You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.en.md
+68-52Lines changed: 68 additions & 52 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -63,15 +63,31 @@ A lightweight SOC platform built by integrating open-source security tools so th
63
63
64
64
> 🔌 **A read-only evidence layer on top of your existing tools** — **MORI-SOC is designed to sit on top of existing monitoring and security tools, not replace them.** It connects to your running Zabbix / Wazuh / FleetDM / Trivy in **read-only mode via configuration only** (no agent installation, no change to existing tool configuration) and organizes operational evidence, incident history, vulnerability actions, and compliance views.
65
65
66
-
| Area | Tool | MORI's role |
66
+
### Product positioning — not the "viewing layer", the "evidence layer"
67
+
68
+
MORI is **not a unified monitoring dashboard.** Time-series, log exploration, and real-time visualization are delegated to the tools that already do them well (**Grafana/Loki**); MORI sits one layer above and owns **"judge, record, prove."**
> Core thesis: the product is **not "unified monitoring" — it's "monitoring that becomes ISMS-P / ISO 27001 evidence as you look at it."**
76
+
77
+
### Why these five — per-source ISMS-P coverage
78
+
79
+
Each source owns a **non-overlapping set of certification controls.** This mapping is both the rationale for the stack and the basis for poller ordering ("fill the largest evidence gap first").
80
+
81
+
| Data source | ISMS-P controls (representative) | ISO 27001 Annex A | Evidence form | MORI status |
> 💡 Once the control catalog (Phase 2) lands, this mapping auto-derives **"lite = N% control coverage / full = M%"**.
75
91
76
92
---
77
93
@@ -190,6 +206,8 @@ A guidance modal automatically surfaces so that host-level bulk plans don't conf
190
206
|**Overview**| Asset/alert/vuln summary cards + Critical vulnerability detail modal exposing **plan / exception** columns | Per-host progress visible right on the dashboard |
191
207
|**Assets (Server / PC / Trivy)**| Per-host owner/team/category edits + **manual override of server asset importance**| Takes priority over auto-classification (asset_classifier). Audit log records every change |
192
208
|**Vulnerability management (Trivy)**| Host-level remediation plan / exception + **per-CVE detailed plan / exception**| Author / target date / expiry / reason recorded. Conflict guidance modal |
|**🔐 Role-aware dashboard**| Role-aware security hero (risk KPIs/TOP ↔ my-servers remediation) + **24h/12h infra status** (Zabbix/Wazuh deep links) + **panel editing** (per-user widget on/off, persisted) | Responsive grid. Infra/helpdesk see remediation rate, not risk grades |
195
213
|**🚨 Alert Triage**| 3-tier state (🔴🟡🟢) change, analyst·**actor** separation, history display | If actor is omitted on UI, falls back to session user → "unknown" |
@@ -213,8 +231,9 @@ A guidance modal automatically surfaces so that host-level bulk plans don't conf
213
231
|---|---|---|
214
232
|**UI operational state → PostgreSQL persistence (M2-1)**| ✅ Done — `schema/003_*` + `repositories/state_*.py` (StateRepository) cache-aside + write-through. The 6 stores survive restarts, verified by an integration test (`tests/test_state_persistence.py`) | ✅ Done |
215
233
|**Zabbix API polling**| ✅ **Verified** — real Zabbix API, problem→collect→Triage→Incident→evidence→resolve end-to-end (`collectors/zabbix_events.py`, `tests/test_zabbix_events.py`) | ✅ Done |
216
-
|**Fleet / Wazuh API polling**| Parser·Collector ready, REST poller (`pollers/fleet.py`, `pollers/wazuh.py`) not yet connected | 🔴 High |
217
-
|**Trivy JSON ingestion**| Collector implementation complete, scheduled-run packaging in progress | 🔴 High |
234
+
|**Control catalog (Phase 2)**| ISMS-P/ISO N:M mapping + common defects + control-tree screen — **the product-identity pivot; comes before pollers**| 🔴 Top |
235
+
|**Trivy ingest**| ✅ Remote token push (`/ingest/trivy`·`/ingest/evidence`) done · only local scheduled scan automation remains | 🟡 Medium |
236
+
|**Fleet / Wazuh API poller**| Parser·Collector ready, REST poller not yet connected — **Phase 3** (after the control catalog). Done = wired into MORI workflow, not just data arriving | 🔴 High |
218
237
219
238
### 🔲 Planned / Future work
220
239
@@ -644,59 +663,56 @@ MORI SOC combines open-source security tools to provide a single ops screen, wit
644
663
|**LDAP / AD**| Directory account + privilege binding consistency checks (seed) | 🔲 Activates with `LDAP_URL` in production |
> MORI is at **Phase 1 (data collection/normalization core) complete + Phase 2 Alpha (Audit-Ready ops & evidence UI)**. The following is the long-term direction; each Phase builds on the previous one — Phase 2 (make it operational) → Phase 3 (assist judgment) → Phase 4 (adoption & ecosystem).
668
+
> **The identity pivot**: today MORI is an "audit-ready ops UI." The goal is **"a platform where, centered on a control catalog, the monitoring of five sources becomes ISMS-P/ISO 27001 evidence as it happens."** Ordering matters — **the control catalog (Phase 2) comes before the pollers (Phase 3).** Each phase has a **done criterion** to prevent solo-dev drift.
