@blamejs/exceptd-skills 0.10.0 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -0
- package/bin/exceptd.js +303 -9
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/ai-api.json +400 -90
- package/data/playbooks/containers.json +406 -94
- package/data/playbooks/cred-stores.json +374 -89
- package/data/playbooks/crypto.json +369 -87
- package/data/playbooks/framework.json +376 -86
- package/data/playbooks/hardening.json +357 -84
- package/data/playbooks/kernel.json +324 -77
- package/data/playbooks/mcp.json +407 -92
- package/data/playbooks/runtime.json +345 -81
- package/data/playbooks/sbom.json +497 -111
- package/data/playbooks/secrets.json +352 -83
- package/lib/playbook-runner.js +77 -7
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -9,12 +9,21 @@
|
|
|
9
9
|
"version": "1.0.0",
|
|
10
10
|
"date": "2026-05-11",
|
|
11
11
|
"summary": "Initial seven-phase playbook covering catalogued kernel LPE CVEs with version-aware matching, hardening posture, live-patch detection, and full GRC closure (CSAF evidence bundle + jurisdiction-aware notifications + auditor-ready exception generation).",
|
|
12
|
-
"cves_added": [
|
|
13
|
-
|
|
12
|
+
"cves_added": [
|
|
13
|
+
"CVE-2026-31431",
|
|
14
|
+
"CVE-2026-43284",
|
|
15
|
+
"CVE-2026-43500"
|
|
16
|
+
],
|
|
17
|
+
"framework_gaps_updated": [
|
|
18
|
+
"nist-800-53-SI-2",
|
|
19
|
+
"nis2-art21-2c",
|
|
20
|
+
"iso-27001-2022-A.8.8"
|
|
21
|
+
]
|
|
14
22
|
}
|
|
15
23
|
],
|
|
16
24
|
"owner": "@blamejs/platform-security",
|
|
17
25
|
"air_gap_mode": false,
|
|
26
|
+
"scope": "system",
|
|
18
27
|
"preconditions": [
|
|
19
28
|
{
|
|
20
29
|
"id": "linux-platform",
|
|
@@ -41,24 +50,42 @@
|
|
|
41
50
|
}
|
|
42
51
|
]
|
|
43
52
|
},
|
|
44
|
-
|
|
45
53
|
"domain": {
|
|
46
54
|
"name": "Linux kernel local privilege escalation",
|
|
47
55
|
"attack_class": "kernel-lpe",
|
|
48
56
|
"atlas_refs": [],
|
|
49
|
-
"attack_refs": [
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
57
|
+
"attack_refs": [
|
|
58
|
+
"T1068",
|
|
59
|
+
"T1611"
|
|
60
|
+
],
|
|
61
|
+
"cve_refs": [
|
|
62
|
+
"CVE-2026-31431",
|
|
63
|
+
"CVE-2026-43284",
|
|
64
|
+
"CVE-2026-43500"
|
|
65
|
+
],
|
|
66
|
+
"cwe_refs": [
|
|
67
|
+
"CWE-416",
|
|
68
|
+
"CWE-362",
|
|
69
|
+
"CWE-787"
|
|
70
|
+
],
|
|
71
|
+
"d3fend_refs": [
|
|
72
|
+
"D3-KBPI",
|
|
73
|
+
"D3-PA"
|
|
74
|
+
],
|
|
53
75
|
"frameworks_in_scope": [
|
|
54
|
-
"nist-800-53",
|
|
55
|
-
"
|
|
56
|
-
"
|
|
76
|
+
"nist-800-53",
|
|
77
|
+
"nist-csf-2",
|
|
78
|
+
"iso-27001-2022",
|
|
79
|
+
"soc2",
|
|
80
|
+
"pci-dss-4",
|
|
81
|
+
"nis2",
|
|
82
|
+
"dora",
|
|
83
|
+
"uk-caf",
|
|
84
|
+
"au-ism",
|
|
85
|
+
"au-essential-8"
|
|
57
86
|
]
|
|
58
87
|
},
|
|
59
|
-
|
|
60
88
|
"phases": {
|
|
61
|
-
|
|
62
89
|
"govern": {
|
|
63
90
|
"jurisdiction_obligations": [
|
|
64
91
|
{
|
|
@@ -67,7 +94,11 @@
|
|
|
67
94
|
"obligation": "notify_regulator",
|
|
68
95
|
"window_hours": 24,
|
|
69
96
|
"clock_starts": "detect_confirmed",
|
|
70
|
-
"evidence_required": [
|
|
97
|
+
"evidence_required": [
|
|
98
|
+
"affected_host_inventory",
|
|
99
|
+
"exploitation_status_assessment",
|
|
100
|
+
"interim_mitigation_record"
|
|
101
|
+
]
|
|
71
102
|
},
|
|
72
103
|
{
|
|
73
104
|
"jurisdiction": "EU",
|
|
@@ -75,7 +106,11 @@
|
|
|
75
106
|
"obligation": "notify_regulator",
|
|
76
107
|
"window_hours": 72,
|
|
77
108
|
"clock_starts": "analyze_complete",
|
|
