Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel. Also adds: - docs/doctor/articles/ knowledge base for check explanations - Advisory AI search seed and allowlist updates for doctor content - Sprint plan for doctor checks documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
53
docs/doctor/articles/timestamping/ocsp-responder.md
Normal file
53
docs/doctor/articles/timestamping/ocsp-responder.md
Normal file
@@ -0,0 +1,53 @@
|
||||
---
|
||||
checkId: check.timestamp.ocsp.responder
|
||||
plugin: stellaops.doctor.timestamping
|
||||
severity: warn
|
||||
tags: [timestamping, ocsp, responder, revocation]
|
||||
---
|
||||
# OCSP Responder Availability
|
||||
|
||||
## What It Checks
|
||||
Checks that configured OCSP responders are accessible. The check:
|
||||
|
||||
- Gets configured OCSP responders from the registry.
|
||||
- Sends an OPTIONS request to each responder with a 10-second timeout.
|
||||
- Considers 2xx and 405 (Method Not Allowed) responses as healthy.
|
||||
- Fails if all responders are unavailable. Warns if some are unavailable.
|
||||
- Reports degraded if no responders are configured.
|
||||
|
||||
## Why It Matters
|
||||
OCSP responders provide real-time certificate revocation status. If OCSP responders are unavailable, the system cannot verify whether TSA certificates have been revoked, potentially accepting timestamps from compromised certificates.
|
||||
|
||||
## Common Causes
|
||||
- OCSP responder server is down
|
||||
- Network connectivity issues
|
||||
- Firewall blocking HTTP/HTTPS to OCSP URLs
|
||||
- OCSP responder URL changed by the CA
|
||||
|
||||
## How to Fix
|
||||
|
||||
### Docker Compose
|
||||
```bash
|
||||
# Test OCSP responder connectivity
|
||||
docker exec <platform-container> curl -v http://ocsp.digicert.com
|
||||
```
|
||||
|
||||
### Bare Metal / systemd
|
||||
```bash
|
||||
# Test OCSP responder
|
||||
openssl ocsp -issuer /path/to/issuer.pem -cert /path/to/cert.pem \
|
||||
-url http://ocsp.digicert.com -resp_text
|
||||
```
|
||||
|
||||
### Kubernetes / Helm
|
||||
Ensure egress NetworkPolicies allow traffic to OCSP responder URLs.
|
||||
|
||||
## Verification
|
||||
```
|
||||
stella doctor run --check check.timestamp.ocsp.responder
|
||||
```
|
||||
|
||||
## Related Checks
|
||||
- `check.timestamp.ocsp.stapling` — checks OCSP stapling configuration
|
||||
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
|
||||
- `check.timestamp.crl.distribution` — checks CRL distribution point availability
|
||||
Reference in New Issue
Block a user