stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ea1d58a89baf3b2d351a0fded1a711e0c05ce8c5
git.stella-ops.org/docs/airgap/runbooks/import-verify.md
StellaOps Bot 2d08f52715 feat(zastava): add evidence locker plan and schema examples 
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
2025-12-02 09:27:31 +02:00

31 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# AirGap Import & Verify (runbook outline)
Related advisory: `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md` (AG1AG12). Implements AIRGAP-VERIFY-510-014.
## Prerequisites
- `offline-kit/manifest.json` + `manifest.dsse` and `mirror.manifest` present.
- Trust roots: Rekor/TUF roots, Authority signing roots, AV/YARA public keys.
- Tools: `cosign` (or Stella verifier), `sha256sum`, `yara`, `python3`.
## Steps
1) Verify manifest signature
- `cosign verify-blob --key trust-roots/manifest.pub --signature manifest.dsse manifest.json`
- Sample helper: `scripts/airgap/verify-offline-kit.sh <kit-root>`
2) Check staleness and policy/graph hashes
- Compare `feeds[*].snapshot` dates to allowed window; ensure `policyHash`/`graphHash` match target site config; fail closed on mismatch unless override signed.
3) Verify chunks and Merkle root
- For each chunk listed in manifest, `sha256sum -c`; recompute Merkle root per manifest recipe; compare to `rootHash` field.
4) AV/YARA validation
- Run `yara -r rules/offline-kit.yar kit/`; confirm `avReport.sha256` matches signed report in manifest; block on any detection.
5) Replay depth selection
- Modes: `hash-only` (default), `full-recompute`, `policy-freeze`. Select via `--replay-mode`; enforce exit codes 0=pass, 3=stale, 4=hash-drift, 5=av-fail.
6) Ingress/egress receipts
- Generate DSSE receipt `{hash, operator, time, decision}`; store in Proof Graph; verify incoming receipts before import.
## Outputs
- Exit code per replay mode outcome.
- Receipt DSSE stored at `receipts/{tenant}/{timestamp}.dsse`.
- Optional report `verify-report.json` summarizing checks.
> Expand with concrete scripts once tasks 510-010..014 land.
Reference in New Issue View Git Blame Copy Permalink