# Assets Inventory Index

## Purpose

This page provides a canonical and structured inventory of all assets within the Scheol Security Lab.
It is used to:
- maintain a consistent view of the environment
- support risk modeling and scenario construction
- ensure traceability across risks, controls, validation and evidence
- reflect the actual and planned state of the lab
Each asset is documented individually and serves as a reference point across the documentation.
## Structure Overview

Assets are organized using the following dimensions:
- Asset Type (Business / Infrastructure / Platform / Information)
- Trust Zone (Hell / Heaven / Hybrid)
- Status (Active / Planned / Transitional)
- Exposure Level (Internal / Restricted / Public / Isolated)
- Sensitivity (Low / Medium / High / Critical)
## Business Assets

| Asset ID | Name | Status | Description | Link |
|---|---|---|---|---|
| A-001 | Administrative Access | Planned | Secure and controlled administrative access to systems and infrastructure | View |
| A-002 | Identity & Access Management | Planned | Authentication, identity management and access control mechanisms | View |
| A-003 | Network Security & Segmentation | Active | Network filtering, segmentation and exposure control across environments | View |
| A-004 | Infrastructure Hosting | Active | Underlying compute, virtualization and hosting environments (Hell & Heaven) | View |
| A-005 | Application Security | Active | Security of exposed applications, services and data processing layers | View |
| A-006 | Monitoring & Detection | Planned | Security visibility, logging and detection of abnormal activity | View |
| A-007 | Backup & Recovery | Planned | Data protection, backup and restoration capabilities | View |
| A-008 | Incident Response Capability | Planned | Detection, analysis and response to security incidents | View |
| A-009 | Documentation & Governance | Active | Documentation structure, traceability and security reasoning support | View |
## Infrastructure Assets

| Asset ID | Name | Zone | Type | Status | Exposure | Sensitivity | Role | Link |
|---|---|---|---|---|---|---|---|---|
| A-020 | Hypervisor | Hell | Physical | Active | Internal | Critical | Virtualization host | View |
| A-021 | Firewall / IDS | Hell | VM | Active | Restricted | Critical | Network segmentation & filtering | View |
| A-022 | Bastion | Hell | VM | Planned | Restricted | Critical | Secure administrative access | |
| A-023 | Admin Workstation | Hell | VM | Planned | Internal | High | Administrative operations | |
| A-024 | Domain Controller (AD/LDAP) | Hell | VM | Planned | Internal | Critical | Identity management | |
| A-025 | DNS Filtering | Hell | CT | Planned | Internal | High | DNS security and filtering | |
| A-026 | Backup System | Hell | CT | Planned | Internal | Critical | Backup management | |
| A-027 | NAS | Hell | Physical | Planned | Internal | Critical | Storage and cold backups | |
| A-028 | Internal Network Segmentation | Hell | Network | Active | Internal | High | VLAN segmentation | View |
| A-029 | Reverse Proxy | Hell | CT | Planned | Exposed | High | TLS termination & traffic routing | |
| A-030 | Static Web Server | Hell | CT | Planned | Exposed | Low | Static content hosting | |
| A-031 | Dynamic Web Server | Hell | VM | Planned | Exposed | High | Application hosting & backend logic | |
| A-032 | Ansible Control Node | Hell | VM | Planned | Internal | High | Automation & configuration management | |
| A-033 | Gitea Server | Hell | VM | Planned | Restricted | High | Source code management & CI/CD | |
| A-034 | Gitea Runner | Hell | CT | Planned | Internal | Medium | CI/CD job execution | |
| A-035 | Wazuh | Hell | VM | Planned | Internal | High | SIEM & threat detection | |
| A-036 | TheHive + Cortex | Hell | VM | Planned | Internal | High | Incident response & analysis | |
| A-037 | Velociraptor | Hell | CT | Planned | Internal | High | DFIR & endpoint visibility | |
| A-038 | Monitoring Stack | Hell | CT | Planned | Internal | Medium | System monitoring & alerting | |
| A-039 | Honeypot | Hell | VM | Planned | Exposed (isolated) | Medium | Threat deception & analysis | |
| A-050 | VPS-01 Public Hosting | Heaven | VPS | Active (Transitional) | Public | High | Mixed hosting (Gitea + web + proxy) | View |
| A-051 | VPS-02 Business Application | Heaven | VPS | Active (Transitional) | Public | Critical | ERP hosting (Dolibarr + DB) | View |
## Platform Assets

