@blamejs/exceptd-skills 0.9.5 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/AGENTS.md +45 -0
  2. package/CHANGELOG.md +120 -0
  3. package/README.md +30 -5
  4. package/bin/exceptd.js +694 -1
  5. package/data/_indexes/_meta.json +2 -2
  6. package/data/playbooks/ai-api.json +1073 -0
  7. package/data/playbooks/containers.json +1078 -0
  8. package/data/playbooks/cred-stores.json +1000 -0
  9. package/data/playbooks/crypto.json +1008 -0
  10. package/data/playbooks/framework.json +1015 -0
  11. package/data/playbooks/hardening.json +945 -0
  12. package/data/playbooks/kernel.json +796 -0
  13. package/data/playbooks/mcp.json +1042 -0
  14. package/data/playbooks/runtime.json +913 -0
  15. package/data/playbooks/sbom.json +1279 -0
  16. package/data/playbooks/secrets.json +959 -0
  17. package/lib/cross-ref-api.js +224 -0
  18. package/lib/playbook-runner.js +896 -0
  19. package/lib/schemas/playbook.schema.json +657 -0
  20. package/manifest-snapshot.json +1 -1
  21. package/manifest.json +39 -39
  22. package/orchestrator/scanner.js +23 -1
  23. package/package.json +1 -1
  24. package/sbom.cdx.json +6 -6
package/data/playbooks/kernel.json ADDED
@@ -0,0 +1,796 @@
1
+ {
2
+ "_meta": {
3
+ "id": "kernel",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-11",
6
+ "threat_currency_score": 92,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-11",
11
+ "summary": "Initial seven-phase playbook covering catalogued kernel LPE CVEs with version-aware matching, hardening posture, live-patch detection, and full GRC closure (CSAF evidence bundle + jurisdiction-aware notifications + auditor-ready exception generation).",
12
+ "cves_added": [
13
+ "CVE-2026-31431",
14
+ "CVE-2026-43284",
15
+ "CVE-2026-43500"
16
+ ],
17
+ "framework_gaps_updated": [
18
+ "nist-800-53-SI-2",
19
+ "nis2-art21-2c",
20
+ "iso-27001-2022-A.8.8"
21
+ ]
22
+ }
23
+ ],
24
+ "owner": "@blamejs/platform-security",
25
+ "air_gap_mode": false,
26
+ "scope": "system",
27
+ "preconditions": [
28
+ {
29
+ "id": "linux-platform",
30
+ "description": "Playbook targets Linux kernel; macOS / Windows hosts are skipped with a visibility-gap finding rather than executed against.",
31
+ "check": "host.platform == 'linux'",
32
+ "on_fail": "halt"
33
+ },
34
+ {
35
+ "id": "uname-available",
36
+ "description": "uname(1) must be on PATH for any kernel-version finding to be meaningful.",
37
+ "check": "agent_has_command('uname') == true",
38
+ "on_fail": "warn"
39
+ }
40
+ ],
41
+ "mutex": [],
42
+ "feeds_into": [
43
+ {
44
+ "playbook_id": "sbom",
45
+ "condition": "finding.severity == 'critical' OR analyze.blast_radius_score >= 4"
46
+ },
47
+ {
48
+ "playbook_id": "compliance-theater",
49
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
50
+ }
51
+ ]
52
+ },
53
+ "domain": {
54
+ "name": "Linux kernel local privilege escalation",
55
+ "attack_class": "kernel-lpe",
56
+ "atlas_refs": [],
57
+ "attack_refs": [
58
+ "T1068",
59
+ "T1611"
60
+ ],
61
+ "cve_refs": [
62
+ "CVE-2026-31431",
63
+ "CVE-2026-43284",
64
+ "CVE-2026-43500"
65
+ ],
66
+ "cwe_refs": [
67
+ "CWE-416",
68
+ "CWE-362",
69
+ "CWE-787"
70
+ ],
71
+ "d3fend_refs": [
72
+ "D3-KBPI",
73
+ "D3-PA"
74
+ ],
75
+ "frameworks_in_scope": [
76
+ "nist-800-53",
77
+ "nist-csf-2",
78
+ "iso-27001-2022",
79
+ "soc2",
80
+ "pci-dss-4",
81
+ "nis2",
82
+ "dora",
83
+ "uk-caf",
84
+ "au-ism",
85
+ "au-essential-8"
86
+ ]
87
+ },
88
+ "phases": {
89
+ "govern": {
90
+ "jurisdiction_obligations": [
91
+ {
92
+ "jurisdiction": "EU",
93
+ "regulation": "NIS2 Art.23",
94
+ "obligation": "notify_regulator",
95
+ "window_hours": 24,
96
+ "clock_starts": "detect_confirmed",
97
+ "evidence_required": [
98
+ "affected_host_inventory",
99
