Skip to content

Commit 08b48b7

Browse files
committed
README 상태 정합성 + root 운영문서(SECURITY/CONTRIBUTING/CHANGELOG) + Fleet 쉬운설치
- README(한/영): TL;DR 영속화 불릿·Alpha 경고에 남아있던 '실시간 폴러 다음 마일스톤/시드 기반' 문구 정정 → Zabbix=검증됨, Fleet/Wazuh=Next, Trivy=부분. (상하단 상태 충돌 완전 해소) - SECURITY.md / CONTRIBUTING.md / CHANGELOG.md 신규(root). 로드맵 P4-5 에 반영. - Fleet 가이드: 클라이언트 쉬운 설치 방법 표(UI 복붙/fleetctl package/MDM/스크립트).
1 parent e375dd6 commit 08b48b7

6 files changed

Lines changed: 162 additions & 6 deletions

File tree

CHANGELOG.md

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
# Changelog
2+
3+
All notable changes to this project are documented here.
4+
Format follows [Keep a Changelog](https://keepachangelog.com/); this is an alpha project so
5+
versions are `x.y.z-alpha.n`.
6+
7+
## [v0.6.0-alpha.1] — 2026-07-07 — Zabbix Evidence Flow + Risk Register
8+
9+
### Added
10+
- **Zabbix evidence flow (verified end-to-end against the real Zabbix API)**: problem →
11+
`mori-worker` `problem.get` polling → PostgreSQL `alerts` → Alert Triage (`source=zabbix`)
12+
→ Incident → CSV/PDF evidence → **resolve** (Zabbix recovery → `alert.resolved_at`).
13+
- **Risk assessment (R-series)**: per-CVE 3×3 impact × likelihood matrix, treatment
14+
decision (mitigate/accept/transfer/avoid), residual risk, admin-only provenance panel,
15+
role-gated (admin/security). Persisted in `ui_risk_register` (`schema/004`).
16+
Risk Register CSV/PDF report (6th audit-evidence report).
17+
- **Role-aware dashboard**: security hero + 24h/12h infra status with Zabbix/Wazuh deep
18+
links; panel editing (per-user widget on/off + drag-resize, persisted).
19+
- **Compliance PDCA** on real ISMS-P criteria (2.x controls); weakness-rate summary.
20+
- **Trivy HTTP ingest** (`POST /ingest/trivy`) for remote endpoints; token auth.
21+
- **Onboarding**: `mori-endpoint-onboard.sh` (Zabbix Agent 2 + Trivy, one-command/curl),
22+
`mori-zabbix-template.sh` (MORI Zabbix template with LLD + macros; exported YAML),
23+
`mori-community-pr.sh` (assemble a zabbix/community-templates PR).
24+
- **CI**: GitHub Actions `tests` workflow (ruff + unittest); deploy workflow hardened to
25+
skip gracefully when deploy secrets are absent.
26+
- **Docs**: Zabbix agent, deploy SSH, Fleet, Wazuh, community-template PR guides;
27+
`SECURITY.md`, `CONTRIBUTING.md`, `CHANGELOG.md`.
28+
- Alert `resolved_at` (`schema/005`), Zabbix ↔ Alert Triage bidirectional URL links.
29+
30+
### Changed
31+
- Dashboard reads PostgreSQL **live per request** (postgres backend) — worker-ingested
32+
data surfaces with no API restart.
33+
- READMEs (KO/EN) reworked: 30-second Status table; demo security notice; Zabbix marked
34+
**verified**, Fleet/Wazuh **Next**, Trivy **partial**.
35+
36+
### Removed
37+
- Removed the public demo-server URL/credentials block and internal "resume prompt" from
38+
the README.
39+
40+
## [v0.5.0-alpha.2] — Core Structure Stabilization
41+
- `server.py` modularized into `routes/` (16 domain modules) + `RouteContext`.
42+
- Prepared Phase 2 PostgreSQL persistence (M2-1) foundation.
43+
44+
## [v0.4.0-alpha.1]
45+
- Initial audit-ready operations UI, seed data, compliance/reporting scaffolding.