| Asset ID | Name | Zone | Status | Exposure | Sensitivity | Role | Link |
|---|---|---|---|---|---|---|---|
| A-060 | Gitea (Internal) | Hell | Planned | Internal | High | SCM & CI/CD | |
| A-061 | Gitea (VPS-01) | Heaven | Transitional | Public | High | SCM exposed | View |
| A-062 | Reverse Proxy (VPS-01) | Heaven | Transitional | Public | High | Traffic routing & TLS | View |
| A-063 | Documentation Site | Heaven | Active | Public | Low | Public documentation | View |
| A-064 | Dolibarr | Heaven | Transitional | Public | Critical | Business application | View |
| A-065 | Database (MariaDB - VPS-02) | Heaven | Transitional | Restricted | Critical | Data storage | View |
| A-066 | Wazuh (SIEM) | Hybrid | Planned | Internal | High | Detection & logging | View |
| A-067 | TheHive / Cortex | Hell | Planned | Internal | High | Incident response | |
| A-068 | Velociraptor | Hell | Planned | Internal | High | DFIR / Threat hunting | |
| A-069 | Monitoring Stack | Hell | Planned | Internal | Medium | Observability | |
| A-070 | Honeypot | Hell | Planned | Isolated | Medium | Threat analysis | |
| A-071 | Ansible Control Node | Hell | Planned | Internal | High | Automation | |
| A-072 | Gitea Runner | Hell | Planned | Internal | Medium | CI/CD execution | |
| A-073 | Internal Reverse Proxy | Hell | Planned | Restricted | High | Internal routing | |
| A-074 | Static Web Server | Hell | Planned | Internal | Low | Static hosting | |
| A-075 | Dynamic Web Server | Hell | Planned | Internal | High | Application hosting | |

## Information Assets

| Asset ID | Name | Sensitivity | Exposure | Description | Link |
|---|---|---|---|---|---|
| A-090 | Credentials & Secrets | Critical | Internal | SSH keys, passwords, tokens | View |
| A-091 | Configuration Data | High | Internal | System and service configurations | View |
| A-092 | Backup Data | Critical | Internal | Backup archives and snapshots | |
| A-093 | Log Data | Medium / High | Internal | Security and system logs | View |
| A-094 | Business Data (Dolibarr) | Critical | Restricted | Customer and financial data | View |
## Key Observations

- Heaven assets are intentionally exposed and transitional
- Hell assets represent the target secure architecture
- Several critical capabilities (IAM, SIEM, Bastion) are not yet deployed
- Current posture includes known and accepted risk exposure
## Governance Rules

- All assets must be registered here before being used in:
- Each asset should be linked to:
  - at least one scenario
  - one or more risk entries
  - relevant controls
## Current Status

### Established

- Core infrastructure (Hypervisor, Firewall, VPS)
- Public exposure model (Heaven)
- Documentation platform
### In Progress

- Internal architecture deployment (Hell)
- Identity, monitoring and backup capabilities
- Asset-to-risk traceability
### Planned

- Full SOC stack (Wazuh, TheHive, Velociraptor)
- Secure administrative model (Bastion, IAM)
- Improved isolation and segmentation
## Strategic Note

The current architecture reflects a controlled transitional state:
- exposure is intentional and documented
- risks are identified and tracked
- target architecture is defined but not fully implemented
This approach supports both:
- realistic risk modeling
- progressive security maturity