+ "exploitation_status_assessment",
100
+ "interim_mitigation_record"
101
+ ]
102
+ },
103
+ {
104
+ "jurisdiction": "EU",
105
+ "regulation": "NIS2 Art.23",
106
+ "obligation": "notify_regulator",
107
+ "window_hours": 72,
108
+ "clock_starts": "analyze_complete",
109
+ "evidence_required": [
110
+ "full_incident_assessment",
111
+ "remediation_plan",
112
+ "residual_risk_statement"
113
+ ]
114
+ },
115
+ {
116
+ "jurisdiction": "EU",
117
+ "regulation": "DORA Art.19",
118
+ "obligation": "notify_regulator",
119
+ "window_hours": 4,
120
+ "clock_starts": "detect_confirmed",
121
+ "evidence_required": [
122
+ "initial_notification",
123
+ "ict_third_party_dependencies"
124
+ ]
125
+ },
126
+ {
127
+ "jurisdiction": "AU",
128
+ "regulation": "APRA CPS 234",
129
+ "obligation": "notify_regulator",
130
+ "window_hours": 72,
131
+ "clock_starts": "validate_complete",
132
+ "evidence_required": [
133
+ "materiality_assessment",
134
+ "remediation_completed_evidence"
135
+ ]
136
+ }
137
+ ],
138
+ "theater_fingerprints": [
139
+ {
140
+ "pattern_id": "patch-sla-without-kev-priority",
141
+ "claim": "Critical patches deployed within 30 days satisfies SI-2 / A.8.8 / Art.21(2)(c).",
142
+ "fast_detection_test": "Check whether KEV-listed kernel CVEs got priority over non-KEV CVSS-9 CVEs in the patch queue. Standard 30-day SLA is theater when KEV demands faster.",
143
+ "implicated_controls": [
144
+ "nist-800-53-SI-2",
145
+ "iso-27001-2022-A.8.8",
146
+ "nis2-art21-2c"
147
+ ]
148
+ },
149
+ {
150
+ "pattern_id": "uname-as-patch-evidence",
151
+ "claim": "uname output matches patched version → host is patched.",
152
+ "fast_detection_test": "Distinguish vendor-backport kernels (e.g. RHEL 4.18 with CVE backports) from upstream version-string matches. uname alone is insufficient — distro changelog must be consulted.",
153
+ "implicated_controls": [
154
+ "nist-800-53-SI-2",
155
+ "soc2-cc7.1"
156
+ ]
157
+ }
158
+ ],
159
+ "framework_context": {
160
+ "gap_summary": "Frameworks treat kernel patching as a uniform monthly/quarterly SLA. They do not differentiate KEV-listed kernel LPEs (deterministic, weaponized within hours of disclosure) from typical kernel CVEs (theoretical, slow to weaponize). NIST SI-2 + ISO A.8.8 + NIS2 Art.21(2)(c) all permit 30-day patch windows that are wildly inadequate for confirmed-exploitation kernel CVEs. EU AI Act + DORA additionally require notification clocks that start at *detection*, not *patch deadline*, so framework lag here is measured in compliance windows, not technical posture.",
161
+ "lag_score": 14,
162
+ "per_framework_gaps": [
163
+ {
164
+ "framework": "nist-800-53",
165
+ "control_id": "SI-2(2)",
166
+ "designed_for": "Routine flaw remediation with monthly cadence.",
167
+ "insufficient_because": "Treats all CVEs uniformly. No KEV escalation built into the control. A kernel LPE with confirmed exploitation and a public PoC gets the same 30-day SLA as a theoretical bug."
168
+ },
169
+ {
170
+ "framework": "iso-27001-2022",
171
+ "control_id": "A.8.8",
172
+ "designed_for": "Technical vulnerability management with risk-based prioritization.",
173
+ "insufficient_because": "Risk-based prioritization is left to the implementer. Without explicit RWEP or KEV referencing, organizations default to CVSS-only prioritization, which under-scores kernel LPEs in ways the 2026 threat landscape no longer permits."
174
+ },
175
+ {
176
+ "framework": "nis2",
177
+ "control_id": "Art.21(2)(c)",
178
+ "designed_for": "Vulnerability handling and disclosure for essential entities.",
179
+ "insufficient_because": "Specifies process, not tempo. Permits patch-handling procedures that don't differentiate weaponized-in-hours kernel LPEs from theoretical issues."
