Skip to content

Commit bb691e5

Browse files
committed
README(EN): 방향성 미러링 — positioning + per-source ISMS mapping + Phase 0~5 roadmap + v0.7 rows
1 parent e471237 commit bb691e5

1 file changed

Lines changed: 68 additions & 52 deletions

File tree

README.en.md

Lines changed: 68 additions & 52 deletions
Original file line numberDiff line numberDiff line change
@@ -63,15 +63,31 @@ A lightweight SOC platform built by integrating open-source security tools so th
6363
6464
> 🔌 **A read-only evidence layer on top of your existing tools****MORI-SOC is designed to sit on top of existing monitoring and security tools, not replace them.** It connects to your running Zabbix / Wazuh / FleetDM / Trivy in **read-only mode via configuration only** (no agent installation, no change to existing tool configuration) and organizes operational evidence, incident history, vulnerability actions, and compliance views.
6565
66-
| Area | Tool | MORI's role |
66+
### Product positioning — not the "viewing layer", the "evidence layer"
67+
68+
MORI is **not a unified monitoring dashboard.** Time-series, log exploration, and real-time visualization are delegated to the tools that already do them well (**Grafana/Loki**); MORI sits one layer above and owns **"judge, record, prove."**
69+
70+
| Layer | Owns | Tool |
6771
|---|---|---|
68-
| Infrastructure monitoring | Zabbix | Asset state / availability evidence |
69-
| Log centralization | Loki + Fluent Bit | Log collection & retention evidence |
70-
| Endpoint management | FleetDM | Asset identification & configuration checks |
71-
| Security events | Wazuh | Alert detection & triage evidence |
72-
| Vulnerability scanning | Trivy | Vulnerability checks, remediation plans & exceptions evidence |
73-
| Visualization | Grafana | Operational dashboards |
74-
| Unified operations UI | **MORI API** (`/ui`) | Unified controls/assets/vulns/alerts/incidents + audit log |
72+
| **Viewing layer** | time-series · logs · real-time visualization | Grafana · Loki *(delegated via deep links)* |
73+
| **Evidence layer (MORI's place)** | triage → remediation workflow → control mapping → evidence PDF → audit log | **MORI API** (`/ui`) |
74+
75+
> Core thesis: the product is **not "unified monitoring" — it's "monitoring that becomes ISMS-P / ISO 27001 evidence as you look at it."**
76+
77+
### Why these five — per-source ISMS-P coverage
78+
79+
Each source owns a **non-overlapping set of certification controls.** This mapping is both the rationale for the stack and the basis for poller ordering ("fill the largest evidence gap first").
80+
81+
| Data source | ISMS-P controls (representative) | ISO 27001 Annex A | Evidence form | MORI status |
82+
|---|---|---|---|---|
83+
| **Fleet** (osquery) | 1.2.1 asset ID · 2.1.3 asset mgmt · 2.10.6 endpoint | A.5.9 · A.8.9 | Asset inventory / config state | 🔲 Phase 3 |
84+
| **Zabbix** | 2.9.x operations/monitoring · availability | A.8.6 · A.8.16 | Uptime · threshold alerts + handling history | ✅ Live (verified) |
85+
| **Trivy** | 2.10.8 patch mgmt · 2.11.2 vuln check/remediate | A.8.8 | Scan history · remediation plans · exception approvals | ✅ Remote push |
86+
| **Wazuh** | 2.9.4~5 log mgmt · 2.10.9 malware · 2.11.3 anomaly | A.8.7 · A.8.15 · A.8.16 | Detection events · rule matches · response records | 🔲 Phase 3 |
87+
| **Loki** | 2.9.4 log retention (statutory access-log retention) | A.8.15 | Retention policy + storage proof | 🟡 Collect |
88+
| **MORI itself** | 1.x management system · 2.11.4~5 incident response | A.5.24~27 | Incident tickets · audit log · PDCA | ✅ Core |
89+
90+
> 💡 Once the control catalog (Phase 2) lands, this mapping auto-derives **"lite = N% control coverage / full = M%"**.
7591
7692
---
7793

