Skip to content

Commit ae09660

Browse files
committed
docs: README 청중 분기·커버리지 정직성·아키텍처 다이어그램 + DB ERD/API 설계서 추가
- 상단 2청중 분기(ISMS-P 국내 / ISO27001 셀프호스트 Vanta 대안) + '정직함이 기본' 콜아웃(58/194 reviewed) - 아키텍처 다이어그램(mermaid) 1장 + 설계문서 링크 → README_FULL은 상세로 위임 - docs/DB_ERD.md: 3계층 스키마 ERD(mermaid, schema 001-011, 17테이블) - docs/API_DESIGN.md: 인증/RBAC/인제스트 토큰 모델 + 도메인별 엔드포인트 + 데이터흐름도
1 parent 0949f13 commit ae09660

4 files changed

Lines changed: 402 additions & 2 deletions

File tree

README.ko.md

Lines changed: 29 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,10 @@
1616

1717
> **"보는 층"이 아니라 "증적 층"** — 시계열·로그 시각화는 Grafana/Loki에 위임하고, MORI는 그 위에서 **판단·기록·증명**(트리아지 → 조치 → 통제 매핑 → 증적 PDF → 감사 로그)을 담당합니다.
1818
19+
> **대상 — 한 플랫폼, 두 청중**: **(1) ISMS-P를 준비하는 국내 팀** — 국내 인증 실무 흐름, 한국어 우선. **(2) 자체 호스팅 ISO 27001 증적 레이어가 필요한 해외 팀** — 이미 쓰는 도구 위에 read-only로 얹는, Vanta/Drata의 오픈·셀프호스트 대안.
20+
21+
> **정직함이 기본** — 카탈로그는 현재 **194개 중 58개 검토완료(reviewed)**, 나머지 136개는 초안(draft)으로 **UI에 `draft` 라벨** 표시됩니다. 커버리지 %는 검토완료 **+ 증적 연결** 통제만 집계 — 부풀리지 않습니다. 감사 신뢰성이 핵심이라 숫자는 정직하게 둡니다.
22+
1923
<!-- ═══════════════════════════════════════════════════════════════════════
2024
스크린샷 가이드 ① — 대표 이미지(README 맨 위에 크게 들어가는 첫 화면)
2125
"히어로 이미지"라고도 부릅니다. README를 열면 가장 먼저 보이는 한 장이라,
@@ -38,6 +42,30 @@
3842

3943
---
4044

45+
## 아키텍처 한눈에
46+
47+
```mermaid
48+
flowchart LR
49+
ZBX[Zabbix]:::s --> POLL
50+
TRV[Trivy]:::s --> POLL
51+
WZ[Wazuh]:::s --> POLL
52+
FLEET[Fleet/osquery]:::s -.-> POLL
53+
subgraph MORI["MORI — read-only 증적 레이어"]
54+
POLL[Pollers / ingest]:::m --> DB[(PostgreSQL)]:::db --> API[FastAPI /ui]:::m
55+
API --> J[트리아지 · 위험성 · 통제 이행상태]:::m --> E[증적 PDF/CSV/ZIP + 감사로그]:::m
56+
end
57+
API -.->|딥링크| GRAF[Grafana/Loki<br/>보는 층]:::v
58+
J -->|write-back| ZBX
59+
classDef s fill:#dbeafe,stroke:#2563eb,color:#111827
60+
classDef m fill:#dcfce7,stroke:#16a34a,color:#111827
61+
classDef db fill:#fef9c3,stroke:#a16207,color:#111827
62+
classDef v fill:#f3f4f6,stroke:#6b7280,color:#111827
63+
```
64+
65+
> **설계 문서:** [아키텍처 & DB ERD](docs/DB_ERD.md) · [API 설계](docs/API_DESIGN.md) · [수집 기준](docs/collection-standards.md). 상세 → [상세 가이드](./README_FULL.md).
66+
67+
---
68+
4169
## 한눈에
4270

