| owner response received / accepted | `0 / 0` | no owner response received or accepted yet |
| live evidence received | `0` | no owner-provided live evidence obtained yet |
| runtime / action | `0 / 0` | runtime gate not opened, no action buttons provided |
| SSH / network category maturity | `48% -> 54%` | reflects only completion of the repo-only inventory, not live authorization |

## 3. Included surfaces

| Surface | Type | Scope | Write-capable |
|---------|------|------|----------|
| `ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | no |
| `ansible_common_ssh_args` | SSH client policy | `multi_host` | no |
| `gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | no |
| `gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | yes |
| `gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | yes |
| `deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | yes |
| `monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | no |
| `monitoring_exporter_deploy_ssh` | monitoring SSH deploy script | `192.168.0.188` | yes |
| `backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | no |
| `host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | yes |
| `k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | no |
| `argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | no |
| `argocd_metrics_nodeport` | K8s NodePort service | `argocd_nodeport_30882_30883` | no |
| `velero_metrics_nodeport` | K8s NodePort service | `velero_nodeport_30885` | no |
| `wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | no |
| `alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | yes |

## 4. Fixed 0 / false boundary

```text
runtime_execution_authorized=false
host_write_authorized=false
ssh_read_authorized=false
ssh_write_authorized=false
sudo_action_authorized=false
firewall_change_authorized=false
network_policy_apply_authorized=false
nodeport_change_authorized=false
wireguard_change_authorized=false
known_hosts_patch_authorized=false
host_keyscan_authorized=false
live_host_read_authorized=false
secret_value_collection_allowed=false
ssh_key_collection_allowed=false
active_scan_authorized=false
action_buttons_allowed=false
```

## 5. Interpretation rules

1. `source_exists=true` only means the repo file exists; it does not mean the live host matches the repo.
2. `sha256` is the hash of the committed source, not of the live `/etc/ssh`, firewall, sudoers, NetworkPolicy or WireGuard state.
3. `write_capable_surface_count=6` marks the high-risk entry points that need owner review; it does not mean they may be executed.
4. `accept-new`, known_hosts, NodePort, NetworkPolicy and WireGuard may for now only be raised as owner questions; they must not be automatically patched, keyscanned, applied or cut over.
5. Any later collection of live evidence may only go through owner-provided redacted evidence, a maintenance window and a rollback owner; at this stage there is no active SSH, sudo, scanning or secret reading.
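Added example, not part of the inventory tool or this repo: a checker that enforces the section 4 gates and rules 1 to 3 over a snapshot, rejecting a flipped or missing gate, a `sha256` that no longer matches the committed file, and a `write_capable_surface_count` that disagrees with the surfaces listed. The snapshot layout it reads (`gates`, a `surfaces` list with `name`, `source_path`, `source_exists`, `sha256`, `write_capable`, and the count field) is assumed here, not taken from the real schema file.

```python
import hashlib
import tempfile
from pathlib import Path
# Gates from section 4; every one must stay false while the inventory is repo-only.
FIXED_FALSE_GATES = (
    "runtime_execution_authorized", "host_write_authorized", "ssh_read_authorized",
    "ssh_write_authorized", "sudo_action_authorized", "firewall_change_authorized",
    "network_policy_apply_authorized", "nodeport_change_authorized", "wireguard_change_authorized",
    "known_hosts_patch_authorized", "host_keyscan_authorized", "live_host_read_authorized",
    "secret_value_collection_allowed", "ssh_key_collection_allowed", "active_scan_authorized",
    "action_buttons_allowed",
)

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_snapshot(snapshot: dict, root: Path) -> list:
    """Return findings; an empty list means the snapshot is self-consistent."""
    findings = []
    gates = snapshot.get("gates", {})
    for gate in FIXED_FALSE_GATES:  # rule 4: a missing gate fails like a true one
        if gates.get(gate) is not False:
            findings.append(f"gate {gate} is not false")
    write_capable = 0
    for s in snapshot.get("surfaces", []):  # rules 1-2: committed files under root only
        path = root / s["source_path"]
        if s.get("source_exists") != path.is_file():
            findings.append(f"{s['name']}: source_exists mismatch")
        elif path.is_file() and s.get("sha256") != sha256_of(path):
            findings.append(f"{s['name']}: sha256 differs from committed source")
        write_capable += 1 if s.get("write_capable") else 0
    if snapshot.get("write_capable_surface_count") != write_capable:  # rule 3
        findings.append("write_capable_surface_count mismatch")
    return findings

def run_demo() -> tuple:
    """Constructed one-surface repo (assumed layout); returns (clean, drifted) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "awoooi-wrapper.sudoers"
        src.write_text("# constructed sample sudoers content\n")
        snap = {"gates": {g: False for g in FIXED_FALSE_GATES},
                "surfaces": [{"name": "host_ops_sudoers_wrapper", "source_path": src.name,
                              "source_exists": True, "sha256": sha256_of(src),
                              "write_capable": True}],
                "write_capable_surface_count": 1}
        clean = check_snapshot(snap, root)
        src.write_text("# edited after the snapshot was taken\n")  # source drift
        snap["gates"]["sudo_action_authorized"] = True             # gate flipped
        return clean, check_snapshot(snap, root)
```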

## 6. Commands

```bash
python3 scripts/security/ssh-network-access-inventory.py \
  --root . \
  --output docs/security/ssh-network-access-inventory.snapshot.json
```

To pin the committed snapshot timestamp:

```bash
python3 scripts/security/ssh-network-access-inventory.py \
  --root . \
  --generated-at 2026-06-11T23:55:00+08:00 \
  --output docs/security/ssh-network-access-inventory.snapshot.json
```

## 7. Completion

| Task | Completion | Notes |
|------|--------|------|
| repo-only surface registration | `100%` | 16 SSH / network access surfaces included |
| source existence / hash | `100%` | all 16 source paths verified to exist and hashed |
| owner response intake | `0%` | no owner response received or accepted yet |
| live evidence collection | `0%` | no SSH, no keyscan, no live firewall read, no live sudoers read |
| SSH / sudo / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | all remain unauthorized |