CONTRIBUTING.md

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
# Contributing to MORI SOC
2+
3+
Thanks for your interest! This is an alpha portfolio project; contributions, issues, and
4+
suggestions are welcome.
5+
6+
## Dev setup
7+
8+
```bash
9+
# Full stack (API + PostgreSQL + Zabbix/Wazuh/Fleet/Trivy/Grafana)
10+
cp .env.example .env
11+
docker compose up -d
12+
13+
# One-line demo (seeds sample data + arms the Zabbix scenario)
14+
./scripts/mori-start-demo.sh # → http://localhost:18000/ui (admin / 1234)
15+
```
16+
17+
The API is Python 3.12 / FastAPI. Source lives in `src/mori_soc` (`PYTHONPATH=src`).
18+
19+
## Tests & lint (must pass — same as CI)
20+
21+
```bash
22+
# In the running api container (fastest):
23+
docker exec -e PYTHONPATH=/app/src:/app -w /app mori-soc-mori-api-1 \
24+
python -m unittest discover -s tests -p "test_*.py"
25+
26+
# Lint (critical errors), matching .github/workflows/test.yml:
27+
ruff check --select E9,F63,F7,F82 src tests
28+
```
29+
30+
Postgres-backed tests self-skip when `MORI_DATABASE_URL` is unset, so the suite runs
31+
green without a database in CI.
32+
33+
## Guidelines
34+
35+
- **Match the surrounding code** — comment density, naming, and idioms.
36+
- **Add a test** for behavior changes (`tests/test_*.py`, `unittest`).
37+
- Keep the API thin: endpoints live in `src/mori_soc/api/routes/<domain>.py`, shared state
38+
flows via `RouteContext` (see `routes/context.py`).
39+
- Templates/i18n: UI strings go through `src/mori_soc/api/i18n.py` (KO + EN).
40+
- **Route/template changes**: verify the app renders (`docker restart mori-soc-mori-api-1`
41+
picks up new code — the image bakes source, so a restart is required to see changes).
42+
43+
## Commit & PR
44+
45+
- Small, focused commits with a clear message (Korean or English both fine).
46+
- Branch from `main`; open a PR describing what and why. Ensure tests + ruff pass.
47+
- For the Zabbix community template, see [docs/COMMUNITY_TEMPLATE_PR.md](docs/COMMUNITY_TEMPLATE_PR.md).
48+
49+
## Reporting security issues
50+
51+
See [SECURITY.md](SECURITY.md) — do not open public issues for vulnerabilities.

README.en.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,10 @@ A one-line (`docker compose up -d`) **ISMS-P / ISO 27001 audit-evidence accumula
2222
- 🌐 **Multi-language UI** — Korean / English toggle on every page (login, dashboard, admin console); moved from a fixed top-right widget into the **account menu (👤)**, persisted in a cookie + localStorage and switches instantly without a reload
2323
- 👤 **User profile + My Servers** — Save name · department · assigned servers to your account, and view only your assets in a dedicated **⭐ My Servers** view (profile-menu shortcut)
2424
- 🧾 **Automatic evidence** — Asset owner/importance, host/CVE-level remediation plans & exceptions, **per-CVE risk assessment**, Triage & Incident state changes
25-
-**Persistence (M2-1 + R-2 done)** — UI operational state stores (asset owners · audit log · vuln actions · Triage · Incidents · profiles + the **risk register `ui_risk_register`**) are **write-through persisted** to PostgreSQL and survive restarts. Real-time pollers are the next milestone (see [Integrations & Roadmap](#-integrations--roadmap))
25+
-**Persistence (M2-1 + R-2 done)** — UI operational state stores (asset owners · audit log · vuln actions · Triage · Incidents · profiles + the **risk register `ui_risk_register`**) are **write-through persisted** to PostgreSQL and survive restarts.
26+
- 🔌 **Live data integration****Zabbix real-time polling is verified against the real API** (problem→Triage→Incident→evidence→resolve). **Fleet / Wazuh live integration is Next**; Trivy is partially integrated.
2627