4371
- **대상** — 보안 담당자 1~2명 + IT 헬프데스크로 ISMS-P / ISO 27001을 준비하는 중소형 조직
@@ -50,7 +78,7 @@
5078
|---|---|
5179
| **통합 운영 UI** | 대시보드 · Alert Triage · 인시던트 · 자산/취약점 · Compliance PDCA를 한 화면(`/ui`)에서 |
5280
| **위험성 평가** | CVE별 3×3 매트릭스 = 영향도(자산 중요도) × 발생가능성 → **점수(1~9)** + 위험처리 결정·잔여위험·DoA 자동분류 (admin·security) |
53-
| **통제 카탈로그** | ISMS-P 101 + ISO 27001:2022 93 = **194 인증기준**(한/영) 트리 + 이행상태 편집·영속 + **admin 직접 편집(추가/수정/삭제)** + **법령 텍스트 NLP 임포트**(Claude/휴리스틱) + **수기 증적 문서화 + 실증적 상세 자동 스냅샷(정기·일괄)** + **증적 문서**(자산 인벤토리 표) **CSV/PDF 다운로드** |
81+
| **통제 카탈로그** | ISMS-P 101 + ISO 27001:2022 93 = **194 인증기준**(한/영) **58 검토완료 · 136 초안**(초안은 UI에 라벨; 커버리지는 검토완료+증적 연결만 집계) — 트리 + 이행상태 편집·영속 + **admin 직접 편집(추가/수정/삭제)** + **법령 텍스트 NLP 임포트**(Claude/휴리스틱) + **수기 증적 문서화 + 실증적 상세 자동 스냅샷(정기·일괄)** + **증적 문서**(자산 인벤토리 표) **CSV/PDF 다운로드** |
5482
| **계정 거버넌스** | 서버·PC 로컬 계정(osquery) × LDAP × 승인대장 대조 → 퇴사자 잔존·미등록 특권·미승인 sudo·휴면 검출 · IP 팀/용도 선별 CSV (기본 admin·security, admin이 열람 역할 조정) |
5583
| **자동 증적** | 자산 담당자·중요도, CVE 조치·예외, 위험성 평가, Triage·인시던트 변경을 _who/when/what_ 으로 누적 → **6종 CSV/PDF** |
5684
| **역할별 화면** | 위험성 평가·통제는 admin·security 전용, 인프라·헬프데스크는 **내 담당 서버 조치율**|

README.md

Lines changed: 29 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,10 @@ It sits **read-only on top of your existing** **Zabbix · FleetDM · Wazuh · Tr
1616

1717
> **An "evidence layer," not a "viewing layer"** — time-series and log visualization are delegated to Grafana/Loki; MORI sits above them to handle **judge → record → prove** (triage → remediation → control mapping → evidence PDF → audit log).
1818
19+
> **Who it's for** — two audiences, one platform: **(1) Korean teams preparing ISMS-P** — the domestic certification workflow, Korean-first; **(2) overseas teams wanting a self-hosted ISO 27001 evidence layer** — an open, self-host alternative to Vanta/Drata that runs read-only on the tools you already have.
20+
21+
> **Honest by design** — the catalog is **58 / 194 controls reviewed** today; the other 136 are draft skeletons, **labeled `draft` in the UI**. Coverage % counts only reviewed **and** evidence-wired controls — no inflation. Audit trust is the whole point, so the numbers stay honest.
22+
1923
<!-- ═══════════════════════════════════════════════════════════════════════
2024
SCREENSHOT GUIDE ① — hero image (the big first screen at the top of the README)
2125
It's the first thing readers see, so this one shot is MORI's "explained in a
@@ -38,6 +42,30 @@ It sits **read-only on top of your existing** **Zabbix · FleetDM · Wazuh · Tr
3842

