stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
0cb5c9abfbb4abeb778bc2371842a38cbfdcfe87
git.stella-ops.org/docs/airgap/runbooks/av-scan.md
StellaOps Bot e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add DigestUpsertRequest and LockEntity models 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00

2.2 KiB
Raw Blame History

AV/YARA Scan Runbook (AIRGAP-AV-510-011)

Purpose: ensure every offline-kit bundle is scanned pre-publish and post-ingest, with deterministic reports and optional signatures.

Inputs

  • Bundle directory containing manifest.json and payload files.
  • AV scanner (e.g., ClamAV) and optional YARA rule set available locally (no network).

Steps (offline)

  1. Scan all bundle files: 
    clamscan -r --max-filesize=2G --max-scansize=4G --no-summary bundle/ > reports/av-scan.txt
  2. Convert to structured report: 
    python - <<'PY'
import hashlib, json, pathlib, sys
root = pathlib.Path("bundle")
report = {
    "scanner": "clamav",
    "scannerVersion": "1.4.1",
    "startedAt": "2025-12-02T00:02:00Z",
    "completedAt": "2025-12-02T00:04:30Z",
    "status": "clean",
    "artifacts": [],
    "errors": []
}
for path in root.glob("**/*"):
    if path.is_file():
        h = hashlib.sha256(path.read_bytes()).hexdigest()
        report["artifacts"].append({
            "path": str(path.relative_to(root)),
            "sha256": h,
            "result": "clean",
            "yaraRules": []
        })
json.dump(report, sys.stdout, indent=2)
PY
  3. Validate report against schema: 
    jq empty --argfile schema docs/airgap/av-report.schema.json 'input' < docs/airgap/samples/av-report.sample.json >/dev/null
  4. Optionally sign report (detached): 
    openssl dgst -sha256 -sign airgap-av-key.pem reports/av-report.json > reports/av-report.sig
  5. Update manifest.json:
    • Set avScan.status to clean or findings.
    • avScan.reportPath and avScan.reportSha256 must match the generated report.

Acceptance checks

  • Report validates against docs/airgap/av-report.schema.json.
  • manifest.json hashes updated and verified via src/AirGap/scripts/verify-manifest.sh.
  • If any artifact result is malicious/suspicious, bundle must be rejected and re-scanned after remediation.

References

  • Manifest schema: docs/airgap/manifest.schema.json
  • Sample report: docs/airgap/samples/av-report.sample.json
  • Manifest verifier: src/AirGap/scripts/verify-manifest.sh