git.stella-ops.org/docs/airgap/runbooks/import-verify.md
StellaOps Bot 2d08f52715 feat(zastava): add evidence locker plan and schema examples
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2025-12-02 09:27:31 +02:00


AirGap Import & Verify (runbook outline)

Related advisory: docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md (AG1–AG12). Implements AIRGAP-VERIFY-510-014.

Prerequisites

  • offline-kit/manifest.json + manifest.dsse and mirror.manifest present.
  • Trust roots: Rekor/TUF roots, Authority signing roots, AV/YARA public keys.
  • Tools: cosign (or Stella verifier), sha256sum, yara, python3.

Steps

  1. Verify manifest signature
    • cosign verify-blob --key trust-roots/manifest.pub --signature manifest.dsse manifest.json
    • Sample helper: scripts/airgap/verify-offline-kit.sh <kit-root>
  2. Check staleness and policy/graph hashes
    • Compare feeds[*].snapshot dates to the allowed window; ensure policyHash/graphHash match the target site config; fail closed on mismatch unless a signed override is present.
  3. Verify chunks and Merkle root
    • For each chunk listed in the manifest, run sha256sum -c; recompute the Merkle root per the manifest recipe; compare it to the rootHash field.
  4. AV/YARA validation
    • Run yara -r rules/offline-kit.yar kit/; confirm avReport.sha256 matches signed report in manifest; block on any detection.
  5. Replay depth selection
    • Modes: hash-only (default), full-recompute, policy-freeze. Select via --replay-mode; enforce exit codes 0=pass, 3=stale, 4=hash-drift, 5=av-fail.
  6. Ingress/egress receipts
    • Generate DSSE receipt {hash, operator, time, decision}; store in Proof Graph; verify incoming receipts before import.
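
Added example (not part of the runbook or the StellaOps code base): steps 2 and 3 as a single fail-closed gate that returns the exit codes listed in step 5. The chunk entry layout (path, sha256), the ISO 8601 snapshot format, the pairwise SHA-256 Merkle recipe, and mapping a malformed manifest to hash-drift are assumptions; the signed-override path and the signature check from step 1 are not covered.

```python
import hashlib
from datetime import datetime, timedelta, timezone

PASS, STALE, HASH_DRIFT = 0, 3, 4  # exit codes listed in step 5

def merkle_root(leaf_hex):
    # ASSUMED recipe (the real one comes from the manifest): SHA-256 over
    # concatenated pairs of leaf digests, last node duplicated on odd levels.
    level = [bytes.fromhex(h) for h in leaf_hex]
    if not level:
        raise ValueError("manifest lists no chunks")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def verify_kit(manifest, site, chunks, now, max_age_days):
    """Steps 2 and 3 as one gate; returns the exit code to use."""
    try:
        for feed in manifest["feeds"]:  # step 2: staleness window
            if now - datetime.fromisoformat(feed["snapshot"]) > timedelta(days=max_age_days):
                return STALE
        for key in ("policyHash", "graphHash"):  # step 2: site config match
            if manifest[key] != site[key]:
                return HASH_DRIFT
        digests = []
        for entry in manifest["chunks"]:  # step 3: per-chunk digest
            digest = hashlib.sha256(chunks[entry["path"]]).hexdigest()
            if digest != entry["sha256"]:
                return HASH_DRIFT
            digests.append(digest)
        return PASS if merkle_root(digests) == manifest["rootHash"] else HASH_DRIFT
    except (KeyError, ValueError, TypeError):
        return HASH_DRIFT  # assumption: malformed manifest fails closed as hash-drift

def sample_kit():
    # Constructed sample data; paths, hashes and dates are not from a real kit.
    chunks = {"chunks/0001.bin": b"feed-a", "chunks/0002.bin": b"feed-b", "chunks/0003.bin": b"sbom"}
    listed = [{"path": p, "sha256": hashlib.sha256(b).hexdigest()} for p, b in chunks.items()]
    manifest = {"feeds": [{"name": "osv", "snapshot": "2025-11-28T00:00:00+00:00"}],
                "policyHash": "sha256:aaaa", "graphHash": "sha256:bbbb", "chunks": listed,
                "rootHash": merkle_root([c["sha256"] for c in listed])}
    site = {"policyHash": "sha256:aaaa", "graphHash": "sha256:bbbb"}
    return manifest, site, chunks

if __name__ == "__main__":
    m, s, c = sample_kit()
    print(verify_kit(m, s, c, datetime(2025, 12, 2, tzinfo=timezone.utc), max_age_days=7))
```

Here chunks maps each manifest path to the bytes read from the kit; run the gate only after the manifest signature from step 1 has verified, since every value it compares against comes from manifest.json.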

Outputs

  • Exit code per replay mode outcome.
  • Receipt DSSE stored at receipts/{tenant}/{timestamp}.dsse.
  • Optional report verify-report.json summarizing checks.

Expand with concrete scripts once tasks 510-010..014 land.