3943
---
4044

45+
## Architecture in one look
46+
47+
```mermaid
48+
flowchart LR
49+
ZBX[Zabbix]:::s --> POLL
50+
TRV[Trivy]:::s --> POLL
51+
WZ[Wazuh]:::s --> POLL
52+
FLEET[Fleet/osquery]:::s -.-> POLL
53+
subgraph MORI["MORI — read-only evidence layer"]
54+
POLL[Pollers / ingest]:::m --> DB[(PostgreSQL)]:::db --> API[FastAPI /ui]:::m
55+
API --> J[Triage · Risk · Control status]:::m --> E[Evidence PDF/CSV/ZIP + audit log]:::m
56+
end
57+
API -.->|deep link| GRAF[Grafana/Loki<br/>viewing layer]:::v
58+
J -->|write-back| ZBX
59+
classDef s fill:#dbeafe,stroke:#2563eb,color:#111827
60+
classDef m fill:#dcfce7,stroke:#16a34a,color:#111827
61+
classDef db fill:#fef9c3,stroke:#a16207,color:#111827
62+
classDef v fill:#f3f4f6,stroke:#6b7280,color:#111827
63+
```
64+
65+
> **Design docs:** [Architecture & DB ERD](docs/DB_ERD.md) · [API design](docs/API_DESIGN.md) · [collection standards](docs/collection-standards.md). Deep dive → [Full Guide](./README_FULL.md).
66+
67+
---
68+
4169
## At a glance
4270

4371
- **Who it's for** — small/mid orgs preparing ISMS-P / ISO 27001 with 1–2 security staff + IT help desk
@@ -50,7 +78,7 @@ It sits **read-only on top of your existing** **Zabbix · FleetDM · Wazuh · Tr
5078
|---|---|
5179
| **Unified operations UI** | Dashboard · Alert Triage · Incidents · Assets/Vulns · Compliance PDCA on one screen (`/ui`) |
5280
| **Risk assessment** | Per-CVE 3×3 matrix = impact (asset criticality) × likelihood → **score (1–9)** + treatment decision, residual risk, DoA auto-classify (admin·security) |
53-
| **Control catalog** | ISMS-P 101 + ISO 27001:2022 93 = **194 controls** (KO/EN) tree + editable/persisted status + **admin direct edit (add/edit/delete)** + **regulation-text NLP import** (Claude/heuristic) + **documented manual evidence + detailed live-evidence snapshot (scheduled/bulk)** + **evidence document** (asset-inventory tables) **CSV/PDF** |
81+
| **Control catalog** | ISMS-P 101 + ISO 27001:2022 93 = **194 controls** (KO/EN) **58 reviewed · 136 draft** (drafts labeled in UI; coverage counts reviewed+evidence-wired only) — tree + editable/persisted status + **admin direct edit (add/edit/delete)** + **regulation-text NLP import** (Claude/heuristic) + **documented manual evidence + detailed live-evidence snapshot (scheduled/bulk)** + **evidence document** (asset-inventory tables) **CSV/PDF** |
5482
| **Account governance** | Server/PC local accounts (osquery) × LDAP × approval ledger → detects leavers, unregistered privilege, unapproved sudo, dormant · IP team/purpose CSV export (defaults to admin·security, admin configures view roles) |
5583
| **Automatic evidence** | Asset owner/criticality, CVE remediation/exception, risk assessment, triage & incident changes accrued as _who/when/what_**6 CSV/PDF reports** |
5684
| **Role-based views** | Risk & controls are admin·security only; infra/help-desk see **only their own servers'remediation rate** |