78
|
-
"evidence_required": [
|
|
109
|
+
"evidence_required": [
|
|
110
|
+
"full_incident_assessment",
|
|
111
|
+
"remediation_plan",
|
|
112
|
+
"residual_risk_statement"
|
|
113
|
+
]
|
|
79
114
|
},
|
|
80
115
|
{
|
|
81
116
|
"jurisdiction": "EU",
|
|
@@ -83,7 +118,10 @@
|
|
|
83
118
|
"obligation": "notify_regulator",
|
|
84
119
|
"window_hours": 4,
|
|
85
120
|
"clock_starts": "detect_confirmed",
|
|
86
|
-
"evidence_required": [
|
|
121
|
+
"evidence_required": [
|
|
122
|
+
"initial_notification",
|
|
123
|
+
"ict_third_party_dependencies"
|
|
124
|
+
]
|
|
87
125
|
},
|
|
88
126
|
{
|
|
89
127
|
"jurisdiction": "AU",
|
|
@@ -91,7 +129,10 @@
|
|
|
91
129
|
"obligation": "notify_regulator",
|
|
92
130
|
"window_hours": 72,
|
|
93
131
|
"clock_starts": "validate_complete",
|
|
94
|
-
"evidence_required": [
|
|
132
|
+
"evidence_required": [
|
|
133
|
+
"materiality_assessment",
|
|
134
|
+
"remediation_completed_evidence"
|
|
135
|
+
]
|
|
95
136
|
}
|
|
96
137
|
],
|
|
97
138
|
"theater_fingerprints": [
|
|
@@ -99,13 +140,20 @@
|
|
|
99
140
|
"pattern_id": "patch-sla-without-kev-priority",
|
|
100
141
|
"claim": "Critical patches deployed within 30 days satisfies SI-2 / A.8.8 / Art.21(2)(c).",
|
|
101
142
|
"fast_detection_test": "Check whether KEV-listed kernel CVEs got priority over non-KEV CVSS-9 CVEs in the patch queue. Standard 30-day SLA is theater when KEV demands faster.",
|
|
102
|
-
"implicated_controls": [
|
|
143
|
+
"implicated_controls": [
|
|
144
|
+
"nist-800-53-SI-2",
|
|
145
|
+
"iso-27001-2022-A.8.8",
|
|
146
|
+
"nis2-art21-2c"
|
|
147
|
+
]
|
|
103
148
|
},
|
|
104
149
|
{
|
|
105
150
|
"pattern_id": "uname-as-patch-evidence",
|
|
106
151
|
"claim": "uname output matches patched version → host is patched.",
|
|
107
152
|
"fast_detection_test": "Distinguish vendor-backport kernels (e.g. RHEL 4.18 with CVE backports) from upstream version-string matches. uname alone is insufficient — distro changelog must be consulted.",
|
|
108
|
-
"implicated_controls": [
|
|
153
|
+
"implicated_controls": [
|
|
154
|
+
"nist-800-53-SI-2",
|
|
155
|
+
"soc2-cc7.1"
|
|
156
|
+
]
|
|
109
157
|
}
|
|
110
158
|
],
|
|
111
159
|
"framework_context": {
|
|
@@ -132,9 +180,14 @@
|
|
|
132
180
|
}
|
|
133
181
|
]
|
|
134
182
|
},
|
|
135
|
-
"skill_preload": [
|
|
183
|
+
"skill_preload": [
|
|
184
|
+
"kernel-lpe-triage",
|
|
185
|
+
"exploit-scoring",
|
|
186
|
+
"framework-gap-analysis",
|
|
187
|
+
"compliance-theater",
|
|
188
|
+
"policy-exception-gen"
|
|
189
|
+
]
|
|
136
190
|
},
|
|
137
|
-
|
|
138
191
|
"direct": {
|
|
139
192
|
"threat_context": "Kernel LPE landscape Q1-Q2 2026: CVE-2026-31431 'Copy Fail' (AI-discovered in ~1h, deterministic page-cache CoW primitive, no race condition, 732-byte PoC, KEV-listed 2026-03-15, confirmed in-the-wild) is the load-bearing exploit driving the current Linux LPE wave. CVE-2026-43284 + CVE-2026-43500 are sibling LPEs in catalog. Live-patch ecosystem (kpatch, kgraft, livepatch) covers Copy Fail on RHEL 9.4+ / Ubuntu 22.04 HWE / Debian 12 — vendors shipped live patches within 48h of KEV listing. Operators that adopted live-patch are not affected even on technically-vulnerable kernel versions; operators relying solely on reboot-required patches retain exposure for the duration of their reboot window.",
|
|
140
193
|
"rwep_threshold": {
|
|
@@ -144,11 +197,33 @@
|
|
|
144
197
|
},
|
|
145
198
|