650
669
651
-
### Phase 2 — Read-only Evidence Layer over Existing Tools
670
+
> **3 core principles**: ① **delegate viewing to Grafana** — no time-series charts inside MORI (deep links only). ② **collection ≠ evidence** — a poller is done when it's wired into the MORI workflow (triage→remediate→record), not when "data arrives." ③ **lite/full packaging** — a lite profile (no Wazuh) for 1–2 person orgs alongside full.
652
671
653
-
*Sit**on top of**your existing tools rather than replacing them — persist the in-memory operational state to PostgreSQL (M2-1 done), connect Zabbix/Wazuh/Fleet/Trivy in **config-based read-only** mode (N-series), then extend into real signal flows (M2-2~5) and a Zabbix template (M2-6).*
672
+
>**5 read-only integration principles**— ① read-only token recommended ② no change to existing configuration ③ isolated source failure (won't break MORI) ④ source freshness shown ⑤ last sync time / failure reason stored
654
673
655
-
> **5 read-only integration principles** — ① read-only token recommended ② no change to existing system configuration ③ a single source failure must not break MORI as a whole (isolated failure) ④ source freshness is shown ⑤ last sync time / failure reason is stored
674
+
### Phase 0 — Foundations of trust · *in progress*
- ✅ **Done when**: 0 plaintext passwords in the repo · `docker compose -f … lite up` boots in one line
656
679
657
-
| ID | Work | Status |
658
-
|---|---|---|
659
-
|**J** (foundation) | Split `server.py` into modules — i18n / templates / auth / payloads + a `routes/` package (16 domain modules, `RouteContext`). **2,962→888 lines (-70%)**, lossless-verified (OpenAPI diff · SHA · 115 tests). A refactor that lowers regression risk for the persistence/poller work that follows | ✅ Done |
660
-
|**M2-1** (M-series) | Persist the 6 UI operational state stores (`asset_owners`·`asset_audit_log`·`vuln_actions`·`triage_store`·`incident_store`·`user_profiles`) to PostgreSQL — `schema/003_*` + `repositories/state_*.py` (StateRepository) cache-aside + write-through. Round-trip integration test passes (`tests/test_state_persistence.py`), 120 tests green | ✅ Done |
661
-
|**N-1** (config onboarding) | Config-based source onboarding — `config/sources.yaml` schema + loader (per-source `enabled`/`url`/`username`/`token_env`/`input_dir`). Secrets referenced only by `*_env` env-var names (never stored in the repo/DB) | 🔲 New |
662
-
|**N-2** (connection metadata) | Source connection metadata store — persist per-source enabled flag, last sync time, last failure reason (extends `source_syncs`) | 🔲 New |
663
-
|**N-3** (guardrails) | Read-only onboarding guardrails — no agent install, no change to existing tool config, isolated source failure, freshness surfacing (healthy/warning/stale) | 🔲 New |
664
-
|**M2-2**| Zabbix API polling integration — problem → ingestion → alert → triage → incident → evidence → resolve | ✅ **Done (verified against real API)**|
*Based on the accumulated data/evidence, help a single security operator decide "what to look at first." Not AI auto-patching — limited to investigation/summary assistance.*
673
-
674
-
| ID | Work |
675
-
|---|---|
676
-
|**P3-1**| Evidence Gap Detector — Critical/High without a plan, exceptions expiring soon, completed items without a rescan, untriaged alerts, closed incidents without an exported report |
- 🔲 tie Loki retention to controls — statutory access-log retention (1yr default, 2yr for unique-ID data) surfaced as 2.9.4 evidence
698
+
- 🔲 ship 5 Grafana dashboard JSONs (1/source + 1 unified) — control screen → Grafana panel deep link
699
+
- ✅ **Done when**: in the full profile, all 5 sources map onto control screens
685
700
686
-
*Real adoptability and ecosystem. So that a small/mid org with no dedicated infra staff can drive ISMS-P/ISO 27001 compliance with a single security operator.*
701
+
### Phase 4 — Complete audit readiness · 🔲
702
+
- Risk assessment UI (`schema/004`): asset importance × threat × real vuln → treatment decision + approval record
703
+
-**Evidence Gap Detector** (new intent `evidence_gaps`) — expired freshness / exceptions expiring / Critical without a plan
704
+
- SoA generator · **Evidence Pack** (P4-3): per-control evidence bundle PDF · defect tracker (finding → remediation → completion evidence)
705
+
- ✅ **Done when**: a "mock audit scenario" — every document an auditor asks for is exportable from the tool
687
706
688
-
| ID | Work |
689
-
|---|---|
690
-
|**P4-1**| MORI Lite packaging — lightweight stack (API/UI + PostgreSQL + Trivy + CVE Lite) vs MORI Full Demo (Zabbix/Fleet/Wazuh/Loki/Grafana) |
691
-
|**P4-2**| Zabbix-only Adoption Pack — Zabbix template + export script + `docs/zabbix-only.md` (Trivy/CVE Lite results → zabbix_sender without a full MORI install) |
0 commit comments