git.stella-ops.org/docs/features/unchecked/policy/blast-radius-fleet-view.md

# Blast radius / fleet view
## Module
Policy
## Status
IMPLEMENTED
## Description
The blast-radius containment schema and the unknown ranker service assess the impact an unknown can have across environments and services, and use that assessment to adjust its risk score.
## Implementation Details
- **BlastRadius Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs` -- `BlastRadius` (sealed record)
  - `Dependents` (int) -- number of packages that directly or transitively depend on this package; 0 indicates isolation
  - `NetFacing` (bool) -- whether the package is reachable from network-facing entrypoints
  - `Privilege` (string?) -- privilege level: `root`, `user`, or `none`
- **ContainmentSignals Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs` -- runtime containment posture
  - Seccomp enforcement status, filesystem mode (ro/rw), network policy (isolated/connected)
- **UnknownRanker Integration**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- blast radius is integrated into the `ComputeContainmentReduction` method
  - Isolated package (`Dependents=0`): 15% risk reduction
  - Not network-facing: 5% risk reduction
  - Non-root privilege (`user`/`none`): 5% risk reduction
  - Seccomp enforced: 10% reduction; read-only filesystem: 10% reduction; network isolated: 5% reduction
  - Maximum containment reduction capped at 40%
  - Applied after time-based decay: `finalScore = decayedScore * (1 - containmentReduction)`
- **UnknownRankerOptions**: Configurable reductions via `IsolatedReduction`, `NotNetFacingReduction`, `NonRootReduction`, `SeccompEnforcedReduction`, `FsReadOnlyReduction`, `NetworkIsolatedReduction`, `MaxContainmentReduction`
- **Unknown Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs` -- unknown entity with blast radius reference
- **Unknowns Budget Enforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs` -- enforces blast radius-aware budget thresholds
- **Unknowns Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs` -- REST API for querying unknowns with blast radius data
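The containment arithmetic above, written out as an added illustration rather than the project's own `UnknownRanker` code; the record shapes, the `ContainmentSignals` property names and the `EnableContainmentReduction` option are assumptions drawn from the names listed on this page, using the default percentages it gives.

```csharp
// Added illustration, not StellaOps code: containment reduction as described above.
using System;

public sealed record BlastRadius(int Dependents, bool NetFacing, string? Privilege);

// Assumed shape: the page names the three signals but not their property types.
public sealed record ContainmentSignals(bool SeccompEnforced, bool FsReadOnly, bool NetworkIsolated);

public sealed class UnknownRankerOptions
{
    public bool EnableContainmentReduction { get; init; } = true; // assumed option name
    public double IsolatedReduction { get; init; } = 0.15;
    public double NotNetFacingReduction { get; init; } = 0.05;
    public double NonRootReduction { get; init; } = 0.05;
    public double SeccompEnforcedReduction { get; init; } = 0.10;
    public double FsReadOnlyReduction { get; init; } = 0.10;
    public double NetworkIsolatedReduction { get; init; } = 0.05;
    public double MaxContainmentReduction { get; init; } = 0.40;
}

public static class ContainmentMath
{
    public static double ComputeContainmentReduction(
        BlastRadius radius, ContainmentSignals? signals, UnknownRankerOptions o)
    {
        if (!o.EnableContainmentReduction) return 0.0;
        double r = 0.0;
        if (radius.Dependents == 0) r += o.IsolatedReduction;
        if (!radius.NetFacing) r += o.NotNetFacingReduction;
        // Only an explicit non-root label earns credit; a null privilege earns nothing.
        if (radius.Privilege is "user" or "none") r += o.NonRootReduction;
        if (signals is not null)
        {
            if (signals.SeccompEnforced) r += o.SeccompEnforcedReduction;
            if (signals.FsReadOnly) r += o.FsReadOnlyReduction;
            if (signals.NetworkIsolated) r += o.NetworkIsolatedReduction;
        }
        // Cap so that stacked signals cannot erase the score entirely.
        return Math.Min(r, o.MaxContainmentReduction);
    }

    // Containment is applied after time-based decay, per the page's formula.
    public static double ApplyContainment(double decayedScore, double reduction)
        => decayedScore * (1 - reduction);
}
```

Feeding the three E2E cases below (isolated/non-root, exposed/root, and isolated with all three runtime signals) into `ComputeContainmentReduction` exercises the uncapped, zero and capped paths respectively.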
## E2E Test Plan
- [ ] Rank an unknown with `Dependents=0, NetFacing=false, Privilege="none"` and verify containment reduction is 25% (15+5+5)
- [ ] Rank an unknown with `Dependents=50, NetFacing=true, Privilege="root"` and verify containment reduction is 0%
- [ ] Rank an unknown with full containment signals (seccomp=enforced, fs=ro, network=isolated) and blast radius isolation; verify capped at 40% max reduction
- [ ] Query unknowns API and verify each unknown includes blast radius data (dependents, netFacing, privilege)
- [ ] Verify a high-score unknown (HOT band) drops to WARM band when isolated package containment is applied
- [ ] Verify containment reduction is disabled when `EnableContainmentReduction=false` in options