"framework_lag_declaration": "NIST SI-2 + ISO A.8.8 + NIS2 Art.21(2)(c) permit 30-day patch SLAs that are inadequate for KEV-listed kernel LPEs with confirmed exploitation. NIST 800-53 Rev. 5.1.1 does not require KEV-aware prioritization, only risk-based — leaving it to implementer interpretation. Real-world tempo: weaponization in hours, patch SLA in weeks. Gap = ~28 days. Compensating controls (live-patch, MAC, kernel hardening) MUST close this gap before SLA-only compliance can be accepted.",
|
|
146
199
|
"skill_chain": [
|
|
147
|
-
{
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
200
|
+
{
|
|
201
|
+
"skill": "kernel-lpe-triage",
|
|
202
|
+
"purpose": "Determine whether the running kernel + hardening posture actually allows exploitation of a matched CVE.",
|
|
203
|
+
"required": true
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
"skill": "exploit-scoring",
|
|
207
|
+
"purpose": "Compute RWEP for each matched CVE; rank for triage.",
|
|
208
|
+
"required": true
|
|
209
|
+
},
|
|
210
|
+
{
|
|
211
|
+
"skill": "framework-gap-analysis",
|
|
212
|
+
"purpose": "Map matched CVEs to which framework controls are insufficient and why.",
|
|
213
|
+
"skip_if": "analyze.framework_gap_mapping.length == 0",
|
|
214
|
+
"required": false
|
|
215
|
+
},
|
|
216
|
+
{
|
|
217
|
+
"skill": "compliance-theater",
|
|
218
|
+
"purpose": "Run the theater test — does the org's claimed patch SLA actually catch this CVE in time?",
|
|
219
|
+
"required": true
|
|
220
|
+
},
|
|
221
|
+
{
|
|
222
|
+
"skill": "policy-exception-gen",
|
|
223
|
+
"purpose": "Generate auditor-ready exception language if a matched CVE cannot be remediated within the jurisdiction's window.",
|
|
224
|
+
"skip_if": "close.exception_generation.trigger_condition == false",
|
|
225
|
+
"required": false
|
|
226
|
+
}
|
|
152
227
|
],
|
|
153
228
|
"token_budget": {
|
|
154
229
|
"estimated_total": 18000,
|
|
@@ -163,7 +238,6 @@
|
|
|
163
238
|
}
|
|
164
239
|
}
|
|
165
240
|
},
|
|
166
|
-
|
|
167
241
|
"look": {
|
|
168
242
|
"artifacts": [
|
|
169
243
|
{
|
|
@@ -240,14 +314,33 @@
|
|
|
240
314
|
}
|
|
241
315
|
],
|
|
242
316
|
"fallback_if_unavailable": [
|
|
243
|
-
{
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
317
|
+
{
|
|
318
|
+
"artifact_id": "livepatch-state",
|
|
319
|
+
"fallback_action": "use_compensating_artifact",
|
|
320
|
+
"confidence_impact": "medium"
|
|
321
|
+
},
|
|
322
|
+
{
|
|
323
|
+
"artifact_id": "kernel-modules",
|
|
324
|
+
"fallback_action": "mark_inconclusive",
|
|
325
|
+
"confidence_impact": "low"
|
|
326
|
+
},
|
|
327
|
+
{
|
|
328
|
+
"artifact_id": "sysctl-hardening",
|
|
329
|
+
"fallback_action": "mark_inconclusive",
|
|
330
|
+
"confidence_impact": "medium"
|
|
331
|
+
},
|
|
332
|
+
{
|
|
333
|
+
"artifact_id": "cpu-vulnerabilities",
|
|
334
|
+
"fallback_action": "mark_inconclusive",
|
|
335
|
+
"confidence_impact": "low"
|
|
336
|
+
},
|
|
337
|
+
{
|
|
338
|
+
"artifact_id": "kernel-release",
|
|
339
|
+
"fallback_action": "escalate_to_human",
|
|
340
|
+
"confidence_impact": "high"
|
|
341
|
+
}
|
|
248
342
|
]
|
|
249
343
|
},
|
|
250
|
-
|
|
251
344
|
"detect": {
|
|
252
345
|
"indicators": [
|
|
253
346
|
{
|
|
@@ -312,26 +405,85 @@
|
|
|
312
405
|
"not_detected": "$kver captured AND zero matched CVEs in catalog AND hardening posture is high (lockdown=integrity or confidentiality, KASLR enabled, unpriv-userns=0, unpriv-bpf=disabled)."