@@ -190,6 +206,8 @@ A guidance modal automatically surfaces so that host-level bulk plans don't conf
190206
| **Overview** | Asset/alert/vuln summary cards + Critical vulnerability detail modal exposing **plan / exception** columns | Per-host progress visible right on the dashboard |
191207
| **Assets (Server / PC / Trivy)** | Per-host owner/team/category edits + **manual override of server asset importance** | Takes priority over auto-classification (asset_classifier). Audit log records every change |
192208
| **Vulnerability management (Trivy)** | Host-level remediation plan / exception + **per-CVE detailed plan / exception** | Author / target date / expiry / reason recorded. Conflict guidance modal |
209+
| **📥 Remote ingest (v0.7)** | `POST /ingest/trivy` (raw report, `?hostname=` host mapping) · `POST /ingest/evidence` (CSOP before/after diff envelope) — **session-less push** via `MORI_INGEST_TOKEN` | Evidence in `ui_evidence_events` (`schema/006`). `GET /evidence` admin·security only |
210+
| **🧩 Brownfield mode (v0.7)** | `docker compose up` = MORI core only → connect to existing Zabbix/Trivy via `.env`. Bundled sources behind `--profile bundled`/`zabbix`/`fleet`/`wazuh` | [docs/BROWNFIELD_CONNECT.md](docs/BROWNFIELD_CONNECT.md) |
193211
| **🎯 Risk Assessment (R-series)** | Per-CVE **3×3 risk matrix** (impact × likelihood) + treatment decision (mitigate/accept/transfer/avoid) · approver · residual risk · review date. Click a matrix cell/level → drill-down. **Admin-only assessment basis** | ISMS-P risk mgmt / ISO 27001 6.1.2·8.8. **admin·security only**. Persisted in `ui_risk_register` |
194212
| **🔐 Role-aware dashboard** | Role-aware security hero (risk KPIs/TOP ↔ my-servers remediation) + **24h/12h infra status** (Zabbix/Wazuh deep links) + **panel editing** (per-user widget on/off, persisted) | Responsive grid. Infra/helpdesk see remediation rate, not risk grades |
195213
| **🚨 Alert Triage** | 3-tier state (🔴🟡🟢) change, analyst·**actor** separation, history display | If actor is omitted on UI, falls back to session user → "unknown" |
@@ -213,8 +231,9 @@ A guidance modal automatically surfaces so that host-level bulk plans don't conf
213231
|---|---|---|
214232
| **UI operational state → PostgreSQL persistence (M2-1)** | ✅ Done — `schema/003_*` + `repositories/state_*.py` (StateRepository) cache-aside + write-through. The 6 stores survive restarts, verified by an integration test (`tests/test_state_persistence.py`) | ✅ Done |
215233
| **Zabbix API polling** |**Verified** — real Zabbix API, problem→collect→Triage→Incident→evidence→resolve end-to-end (`collectors/zabbix_events.py`, `tests/test_zabbix_events.py`) | ✅ Done |
216-
| **Fleet / Wazuh API polling** | Parser·Collector ready, REST poller (`pollers/fleet.py`, `pollers/wazuh.py`) not yet connected | 🔴 High |
217-
| **Trivy JSON ingestion** | Collector implementation complete, scheduled-run packaging in progress | 🔴 High |
234+
| **Control catalog (Phase 2)** | ISMS-P/ISO N:M mapping + common defects + control-tree screen — **the product-identity pivot; comes before pollers** | 🔴 Top |
235+
| **Trivy ingest** | ✅ Remote token push (`/ingest/trivy`·`/ingest/evidence`) done · only local scheduled scan automation remains | 🟡 Medium |
236+
| **Fleet / Wazuh API poller** | Parser·Collector ready, REST poller not yet connected — **Phase 3** (after the control catalog). Done = wired into MORI workflow, not just data arriving | 🔴 High |
218237

