e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
61 lines
2.2 KiB
Markdown
61 lines
2.2 KiB
Markdown
# AV/YARA Scan Runbook (AIRGAP-AV-510-011)
|
|
|
|
Purpose: ensure every offline-kit bundle is scanned pre-publish and post-ingest, with deterministic reports and optional signatures.
|
|
|
|
## Inputs
|
|
- Bundle directory containing `manifest.json` and payload files.
|
|
- AV scanner (e.g., ClamAV) and optional YARA rule set available locally (no network).
|
|
|
|
## Steps (offline)
|
|
1. Scan all bundle files:
|
|
```bash
|
|
clamscan -r --max-filesize=2G --max-scansize=4G --no-summary bundle/ > reports/av-scan.txt
|
|
```
|
|
2. Convert to structured report:
|
|
```bash
|
|
python - <<'PY'
|
|
import hashlib, json, pathlib, sys
|
|
root = pathlib.Path("bundle")
|
|
report = {
|
|
"scanner": "clamav",
|
|
"scannerVersion": "1.4.1",
|
|
"startedAt": "2025-12-02T00:02:00Z",
|
|
"completedAt": "2025-12-02T00:04:30Z",
|
|
"status": "clean",
|
|
"artifacts": [],
|
|
"errors": []
|
|
}
|
|
for path in root.glob("**/*"):
|
|
if path.is_file():
|
|
h = hashlib.sha256(path.read_bytes()).hexdigest()
|
|
report["artifacts"].append({
|
|
"path": str(path.relative_to(root)),
|
|
"sha256": h,
|
|
"result": "clean",
|
|
"yaraRules": []
|
|
})
|
|
json.dump(report, sys.stdout, indent=2)
|
|
PY
|
|
```
|
|
3. Validate report against schema:
|
|
```bash
|
|
jq empty --argfile schema docs/airgap/av-report.schema.json 'input' < docs/airgap/samples/av-report.sample.json >/dev/null
|
|
```
|
|
4. Optionally sign report (detached):
|
|
```bash
|
|
openssl dgst -sha256 -sign airgap-av-key.pem reports/av-report.json > reports/av-report.sig
|
|
```
|
|
5. Update `manifest.json`:
|
|
- Set `avScan.status` to `clean` or `findings`.
|
|
- `avScan.reportPath` and `avScan.reportSha256` must match the generated report.
|
|
|
|
## Acceptance checks
|
|
- Report validates against `docs/airgap/av-report.schema.json`.
|
|
- `manifest.json` hashes updated and verified via `src/AirGap/scripts/verify-manifest.sh`.
|
|
- If any artifact result is `malicious`/`suspicious`, bundle must be rejected and re-scanned after remediation.
|
|
|
|
## References
|
|
- Manifest schema: `docs/airgap/manifest.schema.json`
|
|
- Sample report: `docs/airgap/samples/av-report.sample.json`
|
|
- Manifest verifier: `src/AirGap/scripts/verify-manifest.sh`
|