|
|
313
406
|
}
|
|
314
407
|
},
|
|
315
|
-
|
|
316
408
|
"analyze": {
|
|
317
409
|
"rwep_inputs": [
|
|
318
|
-
{
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
{
|
|
325
|
-
|
|
410
|
+
{
|
|
411
|
+
"signal_id": "kver-in-affected-range",
|
|
412
|
+
"rwep_factor": "active_exploitation",
|
|
413
|
+
"weight": 25,
|
|
414
|
+
"notes": "Multiplier — if matched CVE has active_exploitation='confirmed' in catalog, full weight; otherwise 0."
|
|
415
|
+
},
|
|
416
|
+
{
|
|
417
|
+
"signal_id": "kver-in-affected-range",
|
|
418
|
+
"rwep_factor": "cisa_kev",
|
|
419
|
+
"weight": 20,
|
|
420
|
+
"notes": "Multiplier — KEV-listed matched CVE = full weight."
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"signal_id": "kver-in-affected-range",
|
|
424
|
+
"rwep_factor": "public_poc",
|
|
425
|
+
"weight": 15,
|
|
426
|
+
"notes": "PoC availability in catalog (poc_available=true)."
|
|
427
|
+
},
|
|
428
|
+
{
|
|
429
|
+
"signal_id": "kver-in-affected-range",
|
|
430
|
+
"rwep_factor": "ai_weaponization",
|
|
431
|
+
"weight": 10,
|
|
432
|
+
"notes": "AI-discovered or AI-assisted weaponization flagged in catalog."
|
|
433
|
+
},
|
|
434
|
+
{
|
|
435
|
+
"signal_id": "kver-in-affected-range",
|
|
436
|
+
"rwep_factor": "patch_available",
|
|
437
|
+
"weight": -10,
|
|
438
|
+
"notes": "Patch available reduces RWEP by 10. If patch not yet applied, this is informational, not a deduction."
|
|
439
|
+
},
|
|
440
|
+
{
|
|
441
|
+
"signal_id": "livepatch-active",
|
|
442
|
+
"rwep_factor": "live_patch_available",
|
|
443
|
+
"weight": -15,
|
|
444
|
+
"notes": "Live-patch active for this specific CVE reduces RWEP by 15."
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"signal_id": "kaslr-disabled",
|
|
448
|
+
"rwep_factor": "blast_radius",
|
|
449
|
+
"weight": 5,
|
|
450
|
+
"notes": "Disabled KASLR + matched CVE increases blast radius score."
|
|
451
|
+
},
|
|
452
|
+
{
|
|
453
|
+
"signal_id": "unpriv-userns-enabled",
|
|
454
|
+
"rwep_factor": "blast_radius",
|
|
455
|
+
"weight": 5,
|
|
456
|
+
"notes": "Enabled unprivileged userns + matched CVE increases blast radius score for userns-dependent LPEs."
|
|
457
|
+
}
|
|
326
458
|
],
|
|
327
459
|
"blast_radius_model": {
|
|
328
460
|
"scope_question": "If a matched kernel LPE is exploited on this host, what scope of compromise is the host realistically delivering to the attacker?",
|
|
329
461
|
"scoring_rubric": [
|
|
330
|
-
{
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
462
|
+
{
|
|
463
|
+
"condition": "host runs as single-tenant service AND no shared filesystem AND no privileged service accounts",
|
|
464
|
+
"blast_radius_score": 1,
|
|
465
|
+
"description": "Single-host root only. Lateral movement requires separate exploit chain."
|
|
466
|
+
},
|
|
467
|
+
{
|
|
468
|
+
"condition": "host has SSH agent forwarding active OR mounts shared NFS/CIFS volumes",
|
|
469
|
+
"blast_radius_score": 2,
|
|
470
|
+
"description": "Root → credential or filesystem theft → adjacent hosts."