180
+ }
181
+ ]
182
+ },
183
+ "skill_preload": [
184
+ "kernel-lpe-triage",
185
+ "exploit-scoring",
186
+ "framework-gap-analysis",
187
+ "compliance-theater",
188
+ "policy-exception-gen"
189
+ ]
190
+ },
191
+ "direct": {
192
+ "threat_context": "Kernel LPE landscape Q1-Q2 2026: CVE-2026-31431 'Copy Fail' (AI-discovered in ~1h, deterministic page-cache CoW primitive, no race condition, 732-byte PoC, KEV-listed 2026-03-15, confirmed in-the-wild) is the load-bearing exploit driving the current Linux LPE wave. CVE-2026-43284 + CVE-2026-43500 are sibling LPEs in catalog. Live-patch ecosystem (kpatch, kgraft, livepatch) covers Copy Fail on RHEL 9.4+ / Ubuntu 22.04 HWE / Debian 12 — vendors shipped live patches within 48h of KEV listing. Operators that adopted live-patch are not affected even on technically-vulnerable kernel versions; operators relying solely on reboot-required patches retain exposure for the duration of their reboot window.",
193
+ "rwep_threshold": {
194
+ "escalate": 90,
195
+ "monitor": 70,
196
+ "close": 30
197
+ },
198
+ "framework_lag_declaration": "NIST SI-2 + ISO A.8.8 + NIS2 Art.21(2)(c) permit 30-day patch SLAs that are inadequate for KEV-listed kernel LPEs with confirmed exploitation. NIST 800-53 Rev. 5.1.1 does not require KEV-aware prioritization, only risk-based — leaving it to implementer interpretation. Real-world tempo: weaponization in hours, patch SLA in weeks. Gap = ~28 days. Compensating controls (live-patch, MAC, kernel hardening) MUST close this gap before SLA-only compliance can be accepted.",
199
+ "skill_chain": [
200
+ {
201
+ "skill": "kernel-lpe-triage",
202
+ "purpose": "Determine whether the running kernel + hardening posture actually allows exploitation of a matched CVE.",
203
+ "required": true
204
+ },
205
+ {
206
+ "skill": "exploit-scoring",
207
+ "purpose": "Compute RWEP for each matched CVE; rank for triage.",
208
+ "required": true
209
+ },
210
+ {
211
+ "skill": "framework-gap-analysis",
212
+ "purpose": "Map matched CVEs to which framework controls are insufficient and why.",
213
+ "skip_if": "analyze.framework_gap_mapping.length == 0",
214
+ "required": false
215
+ },
216
+ {
217
+ "skill": "compliance-theater",
218
+ "purpose": "Run the theater test — does the org's claimed patch SLA actually catch this CVE in time?",
219
+ "required": true
220
+ },
221
+ {
222
+ "skill": "policy-exception-gen",
223
+ "purpose": "Generate auditor-ready exception language if a matched CVE cannot be remediated within the jurisdiction's window.",
224
+ "skip_if": "close.exception_generation.trigger_condition == false",
225
+ "required": false
226
+ }
227
+ ],
228
+ "token_budget": {
229
+ "estimated_total": 18000,
230
+ "breakdown": {
231
+ "govern": 2200,
232
+ "direct": 1400,
233
+ "look": 1800,
234
+ "detect": 2400,
235
+ "analyze": 4200,
236
+ "validate": 3600,
237
+ "close": 2400
238
+ }
239
+ }
240
+ },
241
+ "look": {
242
+ "artifacts": [
243
+ {
244
+ "id": "kernel-release",
245
+ "type": "process_list",
246
+ "source": "uname -r",
247
+ "description": "Running kernel release string — required for semver match against catalog affected_versions ranges.",
248
+ "required": true,
249
+ "air_gap_alternative": "Read /proc/version directly if uname(1) is unavailable."
250
+ },
251
+ {
252
+ "id": "kernel-full",
253
+ "type": "process_list",
254
+ "source": "uname -a",
255
+ "description": "Full uname with build date and arch — provides backport-date signal.",
256
+ "required": false
257
+ },
258
+ {
259
+ "id": "os-release",
260
+ "type": "config_file",
261
+ "source": "/etc/os-release",
262
+ "description": "Distro identity + version — needed to determine whether the vendor ships backported fixes that don't bump the upstream version string.",
263
+ "required": false,
264
+ "air_gap_alternative": "Fall back to /etc/lsb-release or /etc/redhat-release if /etc/os-release missing."
265
+ },
266
+ {
267
+ "id": "livepatch-state",
268
+ "type": "process_list",
269
+ "source": "kpatch list || ls /sys/kernel/livepatch",
270
+ "description": "Live-patch inventory — kpatch / kgraft / livepatch can mitigate a matched CVE without changing uname output.",
271
+ "required": false,
272
+ "air_gap_alternative": "If neither tool is present, mark live-patch=indeterminate and downgrade matched-CVE confidence accordingly."
273
+ },
274
+ {
275
+ "id": "kernel-modules",
276
+ "type": "kernel_module_list",
277
+ "source": "lsmod || cat /proc/modules",
278
+ "description": "Loaded kernel modules — required for subset of CVEs whose vulnerability path depends on module presence (overlayfs, nf_tables, etc.).",
279
+ "required": false
280
+ },
281
+ {
282
+ "id": "sysctl-hardening",
283
+ "type": "config_file",
284
+ "source": "sysctl -a for kernel.kptr_restrict, kernel.unprivileged_userns_clone, kernel.unprivileged_bpf_disabled, kernel.yama.ptrace_scope, kernel.dmesg_restrict",
285
+ "description": "Hardening flags that change matched-CVE practical exploitability — used as confidence modifier.",
286
+ "required": false
287
+ },
288
+ {
289
+ "id": "cpu-vulnerabilities",
290
+ "type": "config_file",
291
+ "source": "/sys/devices/system/cpu/vulnerabilities/*",
292
+ "description": "Distro-reported, post-microcode CPU mitigation status.",
293
+ "required": false
294
+ }
295
+ ],
296
+ "collection_scope": {
297
+ "time_window": "current",
298
+ "asset_scope": "local_host",
299
+ "depth": "standard",
300
+ "sampling": "single-host point-in-time snapshot; re-collect on every regression_trigger event"
301
+ },
302
+ "environment_assumptions": [
303
+ {
304
+ "assumption": "host.platform == 'linux'",
305
+ "if_false": "Skip playbook with visibility_gap=platform_unsupported. macOS/Windows kernels are not in catalog scope."
