Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel. Also adds: - docs/doctor/articles/ knowledge base for check explanations - Advisory AI search seed and allowlist updates for doctor content - Sprint plan for doctor checks documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
53
docs/doctor/articles/timestamping/ocsp-stapling-enabled.md
Normal file
53
docs/doctor/articles/timestamping/ocsp-stapling-enabled.md
Normal file
@@ -0,0 +1,53 @@
|
||||
---
|
||||
checkId: check.timestamp.ocsp.stapling
|
||||
plugin: stellaops.doctor.timestamping
|
||||
severity: warn
|
||||
tags: [timestamping, ocsp, stapling, revocation]
|
||||
---
|
||||
# OCSP Stapling Enabled
|
||||
|
||||
## What It Checks
|
||||
Checks whether TSA OCSP stapling is configured and fresh. The check:
|
||||
|
||||
- Queries the stapling status provider for all TSA providers.
|
||||
- Reports which providers have OCSP stapling enabled or disabled.
|
||||
- Fails if all providers have stapling disabled. Warns if some are disabled.
|
||||
- Reports degraded if no stapling status data is available.
|
||||
|
||||
## Why It Matters
|
||||
OCSP stapling embeds the OCSP response directly in the TLS handshake or timestamp token, eliminating the need for clients to perform live OCSP lookups. This is critical for air-gapped deployments where live OCSP lookups are impossible, and improves performance for all deployments.
|
||||
|
||||
## Common Causes
|
||||
- OCSP stapling not configured for TSA providers
|
||||
- Stapling status monitoring not set up
|
||||
- TSA provider does not support stapling
|
||||
|
||||
## How to Fix
|
||||
|
||||
### Docker Compose
|
||||
Enable OCSP stapling in TSA provider configuration:
|
||||
|
||||
```yaml
|
||||
environment:
|
||||
Timestamping__OcspStapling__Enabled: "true"
|
||||
```
|
||||
|
||||
### Bare Metal / systemd
|
||||
Configure OCSP stapling in `appsettings.json` and ensure TSA providers support it.
|
||||
|
||||
### Kubernetes / Helm
|
||||
```yaml
|
||||
timestamping:
|
||||
ocspStapling:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Verification
|
||||
```
|
||||
stella doctor run --check check.timestamp.ocsp.stapling
|
||||
```
|
||||
|
||||
## Related Checks
|
||||
- `check.timestamp.ocsp.responder` — checks OCSP responder availability
|
||||
- `check.timestamp.evidence.tst.missing-stapling` — detects timestamps without stapled data
|
||||
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
|
||||
Reference in New Issue
Block a user