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"condition": "host is k8s node OR multi-tenant container host",
|
|
474
|
+
"blast_radius_score": 3,
|
|
475
|
+
"description": "Root → container escape → pod credentials → cluster-wide compromise."
|
|
476
|
+
},
|
|
477
|
+
{
|
|
478
|
+
"condition": "host is k8s control-plane node OR runs Vault/secrets agent OR has cloud-IMDS access with privileged IAM role",
|
|
479
|
+
"blast_radius_score": 4,
|
|
480
|
+
"description": "Root → cluster admin or cloud account takeover."
|
|
481
|
+
},
|
|
482
|
+
{
|
|
483
|
+
"condition": "host is bastion/jumpbox OR runs CA/HSM-adjacent service OR has cross-account trust relationships",
|
|
484
|
+
"blast_radius_score": 5,
|
|
485
|
+
"description": "Root → org-wide pivot. Identity boundary collapse."
|
|
486
|
+
}
|
|
335
487
|
]
|
|
336
488
|
},
|
|
337
489
|
"compliance_theater_check": {
|
|
@@ -364,19 +516,34 @@
|
|
|
364
516
|
}
|
|
365
517
|
],
|
|
366
518
|
"escalation_criteria": [
|
|
367
|
-
{
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
|
|
519
|
+
{
|
|
520
|
+
"condition": "rwep >= 90 AND patch_available == false",
|
|
521
|
+
"action": "page_on_call"
|
|
522
|
+
},
|
|
523
|
+
{
|
|
524
|
+
"condition": "rwep >= 90 AND patch_available == true AND livepatch_active == false AND reboot_window > 24h",
|
|
525
|
+
"action": "raise_severity"
|
|
526
|
+
},
|
|
527
|
+
{
|
|
528
|
+
"condition": "blast_radius_score >= 4",
|
|
529
|
+
"action": "trigger_playbook",
|
|
530
|
+
"target_playbook": "sbom"
|
|
531
|
+
},
|
|
532
|
+
{
|
|
533
|
+
"condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
|
|
534
|
+
"action": "notify_legal"
|
|
535
|
+
}
|
|
371
536
|
]
|
|
372
537
|
},
|
|
373
|
-
|
|
374
538
|
"validate": {
|
|
375
539
|
"remediation_paths": [
|
|
376
540
|
{
|
|
377
541
|
"id": "live-patch-deploy",
|
|
378
542
|
"description": "Deploy vendor live-patch (kpatch / kgraft / canonical livepatch) covering the matched CVE. No reboot required.",
|
|
379
|
-
"preconditions": [
|
|
543
|
+
"preconditions": [
|
|
544
|
+
"livepatch_available_for_cve == true",
|
|
545
|
+
"host_supports_livepatch == true"
|
|
546
|
+
],
|
|
380
547
|
"priority": 1,
|
|
381
548
|
"compensating_controls": [],
|
|
382
549
|
"estimated_time_hours": 1
|
|
@@ -384,25 +551,43 @@
|
|
|
384
551
|
{
|
|
385
552
|
"id": "scheduled-kernel-upgrade",
|
|
386
553
|
"description": "Schedule kernel package upgrade + reboot during next maintenance window.",
|
|
387
|
-
"preconditions": [
|
|
554
|
+
"preconditions": [
|
|
555
|
+
"vendor_patch_available == true",
|
|
556
|
+
"reboot_window_within_72h == true"
|
|
557
|
+
],
|
|
388
558
|
"priority": 2,
|
|
389
|
-
"compensating_controls": [
|
|
559
|
+
"compensating_controls": [
|
|
560
|
+
"MAC_policy_tightened_until_reboot",
|
|
561
|
+
"ssh_access_restricted_to_admins_until_reboot"
|
|
562
|
+
],
|
|
390
563
|
"estimated_time_hours": 4
|
|
391
564
|
},
|
|
392
565
|
{
|
|
393
566
|
"id": "hardening-compensation",
|
|
394
567
|
"description": "When reboot impossible within compliance window: tighten hardening flags (disable unpriv-userns, disable unpriv-bpf, set kptr_restrict=2, raise yama.ptrace_scope to 2) to break the exploit's primitive without patching.",
|
|
395
|
-
"preconditions": [
|
|
568
|
+
"preconditions": [
|
|
569