306
+ },
307
+ {
308
+ "assumption": "agent has read access to /proc and /sys",
309
+ "if_false": "Container with restricted /proc, or hardened host. Mark sysctl/cpu-vulnerabilities artifacts inconclusive; downgrade hardening-modifier confidence."
310
+ },
311
+ {
312
+ "assumption": "uname(1) on PATH",
313
+ "if_false": "Fall back to reading /proc/version. If both fail, halt the playbook — no kernel-version-cve-match is meaningful without a version string."
314
+ }
315
+ ],
316
+ "fallback_if_unavailable": [
317
+ {
318
+ "artifact_id": "livepatch-state",
319
+ "fallback_action": "use_compensating_artifact",
320
+ "confidence_impact": "medium"
321
+ },
322
+ {
323
+ "artifact_id": "kernel-modules",
324
+ "fallback_action": "mark_inconclusive",
325
+ "confidence_impact": "low"
326
+ },
327
+ {
328
+ "artifact_id": "sysctl-hardening",
329
+ "fallback_action": "mark_inconclusive",
330
+ "confidence_impact": "medium"
331
+ },
332
+ {
333
+ "artifact_id": "cpu-vulnerabilities",
334
+ "fallback_action": "mark_inconclusive",
335
+ "confidence_impact": "low"
336
+ },
337
+ {
338
+ "artifact_id": "kernel-release",
339
+ "fallback_action": "escalate_to_human",
340
+ "confidence_impact": "high"
341
+ }
342
+ ]
343
+ },
344
+ "detect": {
345
+ "indicators": [
346
+ {
347
+ "id": "kver-in-affected-range",
348
+ "type": "log_pattern",
349
+ "value": "$kernel_release matches semver-in-range across catalogued kernel/LPE CVE affected_versions",
350
+ "description": "Primary detector — running kernel version falls inside any catalogued CVE's affected_versions range.",
351
+ "confidence": "high",
352
+ "deterministic": false,
353
+ "attack_ref": "T1068"
354
+ },
355
+ {
356
+ "id": "livepatch-active",
357
+ "type": "behavioral_signal",
358
+ "value": "kpatch list emits non-empty result OR /sys/kernel/livepatch contains an active patch entry",
359
+ "description": "Live-patch mitigates a matched CVE without bumping uname output. Presence downgrades confidence of any matched CVE.",
360
+ "confidence": "medium",
361
+ "deterministic": false
362
+ },
363
+ {
364
+ "id": "kaslr-disabled",
365
+ "type": "behavioral_signal",
366
+ "value": "/proc/cmdline contains 'nokaslr'",
367
+ "description": "Disabled KASLR makes matched LPEs deterministic. Raises blast radius.",
368
+ "confidence": "deterministic",
369
+ "deterministic": true
370
+ },
371
+ {
372
+ "id": "unpriv-userns-enabled",
373
+ "type": "behavioral_signal",
374
+ "value": "kernel.unprivileged_userns_clone == 1",
375
+ "description": "Unprivileged user namespaces enabled — required for several catalogued LPE classes.",
376
+ "confidence": "deterministic",
377
+ "deterministic": true,
378
+ "attack_ref": "T1611"
379
+ },
380
+ {
381
+ "id": "unpriv-bpf-allowed",
382
+ "type": "behavioral_signal",
383
+ "value": "kernel.unprivileged_bpf_disabled == 0",
384
+ "description": "Unprivileged BPF allowed — primitive for several kernel LPE classes.",
385
+ "confidence": "deterministic",
386
+ "deterministic": true,
387
+ "attack_ref": "T1068"
388
+ }
389
+ ],
390
+ "false_positive_profile": [
391
+ {
392
+ "indicator_id": "kver-in-affected-range",
393
+ "benign_pattern": "Vendor-shipped distro kernel whose version-string matches an upstream affected range but contains backported fixes (RHEL/Ubuntu/Debian commonly do this).",
394
+ "distinguishing_test": "Read /etc/os-release for distro identity, then consult vendor's CVE backport tracker (Red Hat CVE database, Ubuntu USN, Debian DSA) for the specific CVE. If vendor confirms backport in the kernel package version, downgrade match to medium confidence and add a backport_confirmed=true signal."
395
+ },
396
+ {
397
+ "indicator_id": "kver-in-affected-range",
398
+ "benign_pattern": "Live-patched kernel — uname still reports vulnerable version but kpatch/livepatch has applied the fix in memory.",
399
+ "distinguishing_test": "Look up the matched CVE ID in `kpatch list` or /sys/kernel/livepatch/*/cve-ids if present. If matched CVE appears in active patch list, downgrade match confidence from high to medium and emit a livepatch_mitigation_active visibility note."
400
+ }
401
+ ],
402
+ "minimum_signal": {
403
+ "detected": "At least one indicator with confidence=high or deterministic=true fires, AND $kver was successfully captured. Matched-CVE count > 0.",
404
+ "inconclusive": "$kver captured but every matched CVE either (a) lacks affected_versions in the catalog, (b) has live-patch active, or (c) has confirmed vendor backport. Cannot deny without engaging exploit-replay in validate phase.",
405
+ "not_detected": "$kver captured AND zero matched CVEs in catalog AND hardening posture is high (lockdown=integrity or confidentiality, KASLR enabled, unpriv-userns=0, unpriv-bpf=disabled)."