docs/API_DESIGN.md

Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
# MORI SOC — API Design
2+
3+
FastAPI (Python 3.12). `server.py` is a thin orchestrator that assembles a `RouteContext` and registers ~16 domain modules under [`src/mori_soc/api/routes/`](../src/mori_soc/api/routes/). OpenAPI is served at `/docs`.
4+
5+
## Auth & access model
6+
7+
| Mechanism | Where | Notes |
8+
|---|---|---|
9+
| **Session cookie** `mori_session` | browser `/ui`·`/admin` | issued by `POST /auth/login` (httponly, 7-day); local users + optional LDAP bind |
10+
| **RBAC roles** | per request | `admin · security · monitor · auditor · helpdesk · user`. Risk/controls/evidence = `admin·security`; infra/help-desk see only their own servers |
11+
| **Ingest token** | `POST /ingest/*` | `MORI_INGEST_TOKEN` via `Authorization: Bearer` or `X-MORI-Token` (session fallback) |
12+
| **Language** | any | `?lang=`/`mori_lang` cookie → KO/EN response where localized (e.g. `/guides`) |
13+
14+
**Conventions** — JSON in/out; `200` ok · `400` bad body · `401` unauth · `403` role · `404` missing · `503` backend (e.g. ingest needs `MORI_DATABASE_URL`). Reads hit the query backend live per request; writes are cache-aside + write-through to Postgres.
15+
16+
---
17+
18+
## Endpoints by domain
19+
20+
### Auth · profile
21+
`GET /login` · `POST /auth/login` · `GET /auth/logout` · `GET /auth/me` · `GET|POST /auth/profile` · `POST /auth/signup-request` · `GET /auth/signup-requests` · `PATCH /auth/signup-requests/{req_id}`
22+
23+
### Pages · health
24+
`GET /` · `GET /ui` · `GET /admin` · `GET /catalog` · `GET /health` (insecure-config warning when demo creds/no token)
25+
26+
### Dashboard · query
27+
`GET /dashboard/summary` · `POST /query` · `POST /interpret` (NLQ) · `GET|POST /dashboard/preferences` · `GET|POST /admin/dashboard/preferences` · `GET /admin/dashboard/user-preferences` · `DELETE /admin/dashboard/user-preferences/{username}`
28+
29+
### Assets
30+
`GET /assets` (fleet+zabbix+trivy rollup) · `POST /assets/refresh` (on-demand poll: zabbix\|fleet\|wazuh\|trivy) · `GET|POST /assets/owners` · `DELETE /assets/owners/{hostname}` · `GET|PUT /assets/plans/{host_id}` · `GET /fleet/hosts` · `GET /zabbix/hosts` · `GET /trivy/vulnerabilities`
31+
32+
### Alerts · Triage · Incidents
33+
`GET /alerts` · `PATCH /alerts/{alert_id}/triage` · `POST /alerts/{alert_id}/zabbix/suppress` · `POST /alerts/{alert_id}/zabbix/unsuppress` · `GET|POST /incidents` · `PATCH /incidents/{incident_id}` · `POST /incidents/{incident_id}/notes`
34+
35+
### Vulnerabilities · Risk
36+
`GET /vulnerabilities/{vuln_id}/action` · `PUT /vulnerabilities/{vuln_id}/plan` · `PUT|DELETE /vulnerabilities/{vuln_id}/exception` · `GET|PUT /vulnerabilities/{vuln_id}/risk` (3×3 matrix) · `GET /vulnerabilities/risk-summary` · `GET|PUT /settings/risk`
37+
38+
### Compliance · Control catalog
39+
`GET /compliance/pdca` · `GET /compliance/pdca/pending.csv` · `GET /compliance/reports` · `GET /compliance/reports/{report_type}` · `GET /dashboard/evidence-gaps` · `GET /dashboard/host-remediation/{hostname}` · `GET /controls/tree` (incl. `coverage.review` reviewed/draft) · `GET /controls/detail/{id}` · `PUT /controls/status/{id}` · `POST /controls` · `DELETE /controls/{id}` · `POST /controls/import-nlp` · `GET|PUT /controls/claude-key`
