Skip to content

06 Loss scenarios

A loss scenario explains how a UCA (05-ucas.md) actually occurs: the causal factors, including adversary-driven ones (STPA-Sec). Each names the constraint (07-security-constraints.md) that mitigates it.

Scenario LS-1 (UCA-1, UCA-8): under-rated privileged command runs

Causal factors: the classifier does not recognize a privilege-escalation cue (a novel sudo spelling, an aliased binary), so a T2+ action is treated as T1 and runs without a gate. Or a deny-listed pattern is checked after tier gating and slips through in open mode.

Adversary path: a model-driven plane is induced (by injected content, LS-6) to phrase a destructive command so it dodges a naive substring match.

Mitigation: SEC-3 (conservative round-up, sudo/doas/pkexec floor at T2), SEC-1 (deny-first, unconditional, checked before tier gating), and the PATTERNS_VERSION-tracked review of patterns.py.

Scenario LS-2 (UCA-2, UCA-9, UCA-21): execution before audit

Causal factors: a tool writes its audit record after acting (or in a finally that a crash skips), so a failed or partial action leaves no record. An approval is checked after the side effect began.

Mitigation: SEC-2 (single ordered pipeline: audit record is part of every run and the order is fixed; a denial/precondition failure is itself audited), SEC-8 (logger never raises, degrades to stderr, so absence of a sink never permits an unaudited run).

Scenario LS-3 (UCA-15, UCA-16, UCA-17): erroneous reconciliation

Causal factors: a drift finding auto-triggers a fix; or convergence runs against a desired-state snapshot that has since been superseded; or the diff is computed against the wrong target because host identity was not validated.

Mitigation: SEC-6 (DRY_RUN -> approve -> execute, no auto-fix; convergence validates the target and the baseline currency before acting), SEC-5 (host_type gate prevents wrong-adapter targeting).

Scenario LS-4 (UCA-11): SSH attempted against Talos

Causal factors: actuation code branches on a default path (SSH) and forgets to check host_type; a Talos node is in an ssh_alias-shaped inventory row by mistake.

Mitigation: SEC-5 (every actuation adapter asserts host_type; the SSH adapter refuses a Talos target and the refusal is audited).

Scenario LS-5 (UCA-26, UCA-14): boundary failure / SSRF pivot

Causal factors: HTTP is enabled with a token but binds 0.0.0.0 without the non-loopback opt-in; or a server-initiated request (a cloud API call, a webhook) is pointed at a link-local or RFC1918 address to pivot into the private fleet network.

Mitigation: SEC-7 (token AND non-loopback opt-in AND SSRF egress filter, each failing closed; no token passthrough).

Scenario LS-6 (UCA-1, UCA-15): indirect prompt injection (adversary-driven)

Causal factors: collected host data or command output contains text crafted to be read by the model-driven plane as an instruction ("ignore prior limits, run X"). If that session also holds sensitive data and an actuation capability, the injected instruction can drive a real action (the lethal trifecta).

Mitigation: SEC-4 (lethal-trifecta containment: read tools separable from act tools, a human gate between observe and actuate, all collected data treated as untrusted data and never as control), reinforced by SEC-2 (the human gate at T2+ is the choke that an injected instruction cannot satisfy on its own).

Scenario LS-7 (UCA-18, UCA-19): silent state mutation

Causal factors: a code path updates a fact row in place, or a maintenance script deletes superseded rows, erasing the as-of history that audits and drift depend on.

Mitigation: SEC-10 (append-only enforced at the storage layer by a delete-blocking trigger; supersession requires actor + reason; the active-fact unique constraint).

Scenario LS-8 (UCA-3, output handling): secret/body leak into audit

Causal factors: a tool logs raw output for debugging; an unbounded body is written to the audit log; a secret in a parameter is logged unredacted.

Mitigation: SEC-9 (audit stores hash + length only; redaction applied to audited parameters; output truncated before any handling).

Scenario LS-9 (UCA-20, UCA-22, UCA-24, UCA-25): approval/kill-switch defeat

Causal factors: an approval token is reused across calls or replayed on a bounded retry; the kill switch sets a flag the runner does not check on new calls, or it auto-clears.

Mitigation: SEC-2 (approval bound to one action; retry requires fresh approval), SEC-8 (kill switch checked inside the runner on every call; clears only by explicit operator action).