406
+ }
407
+ },
408
+ "analyze": {
409
+ "rwep_inputs": [
410
+ {
411
+ "signal_id": "kver-in-affected-range",
412
+ "rwep_factor": "active_exploitation",
413
+ "weight": 25,
414
+ "notes": "Multiplier — if matched CVE has active_exploitation='confirmed' in catalog, full weight; otherwise 0."
415
+ },
416
+ {
417
+ "signal_id": "kver-in-affected-range",
418
+ "rwep_factor": "cisa_kev",
419
+ "weight": 20,
420
+ "notes": "Multiplier — KEV-listed matched CVE = full weight."
421
+ },
422
+ {
423
+ "signal_id": "kver-in-affected-range",
424
+ "rwep_factor": "public_poc",
425
+ "weight": 15,
426
+ "notes": "PoC availability in catalog (poc_available=true)."
427
+ },
428
+ {
429
+ "signal_id": "kver-in-affected-range",
430
+ "rwep_factor": "ai_weaponization",
431
+ "weight": 10,
432
+ "notes": "AI-discovered or AI-assisted weaponization flagged in catalog."
433
+ },
434
+ {
435
+ "signal_id": "kver-in-affected-range",
436
+ "rwep_factor": "patch_available",
437
+ "weight": -10,
438
+ "notes": "Patch available reduces RWEP by 10. If patch not yet applied, this is informational, not a deduction."
439
+ },
440
+ {
441
+ "signal_id": "livepatch-active",
442
+ "rwep_factor": "live_patch_available",
443
+ "weight": -15,
444
+ "notes": "Live-patch active for this specific CVE reduces RWEP by 15."
445
+ },
446
+ {
447
+ "signal_id": "kaslr-disabled",
448
+ "rwep_factor": "blast_radius",
449
+ "weight": 5,
450
+ "notes": "Disabled KASLR + matched CVE increases blast radius score."
451
+ },
452
+ {
453
+ "signal_id": "unpriv-userns-enabled",
454
+ "rwep_factor": "blast_radius",
455
+ "weight": 5,
456
+ "notes": "Enabled unprivileged userns + matched CVE increases blast radius score for userns-dependent LPEs."
457
+ }
458
+ ],
459
+ "blast_radius_model": {
460
+ "scope_question": "If a matched kernel LPE is exploited on this host, what scope of compromise is the host realistically delivering to the attacker?",
461
+ "scoring_rubric": [
462
+ {
463
+ "condition": "host runs as single-tenant service AND no shared filesystem AND no privileged service accounts",
464
+ "blast_radius_score": 1,
465
+ "description": "Single-host root only. Lateral movement requires separate exploit chain."
466
+ },
467
+ {
468
+ "condition": "host has SSH agent forwarding active OR mounts shared NFS/CIFS volumes",
469
+ "blast_radius_score": 2,
470
+ "description": "Root → credential or filesystem theft → adjacent hosts."
471
+ },
472
+ {
473
+ "condition": "host is k8s node OR multi-tenant container host",
474
+ "blast_radius_score": 3,
475
+ "description": "Root → container escape → pod credentials → cluster-wide compromise."
476
+ },
477
+ {
478
+ "condition": "host is k8s control-plane node OR runs Vault/secrets agent OR has cloud-IMDS access with privileged IAM role",
479
+ "blast_radius_score": 4,
480
+ "description": "Root → cluster admin or cloud account takeover."
481
+ },
482
+ {
483
+ "condition": "host is bastion/jumpbox OR runs CA/HSM-adjacent service OR has cross-account trust relationships",
484
+ "blast_radius_score": 5,
485
+ "description": "Root → org-wide pivot. Identity boundary collapse."
486
+ }
487
+ ]
488
+ },
489
+ "compliance_theater_check": {
490
+ "claim": "Patches are deployed within 30 days of release per SI-2 / A.8.8 / Art.21(2)(c) — kernel CVEs are managed.",
491
+ "audit_evidence": "Patch deployment tickets showing kernel package updates within 30 days of CVE publication; quarterly compliance attestation signed by ops manager.",
492
+ "reality_test": "Cross-reference the patch tickets against KEV listing dates (not CVE publication dates). For each KEV-listed kernel CVE: was the patch deployed within (a) KEV due_date, (b) public-PoC publication + 72h, whichever is shorter? Compute the actual gap between weaponization and patch — anything > 72h on a KEV-listed kernel LPE with confirmed exploitation is theater.",
493
+ "theater_verdict_if_gap": "Org demonstrates SLA-compliant patching that nonetheless leaves KEV-listed kernel LPEs exploitable for weeks beyond practical weaponization. Either (a) shorten kernel-specific SLA to 72h for KEV-listed entries, (b) deploy live-patch coverage to close the gap without requiring reboot windows, OR (c) generate a defensible policy exception via policy-exception-gen acknowledging the residual risk + compensating controls."
