Add SOC2/ISO 27001 compliance documentation suite: - incident-response.md: P1-P4 severity, 5-phase response, templates - access-control-policy.md: RBAC governance, provisioning/revocation - readiness-checklist.md: Self-assessment for all SOC2 TSC criteria - change-management.md: Standard/normal/emergency change workflows - vulnerability-disclosure.md: Safe harbor, reporting channels - security-metrics.md: KPIs, Prometheus alerts, Grafana dashboard - index.md: Navigation hub with control mapping Documents reference existing technical controls (audit-log.ts, rbac.ts) and provide practical audit log queries and alerting configurations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
399 lines
11 KiB
Markdown
399 lines
11 KiB
Markdown
---
|
|
title: Incident Response Procedure
|
|
summary: Security incident detection, classification, response, and recovery procedures for Clawdbot deployments.
|
|
permalink: /compliance/incident-response/
|
|
---
|
|
|
|
# Incident Response Procedure
|
|
|
|
This document defines the procedures for detecting, classifying, responding to, and recovering from security incidents in Clawdbot deployments.
|
|
|
|
## Scope
|
|
|
|
This procedure applies to:
|
|
- Unauthorized access attempts to the Clawdbot gateway
|
|
- Compromise of messaging channel credentials
|
|
- Malicious command execution via connected channels
|
|
- Data exfiltration or unauthorized data access
|
|
- Denial of service attacks against the gateway
|
|
- Prompt injection attacks that bypass controls
|
|
|
|
## Incident Classification
|
|
|
|
### Severity Levels
|
|
|
|
| Severity | Code | Description | Response Time | Examples |
|
|
|----------|------|-------------|---------------|----------|
|
|
| Critical | P1 | Active compromise or data breach | Immediate (15 min) | Credential theft, unauthorized admin access, active data exfiltration |
|
|
| High | P2 | Attempted compromise or security control failure | 1 hour | Repeated auth failures from unknown sources, RBAC bypass, successful prompt injection |
|
|
| Medium | P3 | Policy violation or anomalous behavior | 4 hours | Elevated exec usage outside normal hours, unusual channel activity patterns |
|
|
| Low | P4 | Security event requiring review | 24 hours | Failed pairing attempts, rate limit triggers, configuration warnings |
|
|
|
|
### Classification Criteria
|
|
|
|
Use these indicators to classify incidents:
|
|
|
|
**P1 (Critical)**
|
|
- Evidence of successful unauthorized access
|
|
- Credentials confirmed compromised
|
|
- Active malicious command execution
|
|
- Data confirmed exfiltrated
|
|
- Gateway integrity compromised
|
|
|
|
**P2 (High)**
|
|
- Multiple failed authentication attempts from single source
|
|
- Blocked malicious commands attempted
|
|
- Prompt injection detected with high confidence
|
|
- Security control bypassed but no confirmed impact
|
|
- Unauthorized configuration changes attempted
|
|
|
|
**P3 (Medium)**
|
|
- Single failed authentication from unknown source
|
|
- Elevated command execution outside policy
|
|
- Rate limit exceeded repeatedly
|
|
- Security audit findings unresolved
|
|
|
|
**P4 (Low)**
|
|
- Pairing request from unknown device
|
|
- Informational security warnings