|
+
"matched_cve.vector matches userns|bpf|ptrace|kptr",
|
|
570
|
+
"ops_authorization_for_sysctl_changes == true"
|
|
571
|
+
],
|
|
396
572
|
"priority": 3,
|
|
397
|
-
"compensating_controls": [
|
|
573
|
+
"compensating_controls": [
|
|
574
|
+
"sysctl_changes_recorded_in_change_management",
|
|
575
|
+
"exploit_replay_negative_test_passed"
|
|
576
|
+
],
|
|
398
577
|
"estimated_time_hours": 2
|
|
399
578
|
},
|
|
400
579
|
{
|
|
401
580
|
"id": "policy-exception",
|
|
402
581
|
"description": "Generate an auditor-ready policy exception via policy-exception-gen documenting that all faster remediation paths are blocked, with compensating controls and time-bound risk acceptance.",
|
|
403
|
-
"preconditions": [
|
|
582
|
+
"preconditions": [
|
|
583
|
+
"remediation_paths[1..3] all blocked",
|
|
584
|
+
"ciso_acceptance_obtainable == true"
|
|
585
|
+
],
|
|
404
586
|
"priority": 4,
|
|
405
|
-
"compensating_controls": [
|
|
587
|
+
"compensating_controls": [
|
|
588
|
+
"enhanced_logging_for_LPE_indicators",
|
|
589
|
+
"monthly_residual_risk_review"
|
|
590
|
+
],
|
|
406
591
|
"estimated_time_hours": 8
|
|
407
592
|
}
|
|
408
593
|
],
|
|
@@ -442,46 +627,84 @@
|
|
|
442
627
|
"risk": "Kernel LPE matched but not yet patched OR patched via hardening compensation rather than vendor patch.",
|
|
443
628
|
"why_remains": "Either (a) reboot window scheduled but not yet executed, (b) live-patch unavailable for this CVE on this kernel + distro combination, OR (c) hardening compensation broke the primitive but the underlying vulnerable code path is unmodified — a future, related CVE could re-expose the host via a different primitive.",
|
|
444
629
|
"acceptance_level": "ciso",
|
|
445
|
-
"compensating_controls_in_place": [
|
|
630
|
+
"compensating_controls_in_place": [
|
|
631
|
+
"MAC_policy_active",
|
|
632
|
+
"enhanced_LPE_indicator_logging",
|
|
633
|
+
"ssh_access_restricted_to_admins"
|
|
634
|
+
]
|
|
446
635
|
},
|
|
447
636
|
"evidence_requirements": [
|
|
448
637
|
{
|
|
449
638
|
"evidence_type": "patch_record",
|
|
450
639
|
"description": "Kernel package upgrade ticket with timestamps showing decision, deployment, and validation. For live-patch path: kpatch load record.",
|
|
451
640
|
"retention_period": "7_years",
|
|
452
|
-
"framework_satisfied": [
|
|
641
|
+
"framework_satisfied": [
|
|
642
|
+
"nist-800-53-SI-2",
|
|
643
|
+
"iso-27001-2022-A.8.8",
|
|
644
|
+
"soc2-cc7.1",
|
|
645
|
+
"nis2-art21-2c"
|
|
646
|
+
]
|
|
453
647
|
},
|
|
454
648
|
{
|
|
455
649
|
"evidence_type": "exploit_replay_negative",
|
|
456
650
|
"description": "Sandbox replay of the CVE's primitive-trigger step showing it now fails post-remediation. Distinguishes patch_applied=true from actually_exploit_broken=true.",
|
|
457
651
|
"retention_period": "1_year",
|
|
458
|
-
"framework_satisfied": [
|
|
652
|
+
"framework_satisfied": [
|
|
653
|
+
"soc2-cc7.1",
|
|
654
|
+
"iso-27001-2022-A.8.8"
|
|
655
|
+
]
|
|
459
656
|
},
|
|
460
657
|
{
|
|
461
658
|
"evidence_type": "config_diff",
|
|
462
659
|
"description": "For hardening-compensation path: diff of sysctl values before and after remediation, plus the change-management approval reference.",
|
|
463
660
|
"retention_period": "audit_cycle",
|
|
464
|
-
"framework_satisfied": [
|
|
661
|
+
"framework_satisfied": [