219238
### 🔲 Planned / Future work
220239

@@ -644,59 +663,56 @@ MORI SOC combines open-source security tools to provide a single ops screen, wit
644663
| **LDAP / AD** | Directory account + privilege binding consistency checks (seed) | 🔲 Activates with `LDAP_URL` in production |
645664
| **Grafana** | Operational dashboards that query Postgres / Loki directly | ✅ Operational |
646665

647-
## 🗺️ Phase roadmap (Phase 24)
666+
## 🗺️ Roadmap (Phase 05)
648667

649-
> MORI is at **Phase 1 (data collection/normalization core) complete + Phase 2 Alpha (Audit-Ready ops & evidence UI)**. The following is the long-term direction; each Phase builds on the previous one — Phase 2 (make it operational) → Phase 3 (assist judgment) → Phase 4 (adoption & ecosystem).
668+
> **The identity pivot**: today MORI is an "audit-ready ops UI." The goal is **"a platform where, centered on a control catalog, the monitoring of five sources becomes ISMS-P/ISO 27001 evidence as it happens."** Ordering matters — **the control catalog (Phase 2) comes before the pollers (Phase 3).** Each phase has a **done criterion** to prevent solo-dev drift.
650669
651-
### Phase 2 — Read-only Evidence Layer over Existing Tools
670+
> **3 core principles**: ① **delegate viewing to Grafana** — no time-series charts inside MORI (deep links only). ② **collection ≠ evidence** — a poller is done when it's wired into the MORI workflow (triage→remediate→record), not when "data arrives." ③ **lite/full packaging** — a lite profile (no Wazuh) for 1–2 person orgs alongside full.
652671
653-
*Sit **on top of** your existing tools rather than replacing them — persist the in-memory operational state to PostgreSQL (M2-1 done), connect Zabbix/Wazuh/Fleet/Trivy in **config-based read-only** mode (N-series), then extend into real signal flows (M2-2~5) and a Zabbix template (M2-6).*
672+
> **5 read-only integration principles** — ① read-only token recommended ② no change to existing configuration ③ isolated source failure (won't break MORI) ④ source freshness shown ⑤ last sync time / failure reason stored
654673
655-
> **5 read-only integration principles** — ① read-only token recommended ② no change to existing system configuration ③ a single source failure must not break MORI as a whole (isolated failure) ④ source freshness is shown ⑤ last sync time / failure reason is stored
674+
### Phase 0 — Foundations of trust · *in progress*
675+
- 🟡 compose profile split — brownfield default (core only) + `bundled`/`zabbix`/`fleet`/`wazuh` **(done)** → rename to `lite`/`full`/`demo` **(planned)**
676+
- 🟡 pass `MORI_ADMIN_PASSWORD`·`MORI_INGEST_TOKEN` into the container + `/health` insecure warning **(done)** → remove Wazuh hard-coded creds, `:?required` on weak defaults, `MORI_DEMO_SEED` default 0 **(planned)**
677+
- 🔲 move root temp files (`_scan_*`, `_routes_*`) → `tools/`, README-code sync (route snapshot in CI)
678+
-**Done when**: 0 plaintext passwords in the repo · `docker compose -f … lite up` boots in one line
656679

