git.stella-ops.org/docs2/operations/airgap-runbooks.md
master bc4318ef97 Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00


Air-gap runbooks (summary)

Core runbooks

  • Import and verify: unpack bundle, validate manifest, verify DSSE signatures.
  • AV scan: scan bundle contents before import if required by policy.
  • Quarantine: isolate bundles with hash or signature mismatches.
  • Sealed startup diagnostics: confirm egress block and time anchor validity.

Offline kit management

  • Generate full or delta kits in connected environments.
  • Verify kit hash and signature before transfer.
  • Import and install kit, then confirm component freshness.

Feed updates

  • Use delta kits for smaller updates.
  • Roll back to previous snapshot when feeds introduce regressions.
  • Track feed age and kit expiry thresholds.

Scanning in air-gap mode

  • Scan local images or SBOMs without registry pull.
  • Generate SBOMs locally and scan from file.
  • Force offline feeds when required by policy.

Verification in air-gap mode

  • Verify proof bundles offline with local trust roots.
  • Export and import trust bundles for signer and CA rotation.
  • Run score replay with frozen timestamps if needed.

Health checks

  • Monitor kit age, feed freshness, trust store validity, disk usage.
  • Use deterministic health checks and keep results for audit.

Import and verify

  • Validate bundle hash, manifest entries, and schema checks.
  • Record import receipt with operator, time anchor, and manifest hash.
  • Reject and log any mismatches or missing provenance.
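
The import-and-verify steps above, sketched as an added example; this is not code from the StellaOps repository. The manifest layout, the receipt field names and the function names are assumptions made for illustration, and the trusted manifest hash is assumed to come from a DSSE envelope that has already been verified separately.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_bundle(bundle_dir, manifest_bytes, trusted_manifest_sha256, operator, time_anchor):
    # Assumed manifest layout: {"schemaVersion": "1", "entries": [{"path": ..., "sha256": ...}]}
    manifest_hash = hashlib.sha256(manifest_bytes).hexdigest()
    problems = []
    if manifest_hash != trusted_manifest_sha256:
        problems.append("manifest hash mismatch")  # stop here: entries cannot be trusted
    else:
        manifest = json.loads(manifest_bytes)
        if manifest.get("schemaVersion") != "1":
            problems.append("unsupported schemaVersion")
        listed = {e["path"]: e["sha256"] for e in manifest.get("entries", [])}
        on_disk = set()
        for root, _, files in os.walk(bundle_dir):
            for name in files:
                on_disk.add(Path(root, name).relative_to(bundle_dir).as_posix())
        for path in sorted(set(listed) | on_disk):  # fixed ordering keeps receipts reproducible
            if path not in listed:
                problems.append(f"unlisted file: {path}")
            elif path not in on_disk:  # also catches entries pointing outside the bundle
                problems.append(f"missing file: {path}")
            elif sha256_file(Path(bundle_dir, path)) != listed[path]:
                problems.append(f"hash mismatch: {path}")
    return {"operator": operator, "timeAnchor": time_anchor,
            "manifestSha256": manifest_hash, "problems": problems,
            "decision": "quarantine" if problems else "accepted"}

def demo():
    # Constructed sample bundle: two files; one is altered after the manifest is written.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "feeds").mkdir()
        files = {"feeds/advisories.json": b"[]", "kit.txt": b"v1"}
        for rel, data in files.items():
            Path(d, rel).write_bytes(data)
        entries = [{"path": p, "sha256": sha256_file(Path(d, p))} for p in sorted(files)]
        manifest = json.dumps({"schemaVersion": "1", "entries": entries}, sort_keys=True).encode()
        trusted = hashlib.sha256(manifest).hexdigest()
        ok = verify_bundle(d, manifest, trusted, "operator-a", "2025-01-01T00:00:00Z")
        Path(d, "kit.txt").write_bytes(b"v2")
        bad = verify_bundle(d, manifest, trusted, "operator-a", "2025-01-01T00:00:00Z")
        return ok, bad

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

The time anchor is passed in rather than read from the system clock, so the same bundle and inputs always yield the same receipt.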

Quarantine handling

  • Preserve the original bundle and verification logs.
  • Open an incident if mismatches indicate tampering.
  • Re-import only after a new bundle is signed and verified.

Operational notes

  • Keep previous mirror generation as rollback baseline.
  • Use deterministic tools and fixed ordering for all checks.

Related references

  • docs/airgap/runbooks/import-verify.md
  • docs/airgap/runbooks/av-scan.md
  • docs/airgap/runbooks/quarantine-investigation.md
  • docs/airgap/sealed-startup-diagnostics.md