System Inventory
Purpose
Provide a structured and operational view of all technical systems deployed in Scheol Security Lab.
This inventory reflects the actual implementation state of the environment and complements the asset model by mapping concrete systems to:
- infrastructure and platform assets
- exposure levels and trust zones
- associated risks and controls
Scope
The inventory covers both:
- Hell (on-premise infrastructure)
- Heaven (external / VPS infrastructure)
Each system is described with its role, exposure level and sensitivity.
Hell - On-Premise Infrastructure
Core Infrastructure
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Hypervisor (Proxmox) | Physical | Virtualization host | Internal | Critical | Active |
| Firewall / IDS (OPNsense) | VM | Network filtering, VLAN segmentation, intrusion detection | Edge | Critical | Active |
Related Risks - Hypervisor
- R-001 - Service co-location and weak isolation risk
- R-004 - Backup integrity or availability failure
Related Risks - Firewall / IDS
- R-002 - Network misconfiguration exposing internal services
- R-008 - Logging and detection blind spots
Administrative Layer
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Bastion | VM | Controlled administrative access (SSH jump host) | Restricted | Critical | Planned |
| Admin Workstation | VM | Dedicated administration environment | Internal | High | Planned |
Related Risks - Bastion
- R-003 - Compromise of administrative access path
- R-005 - Credential theft and privilege escalation
Identity & Core Services
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Domain Controller (AD/LDAP) | VM | Identity management, authentication, DNS | Internal | Critical | Planned |
| DNS Filtering | CT | Secure name resolution, threat filtering | Internal | High | Planned |
Related Risks - Domain Controller
- R-006 - Identity system compromise (AD/LDAP)
- R-005 - Credential theft and privilege escalation
Operations & Support Services
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Backup Platform | CT | Backup and restore operations | Internal | Critical | Planned |
| Ansible Control Node | VM | Configuration management and automation | Internal | High | Planned |
| Gitea (internal) | VM | Source code management | Internal | High | Planned |
| Gitea Runner | CT | CI/CD execution environment | Internal | Medium | Planned |
Related Risks - Backup Platform
- R-004 - Backup integrity or availability failure
Related Risks - Gitea
- R-009 - CI/CD pipeline compromise
- R-005 - Credential theft and privilege escalation
Application & Delivery Layer
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Reverse Proxy | CT | TLS termination, routing, access control | Internal / Edge | High | Planned |
| Static Web Server | CT | Documentation and static content hosting | Internal | Low | Planned |
| Dynamic App Server | VM | Application hosting (web apps, APIs, DB) | Internal | High | Planned |
Security & Monitoring
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Wazuh | VM | SIEM, detection, FIM | Internal | High | Planned |
| TheHive + Cortex | VM | Incident response and analysis | Internal | High | Planned |
| Velociraptor | CT | Endpoint forensics and threat hunting | Internal | High | Planned |
| Monitoring Stack | CT | Health monitoring and alerting | Internal | Medium | Planned |
| Honeypot | VM | Threat observation and deception | Isolated | Medium | Planned |
Related Risks - Wazuh
- R-008 - Logging and detection blind spots
Storage Layer
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| NAS | Physical | Backup storage and archives | Internal | Critical | Planned |
Heaven - External Infrastructure
VPS-01 - Public Services Platform
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Reverse Proxy (Nginx) | Service | Entry point for HTTP/HTTPS traffic | Internet | High | Active |
| Documentation Sites (Docusaurus) | Service | Public documentation hosting | Internet | Low | Active |
| Gitea | Service | Source code management | Internet | High | Active |
Related Risks - VPS-01
- R-001 - Service co-location and weak isolation risk
- R-009 - CI/CD pipeline compromise
- R-005 - Credential theft and privilege escalation
Notes
- Mixed exposure: public content + sensitive service (Gitea)
- Current co-location introduces lateral movement risk
- CI/CD pipelines trigger deployments from this system
VPS-02 - Business Application (Dolibarr)
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Nginx | Service | Web server | Internet | High | Active |
| Dolibarr (PHP-FPM) | Service | ERP / business application | Internet | Critical | Active |
| MariaDB | Service | Application database | Local / Private | Critical | Active |
Related Risks - VPS-02
- R-007 - Web application compromise (RCE / SQLi)
- R-010 - Data exfiltration from business applications
- R-001 - Service co-location and weak isolation risk
Notes
- Single-host architecture (app + DB)
- No advanced network isolation at this stage
- Sensitive data concentration (clients, financial data)
Cross-Environment Relationships
Key interactions between systems include:
- Log forwarding: Heaven → Hell (planned via Wazuh)
- Administrative access: Admin workstation → Bastion → Targets
- CI/CD flows: Gitea → runners → deployment targets
- Backup flows: Systems → backup platform (Hell)
These relationships are further detailed in:
- Architecture Views
- Risk Scenarios
- Control Mapping
Relationship with Asset Model
Each system documented here maps to:
- Infrastructure assets (compute, network, storage)
- Platform assets (identity, monitoring, automation)
- Information assets (logs, credentials, configurations, data)
This mapping supports:
- risk scenario construction
- control definition
- monitoring and validation strategies
Current Maturity
At the current stage, the system inventory is considered partially established.
Established
- clear identification of core infrastructure components (Hell / Heaven)
- initial classification of systems by role, exposure and sensitivity
- documentation of key externally exposed services
- high-level mapping of critical dependencies
In Progress
- deployment of planned internal services
- refinement of exposure levels and trust boundaries
- stronger linkage with asset catalogue and risk scenarios
- improved consistency across all system descriptions
Planned / Next Phase
- full alignment between system inventory and asset model
- integration with monitoring and control validation
- automated or version-controlled inventory updates
- improved traceability between systems, risks and controls
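As an added example of what "version-controlled inventory updates" and "traceability between systems, risks and controls" can look like in practice, the Python script below parses an inventory kept in the same markdown shape as this page and reports systems whose mapping is incomplete. It is not part of the lab's own tooling. It assumes the table header, the `Related Risks - <System>` blocks and the `- R-NNN - <title>` items exactly as written on this page, and it assumes that a bare `Related Risks` heading applies to every system of the preceding table; the treatment of `Internet` and `Edge` as the exposed zones is also an assumption. The embedded inventory is a constructed excerpt, not the lab's full inventory.

```python
"""Consistency checks over a markdown system inventory (added example, not lab tooling).

Assumed format: each '| System | Type | Role | Exposure | Sensitivity | Status |' table
is followed by 'Related Risks - <System>' blocks (or a bare 'Related Risks' block that
applies to the whole preceding table) listing '- R-NNN - <title>' items.
"""
import re
from dataclasses import dataclass, field

TABLE_HEADER = "| System | Type | Role | Exposure | Sensitivity | Status |"
RISK_LINE = re.compile(r"^- (R-\d{3}) - (.+)$")
EXPOSED_ZONES = {"Internet", "Edge"}  # assumption: zones reachable from outside the trust boundary

# Constructed excerpt in the page's format; values are illustrative only.
SAMPLE_INVENTORY = """\
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Firewall / IDS (OPNsense) | VM | Network filtering, intrusion detection | Edge | Critical | Active |
| Reverse Proxy | CT | TLS termination, routing | Internal / Edge | High | Planned |
| Bastion | VM | SSH jump host | Restricted | Critical | Planned |
Related Risks - Firewall / IDS
- R-002 - Network misconfiguration exposing internal services
- R-008 - Logging and detection blind spots
Related Risks - Bastion
- R-003 - Compromise of administrative access path
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Reverse Proxy (Nginx) | Service | Entry point for HTTP/HTTPS traffic | Internet | High | Active |
| Gitea | Service | Source code management | Internet | High | Active |
Related Risks
- R-009 - CI/CD pipeline compromise
- R-005 - Credential theft and privilege escalation
| System | Type | Role | Exposure | Sensitivity | Status |
|---|---|---|---|---|---|
| Dolibarr (PHP-FPM) | Service | ERP / business application | Internet | Critical | Active |
| MariaDB | Service | Application database | Local / Private | Critical | Active |
"""


@dataclass
class System:
    name: str
    kind: str
    role: str
    exposure: str
    sensitivity: str
    status: str
    risks: list = field(default_factory=list)

    def zones(self):
        # 'Internal / Edge' style cells name several zones at once
        return {z.strip() for z in self.exposure.split("/")}


def parse_inventory(text):
    """Return (systems, {risk_id: set(titles)}) from inventory markdown."""
    systems, risk_titles = [], {}
    current_table = []  # systems of the most recently parsed table
    targets = []        # systems the current Related Risks block applies to
    for raw in text.splitlines():
        line = raw.strip()
        if line == TABLE_HEADER:
            current_table, targets = [], []
        elif line.startswith("|---"):
            continue  # markdown separator row
        elif line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) != 6:
                raise ValueError(f"malformed inventory row: {raw!r}")
            system = System(*cells)
            systems.append(system)
            current_table.append(system)
        elif line.startswith("Related Risks"):
            qualifier = line.partition(" - ")[2].strip()
            targets = ([s for s in current_table if s.name.startswith(qualifier)]
                       if qualifier else list(current_table))
        else:
            match = RISK_LINE.match(line)
            if match and targets:
                risk_id, title = match.groups()
                risk_titles.setdefault(risk_id, set()).add(title)
                for s in targets:
                    if risk_id not in s.risks:
                        s.risks.append(risk_id)
    return systems, risk_titles


def check_inventory(systems, risk_titles):
    """Return (level, subject, message) findings about traceability gaps."""
    findings = []
    for s in systems:
        zones = s.zones()
        if zones & EXPOSED_ZONES and not s.risks:
            # an exposed system with no mapped risk is a gap; worse if already running
            level = "ERROR" if s.status == "Active" else "WARN"
            findings.append((level, s.name, f"exposed ({s.exposure}) but no related risk mapped"))
        if "Internet" in zones and s.sensitivity == "Critical":
            findings.append(("INFO", s.name, "Critical-sensitivity system directly reachable from the Internet"))
    for risk_id, titles in risk_titles.items():
        if len(titles) > 1:  # same ID reused with different wording breaks traceability
            findings.append(("ERROR", risk_id, "risk ID used with inconsistent titles: " + " | ".join(sorted(titles))))
    return findings


def run_checks(text):
    return check_inventory(*parse_inventory(text))


if __name__ == "__main__":
    for level, subject, message in run_checks(SAMPLE_INVENTORY):
        print(f"[{level}] {subject}: {message}")
```

Run against the real inventory file in CI (for example as a Gitea Runner job) so that a table row added without a matching risk block fails the pipeline instead of silently widening the gap between the inventory and the risk scenarios.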
This inventory is expected to evolve alongside the infrastructure and its security maturity.