657-
| ID | Work | Status |
658-
|---|---|---|
659-
| **J** (foundation) | Split `server.py` into modules — i18n / templates / auth / payloads + a `routes/` package (16 domain modules, `RouteContext`). **2,962→888 lines (-70%)**, lossless-verified (OpenAPI diff · SHA · 115 tests). A refactor that lowers regression risk for the persistence/poller work that follows | ✅ Done |
660-
| **M2-1** (M-series) | Persist the 6 UI operational state stores (`asset_owners`·`asset_audit_log`·`vuln_actions`·`triage_store`·`incident_store`·`user_profiles`) to PostgreSQL — `schema/003_*` + `repositories/state_*.py` (StateRepository) cache-aside + write-through. Round-trip integration test passes (`tests/test_state_persistence.py`), 120 tests green | ✅ Done |
661-
| **N-1** (config onboarding) | Config-based source onboarding — `config/sources.yaml` schema + loader (per-source `enabled`/`url`/`username`/`token_env`/`input_dir`). Secrets referenced only by `*_env` env-var names (never stored in the repo/DB) | 🔲 New |
662-
| **N-2** (connection metadata) | Source connection metadata store — persist per-source enabled flag, last sync time, last failure reason (extends `source_syncs`) | 🔲 New |
663-
| **N-3** (guardrails) | Read-only onboarding guardrails — no agent install, no change to existing tool config, isolated source failure, freshness surfacing (healthy/warning/stale) | 🔲 New |
664-
| **M2-2** | Zabbix API polling integration — problem → ingestion → alert → triage → incident → evidence → resolve |**Done (verified against real API)** |
665-
| **M2-3** | Fleet / Wazuh REST poller connection — host/osquery·alert → asset/triage, reflect `source_syncs` freshness | 🔲 Parser·Collector ready |
666-
| **M2-4** | Trivy JSON ingestion automation — `trivy-*-scan.sh` output → vulnerabilities → vuln_actions → reports | 🟡 Automation packaging |
667-
| **M2-5** | Add CVE Lite collector — JS/TS lockfile dependency vulnerability source (`source=cve_lite`, direct/transitive, fix_command) | 🔲 New |
668-
| **M2-6** | MORI → Zabbix Template/export — `templates/zabbix/mori-soc-template.yaml` + `mori-zabbix-export-metrics.py` (critical/high/pending/lag metrics) | 🔲 New |
669-
670-
### Phase 3 — Guided Investigation & Evidence Assistant
671-
672-
*Based on the accumulated data/evidence, help a single security operator decide "what to look at first." Not AI auto-patching — limited to investigation/summary assistance.*
673-
674-
| ID | Work |
675-
|---|---|
676-
| **P3-1** | Evidence Gap Detector — Critical/High without a plan, exceptions expiring soon, completed items without a rescan, untriaged alerts, closed incidents without an exported report |
677-
| **P3-2** | Guided Triage Summary — alert/finding summary + affected assets · related CVEs/triggers · recent observations · recommended check points |
678-
| **P3-3** | Multi-source Investigation Pivot — Zabbix problem → host → Fleet/Wazuh/Trivy → user/ip/process → expand to same owner/team assets |
679-
| **P3-4** | Audit Report Draft — monthly Critical/High · remediated/pending/exception · evidence gaps · SLA breaches summary draft |
680-
| **P3-5** | Control Mapping Assistant — map Findings/Incidents to ISMS-P / ISO 27001 control candidates (applied after operator approval) |
680+
### Phase 1 — Structure + persistence · ✅ *mostly done*
681+
-**J**: `server.py` split into `routes/` (16 domains) + `RouteContext`, 2,962→888 lines (-70%), lossless-verified
682+
-**M2-1 + R-2**: 6 UI operational stores + risk register → PostgreSQL cache-aside + write-through (`schema/003·004`)
683+
-**Done when**: triage/incident/owner/plan survive a restart (round-trip test passes)
681684

682-
> 🚫 **Phase 3 hard limits**: no auto-patch / auto-exception-approval / auto-incident-close. **Judgment assistance only.**
685+
### Phase 2 — Control catalog (identity pivot) · 🔲 *next, the core*
686+
- `controls/` open data — ISMS-P 101 + ISO 93 + N:M mapping + `common_defects` (v1: full skeleton + 60~70 mappings + 10~15 deep defect cases)
687+
- `schema/007` control tables + YAML→DB sync on boot + evidence mapper
688+
- PDCA screen → **control-tree screen** (evidence-source status / last update / owner / evidence PDF button)
689+
- dashboard **GRC preset** (today's work queue / evidence gaps / audit D-day), catalog community release
690+
-**Done when**: NLQ "show me evidence for 2.11.2" → real-data answer · PDF in one click from the control screen
683691