40+
41+
### Evidence (catalog)
42+
`GET /controls/detail/{id}/evidence.pdf` · `…/evidence.csv` · `GET /controls/evidence-bundle.zip?scope=mapped|all` · `GET|POST /controls/detail/{id}/evidence-records` · `POST …/evidence-records/auto` (dated live snapshot) · `DELETE …/evidence-records/{evidence_id}` · `GET|POST /controls/evidence-snapshot/config` · `POST /controls/evidence-snapshot/run`
43+
44+
### Account governance
45+
`GET /accounts/overview` · `GET /accounts/overview.csv` · `GET /accounts/host/{host_key}` · `…/privileged` · `GET|POST /accounts/approvals` · `DELETE /accounts/approvals/{id}` · `POST /accounts/approval-requests` · `POST /accounts/approvals/{id}/approve|reject` · `GET|POST /accounts/view-roles`
46+
47+
### Guides · settings · webhooks
48+
`GET /guides` · `GET /guides/{id}` (KO/EN by `?lang=`) · `PUT /guides/{id}` · `GET|POST /webhooks` · `DELETE /webhooks/{id}` · `POST /webhooks/{id}/test`
49+
50+
### Admin: audit · RBAC · LDAP
51+
`GET /admin/action-audit-log` · `POST /admin/action-audit-log` · `GET /admin/audit-log` · `GET /admin/logs` · `GET|POST /admin/role-permissions` · `GET /admin/user-tab-permissions` · `POST|DELETE /admin/user-tab-permissions/{username}` · `GET /admin/ldap/status` · `GET|POST /admin/ldap/users` · `POST /admin/ldap/users/{uid}/password|role` · `DELETE /admin/ldap/users/{uid}`
52+
53+
### Ingest (token-gated, push)
54+
| Endpoint | Source → | Effect |
55+
|---|---|---|
56+
| `POST /ingest/trivy` | Trivy scan JSON | vulnerabilities + evidence |
57+
| `POST /ingest/wazuh` | Wazuh alert(s) | → Alert Triage queue |
58+
| `POST /ingest/evidence` | CSOP before/after diff | evidence envelope |
59+
| `POST /ingest/accounts` | osquery local accounts | `host_accounts` (governance) |
60+
| `GET /evidence` || list ingested evidence |
61+
62+
---
63+
64+
## Data flow (read-only evidence layer)
65+
66+
```mermaid
67+
flowchart LR
68+
subgraph SRC["Source tools (unchanged)"]
69+
ZBX[Zabbix]:::s
70+
FLEET[Fleet / osquery]:::s
71+
WZ[Wazuh]:::s
72+
TRV[Trivy]:::s
73+
LOKI[Loki]:::s
74+
end
75+
subgraph MORI["MORI — evidence layer"]
76+
POLL[Pollers / ingest]:::m --> DB[(PostgreSQL<br/>schema 001-011)]:::db
77+
DB --> API[FastAPI /ui]:::m
78+
API --> JUDGE[Triage - Risk - Control status]:::m
79+
JUDGE --> EVID[Evidence PDF/CSV/ZIP + audit log]:::m
80+
end
81+
ZBX -->|"REST poll 30s"| POLL
82+
TRV -->|"token push / daily"| POLL
83+
WZ -->|"/ingest/wazuh"| POLL
84+
FLEET -.->|"Phase 3 poller"| POLL
85+
API -.->|"deep link"| GRAF[Grafana / Loki<br/>viewing layer]:::v
86+
JUDGE -->|"write-back L1-3"| ZBX
87+
88+
classDef s fill:#dbeafe,stroke:#2563eb,color:#111827
89+
classDef m fill:#dcfce7,stroke:#16a34a,color:#111827
90+
classDef db fill:#fef9c3,stroke:#a16207,color:#111827
91+
classDef v fill:#f3f4f6,stroke:#6b7280,color:#111827
92+
```
93+
94+
See also: [DB ERD](./DB_ERD.md) · [collection standards](./collection-standards.md) · [full reference](../README_FULL.md).

0 commit comments

Comments
 (0)