|
|
- Minor policy deviations
|
|
|
|
## Detection
|
|
|
|
### Audit Log Monitoring
|
|
|
|
Security events are logged to `~/.clawdbot/audit.jsonl`. Monitor these event types:
|
|
|
|
| Event Type | Severity Indicator | Description |
|
|
|------------|-------------------|-------------|
|
|
| `auth.failure` | P2/P3 | Failed authentication attempt |
|
|
| `rbac.denied` | P3 | Permission check failed |
|
|
| `exec.reject` | P3 | Command blocked by policy |
|
|
| `pairing.reject` | P4 | Pairing request denied |
|
|
| `config.change` | P3/P4 | Configuration modified |
|
|
|
|
**Detection Query Examples**
|
|
|
|
```bash
|
|
# Find failed authentication attempts in last hour
|
|
cat ~/.clawdbot/audit.jsonl | jq -c 'select(.type == "auth.failure" and .ts > (now - 3600 | todate))'
|
|
|
|
# Find RBAC denials by actor
|
|
cat ~/.clawdbot/audit.jsonl | jq -c 'select(.type == "rbac.denied")' | jq -s 'group_by(.actor.id) | map({actor: .[0].actor.id, count: length})'
|
|
|
|
# Find command rejections
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "exec.reject")'
|
|
|
|
# Correlate events by trace ID
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.traceId == "TRACE_ID_HERE")'
|
|
```
|
|
|
|
### Prometheus Alerts
|
|
|
|
Configure these alerts for automated detection (see [Observability Guide](/enterprise/observability#alerting)):
|
|
|
|
```yaml
|
|
groups:
|
|
- name: clawdbot-security
|
|
rules:
|
|
# P2: High rate of authentication failures
|
|
- alert: HighAuthFailureRate
|
|
expr: increase(clawdbot_auth_failure_total[5m]) > 10
|
|
for: 1m
|
|
labels:
|
|
severity: high
|
|
incident_type: auth_failure
|
|
annotations:
|
|
summary: "High authentication failure rate detected"
|
|
runbook: "Check audit logs for auth.failure events"
|
|
|
|
# P2: RBAC denials spike
|
|
- alert: RbacDenialSpike
|
|
expr: increase(clawdbot_rbac_denied_total[5m]) > 5
|
|
for: 1m
|
|
labels:
|
|
severity: high
|
|
incident_type: rbac_denial
|
|
annotations:
|
|
summary: "Unusual RBAC denial rate"
|
|
|
|
# P3: Rate limiting activated
|
|
- alert: RateLimitExceeded
|
|
expr: clawdbot_rate_limit_exceeded_total > 0
|
|
for: 5m
|
|
labels:
|
|
severity: medium
|
|
incident_type: rate_limit
|
|
annotations:
|
|
summary: "Rate limiting is actively blocking requests"
|
|
```
|
|
|
|
### Manual Detection Indicators
|
|
|
|
Watch for these patterns:
|
|
- Unexpected gateway restarts
|
|
- New devices in pairing store
|
|
- Configuration file modifications
|
|
- Unusual message patterns in connected channels
|
|
- Performance degradation
|
|
|
|
## Response Phases
|
|
|
|
### Phase 1: Triage (P1: 15 min, P2: 30 min, P3: 2 hr, P4: 24 hr)
|
|
|
|
**Objectives**: Confirm incident, assess scope, assign severity
|
|
|
|
1. **Verify the alert**
|
|
```bash
|
|
# Check recent audit events
|
|
tail -100 ~/.clawdbot/audit.jsonl | jq -c 'select(.outcome == "failure" or .outcome == "denied")'
|
|
|
|
# Check gateway status
|
|
clawdbot status --all
|
|
|
|
# Run security audit
|
|
clawdbot security audit --deep
|
|
```
|
|
|
|
2. **Identify affected components**
|
|
- Which channels are involved?
|
|
- Which users/actors are affected?
|
|
- What data or functionality is at risk?