|
|
662
|
+
"nist-800-53-CM-3",
|
|
663
|
+
"iso-27001-2022-A.8.32"
|
|
664
|
+
]
|
|
465
665
|
},
|
|
466
666
|
{
|
|
467
667
|
"evidence_type": "attestation",
|
|
468
668
|
"description": "Signed exceptd attestation file with evidence_hash, RWEP at detection, RWEP post-remediation, residual risk acceptance.",
|
|
469
669
|
"retention_period": "7_years",
|
|
470
|
-
"framework_satisfied": [
|
|
670
|
+
"framework_satisfied": [
|
|
671
|
+
"nist-800-53-CA-7",
|
|
672
|
+
"iso-27001-2022-A.5.36",
|
|
673
|
+
"nis2-art21-2c"
|
|
674
|
+
]
|
|
471
675
|
}
|
|
472
676
|
],
|
|
473
677
|
"regression_trigger": [
|
|
474
|
-
{
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
678
|
+
{
|
|
679
|
+
"condition": "new_cve_in_class == true",
|
|
680
|
+
"interval": "on_event"
|
|
681
|
+
},
|
|
682
|
+
{
|
|
683
|
+
"condition": "kernel_upgrade == true",
|
|
684
|
+
"interval": "on_event"
|
|
685
|
+
},
|
|
686
|
+
{
|
|
687
|
+
"condition": "monthly",
|
|
688
|
+
"interval": "30d"
|
|
689
|
+
},
|
|
690
|
+
{
|
|
691
|
+
"condition": "post_major_deploy",
|
|
692
|
+
"interval": "on_event"
|
|
693
|
+
}
|
|
478
694
|
]
|
|
479
695
|
},
|
|
480
|
-
|
|
481
696
|
"close": {
|
|
482
697
|
"evidence_package": {
|
|
483
698
|
"bundle_format": "csaf-2.0",
|
|
484
|
-
"contents": [
|
|
699
|
+
"contents": [
|
|
700
|
+
"all_validation_tests_passed",
|
|
701
|
+
"patch_records",
|
|
702
|
+
"exploit_replay_negative",
|
|
703
|
+
"residual_risk_statement",
|
|
704
|
+
"framework_gap_mapping",
|
|
705
|
+
"compliance_theater_verdict",
|
|
706
|
+
"attestation"
|
|
707
|
+
],
|
|
485
708
|
"destination": "local_only",
|
|
486
709
|
"signed": true
|
|
487
710
|
},
|
|
@@ -493,21 +716,33 @@
|
|
|
493
716
|
"framework_gap": "NIST 800-53 + ISO 27001 + NIS2 vulnerability-handling controls specify process not tempo, and do not require KEV-aware fast-path. Frameworks lag real-world weaponization by ~28 days.",
|
|
494
717
|
"new_control_requirement": "Add a KEV-fast-path variant to vulnerability-handling controls: KEV-listed flaws must be patched within max(KEV due_date, 72h post public-PoC). Live-patch deployment satisfies the variant. Hardening-only compensation requires CISO-level risk acceptance and time-bound exception."
|
|
495
718
|
},
|
|
496
|
-
"feeds_back_to_skills": [
|
|
719
|
+
"feeds_back_to_skills": [
|
|
720
|
+
"kernel-lpe-triage",
|
|
721
|
+
"framework-gap-analysis",
|
|
722
|
+
"compliance-theater",
|
|
723
|
+
"zeroday-gap-learn"
|
|
724
|
+
]
|
|
497
725
|
},
|
|
498
726
|
"notification_actions": [
|
|
499
727
|
{
|
|
500
728
|
"obligation_ref": "EU/NIS2 Art.23 24h",
|
|
501
729
|
"deadline": "computed_at_runtime",
|
|
502
730
|
"recipient": "internal_legal",
|
|
503
|
-
"evidence_attached": [
|
|
731
|
+
"evidence_attached": [
|
|
732
|
+
"affected_host_inventory",
|
|
733
|
+
"exploitation_status_assessment",
|
|
734
|
+
"interim_mitigation_record"
|
|
735
|
+
],
|
|
504
736
|
"draft_notification": "Initial NIS2 Art.23 24-hour early-warning notification: Kernel LPE matched against catalogued CVE(s) ${matched_cve_ids} on ${affected_host_count} host(s). KEV-listed: ${kev_listed_count}. Active exploitation status: ${active_exploitation}. Interim mitigation in place: ${interim_mitigation}. Full incident assessment to follow within 72 hours per Art.23(4)."