494
+ },
495
+ "framework_gap_mapping": [
496
+ {
497
+ "finding_id": "kernel-lpe-detected",
498
+ "framework": "nist-800-53",
499
+ "claimed_control": "SI-2(2) — Flaw Remediation, Automated Flaw Remediation Status",
500
+ "actual_gap": "Control specifies process for tracking flaw remediation status, not tempo. No KEV-aware fast-path requirement. Permits 30-day SLA when 72h is the actual exploitation tempo.",
501
+ "required_control": "Add a KEV-fast-path control variant requiring KEV-listed flaws to be patched within max(KEV due_date, 72h post public-PoC). Live-patch deployment satisfies the variant without requiring reboot."
502
+ },
503
+ {
504
+ "finding_id": "kernel-lpe-detected",
505
+ "framework": "iso-27001-2022",
506
+ "claimed_control": "A.8.8 — Management of technical vulnerabilities",
507
+ "actual_gap": "Risk-based prioritization is left to the implementer. Without explicit RWEP/KEV referencing, defaults to CVSS-only — which under-scores deterministic kernel LPEs.",
508
+ "required_control": "Require RWEP or equivalent prioritization scheme that incorporates KEV + public-PoC + active-exploitation + AI-discovery as first-class signals beyond CVSS. Document a fast-path SLA for kernel CVEs with RWEP >= 90."
509
+ },
510
+ {
511
+ "finding_id": "kernel-lpe-detected",
512
+ "framework": "nis2",
513
+ "claimed_control": "Art.21(2)(c) — Policies and procedures for vulnerability handling and disclosure",
514
+ "actual_gap": "Specifies process not tempo. Permits patch handling that doesn't differentiate weaponized-in-hours kernel LPEs from theoretical issues.",
515
+ "required_control": "Mandate documented fast-path for vulnerabilities classified by RWEP >= 90 OR KEV-listed, with patching tempo aligned to weaponization tempo not framework SLA."
516
+ }
517
+ ],
518
+ "escalation_criteria": [
519
+ {
520
+ "condition": "rwep >= 90 AND patch_available == false",
521
+ "action": "page_on_call"
522
+ },
523
+ {
524
+ "condition": "rwep >= 90 AND patch_available == true AND livepatch_active == false AND reboot_window > 24h",
525
+ "action": "raise_severity"
526
+ },
527
+ {
528
+ "condition": "blast_radius_score >= 4",
529
+ "action": "trigger_playbook",
530
+ "target_playbook": "sbom"
531
+ },
532
+ {
533
+ "condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
534
+ "action": "notify_legal"
535
+ }
536
+ ]
537
+ },
538
+ "validate": {
539
+ "remediation_paths": [
540
+ {
541
+ "id": "live-patch-deploy",
542
+ "description": "Deploy vendor live-patch (kpatch / kgraft / canonical livepatch) covering the matched CVE. No reboot required.",
543
+ "preconditions": [
544
+ "livepatch_available_for_cve == true",
545
+ "host_supports_livepatch == true"
546
+ ],
547
+ "priority": 1,
548
+ "compensating_controls": [],
549
+ "estimated_time_hours": 1
550
+ },
551
+ {
552
+ "id": "scheduled-kernel-upgrade",
553
+ "description": "Schedule kernel package upgrade + reboot during next maintenance window.",
554
+ "preconditions": [
555
+ "vendor_patch_available == true",
556
+ "reboot_window_within_72h == true"
557
+ ],
558
+ "priority": 2,
559
+ "compensating_controls": [
560
+ "MAC_policy_tightened_until_reboot",
561
+ "ssh_access_restricted_to_admins_until_reboot"
562
+ ],
563
+ "estimated_time_hours": 4
564
+ },
565
+ {
566
+ "id": "hardening-compensation",
567
+ "description": "When reboot impossible within compliance window: tighten hardening flags (disable unpriv-userns, disable unpriv-bpf, set kptr_restrict=2, raise yama.ptrace_scope to 2) to break the exploit's primitive without patching.",
568
+ "preconditions": [
569
+ "matched_cve.vector matches userns|bpf|ptrace|kptr",
570
+ "ops_authorization_for_sysctl_changes == true"
571
+ ],
572
+ "priority": 3,
573
+ "compensating_controls": [
574
+ "sysctl_changes_recorded_in_change_management",
575
+ "exploit_replay_negative_test_passed"
576
+ ],
577
+ "estimated_time_hours": 2
578
+ },
579
+ {
580
+ "id": "policy-exception",
581
+ "description": "Generate an auditor-ready policy exception via policy-exception-gen documenting that all faster remediation paths are blocked, with compensating controls and time-bound risk acceptance.",
582
+ "preconditions": [
583
+ "remediation_paths[1..3] all blocked",
584
+ "ciso_acceptance_obtainable == true"
585
+ ],
586
+ "priority": 4,
587
+ "compensating_controls": [
588
+ "enhanced_logging_for_LPE_indicators",
589
+ "monthly_residual_risk_review"
590
+ ],
591
+ "estimated_time_hours": 8
592
+ }
593
+ ],
594
+ "validation_tests": [
595
+ {
596
+ "id": "uname-version-post-fix",
597
+ "test": "Run `uname -r` post-remediation. For scheduled-kernel-upgrade: confirm version now outside any matched-CVE affected_versions range.",
598
+ "expected_result": "Kernel release version outside catalogued affected_versions for all matched CVEs.",
599
+ "test_type": "functional"
600
+ },
601
+ {
602
+ "id": "livepatch-applied",
603
+ "test": "Run `kpatch list` (or `cat /sys/kernel/livepatch/*/cve-ids` if available). Confirm the matched CVE ID appears in the active live-patch set.",
604
+ "expected_result": "All previously-matched CVE IDs present in active live-patch list.",
605
+ "test_type": "functional"
606
+ },
607
+ {
608