27-
> ⚠️ **Alpha / Work in Progress** — Day-to-day security operations + audit-evidence accumulation scenarios work, and the **6 UI operational state stores are persisted to PostgreSQL (M2-1 done)** so they survive restarts. Real-time polling is the next milestone; dashboard asset/alert data is still **seed (sample data)** based.
28+
> ⚠️ **Alpha / Work in Progress** — Day-to-day security operations + audit-evidence accumulation work, and **UI operational state is persisted to PostgreSQL (M2-1 · R-2)** across restarts. **Zabbix real-time polling is verified against the real API**, so problem→alert→Triage flows live with no restart (other seed data is for demo). **Fleet / Wazuh live integration is the next step.**
2829
2930
## ⚡ Status — 30-second overview
3031

@@ -661,7 +662,7 @@ MORI SOC combines open-source security tools to provide a single ops screen, wit
661662
| **P4-2** | Zabbix-only Adoption Pack — Zabbix template + export script + `docs/zabbix-only.md` (Trivy/CVE Lite results → zabbix_sender without a full MORI install) |
662663
| **P4-3** | ISMS-P / ISO 27001 Evidence Pack — per-control sample reports (`docs/evidence-pack/`): vulnerability management, logging/monitoring, monthly report, exception register, action plan |
663664
| **P4-4** | Integration Marketplace structure — organize `integrations/{zabbix,trivy,cvelite,wazuh,fleet,ldap}` connector structure/docs (real plugin system later) |
664-
| **P4-5** | Operational hardening — HTTPS/reverse proxy, LDAP/AD production rollout, backup/restore verification, upgrade guide, `SECURITY.md`·`CONTRIBUTING.md`·`CHANGELOG.md`, release checklist |
665+
| **P4-5** | Operational hardening — `SECURITY.md`·`CONTRIBUTING.md`·`CHANGELOG.md` ✅, CI (tests) ✅ / HTTPS·reverse proxy, LDAP/AD rollout, upgrade guide, release checklist 🔲 |
665666
| **P4-6** | Demo scenario / video — compose up → Trivy import → Zabbix alert → CVE plan → exception → Incident → audit PDF → check via Zabbix template (5–8 min) |
666667

667668
### Other backlog

README.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,10 @@
2222
- 🌐 **다국어 UI** — 로그인·대시보드·어드민 콘솔 전 페이지 한국어/영어 토글 (우상단 고정 위젯 → **계정 메뉴(👤)**로 이동, 쿠키·localStorage 저장, 새로고침 없이 즉시 전환)
2323
- 👤 **사용자 프로필 + 내 서버** — 이름·부서·담당 서버를 계정에 저장하고, 담당 자산만 모아 보는 **⭐ 내 서버** 뷰(프로필 메뉴 바로가기) 제공
2424
- 🧾 **자동 증적** — 자산 담당자·중요도, 호스트/CVE 단위 조치 계획·예외, **CVE별 위험성 평가**, Triage·인시던트 상태 변경
25-
-**영속화 (M2-1 + R-2 완료)** — UI 운영 상태 store(자산 담당자·감사로그·취약점 조치·Triage·인시던트·프로필 + **위험성 평가 대장 `ui_risk_register`**)는 PostgreSQL에 **write-through 영속화**되어 재시작 후에도 유지. 실시간 폴러는 다음 마일스톤 ([Integrations & 확장 방향](#-integrations--확장-방향) 참조)
25+
-**영속화 (M2-1 + R-2 완료)** — UI 운영 상태 store(자산 담당자·감사로그·취약점 조치·Triage·인시던트·프로필 + **위험성 평가 대장 `ui_risk_register`**)는 PostgreSQL에 **write-through 영속화**되어 재시작 후에도 유지.
26+
- 🔌 **실데이터 연동****Zabbix 실시간 폴링은 실 API로 검증됨**(problem→Triage→Incident→증적→해소). **Fleet / Wazuh 라이브 연동은 다음 단계(Next)**, Trivy는 부분 통합.
2627

