Require concrete OpenBao restore evidence

2026-06-01 23:57:00 +02:00
parent 8f5bfbe20e
commit 6bd822ae71
2 changed files with 22 additions and 0 deletions


@@ -1926,6 +1926,11 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
"7. Destroy the isolated environment and record only non-secret evidence in this UI.\n" "7. Destroy the isolated environment and record only non-secret evidence in this UI.\n"
"RESTORE_DRILL" "RESTORE_DRILL"
) )
validate_restore_evidence_command = (
'export OPENBAO_RESTORE_EVIDENCE="${OPENBAO_RESTORE_EVIDENCE:-/tmp/netkingdom-openbao-restore-drill/evidence.json}"\n'
'make -C ../railiance-platform openbao-validate-restore-evidence '
'OPENBAO_RESTORE_EVIDENCE="$OPENBAO_RESTORE_EVIDENCE"'
)
privacyidea_realm_command = f"bash {shlex.quote(str(PRIVACYIDEA_REALM_REPAIR))}" privacyidea_realm_command = f"bash {shlex.quote(str(PRIVACYIDEA_REALM_REPAIR))}"
return [ return [
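Review bot: the default evidence path in `validate_restore_evidence_command` lands in the shared `/tmp` directory (`/tmp/netkingdom-openbao-restore-drill/evidence.json`), which any local user can pre-create or swap out before the validator reads it; since this file is what closes the NET-WP-0017-T02 restore gate, default to a path inside the operator's drill workspace or home directory and have the validator reject symlinks and files not owned by the invoking user. The `make -C ../railiance-platform openbao-validate-restore-evidence` invocation also assumes the Railiance checkout is a sibling of the current working directory; state that assumption in the card text so a missing Makefile is recognised as a layout problem rather than a failed validation.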
@@ -2048,6 +2053,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
isolated_restore_command, isolated_restore_command,
downstream_taint, downstream_taint,
), ),
action(
"Validate restore drill evidence",
"Validate the non-secret restore-drill evidence JSON. A checkbox alone is not enough for NET-WP-0017-T02; the evidence must include hashes, isolated restore proof, verification flags, and destruction evidence without secret material.",
validate_restore_evidence_command,
downstream_taint,
),
action( action(
"Run post-restore readiness check", "Run post-restore readiness check",
"Re-run the Railiance post-unseal checks after restore evidence has been captured.", "Re-run the Railiance post-unseal checks after restore evidence has been captured.",
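Review bot: the new "Validate restore drill evidence" action only runs the validator; nothing in the card records its outcome, yet the preceding step in this runbook says to "record only non-secret evidence in this UI", so the pass/fail result and the evidence file's hash should be captured by the card (or the card text should tell the operator to paste the validator output into the UI) for the gate to be auditable later. This commit touches two files and neither is a test; if `runbook_command_payloads` has payload tests, add one asserting the new card's command carries `OPENBAO_RESTORE_EVIDENCE` and the `downstream_taint` marker.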


@@ -210,6 +210,17 @@ Remaining T02 gates are restore-drill evidence, emergency seal/unseal drill
evidence, the next independent escrow holder, and an explicit risk note if evidence, the next independent escrow holder, and an explicit risk note if
ordinary onboarding proceeds before the production Audit Core sink exists. ordinary onboarding proceeds before the production Audit Core sink exists.
**2026-06-01:** Tightened the restore-drill evidence gate. The local bootstrap
metadata currently says `restore_drill_passed: true`, but that checkbox alone
does not preserve enough non-secret evidence for review. Railiance now has a
restore evidence JSON template and `make openbao-validate-restore-evidence`
validator that checks for snapshot hashes, encrypted-snapshot hash/location,
isolated restore completion, unseal/status/test-secret verification, isolated
environment destruction, and `no_secret_material_recorded`. The NetKingdom
control surface now includes a **Validate restore drill evidence** runbook
card. T02 should not count the restore gate closed until a real non-secret
evidence file from the prior or repeated drill passes that validator.
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
```task ```task
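Review bot: the 2026-06-01 entry lists the fields the validator checks but gives neither the location of the restore evidence JSON template nor the hash algorithm expected for the snapshot and encrypted-snapshot hashes, so a reader closing T02 cannot tell whether their evidence file is in the right shape before running `make openbao-validate-restore-evidence`; add the template path beside the make target and say which hash the validator compares. It should also state explicitly that the validator's pass output, not the existing `restore_drill_passed: true` flag, is what gets recorded in this log when the restore gate is finally marked closed.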