+ "id": "hardening-primitive-broken",
609
+ "test": "For hardening-compensation path: verify the exploit's specific primitive is now unavailable. e.g. for unpriv-bpf-dependent CVE, run `sysctl kernel.unprivileged_bpf_disabled` — must return 1.",
610
+ "expected_result": "Primitive sysctl returns the hardened value; running the exploit's pre-flight check (without payload) returns EPERM.",
611
+ "test_type": "negative"
612
+ },
613
+ {
614
+ "id": "exploit-replay-negative",
615
+ "test": "Run a CVE-specific safe-mode exploit replay (no payload, no real privilege escalation; just the primitive-trigger step) in a sandbox copy of the production host config.",
616
+ "expected_result": "Primitive trigger fails; no EPRIV or EAGAIN signaling the exploit's first stage succeeded.",
617
+ "test_type": "exploit_replay"
618
+ },
619
+ {
620
+ "id": "no-regression-in-userns-bpf-userspace",
621
+ "test": "Run the host's standard container/test suite that exercises userns + bpf + ptrace pathways. Confirm legitimate workloads still function after hardening changes.",
622
+ "expected_result": "All tests pass; no regression in unprivileged userland that depends on the hardening flags' permissive values.",
623
+ "test_type": "regression"
624
+ }
625
+ ],
626
+ "residual_risk_statement": {
627
+ "risk": "Kernel LPE matched but not yet patched OR patched via hardening compensation rather than vendor patch.",
628
+ "why_remains": "Either (a) reboot window scheduled but not yet executed, (b) live-patch unavailable for this CVE on this kernel + distro combination, OR (c) hardening compensation broke the primitive but the underlying vulnerable code path is unmodified — a future, related CVE could re-expose the host via a different primitive.",
629
+ "acceptance_level": "ciso",
630
+ "compensating_controls_in_place": [
631
+ "MAC_policy_active",
632
+ "enhanced_LPE_indicator_logging",
633
+ "ssh_access_restricted_to_admins"
634
+ ]
635
+ },
636
+ "evidence_requirements": [
637
+ {
638
+ "evidence_type": "patch_record",
639
+ "description": "Kernel package upgrade ticket with timestamps showing decision, deployment, and validation. For live-patch path: kpatch load record.",
640
+ "retention_period": "7_years",
641
+ "framework_satisfied": [
642
+ "nist-800-53-SI-2",
643
+ "iso-27001-2022-A.8.8",
644
+ "soc2-cc7.1",
645
+ "nis2-art21-2c"
646
+ ]
647
+ },
648
+ {
649
+ "evidence_type": "exploit_replay_negative",
650
+ "description": "Sandbox replay of the CVE's primitive-trigger step showing it now fails post-remediation. Distinguishes patch_applied=true from actually_exploit_broken=true.",
651
+ "retention_period": "1_year",
652
+ "framework_satisfied": [
653
+ "soc2-cc7.1",
654
+ "iso-27001-2022-A.8.8"
655
+ ]
656
+ },
657
+ {
658
+ "evidence_type": "config_diff",
659
+ "description": "For hardening-compensation path: diff of sysctl values before and after remediation, plus the change-management approval reference.",
660
+ "retention_period": "audit_cycle",
661
+ "framework_satisfied": [
662
+ "nist-800-53-CM-3",
663
+ "iso-27001-2022-A.8.32"
664
+ ]
665
+ },
666
+ {
667
+ "evidence_type": "attestation",
668
+ "description": "Signed exceptd attestation file with evidence_hash, RWEP at detection, RWEP post-remediation, residual risk acceptance.",
669
+ "retention_period": "7_years",
670
+ "framework_satisfied": [
671
+ "nist-800-53-CA-7",
672
+ "iso-27001-2022-A.5.36",
673
+ "nis2-art21-2c"
674
+ ]
675
+ }
676
+ ],
677
+ "regression_trigger": [
678
+ {
679
+ "condition": "new_cve_in_class == true",
680
+ "interval": "on_event"
681
+ },
682
+ {
683
+ "condition": "kernel_upgrade == true",
684
+ "interval": "on_event"
685
+ },
686
+ {
687
+ "condition": "monthly",
688
+ "interval": "30d"
689
+ },
690
+ {
691
+ "condition": "post_major_deploy",
692
+ "interval": "on_event"
693
+ }
694
+ ]
695
+ },
696
+ "close": {
697
+ "evidence_package": {
698
+ "bundle_format": "csaf-2.0",
699
+ "contents": [
700
+ "all_validation_tests_passed",
701
+ "patch_records",
702
+ "exploit_replay_negative",
703
+ "residual_risk_statement",
704
+ "framework_gap_mapping",
705
+ "compliance_theater_verdict",
706
+ "attestation"
707
+ ],
708
+ "destination": "local_only",
709
+ "signed": true
710
+ },
711
+ "learning_loop": {
712
+ "enabled": true,
713
+ "lesson_template": {
714
+ "attack_vector": "Kernel LPE via $matched_cve_vector (e.g. page-cache CoW, unprivileged BPF, userns clone).",
715
+ "control_gap": "Patch-cadence-only control (SI-2 / A.8.8 / Art.21(2)(c)) did not catch the gap between weaponization (hours) and SLA-permitted patching (days). Compensating controls (live-patch, hardening) were not part of the control specification.",
716
+ "framework_gap": "NIST 800-53 + ISO 27001 + NIS2 vulnerability-handling controls specify process not tempo, and do not require KEV-aware fast-path. Frameworks lag real-world weaponization by ~28 days.",
717
+ "new_control_requirement": "Add a KEV-fast-path variant to vulnerability-handling controls: KEV-listed flaws must be patched within max(KEV due_date, 72h post public-PoC). Live-patch deployment satisfies the variant. Hardening-only compensation requires CISO-level risk acceptance and time-bound exception."