|
|
505
737
|
},
|
|
506
738
|
{
|
|
507
739
|
"obligation_ref": "EU/DORA Art.19 4h",
|
|
508
740
|
"deadline": "computed_at_runtime",
|
|
509
741
|
"recipient": "internal_legal",
|
|
510
|
-
"evidence_attached": [
|
|
742
|
+
"evidence_attached": [
|
|
743
|
+
"initial_notification",
|
|
744
|
+
"ict_third_party_dependencies"
|
|
745
|
+
],
|
|
511
746
|
"draft_notification": "DORA Art.19 initial notification: Major ICT-related incident — kernel LPE on financial-entity host(s). ${matched_cve_ids}. ICT third-party dependencies affected: ${ict_dependencies}. Full classification + impact assessment to follow within statutory windows."
|
|
512
747
|
}
|
|
513
748
|
],
|
|
@@ -516,7 +751,12 @@
|
|
|
516
751
|
"exception_template": {
|
|
517
752
|
"scope": "Kernel LPE matched against ${matched_cve_ids} on ${affected_host_count} host(s); remediation paths 1-3 blocked.",
|
|
518
753
|
"duration": "until_vendor_patch",
|
|
519
|
-
"compensating_controls": [
|
|
754
|
+
"compensating_controls": [
|
|
755
|
+
"MAC_policy_active",
|
|
756
|
+
"sysctl_hardening_at_max",
|
|
757
|
+
"enhanced_LPE_indicator_logging",
|
|
758
|
+
"ssh_access_restricted_to_admins"
|
|
759
|
+
],
|
|
520
760
|
"risk_acceptance_owner": "ciso",
|
|
521
761
|
"auditor_ready_language": "Pursuant to ${framework_id} ${control_id}, the organization documents a time-bound risk acceptance for kernel LPE ${matched_cve_ids} on ${affected_host_count} host(s). Vendor patch availability: ${patch_available_status}. Live-patch availability for this kernel+distro: ${livepatch_status}. Reboot window: ${reboot_window}. Compensating controls in place: ${compensating_controls}. Residual RWEP post-compensation: ${rwep_post_compensation}. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry}. Detection coverage for exploitation attempts during the exception window is provided by ${detection_controls}. The exception will be re-evaluated on (a) vendor patch publication, (b) the listed expiry date, OR (c) a new exploitation indicator firing — whichever is first."
|
|
522
762
|
}
|
|
@@ -528,20 +768,27 @@
|
|
|
528
768
|
}
|
|
529
769
|
}
|
|
530
770
|
},
|
|
531
|
-
|
|
532
771
|
"directives": [
|
|
533
772
|
{
|
|
534
773
|
"id": "all-catalogued-kernel-cves",
|
|
535
774
|
"title": "Match running kernel against every catalogued kernel/LPE CVE",
|
|
536
|
-
"applies_to": {
|
|
775
|
+
"applies_to": {
|
|
776
|
+
"always": true
|
|
777
|
+
}
|
|
537
778
|
},
|
|
538
779
|
{
|
|
539
780
|
"id": "copy-fail-specific",
|
|
540
781
|
"title": "Targeted investigation for CVE-2026-31431 'Copy Fail' (KEV, AI-discovered, deterministic)",
|
|
541
|
-
"applies_to": {
|
|
782
|
+
"applies_to": {
|
|
783
|
+
"cve": "CVE-2026-31431"
|
|
784
|
+
},
|
|
542
785
|
"phase_overrides": {
|
|
543
786
|
"direct": {
|
|
544
|
-
"rwep_threshold": {
|
|
787
|
+
"rwep_threshold": {
|
|
788
|
+
"escalate": 80,
|
|
789
|
+
"monitor": 60,
|
|
790
|
+
"close": 30
|
|
791
|
+
}
|
|
545
792
|
}
|
|
546
793
|
}
|
|
547
794
|
}
|