feat(v3): DNS live probe + config-hash baselines (Sprint 1 PR 1) #1

Merged
andre merged 3 commits from a1/sentinel-v3-dns-hash into main 2026-06-12 19:43:25 +00:00
Owner

Sprint 1 — PR 1: Ground Truth Layer

Änderungen

src/dns-dhcp-probe.js (neu)

  • resolveLive(hostname) — Forward-DNS via node:dns/promises, timeout-safe
  • reverseResolveLive(ip) — Reverse-DNS
  • checkDnsConsistency(hostname, ip) — Prüft ob Forward+Reverse übereinstimmen; gibt { consistent, delta, forward_ips, reverse_names, latency_ms } zurück
  • ENVs: DNS_SERVER, DNS_PROBE_ENABLED, DNS_PROBE_TIMEOUT_MS
  • Kein npm-Package nötig (node:dns built-in)

src/config-hash.js (neu)

  • Baseline-Speicherung für Config-File-Hashes (SHA256)
  • checkHash() — First-Run speichert Baseline, Folgeläufe vergleichen
  • Severity-aware: hosts_file / scheduled_tasks / sshd_config / authorized_keys = CRITICAL
  • approveHashChange() — Hash nach genehmigtem Change-Ticket aktualisieren

src/db.js

  • Neue Tabelle config_hash_baselines (additive Migration, UNIQUE asset_id+artifact)

src/snapshot-manager.js

  • DNS-Probe nach Source-Fetches; dns_live Source bei Mismatch
  • MOCK_SOURCES-Gate (kein DNS in Tests)

Tests

  • 28 neue Tests, 200 gesamt (alle grün)
  • CRA RFC-A921C3F0 APPROVED (Score 0)

ENVs (neu)

DNS_PROBE_ENABLED=true
DNS_SERVER=          # optional: IP des internen DNS-Servers
DNS_PROBE_TIMEOUT_MS=3000

Nächste PRs

  • PR 2: Source Trust Weighting
  • PR 3: NinjaOne Live PowerShell + SNMP Probing
  • PR 4: PSA Integration
## Sprint 1 — PR 1: Ground Truth Layer ### Änderungen **`src/dns-dhcp-probe.js`** (neu) - `resolveLive(hostname)` — Forward-DNS via `node:dns/promises`, timeout-safe - `reverseResolveLive(ip)` — Reverse-DNS - `checkDnsConsistency(hostname, ip)` — Prüft ob Forward+Reverse übereinstimmen; gibt `{ consistent, delta, forward_ips, reverse_names, latency_ms }` zurück - ENVs: `DNS_SERVER`, `DNS_PROBE_ENABLED`, `DNS_PROBE_TIMEOUT_MS` - Kein npm-Package nötig (node:dns built-in) **`src/config-hash.js`** (neu) - Baseline-Speicherung für Config-File-Hashes (SHA256) - `checkHash()` — First-Run speichert Baseline, Folgeläufe vergleichen - Severity-aware: `hosts_file` / `scheduled_tasks` / `sshd_config` / `authorized_keys` = CRITICAL - `approveHashChange()` — Hash nach genehmigtem Change-Ticket aktualisieren **`src/db.js`** - Neue Tabelle `config_hash_baselines` (additive Migration, UNIQUE asset_id+artifact) **`src/snapshot-manager.js`** - DNS-Probe nach Source-Fetches; `dns_live` Source bei Mismatch - MOCK_SOURCES-Gate (kein DNS in Tests) ### Tests - 28 neue Tests, 200 gesamt (alle grün) - CRA RFC-A921C3F0 APPROVED (Score 0) ### ENVs (neu) ``` DNS_PROBE_ENABLED=true DNS_SERVER= # optional: IP des internen DNS-Servers DNS_PROBE_TIMEOUT_MS=3000 ``` ### Nächste PRs - PR 2: Source Trust Weighting - PR 3: NinjaOne Live PowerShell + SNMP Probing - PR 4: PSA Integration
- src/dns-dhcp-probe.js: forward/reverse DNS consistency check via node:dns/promises, timeout-safe, DNS_SERVER/DNS_PROBE_ENABLED/DNS_PROBE_TIMEOUT_MS ENVs
- src/config-hash.js: config-file hash baseline storage + comparison, severity-aware (CRITICAL: hosts_file/scheduled_tasks/sshd_config/authorized_keys), approveHashChange für post-Change-Ticket Update
- src/db.js: config_hash_baselines Tabelle (additive Migration, UNIQUE asset_id+artifact)
- src/snapshot-manager.js: DNS-Probe nach Source-Fetch, dns_live Source bei Mismatch, MOCK_SOURCES-Gate
- 28 neue Tests (200 gesamt), CRA RFC-A921C3F0 APPROVED

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: apply ultra-review fixes — dns-dhcp-probe refactor, config-hash null guard, integrity-validator dns_live exclusion
Some checks failed
CI / test (pull_request) Failing after 604h57m44s
CI / test (push) Failing after 604h57m44s
bd4fb6af87
- dns-dhcp-probe: extract dnsQuery helper eliminating copy-paste; TIMEOUT_MS read per-call with NaN guard; setServers inside try/catch; clearTimeout in finally; MOCK_SOURCES guard in checkDnsConsistency
- config-hash: null/undefined guard on hashSha256 in setBaseline (TypeError on bad input)
- integrity-validator: skip dns_live source rows in both Mode A + Mode B snapshot checks (prevents diagnostic rows poisoning foundInOwn / foundInOwnSnapshot)
- snapshot-manager: remove ip field from dns_live snapshot; simplify probe guard (checkDnsConsistency owns MOCK_SOURCES+DNS_PROBE_ENABLED); skip store if forward_ips empty
- tests: fix timeout test with fake timers; add MOCK_SOURCES coverage; add null-hash guard tests

CRA RFC-B785DE44 APPROVED (score 5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docs: commit v3 Sprint 1 specs + roadmap (previously untracked)
Some checks failed
CI / test (pull_request) Failing after 604h52m32s
CI / test (push) Failing after 604h52m32s
14f04f4846
Specs: impl-sprint1-direct-observation (IST-Stand nach Ultra-Review-Fixes),
impl-sprint1-psa-integration, impl-sprint1-source-trust,
sentinel-v3-direct-observation, sentinel-v3-ground-truth-engine,
sentinel-v3-msp-scale-roadmap, roadmap.html, prerequisites.html

CRA RFC-436244CA APPROVED (score 0)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
andre merged commit 5c57f65fa1 into main 2026-06-12 19:43:25 +00:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
andre/ticketflow-sentinel!1
No description provided.