684-
### Phase 4 — Deployment, Ecosystem & Small-Team Adoption
692+
### Phase 3 — Complete collection, realize "see it all in one place" · 🟡 *partial*
693+
-**M2-2** Zabbix poller verified against real API · ✅ Trivy/CSOP remote push (`/ingest/trivy`·`/ingest/evidence`)
694+
- 🔲 Trivy auto-scan by default (`MORI_ENABLE_TRIVY` on + schedule)
695+
- 🔲 **Wazuh poller (new)** — detection events → MORI alert queue → handling history as 2.11.3 evidence (compose service def first)
696+
- 🔲 **Fleet poller (new)** — asset inventory → MORI asset sync (manual → auto-discovery, 1.2.1 evidence)
697+
- 🔲 tie Loki retention to controls — statutory access-log retention (1yr default, 2yr for unique-ID data) surfaced as 2.9.4 evidence
698+
- 🔲 ship 5 Grafana dashboard JSONs (1/source + 1 unified) — control screen → Grafana panel deep link
699+
-**Done when**: in the full profile, all 5 sources map onto control screens
685700

686-
*Real adoptability and ecosystem. So that a small/mid org with no dedicated infra staff can drive ISMS-P/ISO 27001 compliance with a single security operator.*
701+
### Phase 4 — Complete audit readiness · 🔲
702+
- Risk assessment UI (`schema/004`): asset importance × threat × real vuln → treatment decision + approval record
703+
- **Evidence Gap Detector** (new intent `evidence_gaps`) — expired freshness / exceptions expiring / Critical without a plan
704+
- SoA generator · **Evidence Pack** (P4-3): per-control evidence bundle PDF · defect tracker (finding → remediation → completion evidence)
705+
-**Done when**: a "mock audit scenario" — every document an auditor asks for is exportable from the tool
687706

688-
| ID | Work |
689-
|---|---|
690-
| **P4-1** | MORI Lite packaging — lightweight stack (API/UI + PostgreSQL + Trivy + CVE Lite) vs MORI Full Demo (Zabbix/Fleet/Wazuh/Loki/Grafana) |
691-
| **P4-2** | Zabbix-only Adoption Pack — Zabbix template + export script + `docs/zabbix-only.md` (Trivy/CVE Lite results → zabbix_sender without a full MORI install) |
692-
| **P4-3** | ISMS-P / ISO 27001 Evidence Pack — per-control sample reports (`docs/evidence-pack/`): vulnerability management, logging/monitoring, monthly report, exception register, action plan |
693-
| **P4-4** | Integration Marketplace structure — organize `integrations/{zabbix,trivy,cvelite,wazuh,fleet,ldap}` connector structure/docs (real plugin system later) |
694-
| **P4-5** | Operational hardening — `SECURITY.md`·`CONTRIBUTING.md`·`CHANGELOG.md` ✅, CI (tests) ✅ / HTTPS·reverse proxy, LDAP/AD rollout, upgrade guide, release checklist 🔲 |
695-
| **P4-6** | Demo scenario / video — compose up → Trivy import → Zabbix alert → CVE plan → exception → Incident → audit PDF → check via Zabbix template (5–8 min) |
707+
### Phase 5 — Adoption · 🔲 *(can run in parallel)*
708+
- onboarding wizard (scope → assets → owners, first value in 30 min) · Korean-first docs + "Top-N ISMS-P defects & fixes" content · 2–3 pilot orgs
696709

697-
### Other backlog
710+
> 🚫 **AI hard limits** (collection/investigation assistance only): no auto-patch / auto-exception-approval / auto-incident-close.
698711
699-
- **Webhook integrations** — Slack / Teams / Email notifications (`SLACK_WEBHOOK_URL` slot exists only)
712+
### Other backlog
713+
- **Webhook integrations** — Slack / Teams / Email (`SLACK_WEBHOOK_URL` slot only)
714+
- **CVE Lite collector** — JS/TS lockfile dependency vulnerabilities (`source=cve_lite`)
715+
- **MORI → Zabbix export** — critical/high/pending/lag metrics → zabbix_sender (Zabbix-only adoption pack)
700716
- **SQL-based read optimization** — gradually move snapshot reads to Postgres views
701717

702718
---

0 commit comments

Comments
 (0)