27-
> ⚠️ **Alpha / Work in Progress** — 일상 보안 운영 + 감사 증적 누적 시나리오가 동작하며, **UI 운영 상태 6종은 PostgreSQL에 영속화(M2-1 완료)** 되어 재시작 후에도 유지됩니다. 실시간 폴링은 다음 마일스톤이며, 대시보드 자산·경보 데이터는 아직 **시드(sample data)** 기반입니다.
28+
> ⚠️ **Alpha / Work in Progress** — 일상 보안 운영 + 감사 증적 누적 시나리오가 동작하고, **UI 운영 상태는 PostgreSQL에 영속화(M2-1·R-2)** 되어 재시작 후에도 유지됩니다. **Zabbix 는 실시간 폴링이 실 API로 검증**되어 problem→alert→Triage 가 재시작 없이 흐릅니다(다른 시드 데이터는 데모용). **Fleet / Wazuh 라이브 연동은 다음 단계**입니다.
2829
2930
## ⚡ Status — 30초 요약
3031

@@ -661,7 +662,7 @@ MORI SOC는 오픈소스 보안 도구를 결합해 단일 운영 화면을 제
661662
| **P4-2** | Zabbix-only Adoption Pack — Zabbix 템플릿 + export 스크립트 + `docs/zabbix-only.md` (MORI 전체 설치 없이 Trivy/CVE Lite 결과 → zabbix_sender) |
662663
| **P4-3** | ISMS-P / ISO 27001 Evidence Pack — 통제별 샘플 리포트(`docs/evidence-pack/`): 취약점 관리, 로깅/모니터링, 월간 리포트, 예외 등록부, 조치계획 |
663664
| **P4-4** | Integration Marketplace 구조 — `integrations/{zabbix,trivy,cvelite,wazuh,fleet,ldap}` connector 구조/문서 정리(실제 플러그인 시스템은 추후) |
664-
| **P4-5** | 운영 안정화 — HTTPS/리버스 프록시, LDAP/AD 운영 적용, backup/restore 검증, upgrade guide, `SECURITY.md`·`CONTRIBUTING.md`·`CHANGELOG.md`, release checklist |
665+
| **P4-5** | 운영 안정화 — `SECURITY.md`·`CONTRIBUTING.md`·`CHANGELOG.md` ✅, CI(tests) ✅ / HTTPS·리버스 프록시, LDAP/AD 운영 적용, upgrade guide, release checklist 🔲 |
665666
| **P4-6** | 데모 시나리오 / 영상 — compose up → Trivy import → Zabbix alert → CVE 조치계획 → 예외 → Incident → 감사 PDF → Zabbix template 확인 (5~8분) |
666667