718
+ },
719
+ "feeds_back_to_skills": [
720
+ "kernel-lpe-triage",
721
+ "framework-gap-analysis",
722
+ "compliance-theater",
723
+ "zeroday-gap-learn"
724
+ ]
725
+ },
726
+ "notification_actions": [
727
+ {
728
+ "obligation_ref": "EU/NIS2 Art.23 24h",
729
+ "deadline": "computed_at_runtime",
730
+ "recipient": "internal_legal",
731
+ "evidence_attached": [
732
+ "affected_host_inventory",
733
+ "exploitation_status_assessment",
734
+ "interim_mitigation_record"
735
+ ],
736
+ "draft_notification": "Initial NIS2 Art.23 24-hour early-warning notification: Kernel LPE matched against catalogued CVE(s) ${matched_cve_ids} on ${affected_host_count} host(s). KEV-listed: ${kev_listed_count}. Active exploitation status: ${active_exploitation}. Interim mitigation in place: ${interim_mitigation}. Full incident assessment to follow within 72 hours per Art.23(4)."
737
+ },
738
+ {
739
+ "obligation_ref": "EU/DORA Art.19 4h",
740
+ "deadline": "computed_at_runtime",
741
+ "recipient": "internal_legal",
742
+ "evidence_attached": [
743
+ "initial_notification",
744
+ "ict_third_party_dependencies"
745
+ ],
746
+ "draft_notification": "DORA Art.19 initial notification: Major ICT-related incident — kernel LPE on financial-entity host(s). ${matched_cve_ids}. ICT third-party dependencies affected: ${ict_dependencies}. Full classification + impact assessment to follow within statutory windows."
747
+ }
748
+ ],
749
+ "exception_generation": {
750
+ "trigger_condition": "remediation_blocked == true OR (matched_cve.kev_due_date < remediation_eta AND livepatch_available == false)",
751
+ "exception_template": {
752
+ "scope": "Kernel LPE matched against ${matched_cve_ids} on ${affected_host_count} host(s); remediation paths 1-3 blocked.",
753
+ "duration": "until_vendor_patch",
754
+ "compensating_controls": [
755
+ "MAC_policy_active",
756
+ "sysctl_hardening_at_max",
757
+ "enhanced_LPE_indicator_logging",
758
+ "ssh_access_restricted_to_admins"
759
+ ],
760
+ "risk_acceptance_owner": "ciso",
761
+ "auditor_ready_language": "Pursuant to ${framework_id} ${control_id}, the organization documents a time-bound risk acceptance for kernel LPE ${matched_cve_ids} on ${affected_host_count} host(s). Vendor patch availability: ${patch_available_status}. Live-patch availability for this kernel+distro: ${livepatch_status}. Reboot window: ${reboot_window}. Compensating controls in place: ${compensating_controls}. Residual RWEP post-compensation: ${rwep_post_compensation}. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry}. Detection coverage for exploitation attempts during the exception window is provided by ${detection_controls}. The exception will be re-evaluated on (a) vendor patch publication, (b) the listed expiry date, OR (c) a new exploitation indicator firing — whichever is first."
762
+ }
763
+ },
764
+ "regression_schedule": {
765
+ "next_run": "computed_at_runtime",
766
+ "trigger": "both",
767
+ "notify_on_skip": true
768
+ }
769
+ }
770
+ },
771
+ "directives": [
772
+ {
773
+ "id": "all-catalogued-kernel-cves",
774
+ "title": "Match running kernel against every catalogued kernel/LPE CVE",
775
+ "applies_to": {
776
+ "always": true
777
+ }
778
+ },
779
+ {
780
+ "id": "copy-fail-specific",
781
+ "title": "Targeted investigation for CVE-2026-31431 'Copy Fail' (KEV, AI-discovered, deterministic)",
782
+ "applies_to": {
783
+ "cve": "CVE-2026-31431"
784
+ },
785
+ "phase_overrides": {
786
+ "direct": {
787
+ "rwep_threshold": {
788
+ "escalate": 80,
789
+ "monitor": 60,
790
+ "close": 30
791
+ }
792
+ }
793
+ }
794
+ }
795
+ ]
796
+ }