|
|
|
|
3. **Assign severity** using classification criteria above
|
|
|
|
4. **Document initial findings** in incident record (see template below)
|
|
|
|
5. **Notify stakeholders** per escalation matrix
|
|
|
|
### Phase 2: Containment (P1: 30 min, P2: 2 hr, P3: 8 hr)
|
|
|
|
**Objectives**: Stop active threat, prevent further damage
|
|
|
|
**Immediate containment actions by incident type:**
|
|
|
|
**Unauthorized Access**
|
|
```bash
|
|
# Rotate gateway authentication token
|
|
clawdbot config set gateway.auth.token "$(openssl rand -base64 32)"
|
|
|
|
# Restart gateway to force reconnection
|
|
clawdbot gateway stop && clawdbot gateway run
|
|
|
|
# Revoke specific device pairing
|
|
clawdbot pairing revoke --device-id DEVICE_ID
|
|
```
|
|
|
|
**Compromised Channel Credentials**
|
|
```bash
|
|
# Disable affected channel
|
|
clawdbot config set channels.CHANNEL.enabled false
|
|
|
|
# Rotate channel credentials
|
|
# (Provider-specific: regenerate bot token in provider dashboard)
|
|
clawdbot config set channels.CHANNEL.token "NEW_TOKEN"
|
|
```
|
|
|
|
**Malicious Command Execution**
|
|
```bash
|
|
# Enable strict approval mode
|
|
clawdbot config set approvals.exec.enabled true
|
|
clawdbot config set approvals.exec.requireApproval '["elevated","destructive"]'
|
|
|
|
# Restrict user permissions via RBAC
|
|
clawdbot config set rbac.assignments.SENDER_ID "viewer"
|
|
```
|
|
|
|
**Prompt Injection Attack**
|
|
```bash
|
|
# Block specific sender
|
|
clawdbot pairing revoke --channel CHANNEL --sender SENDER_ID
|
|
|
|
# Enable stricter input validation
|
|
clawdbot config set security.promptInjection.mode "strict"
|
|
```
|
|
|
|
### Phase 3: Eradication (P1: 2 hr, P2: 24 hr, P3: 72 hr)
|
|
|
|
**Objectives**: Remove threat, identify root cause
|
|
|
|
1. **Analyze attack vector**
|
|
```bash
|
|
# Export relevant audit logs
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.ts >= "START_TIME" and .ts <= "END_TIME")' > incident-logs.json
|
|
|
|
# Trace full attack path using trace IDs
|
|
cat incident-logs.json | jq -s 'group_by(.traceId) | .[]'
|
|
```
|
|
|
|
2. **Identify root cause**
|
|
- Misconfiguration?
|
|
- Credential exposure?
|
|
- Software vulnerability?
|
|
- Social engineering?
|
|
|
|
3. **Remove malicious artifacts**
|
|
- Clear compromised sessions: `clawdbot session clear --agent AGENT_ID`
|
|
- Remove unauthorized pairings: `clawdbot pairing list && clawdbot pairing revoke`
|
|
- Reset modified configurations
|
|
|
|
4. **Patch vulnerabilities**
|
|
- Update Clawdbot if applicable: `clawdbot update`
|
|
- Apply configuration hardening per security audit recommendations
|
|
|
|
### Phase 4: Recovery (P1: 4 hr, P2: 48 hr, P3: 1 week)
|
|
|
|
**Objectives**: Restore normal operations, verify security
|
|
|
|
1. **Verify clean state**
|
|
```bash
|
|
# Run full security audit
|
|
clawdbot security audit --deep
|
|
|
|
# Verify no critical findings
|
|
clawdbot security audit --summary
|
|
```
|
|
|
|
2. **Restore services gradually**
|
|
- Re-enable channels one at a time
|
|
- Monitor for anomalies after each restoration
|
|
- Verify authorized users can access
|
|
|
|
3. **Confirm recovery**
|
|
- All channels operational
|
|
- Authentication working
|
|
- No security audit warnings
|
|
- Normal message processing
|
|
|
|
4. **Update monitoring**
|
|
- Add new detection rules if needed
|
|
- Adjust alert thresholds based on incident
|
|
|
|
### Phase 5: Post-Incident Review
|
|
|
|
**Objectives**: Document lessons learned, improve procedures
|
|
|
|
Conduct review within 5 business days of incident closure.
