Add OpenBao authenticated proof runbook

2026-06-01 22:46:15 +02:00
parent 1f09e6dcae
commit dc4fe883a5
2 changed files with 24 additions and 0 deletions
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1849,6 +1849,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
    audit_list_command = token_prompt_command("bao audit list")
    secrets_list_command = token_prompt_command("bao secrets list")
    auth_list_command = token_prompt_command("bao auth list")
+    authenticated_readiness_command = (
+        "make -C ../railiance-platform openbao-verify-authenticated\n\n"
+        "# If a previous attended OIDC login stored a still-valid token in the pod helper, use:\n"
+        "make -C ../railiance-platform openbao-verify-authenticated "
+        "OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper"
+    )
    platform_admin_token_command = token_prompt_command(
        "bao token create -policy=platform-admin -period=24h -orphan"
    )
@@ -1958,6 +1964,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
            auth_list_command,
            downstream_taint,
        ),
+        action(
+            "OpenBao authenticated readiness proof",
+            "Run the Railiance evidence-only verifier for file audit, platform secrets, Kubernetes auth, KeyCape auth, and audit-log write state. The default path prompts for a token without echoing it; the token-helper variant avoids local token movement when a valid pod helper token already exists.",
+            authenticated_readiness_command,
+            downstream_taint,
+        ),
        action(
            "Create platform-admin token",
            "Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -165,6 +165,18 @@ remained ready. T02 remains open for the authenticated `bao audit list` proof,
 durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
 seal/unseal drill evidence, and the next independent escrow holder.

+**2026-06-01:** Added a Railiance evidence-only helper for the authenticated
+OpenBao proof: `make openbao-verify-authenticated` prompts for an approved
+OpenBao token without echoing it and verifies `file/` audit visibility,
+`platform/` secrets, `kubernetes/` auth, `keycape/` auth, and a non-empty audit
+log without mutating OpenBao configuration. The helper can also reuse a
+still-valid pod token helper with
+`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`, avoiding token movement through
+the local shell. It is ready to run with the MFA-backed
+`platform-root`/`platform-admin` path. Durable audit shipping remains open; the
+audit PVC is not a durable sink and non-secret evidence hashes or State Hub
+notes are not substitutes for retained audit log custody.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

 ```task