2.2 KiB
2.2 KiB
AV/YARA Scan Runbook (AIRGAP-AV-510-011)
Purpose: ensure every offline-kit bundle is scanned pre-publish and post-ingest, with deterministic reports and optional signatures.
Inputs
- Bundle directory containing
manifest.jsonand payload files. - AV scanner (e.g., ClamAV) and optional YARA rule set available locally (no network).
Steps (offline)
- Scan all bundle files:
clamscan -r --max-filesize=2G --max-scansize=4G --no-summary bundle/ > reports/av-scan.txt - Convert to structured report:
python - <<'PY' import hashlib, json, pathlib, sys root = pathlib.Path("bundle") report = { "scanner": "clamav", "scannerVersion": "1.4.1", "startedAt": "2025-12-02T00:02:00Z", "completedAt": "2025-12-02T00:04:30Z", "status": "clean", "artifacts": [], "errors": [] } for path in root.glob("**/*"): if path.is_file(): h = hashlib.sha256(path.read_bytes()).hexdigest() report["artifacts"].append({ "path": str(path.relative_to(root)), "sha256": h, "result": "clean", "yaraRules": [] }) json.dump(report, sys.stdout, indent=2) PY - Validate report against schema:
jq empty --argfile schema docs/modules/airgap/schemas/av-report.schema.json 'input' < docs/modules/airgap/samples/av-report.sample.json >/dev/null - Optionally sign report (detached):
openssl dgst -sha256 -sign airgap-av-key.pem reports/av-report.json > reports/av-report.sig - Update
manifest.json:- Set
avScan.statustocleanorfindings. avScan.reportPathandavScan.reportSha256must match the generated report.
- Set
Acceptance checks
- Report validates against
docs/modules/airgap/schemas/av-report.schema.json. manifest.jsonhashes updated and verified viasrc/AirGap/scripts/verify-manifest.sh.- If any artifact result is
malicious/suspicious, bundle must be rejected and re-scanned after remediation.
References
- Manifest schema:
docs/modules/airgap/schemas/manifest.schema.json - Sample report:
docs/modules/airgap/samples/av-report.sample.json - Manifest verifier:
src/AirGap/scripts/verify-manifest.sh