|
|
|
|
**Review agenda:**
|
|
1. Incident timeline reconstruction
|
|
2. Detection effectiveness assessment
|
|
3. Response procedure evaluation
|
|
4. Root cause analysis
|
|
5. Improvement recommendations
|
|
|
|
## Incident Record Template
|
|
|
|
```markdown
|
|
# Incident Record: [INC-YYYY-NNN]
|
|
|
|
## Summary
|
|
- **Severity**: P1/P2/P3/P4
|
|
- **Status**: Open/Contained/Eradicated/Recovered/Closed
|
|
- **Detected**: YYYY-MM-DD HH:MM UTC
|
|
- **Resolved**: YYYY-MM-DD HH:MM UTC
|
|
- **Duration**: X hours
|
|
|
|
## Description
|
|
[Brief description of the incident]
|
|
|
|
## Impact
|
|
- **Users affected**: N
|
|
- **Channels affected**: [list]
|
|
- **Data impact**: None/Exposed/Exfiltrated
|
|
- **Service impact**: None/Degraded/Unavailable
|
|
|
|
## Timeline
|
|
| Time (UTC) | Event | Actor |
|
|
|------------|-------|-------|
|
|
| HH:MM | Detection triggered | System |
|
|
| HH:MM | Triage started | [Name] |
|
|
| HH:MM | Containment action taken | [Name] |
|
|
| HH:MM | Root cause identified | [Name] |
|
|
| HH:MM | Recovery complete | [Name] |
|
|
|
|
## Root Cause
|
|
[Description of what caused the incident]
|
|
|
|
## Actions Taken
|
|
1. [Containment action]
|
|
2. [Eradication action]
|
|
3. [Recovery action]
|
|
|
|
## Evidence
|
|
- Audit logs: [location]
|
|
- Screenshots: [location]
|
|
- Configuration snapshots: [location]
|
|
|
|
## Lessons Learned
|
|
[What worked, what did not, what to improve]
|
|
|
|
## Follow-up Actions
|
|
| Action | Owner | Due Date | Status |
|
|
|--------|-------|----------|--------|
|
|
| [Action item] | [Name] | YYYY-MM-DD | Open |
|
|
```
|
|
|
|
## Escalation Matrix
|
|
|
|
| Severity | Primary Contact | Secondary Contact | Executive Notification |
|
|
|----------|-----------------|-------------------|------------------------|
|
|
| P1 | On-call engineer | Security lead | Yes (within 1 hour) |
|
|
| P2 | On-call engineer | Security lead | Yes (within 4 hours) |
|
|
| P3 | Security team | - | No |
|
|
| P4 | Security team | - | No |
|
|
|
|
## Communication Templates
|
|
|
|
### Internal Notification (P1/P2)
|
|
|
|
```
|
|
Subject: [SECURITY INCIDENT] P[N] - [Brief description]
|
|
|
|
A security incident has been detected in the Clawdbot deployment.
|
|
|
|
Severity: P[N]
|
|
Status: [Triage/Containment/Eradication/Recovery]
|
|
Detected: [timestamp]
|
|
|
|
Impact:
|
|
- [Summary of impact]
|
|
|
|
Current Actions:
|
|
- [What is being done]
|
|
|
|
Next Update: [timestamp]
|
|
|
|
Incident Commander: [name]
|
|
```
|
|
|
|
### Status Update
|
|
|
|
```
|
|
Subject: [UPDATE] [INC-YYYY-NNN] - [Brief description]
|
|
|
|
Status: [Current status]
|
|
Update Time: [timestamp]
|
|
|
|
Progress since last update:
|
|
- [Actions completed]
|
|
|
|
Current focus:
|
|
- [What is being worked on]
|
|
|
|
Next update: [timestamp]
|
|
```
|
|
|
|
## Related Documentation
|
|
|
|
- [Threat Model](/security/threat-model) - Attack surface and mitigations
|
|
- [Security Hardening](/enterprise/security-hardening) - Security configuration
|
|
- [Observability Guide](/enterprise/observability) - Monitoring setup
|
|
- [Security Metrics](/compliance/security-metrics) - Incident KPIs
|
|
|
|
---
|
|
|
|
*Procedure owner: Security Team*
|
|
*Last reviewed: 2026-01-27*
|
|
*Next review: 2026-07-27*
|