667668
### 그 외 백로그

SECURITY.md

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# Security Policy
2+
3+
MORI SOC is an **alpha** audit-evidence platform. It ships with intentionally simple
4+
demo defaults; do not run it as-is in production.
5+
6+
## Supported versions
7+
8+
| Version | Supported |
9+
|---|---|
10+
| `0.6.x-alpha` (current) | ✅ security fixes |
11+
| `< 0.6` ||
12+
13+
## Reporting a vulnerability
14+
15+
Please **do not open a public issue** for security problems.
16+
17+
- Email: **qorwlsdk1996@gmail.com** (subject: `MORI SECURITY`), or
18+
- Use GitHub **Security → Report a vulnerability** (private advisory) on `saranf/mori-soc`.
19+
20+
Include: affected component/endpoint, reproduction steps, impact, and (if possible) a fix
21+
suggestion. We aim to acknowledge within a few days.
22+
23+
## Scope
24+
25+
In scope: the MORI API (`src/mori_soc`), auth/RBAC, ingest endpoints, deployment scripts,
26+
and the Docker Compose stack wiring.
27+
Out of scope: vulnerabilities in bundled third-party tools (Zabbix, Wazuh, FleetDM, Trivy,
28+
Grafana, PostgreSQL) — report those upstream.
29+
30+
## Demo credentials & hardening
31+
32+
- Demo accounts (`admin` / `security` / `monitor`, password `1234`) and default service
33+
passwords are **for isolated demo use only** and contain **seeded sample data only**.
34+
- For any non-demo deployment you **must**:
35+
- Change `MORI_ADMIN_PASSWORD` and all service passwords (`.env`), set `MORI_DEMO_MODE=false`.
36+
- Serve over HTTPS behind a reverse proxy.
37+
- Restrict RBAC and network exposure; rotate `MORI_INGEST_TOKEN` and Zabbix/Wazuh/Fleet secrets.
38+
- MORI connects to source tools **read-only**; it does not modify their configuration.

docs/FLEET_SETUP_AND_OPERATIONS.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,26 @@ fleetctl package --type=rpm --fleet-url=http://<서버>:1337 --enroll-secret=<
8181

8282
Fleet UI → **Hosts** 에 단말이 **online** 으로 뜨면 성공. 수 분 내 OS·하드웨어·소프트웨어 정보가 수집됩니다.
8383

84+
### 4-3. 클라이언트에 "쉽게" 설치하는 방법들 (상황별 추천)
85+
86+
| 방법 | 언제 | 방법 |
87+
|---|---|---|
88+
| **① Fleet UI 복붙 (가장 쉬움)** | 단말 1~수십 대, 손으로 설치 | Fleet UI → **Hosts → Add hosts** → OS 선택 → **생성된 설치 명령/패키지를 그대로 복사** 해 단말에서 실행. fleet-url·enroll secret 이 이미 박혀 나옴 |
89+
| **`fleetctl package` (대량/오프라인)** | 이미지·배포도구로 뿌릴 때 | 위 4-1 처럼 msi/pkg/deb/rpm 생성 → **MDM / Intune / Ansible / GPO / SCCM** 으로 푸시 |
90+
| **③ macOS 대량** | 회사 맥 다수 | 생성한 `.pkg`**MDM(Jamf 등)** 에 업로드해 무인 배포. 상세: [FLEET_MACBOOK_ENROLLMENT_AND_TEST.md](./FLEET_MACBOOK_ENROLLMENT_AND_TEST.md) |
91+
| **④ 스크립트 자동화** | 프로비저닝 자동화 | `fleetctl package ...` 산출물을 프로비저닝 스크립트/cloud-init 에 넣어 부팅 시 설치 |
92+
93+
**가장 빠른 길(단건):** Fleet UI → **Add hosts** 에서 나오는 명령을 그대로 붙여넣기.
94+
예시(Linux, Fleet 가 생성해주는 형태):
95+
96+
```bash
97+
# Fleet UI 가 만들어주는 실제 명령을 사용하세요(아래는 형태 예시)
98+
sudo fleetctl package --type=deb --fleet-url=http://<서버>:1337 --enroll-secret=<SECRET>
99+
sudo dpkg -i fleet-osquery_*.deb # 설치 즉시 자동 등록
100+
```
101+
102+
> ⚠️ enroll secret 은 비밀입니다. 스크립트/이미지에 하드코딩하지 말고 배포도구의 시크릿으로 주입하세요.
103+
84104
---
85105

86106
## 5. 운영 — 자주 쓰는 것

0 commit comments

Comments
 (0)