stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
323bf5844f4138511ab804e4251accdc1a12a3f5
git.stella-ops.org/docs/24_OFFLINE_KIT.md
master 323bf5844f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add scripts for resolving and verifying Chromium binary paths 
- Implemented `chrome-path.js` to define functions for locating Chromium binaries across different platforms and nested directories.
- Added `verify-chromium.js` to check for the presence of the Chromium binary and log the results, including candidate paths checked.
- The scripts support Linux, Windows, and macOS environments, enhancing the flexibility of Chromium binary detection.
2025-10-22 09:14:36 +03:00

5.7 KiB
Executable File
Raw Blame History

Offline Update Kit (OUK) — AirGap Bundle

The Offline Update Kit packages everything StellaOps needs to run on a completely isolated network:

Component Contents
Merged vulnerability feeds OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU
Container images stella-ops, Zastava sidecar (x8664 &arm64)
Provenance Cosign signature, SPDX 2.3 SBOM, intoto SLSA attestation
Attested manifest offline-manifest.json + detached JWS covering bundle metadata, signed during export.
Delta patches Daily diff bundles keep size <350MB
Scanner plug-ins OS analyzers and the Node.js language analyzer packaged under plugins/scanner/analyzers/** with manifests so Workers load deterministically offline.

RU BDU note: ship the official Russian Trusted Root/Sub CA bundle (certificates/russian_trusted_bundle.pem) inside the kit so concelier:httpClients:source.bdu:trustedRootPaths can resolve it when the service runs in an airgapped network. Drop the most recent vulxml.zip alongside the kit if operators need a cold-start cache.

Language analyzers: the kit now carries the restart-only Node.js analyzer plug-in (plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Node/). Drop the directory alongside Worker binaries so the unified plug-in catalog can load it without outbound fetches; upcoming Python/Go/.NET/Rust plug-ins will follow the same layout.

Scanner core: C# 12 on .NET{{ dotnet }}.
Imports are idempotent and atomic — no service downtime.

1·Download & verify

curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz
curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz.sig
curl -LO https://get.stella-ops.org/ouk/offline-manifest-<DATE>.json
curl -LO https://get.stella-ops.org/ouk/offline-manifest-<DATE>.json.jws

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
  stella-ops-offline-kit-<DATE>.tgz

CLI shortcut. stellaops-cli offline kit pull --destination ./offline-kit downloads the bundle, manifest, and detached signatures in one step, resumes partial transfers, and writes a .metadata.json summary for later import.

Verification prints OK and the SHA256 digest; crosscheck against the changelog.

Validate the attested manifest before distribution:

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature offline-manifest-<DATE>.json.jws \
  offline-manifest-<DATE>.json

jq '.artifacts[] | {name, sha256, size, capturedAt}' offline-manifest-<DATE>.json

The manifest enumerates every artefact (name, sha256, size, capturedAt) and is signed with the same key registry as Authority revocation bundles. Operators can ship the manifest alongside the tarball so downstream mirrors can re-verify without unpacking the kit.

2·Import on the airgapped host

docker compose --env-file .env \
  -f docker-compose.stella-ops.yml \
  exec stella-ops \
  stella admin import-offline-usage-kit stella-ops-offline-kit-<DATE>.tgz

Alternatively, run

stellaops-cli offline kit import stella-ops-offline-kit-<DATE>.tgz \
  --manifest offline-manifest-<DATE>.json \
  --bundle-signature stella-ops-offline-kit-<DATE>.tgz.sig \
  --manifest-signature offline-manifest-<DATE>.json.jws

The CLI validates recorded digests (when .metadata.json is present) before streaming the multipart payload to /api/offline-kit/import.

  • The CLI validates the Cosign signature before activation.
  • Old feeds are kept until the new bundle is fully verified.
  • Import time on a SATA SSD: ≈25s for a 300MB kit.

3·Delta patch workflow

  1. Connected site fetches stella-ouk-YYYYMMDD.delta.tgz.
  2. Transfer via any medium (USB, portable disk).
  3. stella admin import-offline-usage-kit <delta> applies only changed CVE rows & images.

Daily deltas are <30MB; weekly rollup produces a fresh full kit.

4·Quota behaviour offline

The scanner enforces the same fairuse limits offline:

  • Anonymous: {{ quota_anon }} scans per UTC day
  • Free JWT: {{ quota_token }} scans per UTC day

Soft reminder at 200 scans; throttle above the ceiling but never block. See the detailed rules in 33_333_QUOTA_OVERVIEW.md.

5·Troubleshooting

Symptom Explanation Fix
could not verify SBOM hash Bundle corrupted in transit Redownload / recopy
Import hangs at Applying feeds… Low disk space in /var/lib/stella Free ≥2GiB before retry
quota exceeded same day after import Import resets counters at UTC 00:00 only Wait until next UTC day or load a JWT

6·Related documentation

  • Install guide: /install/#air-gapped
  • Sovereign mode rationale: /sovereign/
  • Security policy: /security/#reporting-a-vulnerability
  • CERT-Bund snapshots: python tools/certbund_offline_snapshot.py --help (see docs/ops/concelier-certbund-operations.md)