WRKLOG-2026-04-01
Summary
Wednesday. Critical work day. MSCHAPv2 migration surfaced in team meeting — leadership asking for netapi-driven endpoint reports with pandas graphs showing auth trends and next migration wave (Chromebooks + Wyse = ~2,000 of ~8,000 endpoints). Got Sentinel access in Azure, ran first KQL queries with Copilot — need to rapidly build proficiency since this is net-new for the team. Vocera/Wyse iTrack RCA still open — Cisco TAC found RabbitMQ CPU spike on primary MnT but no definitive root cause. Late-night session: Ollama API doc endpoints, reusable tracking partials, 471→0 build warning cleanup.
URGENT - All Domains
Carryover Backlog (CRITICAL)
| Task | Details | Origin | Days | Status |
|---|---|---|---|---|
| k3s NAT verification | NAT rule 170 for 10.42.0.0/16 pod network - test internet connectivity | 2026-03-09 | 29 | P0 - BLOCKING |
| Wazuh indexer recovery | Restart pod after NAT confirmed working - SIEM visibility blocked | 2026-03-09 | 29 | P0 - Blocked by k3s |
| Strongline Gateway VLAN fix | 8 devices in wrong identity group (David Rukiza assigned) | 2026-03-16 | 22 | P0 - TODO |
| Monad Pipeline Evaluation | Test pipeline creation, input sources, transforms (LEAD ROLE) | 2026-03-11 | 27 | P1 - TODO |
| Vocera EAP-TLS Supplicant Fix | ~10 phones failing 802.1X, missing supplicant config | 2026-03-12 | 26 | P1 - TODO |
| ISE MnT Messaging Service | Enable "Use ISE Messaging Service for UDP syslogs delivery" | 2026-03-12 | 26 | P2 - TODO |
| ISE Patch 9 upgrade | ISE 3.2 Patch 9 addresses known replication issues | 2026-03-12 | 26 | P2 - TODO |

NOTE: Professional backlog remains critical. Check Days column for priorities.
BLOCKERS — Fix Immediately
| Task | Details | Origin | Days | Impact |
|---|---|---|---|---|
| Z Fold 7 Termux | gopass and SSH not working | 2026-03-10 | 25 | BLOCKER — Cannot access passwords on mobile |
| gopass v3 organization | Inconsistent structure, poor key-value usage | 2026-03-20 | 15 | Inefficient password management, no aggregation |
URGENT - Requires Immediate Action
| Item | Details | Deadline | Status | Impact |
|---|---|---|---|---|
| Housing Search | Granada Hills area - apartments/rooms | TBD | In Progress | Quality of life, commute |
URGENT — Performance Review Deadline (June 1, 2026)
| Certification | Provider | Deadline | Status | Impact |
|---|---|---|---|---|
| CISSP | ISC² — Certified Information Systems Security Professional | June 1, 2026 | ACTIVE — Phase 0 (Project) | Required for performance review |
| RHCSA 9 | Red Hat Certified System Administrator | June 1, 2026 | ACTIVE — 21-phase curriculum (Project) | Required for performance review |

NOTE: 55 days remaining until June 1st deadline.
Early Morning - 5:30am
Regex Training (CRITICAL CARRYOVER)
- Session 3 - Character classes, word boundaries
- Practice drills from regex-mastery curriculum
- Status: 7 days carried over - DO THIS TODAY

NOTE: Regex training continues to slip. This is the foundation for all CLI mastery.
Work (CHLA)
NOTE: CHARGE TIME IN PEOPLESOFT - CRITICAL. Do this NOW before anything else.
Critical (P0)
| Project | Description | Owner | Status | Due | Blocker |
|---|---|---|---|---|---|
| Linux Research (Xianming Ding) | EAP-TLS for Linux workstations, dACL, UFW | Evan | BEHIND | 02-24 | Certificate "password required" - nmcli fix documented |
| iPSK Manager | Pre-shared key automation | Ben Castillo | BEHIND | — | DB replication issues |
| MSCHAPv2 Migration | Legacy auth deprecation | Evan | BEHIND | — | No progress on planning |
| Research Segmentation | All endpoints to Untrusted VLAN | Evan | BLOCKED | — | CISO decision pending |
High Priority (P1)
| Project | Description | Owner | Status | Target |
|---|---|---|---|---|
| ISE 3.4 Migration | Upgrade from 3.2p9 | Evan | Blocked | Q1 2026 |
| Switch Upgrades | IOS-XE fleet update (C9300, 3560CX) | Evan | Pending | Q1 2026 |
| Spikewell BYOD VPN | dACL SQL, AD group integration | Evan | Active | — |
| Strongline Gateway | MAC capture, Identity Group setup | Evan | Active | — |
| QRadar → Sentinel Migration | Full SIEM platform transition, Monad evaluation | Evan | Active | Q2 2026 |
Strategic (P2)
| Project | Description | Owner | Status |
|---|---|---|---|
| HHS Regulatory Compliance | New HHS security policies implementation | TBD | NOT STARTED |
| InfoSec Reporting Dashboard | PowerBI metrics for executives | TBD | NOT STARTED |
| EDR Migration (AMP → Defender) | Endpoint protection consolidation | TBD | NOT STARTED |
| Azure Legacy Migration | Modern landing zone | Team | In Progress |
| ChromeOS EAP-TLS | SCEP + Victor, Paul testing | Victor | In Progress |
Today’s Priorities
- P0 - MSCHAPv2 Migration: Run netapi endpoint report + pandas graph for team (URGENT — team meeting)
- P0 - Enterprise Linux 802.1X: Standardize Shahab/Ding deployment (CISO priority)
- P0 - Strongline Gateway VLAN fix (17 days - blocking Arin)
- P0 - k3s NAT verification (24 days - CRITICAL)
- P1 - Abnormal Security: ESA → API migration (Cisco→Microsoft shift)
- P1 - DMZ Migration: External services audit behind NetScaler
- P1 - Sentinel KQL: Build proficiency, distinguish from team
- P1 - Monad Pipeline Evaluation (22 days - lead role assigned)
- P1 - Vocera/Wyse iTrack RCA: Complete root cause report
- P1 - GCC ISE Support: 3/4 nodes restored, PSN-04 deferred (NE-Systems)
- P1 - Wazuh indexer recovery (blocked by NAT)
- P1 - Vocera EAP-TLS Supplicant Fix (21 days)
Service Requests (SR)
| SR# | Request | Requestor | Opened | Status |
|---|---|---|---|---|
| 3508542 | Zoll cards connection issue | TBD | TBD | TODO |
| 3508524 | Disable dot1x on (2) network ports - 5th floor 3250 Wilshire (PXE-boot imaging issues) | TBD | TBD | Follow-up: Issues persisted after disable - plan to test re-enable |
Incidents (INC)
| INC# | Priority | Description | Opened | SLA | Status |
|---|---|---|---|---|---|
| 1911859 | TBD | Strongline Gateways in Miscellaneous Subnet | TBD | TBD | TODO |
Change Requests - Emergency (ECAB)
| CR# | Description | Opened | Scheduled | Status |
|---|---|---|---|---|
| — | No emergency changes | — | — | — |
Change Requests - Normal
| CR# | Description | Opened | Scheduled | Status |
|---|---|---|---|---|
| — | No normal changes | — | — | — |
Change Requests - Scheduled/Standard
| CR# | Description | Opened | Window | Status |
|---|---|---|---|---|
| — | No scheduled changes | — | — | — |
Change Requests - Root Cause / Post-Incident
| CR# | Description | Related INC | Opened | Status |
|---|---|---|---|---|
| 100451 | Vocera Phones and Wyse devices went off network | TBD | TBD | TODO |
Session Accomplishments (Claude Code)
Session 1: Ollama API Documentation Endpoints (overnight Mar 31)
- Added 5 documentation endpoints to FastAPI service (`/docs/md-to-asciidoc`, `/docs/notes-to-doc`, `/docs/lint`, `/docs/session-to-worklog`, `/docs/summarize`)
- Total API: 17 endpoints across security, infrastructure, and documentation
- Committed to ollama-local repo
Session 2: domus-captures Build Cleanup (Mar 31 morning)
- Eliminated all 471 Antora build warnings/errors → 0 warnings
- Fixed pre-commit hook (was grepping wrong case, never caught warnings)
- Escaped curly braces in 36 regex/awk/vim/python files
- Fixed section headings in Python crash course ch14, ch19
- Commented out 60+ cross-component xrefs to unbuilt spoke repos
- Fixed broken tables, unterminated blocks, template nesting
- Added `person-evan`, `vault-01-ip`, `vault-01-hostname` to antora.yml
Session 3: Organization & Reusable Tracking System
- Created `TEMPLATE-rca.adoc` and `TEMPLATE-incident.adoc`
- Renamed `CHG-` prefix to `CR-` (standardization)
- Added orphaned Feb REF/PLAN files to nav
- Built 4 reusable table partials:
  - `tables/project-summary.adoc` — unified work + personal projects (tag-filtered by priority)
  - `tables/quarterly-roadmap.adoc` — Q2 2026 cross-domain roadmap
  - `tables/blocker-dashboard.adoc` — cross-domain blocker aggregation
  - `tables/itsm-summary.adoc` — SRs, INCs, CRs with counts
- Created `trackers/quarterly-q2-2026.adoc` dashboard page
- Updated master-index.adoc with usage guide
Work Priorities (CHLA)
P0: MSCHAPv2 to EAP-TLS Migration (CRITICAL)
Team meeting surfaced urgency. Leadership needs:
- Endpoint report — run netapi DataConnect queries to pull all MSCHAPv2-authenticating endpoints
- Pandas graph — authentication trends, counts by device type, migration wave identification
- Next migration wave — Chromebooks (~medigate-laptop-google-chromebook-policy, ChromeBook-Workstation) + Wyse thin clients = ~2,000 of ~8,000 endpoints
Existing tools ready to run:
| Script | Purpose |
|---|---|
| | Identify all MSCHAPv2-authenticating endpoints |
| | Enhanced migration analysis with device types |
| | Extract Chromebook devices using legacy protocols |
| | Excel workbook with protocol distribution + migration recommendations |
| | All auth protocols in use, categorized by security level |
| | HTML reports with styled pandas tables |
Action: Run ise-mschapv2-audit.py → feed to profiler-migration-analytics.py → generate executive dashboard showing Chromebook + Wyse as Wave 2 targets.
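An added example (not one of the page's own scripts) of what the netapi report plus pandas step computes: take each endpoint's most recent authentication, bucket it by protocol security level, flag the MSCHAPv2 population, and split that population into the Chromebook + Wyse wave versus the remainder. It uses only the standard library so it runs offline; the CSV columns, protocol labels and profile names are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample shaped like a netapi/DataConnect authentication export.
# Column names and protocol labels are assumptions made for this example.
SAMPLE_AUTH_CSV = """\
calling_station_id,endpoint_profile,auth_protocol,timestamp
AA:BB:CC:00:00:01,ChromeBook-Workstation,PEAP(EAP-MSCHAPv2),2026-03-30T08:00:00
AA:BB:CC:00:00:01,ChromeBook-Workstation,EAP-TLS,2026-03-31T09:15:00
AA:BB:CC:00:00:02,medigate-laptop-google-chromebook-policy,PEAP(EAP-MSCHAPv2),2026-03-31T07:42:00
AA:BB:CC:00:00:03,Wyse-Thin-Client,EAP-MSCHAPv2,2026-03-31T06:10:00
AA:BB:CC:00:00:04,Wyse-Thin-Client,PEAP(EAP-MSCHAPv2),2026-03-31T06:12:00
AA:BB:CC:00:00:05,Windows-Workstation,EAP-TLS,2026-03-31T08:30:00
AA:BB:CC:00:00:06,Vocera-Phone,EAP-TLS,2026-03-31T05:55:00
AA:BB:CC:00:00:07,Strongline-Gateway,MAB,2026-03-31T04:20:00
AA:BB:CC:00:00:08,Windows-Workstation,PEAP(EAP-MSCHAPv2),2026-03-31T08:31:00
"""

# Security level per protocol: anything MSCHAPv2-based is the legacy target.
PROTOCOL_LEVEL = {
    "EAP-TLS": "certificate",
    "PEAP(EAP-MSCHAPv2)": "legacy-password",
    "EAP-MSCHAPv2": "legacy-password",
    "MAB": "mac-bypass",
}

# Wave 2 = Chromebooks + Wyse thin clients, matched on the profile name.
WAVE2_PATTERNS = {
    "Chromebook": re.compile(r"chromebook", re.IGNORECASE),
    "Wyse": re.compile(r"wyse", re.IGNORECASE),
}


def load_records(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def latest_auth_per_endpoint(records):
    """Keep the newest record per MAC so an endpoint already moved to EAP-TLS
    (old MSCHAPv2 rows, newer EAP-TLS row) is not reported as legacy again."""
    latest = {}
    for rec in records:
        mac = rec["calling_station_id"].upper()
        if mac not in latest or rec["timestamp"] > latest[mac]["timestamp"]:
            latest[mac] = rec
    return latest


def protocol_distribution(latest):
    """Endpoint counts by current protocol and by security level."""
    by_protocol = Counter(r["auth_protocol"] for r in latest.values())
    by_level = Counter(PROTOCOL_LEVEL.get(r["auth_protocol"], "unknown")
                       for r in latest.values())
    return by_protocol, by_level


def mschapv2_endpoints(latest):
    """MACs whose most recent authentication still used an MSCHAPv2 variant."""
    return {mac for mac, r in latest.items()
            if PROTOCOL_LEVEL.get(r["auth_protocol"]) == "legacy-password"}


def classify_wave(profile):
    for name, pattern in WAVE2_PATTERNS.items():
        if pattern.search(profile):
            return name
    return None


def migration_summary(csv_text):
    """Legacy endpoint count, Wave 2 targets by device type, and the remainder."""
    latest = latest_auth_per_endpoint(load_records(csv_text))
    legacy = mschapv2_endpoints(latest)
    wave2, remaining = defaultdict(list), []
    for mac in sorted(legacy):
        group = classify_wave(latest[mac]["endpoint_profile"])
        (wave2[group] if group else remaining).append(mac)
    by_protocol, by_level = protocol_distribution(latest)
    return {
        "total_endpoints": len(latest),
        "legacy_endpoints": len(legacy),
        "wave2": dict(wave2),
        "wave2_count": sum(len(v) for v in wave2.values()),
        "remaining_after_wave2": remaining,
        "by_protocol": dict(by_protocol),
        "by_level": dict(by_level),
    }


def text_bar_chart(counts, width=30):
    """ASCII bars as a stand-in for the pandas plot, largest bucket first."""
    if not counts:
        return []
    biggest = max(counts.values())
    return [f"{label:<22}{n:>4} {'#' * max(1, round(n / biggest * width))}"
            for label, n in sorted(counts.items(), key=lambda kv: -kv[1])]
```

Run `migration_summary(SAMPLE_AUTH_CSV)` for the numbers and `text_bar_chart(summary["by_level"])` for the terminal chart; on the real export only the loader changes.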
P0: Enterprise Linux 802.1X Standardization
CISO concerned about central management of Linux research endpoints. The Dr. Shahab / Xianming Ding deployment runbook is assembled and positioned as the standard. Open items:
- DACL/VLAN assignment — missing because EAP-TLS auth not yet implemented for these endpoints
- Posture assessment — not configured
- Central endpoint management strategy for research-requested Linux machines
Runbook location: xref:ise-linux:: (domus-ise-linux spoke repo)
P1: Microsoft Sentinel Onboarding
Got Azure portal access. Ran first KQL queries using Copilot.
Current state:
- Portal access acquired
- First KQL queries executed (Copilot-assisted)
- Build independent KQL proficiency (no experience with this tool)
- Differentiate myself from team — bring something new to the table
- Understand log source schema, table structure, analytics rules
Strategic opportunity: Lead the QRadar → Sentinel log source migration. Blocker: Monad ETL pipeline transformer not yet available. Was told to lead and be in charge of this — excellent opportunity combining big data, information security, and Linux expertise.
P1: Vocera/Wyse iTrack RCA (Open)
Cisco TAC findings so far:
- Primary MnT RabbitMQ CPU spiked
- After reboot: CPU normalized, RADIUS live logs and sessions restored in ISE
- No definitive root cause
What happened: endpoints stopped conducting 802.1X authentication during the Stryker incident window. Vocera (JAMF-pushed supplicant) and Wyse (Wyse Manager configuration) — unclear why they dropped dot1x when supplicant was configured.
Actions needed:
- Run authentication report for affected Vocera + Wyse endpoints (post-incident)
- Verify current auth state — are they hitting correct policies or still in onboard identity group?
- Build knowledge on endpoint-side log gathering (supplicant logs, EAP transaction traces)
- Document triage methodology: endpoint logs → ISE RADIUS logs → correlate transaction
- Fill out iTrack RCA report
Mitigation in place: Endpoints added to onboard identity group in ISE with catch-all authorization policy. Global CoA configured — profiling change or reauth will move them to correct policy without manual intervention.
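The triage methodology above (endpoint logs → ISE RADIUS logs → correlate transaction), as an added example that is not from the page or the iTrack report: it merges supplicant events and RADIUS live-log entries per MAC, finds where an endpoint that used to pass EAP fell to MAB, and reports whether the supplicant went silent or kept trying and timed out. Both log formats, the policy names and all MACs are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample logs. The layouts are assumptions for this example, not
# the real JAMF/Wyse supplicant output or the ISE RADIUS live-log format.
SUPPLICANT_LOG = """\
2026-03-28T02:14:05 AA:BB:CC:00:00:10 EAPOL-START
2026-03-28T02:14:06 AA:BB:CC:00:00:10 EAP-SUCCESS
2026-03-28T00:59:59 BB:BB:CC:00:00:20 EAPOL-START
2026-03-28T01:00:00 BB:BB:CC:00:00:20 EAP-SUCCESS
2026-03-28T03:04:30 BB:BB:CC:00:00:20 EAPOL-START
2026-03-28T03:05:00 BB:BB:CC:00:00:20 EAP-TIMEOUT
2026-03-28T02:00:00 CC:BB:CC:00:00:30 EAP-SUCCESS
2026-03-28T03:30:00 CC:BB:CC:00:00:30 EAP-SUCCESS
"""

RADIUS_LOG = """\
2026-03-28T02:14:06 AA:BB:CC:00:00:10 EAP-TLS PASSED Vocera-Phones
2026-03-28T03:10:00 AA:BB:CC:00:00:10 MAB PASSED Onboard-CatchAll
2026-03-28T01:00:00 BB:BB:CC:00:00:20 EAP-TLS PASSED Wyse-ThinClients
2026-03-28T03:09:30 BB:BB:CC:00:00:20 MAB PASSED Onboard-CatchAll
2026-03-28T02:00:00 CC:BB:CC:00:00:30 EAP-TLS PASSED Windows-Workstations
2026-03-28T03:30:00 CC:BB:CC:00:00:30 EAP-TLS PASSED Windows-Workstations
"""

SUPP_RE = re.compile(r"^(\S+) ([0-9A-F:]{17}) (\S+)$")
RADIUS_RE = re.compile(r"^(\S+) ([0-9A-F:]{17}) (\S+) (PASSED|FAILED) (\S+)$")


def parse_supplicant(text):
    """Endpoint-side events: timestamp, MAC, EAPOL/EAP state."""
    events = []
    for line in text.splitlines():
        m = SUPP_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "mac": m[2],
                           "src": "supplicant", "event": m[3]})
    return events


def parse_radius(text):
    """ISE-side entries: timestamp, MAC, protocol, result, matched policy."""
    events = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m[1]), "mac": m[2],
                           "src": "radius", "protocol": m[3],
                           "result": m[4], "policy": m[5]})
    return events


def correlate(supp_events, radius_events):
    """Merge both sources into one time-ordered timeline per MAC."""
    timelines = {}
    for ev in supp_events + radius_events:
        timelines.setdefault(ev["mac"], []).append(ev)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])  # stable: supplicant first on ties
    return timelines


def triage(timeline):
    """Classify whether, when and how 802.1X dropped for one endpoint."""
    last_eap_ok = None
    for ev in timeline:
        if ev["src"] != "radius":
            continue
        if ev["protocol"] != "MAB" and ev["result"] == "PASSED":
            last_eap_ok = ev["ts"]
        elif ev["protocol"] == "MAB" and last_eap_ok is not None:
            # Endpoint that used to pass EAP is now on MAB: a dot1x drop.
            # What did the supplicant do between the last EAP success and the MAB hit?
            window = [e for e in timeline if e["src"] == "supplicant"
                      and last_eap_ok < e["ts"] <= ev["ts"]]
            failures = [e for e in window if e["event"] in ("EAP-TIMEOUT", "EAP-FAILURE")]
            if not window:
                finding = "supplicant stopped initiating 802.1X (collect endpoint-side logs)"
            elif failures:
                finding = "supplicant attempted 802.1X but got no answer (check ISE/RADIUS side)"
            else:
                finding = "supplicant active yet endpoint fell to MAB (inspect EAP transaction)"
            return {"dropped": True, "last_eap_success": last_eap_ok,
                    "first_mab": ev["ts"],
                    "gap_seconds": int((ev["ts"] - last_eap_ok).total_seconds()),
                    "policy_now": ev["policy"], "finding": finding}
    return {"dropped": False, "last_eap_success": last_eap_ok}


def triage_all(supp_text, radius_text):
    timelines = correlate(parse_supplicant(supp_text), parse_radius(radius_text))
    return {mac: triage(tl) for mac, tl in timelines.items()}
```

The per-MAC result feeds directly into the RCA report: the gap tells you the outage window per device, and the finding says which side's logs to pull next.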
P1: Abnormal Security (NEW — Cisco ESA → API)
Assigned to ESA → Abnormal Security migration project. CHLA moving from Cisco to Microsoft security stack across the board:
- Cisco ESA (inline email gateway) → Abnormal Security (API-based behavioral AI)
- Cisco XDR → Microsoft Defender XDR
- QRadar → Microsoft Sentinel
- Cisco ISE → stays (no Microsoft NAC equivalent)

- Understand Abnormal Security API integration model
- Assess ESA decommission timeline
- Map ESA log sources to Sentinel ingestion
P1: Monad ETL Pipeline
- Leading evaluation and deployment
- Blocker for QRadar → Sentinel log source migration
- Opportunity: big data + infosec + Linux convergence
Carryover Items
Work Blockers
| Domain | Blocker | Impact | Days | Blocked By | Action Required |
|---|---|---|---|---|---|
| Work P0 | k3s NAT verification | Blocks Wazuh recovery, SIEM visibility | 21 | VyOS NAT rule 170 | Test NAT rule, verify pod internet access |
| Work P0 | Wazuh indexer recovery | Security monitoring offline | 21 | k3s NAT fix | Restart pod after NAT confirmed |
| Work P0 | Strongline Gateway VLAN fix | 8 devices in wrong identity group | 14 | David Rukiza assignment | Follow up with David, verify identity group reassignment |
| Work P0 | Research Segmentation | Research endpoints on trusted VLAN | — | CISO decision | Escalate to CISO |
| Work P0 | Linux Research (overdue) | EAP-TLS project behind schedule | 34 | Certificate password issue | Apply nmcli fix, test with Xianming Ding |
| Work P0 | iPSK Manager | Pre-shared key automation stalled | — | DB replication | Follow up with Ben Castillo on replication fix |
| Work P0 | MSCHAPv2 Migration | Legacy auth deprecation not started | — | No planning initiated | Schedule planning session, define wave strategy |
| Work P1 | Monad Pipeline Evaluation | QRadar to Sentinel migration blocked on pipeline testing | 19 | Lab environment setup | Set up test pipeline, evaluate input sources and transforms |
| Work P1 | Vocera EAP-TLS Supplicant Fix | ~10 phones failing 802.1X | 18 | Missing supplicant config | Configure supplicant on affected Vocera phones |
| Work P1 | ISE 3.4 Migration | Running outdated ISE 3.2 | — | ISE Patch 9 prerequisite | Complete Patch 9 first, then plan 3.4 migration |
Personal
ThinkPad T16g Gen 3
- Lenovo Legion returned to Micro Center
- ThinkPad T16g Gen 3 ordered directly from Lenovo ($4,226.98)
- Anticipated delivery: Thursday Apr 2
- Specs: Core Ultra 9 275HX, RTX 5090 24GB GDDR7, 64GB DDR5, 2TB Gen5 NVMe, 16" 3.2K Tandem OLED
Ollama API Service (ongoing)
- 17 endpoints live (security audit, firewall, certificates, logs, errors, runbooks, incidents, changes, docs)
- Next: web UI, fine-tuning pipeline, productization
Education
Claude Code Mastery
| Resource | Details | Progress | Status |
|---|---|---|---|
| Claude Code Full Course (4 hrs) | Nick Saraev - YouTube comprehensive course | 26:49 / 4:00:00 | IN PROGRESS |
| Claude Code Certification | Anthropic official certification (newly released) | Not started | GOAL |
Active Tracks (Focus)
- Don Quijote - Primera Parte
Skills Mastery (Critical)
- Regex Mastery - 10-module curriculum
- AsciiDoc Docs - Documentation format
- Antora Docs - Documentation pipeline
Certification Deadlines
- CISSP - Before June 1, 2026 (performance review)
- RHCSA 9 - Before June 1, 2026 (performance review)
- LPIC-1 - Renewal required (blocks LPIC-2)
Spanish C1 Certification Goals
| Certification | Provider | Target | Status | Strategy |
|---|---|---|---|---|
| | Instituto Cervantes / UNAM / Salamanca | Q2 2026 | ACTIVE | Computer-based, faster results - take FIRST |
| | | Q3/Q4 2026 | PLANNED | After SIELE success, harder exam |
| | | 2027 | FUTURE | Mastery level - requires extensive immersion |

NOTE: SIELE is computer-adaptive, results in 3 weeks. DELE is paper-based, results in 3-4 months. Do SIELE first to validate readiness.
Don Quijote Writing Practice - DELE C1/C2 Initiative
Method:
- Read chapter in original Spanish
- Write personal analysis/understanding en espanol
- AI review for grammar, vocabulary, register
- Build comprehensive understanding of literary elements
Today’s Study
- Focus: CISSP study (55 days to June 1), domus-api Phase 3 prep
- Secondary: RHCSA curriculum, Spanish DELE/SIELE
- CISSP — begin Phase 0 domain review
- RHCSA — continue curriculum phase
- Spanish — Don Quijote reading + analysis
- domus-api — evaluate Ollama RAG architecture for Phase 3
Regex Training (CRITICAL)
- Status: 7 days carried over
- Priority: After PeopleSoft, before Quijote
- Session: Character classes, word boundaries
Infrastructure
Documentation Sites
| Site | URL | Status | Actions Needed |
|---|---|---|---|
| Domus Digitalis | | Active | Validate, harden, improve |
| Architectus | | Active | Public portfolio site - maintain |
HA Deployment Status
| System | Description | Status | Notes |
|---|---|---|---|
| VyOS HA | vyos-01 (kvm-01) + vyos-02 (kvm-02) with VRRP VIP | ✅ COMPLETE | 2026-03-07 - pfSense decommissioned |
| BIND DNS HA | bind-01 (kvm-01) + bind-02 (kvm-02) with AXFR | ✅ COMPLETE | Zone transfer operational |
| Vault HA | Raft cluster (vault-01/02/03) | ✅ COMPLETE | Integrated with PKI |
| Keycloak Rebuild | keycloak-01 corrupted, rebuild from scratch | 🔄 NEXT | Priority P3 - SSO broken |
| FreeIPA HA | ipa-02 replica planned | 📋 PLANNED | Linux auth redundancy |
| AD DC HA | home-dc02 replication | 📋 PLANNED | Windows auth redundancy |
| iPSK Manager HA | ipsk-mgr-02 with MySQL replication | 📋 PLANNED | PSK portal redundancy |
| ISE HA | PAN HA (ise-01 reconfigure) | ⏳ DEFERRED | Wait until ise-02 stable |
| ISE 3.5 Migration | Upgrade path: 3.2p9 → 3.4 (P1) → 3.5 (target) | 📋 PLANNED | After 3.4 Migration completes (Q2 2026) |
Single Points of Failure (CRITICAL)
NOTE: These systems have NO redundancy - outage impacts production.

| System | Impact if Down | Mitigation |
|---|---|---|
| ISE (ise-02) | All 802.1X stops - wired and wireless auth fails | ise-01 reconfiguration deferred until ise-02 stable |
| Keycloak (keycloak-01) | SAML/OIDC SSO broken (ISE admin, Grafana, etc.) | NEXT PRIORITY - Rebuild runbook |
| FreeIPA (ipa-01) | Linux auth, sudo rules, HBAC fails | ipa-02 replica planned |
| AD DC (home-dc01) | Windows auth, Kerberos, GPO fails | home-dc02 replica planned |
| iPSK Manager | Self-service PSK portal unavailable | ipsk-mgr-02 with MySQL replication planned |
Validation Tasks
| Task | Details | Status |
|---|---|---|
| docs.domusdigitalis.dev validation | Test all cross-references, search, rendering | TODO |
| docs.domusdigitalis.dev hardening | HTTPS, CSP headers, security review | TODO |
| docs.architectus.dev validation | Public site content review | TODO |
| Hub-spoke sync verification | All components building correctly | Ongoing |
Quick Commands
gopass-personal-docs Usage
```bash
# Interactive entry creation
gopass-personal-docs
# Categories: 1) Bills 2) Subscriptions 3) Housing 4) Vehicles 5) Insurance
```
gopass-query Usage
```bash
# List all recurring bills with totals
gopass-query bills
# List storage units with gate codes
gopass-query storage
# Export category to JSON
gopass-query export bills
```
API: domus-api — Documentation System REST API
Source: 2026-04-06 — First domus-api session, querying 2,928 .adoc files via REST endpoints
```bash
# Start the API server (localhost:8080, Tailscale accessible)
cd ~/atelier/_projects/personal/domus-api && uv run uvicorn domus_api.main:app --host 0.0.0.0 --port 8080
# Health check — document counts
curl -s localhost:8080/ | jq
# Full repository stats by category
curl -s localhost:8080/stats | jq
# All 20+ standards as JSON
curl -s localhost:8080/standards | jq
# Standards — extract just ID and title (awk-style with jq)
curl -s localhost:8080/standards | jq -r '.standards[] | "\(.id)\t\(.title)"'
# Full-text search across all files
curl -s 'localhost:8080/search?q=mandiant' | jq
# Search — extract just path, title, match count
curl -s 'localhost:8080/search?q=mandiant' | jq '.results[] | {path, title, match_count}'
# Scoped search (standards only)
curl -s 'localhost:8080/search?q=RFC+2119&scope=standards' | jq
# Get specific page with full content + metadata
curl -s localhost:8080/pages/standards/operations/change-control | jq
# List pages filtered by category
curl -s 'localhost:8080/pages?category=standards' | jq
curl -s 'localhost:8080/pages?category=codex&limit=10' | jq
# All antora.yml attributes (127)
curl -s localhost:8080/attributes | jq
# Swagger UI (open in browser)
# http://localhost:8080/docs
# Kill server on port 8080
kill $(lsof -ti:8080)
```
API: Incident & Change Record Queries
Source: 2026-04-07 — Querying incidents and CRs via domus-api for work reporting
```bash
# ─── INCIDENT QUERIES ───
# Get incident title
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.title'
# Read incident content as plain text (jq -r unescapes \n)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' | head -50
# List all incidents
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | "\(.title)\t\(.path)"'
# Search incidents by keyword
curl -s 'localhost:8080/search?q=IOT_WAN' | jq -r '.results[] | "\(.title)\t\(.path)"'
# Search for all VPN-related content
curl -s 'localhost:8080/search?q=GlobalProtect' | jq -r '.results[] | "\(.title)\t\(.path)"'
# ─── CHANGE RECORD QUERIES ───
# Get CR title
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.title'
# Read CR content
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.content' | head -80
# List all change records
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("changes")) | "\(.title)\t\(.path)"'
# ─── WORKFLOW: INCIDENT TO CR TRACEABILITY ───
# Find all documents related to an incident
curl -s 'localhost:8080/search?q=INC-2026-04-06-001' | jq -r '.results[] | "\(.path)"'
# Find the CR linked to an incident
curl -s 'localhost:8080/search?q=CR-2026-04-07-iot-wan' | jq -r '.results[] | {title, path}'
# ─── FORMAT FOR REPORTING ───
# Incident summary as TSV (paste into spreadsheet)
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv'
# Pipe to column for terminal table
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv' | column -t -s $'\t'
# Export incident as markdown (basic conversion)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' > /tmp/incident-report.txt
```
Security: Mandiant Vulnerability Assessment Discovery
Source: 2026-04-06 — Searching domus-captures + Principia for pentest findings, dACLs, and remediation content
```bash
# Search for Mandiant references across domus-captures
grep -ri 'mandiant' docs/modules/ROOT/ | awk 'NR<=30'
# Find dACL / downloadable ACL content
grep -ri 'dacl\|downloadable.acl' docs/modules/ROOT/ | awk 'NR<=30'
# Search Principia vault (legacy PKM) for Mandiant data
grep -ri 'mandiant' ~/atelier/_bibliotheca/Principia/ 2>/dev/null | awk 'NR<=30'
# Find files with security assessment terms in the name
find docs/ -name '*mandiant*' -o -name '*vuln*' -o -name '*dacl*'
# Find dACL diagram source files
find docs/modules/ROOT/images/diagrams -name 'dacl*'
# Posture redirect ACL references (the critical finding)
grep -ri 'posture.*redirect\|redirect.*acl\|pre.auth.*acl' docs/modules/ROOT/ | awk 'NR<=20'
# Cross-repo vulnerability search
grep -ri 'vulnerability.assess\|pentest\|penetration.test' docs/modules/ROOT/pages/2026/ | awk 'NR<=20'
# Principia asset directory discovery (OPS-* and PRJ-* directories)
find ~/atelier/_bibliotheca/Principia/02_Assets -maxdepth 1 -type d \( -name 'OPS-*' -o -name 'PRJ-*' \)
# Raspberry Pi OUI detection (from pentest findings)
# netapi ise mnt --format json sessions | jq -r '.[] | select(.calling_station_id | startswith("B8:27:EB") or startswith("DC:A6:32") or startswith("E4:5F:01")) | [.calling_station_id, .framed_ip_address, .nas_ip_address] | @tsv'
```
Audio: PipeWire Validation (Post-Reboot)
Source: 2026-04-06 — P16g audio testing after sof-firmware install
```bash
# PipeWire status (replaces pulseaudio pavucontrol for status)
wpctl status
# List all audio sinks (short format)
pactl list sinks short
# Play audio through default sink (native PipeWire — no alsa-utils needed)
pw-play /usr/share/sounds/freedesktop/stereo/bell.oga
# Play through specific sink by ID
pw-play --target 65 /usr/share/sounds/freedesktop/stereo/bell.oga
# Kernel audio firmware messages (Intel SOF)
journalctl -b --grep='sof|cs35l56|cs42l43' --no-pager | tail -20
# ALSA sound cards
cat /proc/asound/cards
```
Git: Cross-Repo Activity Audit
Source: 2026-04-06 — Reconstructing daily AI session history across all domus repos
```bash
# All commits on a specific date across all domus repos
for repo in ~/atelier/_bibliotheca/domus-*/ ~/atelier/_projects/personal/domus-*/; do
  [ -d "$repo/.git" ] || continue
  name=$(basename "$repo")
  git -C "$repo" log --since="2026-04-06" --until="2026-04-07" --format="%h %aI %s" 2>/dev/null |
    awk -v r="$name" '{print r, $0}'
done
# Structured commit log as JSON (pipe to jq)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"hash":"%h","date":"%aI","subject":"%s"}' -20 |
  jq -s 'sort_by(.date) | reverse'
# Commits per month (aggregation)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"date":"%aI"}' -100 |
  jq -s 'map(.date | split("T")[0] | split("-")[0:2] | join("-")) | group_by(.) | map({month: .[0], count: length}) | sort_by(.month)'
# Cross-repo search via GitHub API (quote URL for zsh)
gh search code "vault seal" --owner EvanusModestus --json repository,path,textMatches |
  jq '.[] | {repo: .repository.full_name, file: .path, match: .textMatches[].fragment}'
# List .adoc files in a repo via GitHub API
gh api 'repos/EvanusModestus/domus-captures/git/trees/main?recursive=1' |
  jq '[.tree[] | select(.path | endswith(".adoc"))] | length'
# Cross-repo activity dashboard (last 5 per repo)
for repo in domus-captures domus-infra-ops domus-ise-linux domus-netapi-docs domus-secrets-ops; do
  git -C ~/atelier/_bibliotheca/$repo log --pretty=format:"{\"repo\":\"$repo\",\"date\":\"%aI\",\"subject\":\"%s\"}" -5 2>/dev/null
done | jq -s 'sort_by(.date) | reverse | .[:15] | .[] | "\(.date | split("T")[0]) [\(.repo)] \(.subject)"' -r
# Antora attribute comparison across repos
for f in ~/atelier/_bibliotheca/domus-*/docs/asciidoc/antora.yml; do
  repo=$(basename "$(dirname "$(dirname "$(dirname "$f")")")")
  count=$(yq '.asciidoc.attributes | length // 0' "$f")
  printf "%-30s %s attributes\n" "$repo" "$count"
done
```
Attribute Includes
```asciidoc
// Home documents
// ========================================================================
// SHARED ATTRIBUTES -- Home & Personal
// ========================================================================
// Source of truth for personal identity, home infrastructure, and
// document defaults used across daily worklogs and captures.
//
// Usage:
// include::partial$attributes.adoc[]
//
// For work-specific attributes (CHLA), also include:
// include::partial$attributes-work.adoc[]
//
// For HTML status styling, also include:
// include::partial$attributes-styles.adoc[]
//
// Per-document attributes (revdate, document-id, capture-date,
// focus-areas, etc.) remain in each file's header.
// ========================================================================
// ========================================================================
// DOCUMENT DEFAULTS
// ========================================================================
:id: UNSET
:document-id: {id}
// ========================================================================
// AUTHOR & IDENTITY
// ========================================================================
:author-name: Evan Rosado
:author-email-home: evan.rosado@domusdigitalis.dev
:author-email-work: erosado@chla.usc.edu
:author-email-personal: evan.rosado@outlook.com
// ========================================================================
// HOME ENTERPRISE DOMAINS
// ========================================================================
:home-domain: domusdigitalis.dev
:home-domain-internal: inside.domusdigitalis.dev
:home-domain-guest: guest.domusdigitalis.dev
:home-env-name: Home Enterprise ({home-domain})
// ========================================================================
// HOME ENTERPRISE INFRASTRUCTURE
// ========================================================================
// ISE Cluster (Home)
:home-ise-version: 3.3
:home-ise-pan-ip: 10.50.1.21
:home-ise-pan-host: ise-02.inside.domusdigitalis.dev
:home-ise-01-ip: 10.50.1.20
:home-ise-01-host: ise-01.inside.domusdigitalis.dev
:home-ise-02-ip: 10.50.1.21
:home-ise-02-host: ise-02.inside.domusdigitalis.dev
// DNS (BIND)
:home-dns-primary: 10.50.1.90
:home-dns-secondary: 10.50.1.1
:home-bind-ip: 10.50.1.90
:home-bind-host: bind-01.inside.domusdigitalis.dev
// Active Directory
:home-ad-server: HOME-DC01.inside.domusdigitalis.dev
:home-ad-ca: HOME-ROOT-CA
// Network (VyOS replaced pfSense 2026-03-07)
:home-vyos-ip: 10.50.1.2
:home-vyos-host: vyos-01.inside.domusdigitalis.dev
:home-switch-ip: 10.50.1.10
:home-wlc-ip: 10.50.1.40
:home-wlc-host: wlc.inside.domusdigitalis.dev
// Storage
:nas-ip: 10.50.1.70
:nas-name: nas-01
:nas-nfs-path: /volume1/ise_backups
// ========================================================================
// PERSONAL PROJECTS
// ========================================================================
:prj-ipsk-home: PRJ-ISE-IPSK-HOME-ANTORA
:prj-home-linux: PRJ-ISE-HOME-LINUX-ANTORA
:prj-home-lab: PRJ-ISE-HOME-LINUX-ANTORA
:prj-netapi: PRJ-NETAPI-ANTORA
:prj-secrets: PRJ-SECRETS
:prj-recovery: PRJ-RECOVERY
:prj-infra-ops: PRJ-INFRA-OPS-ANTORA
// ========================================================================
// PERSONAL TOOLS
// ========================================================================
:tool-netapi: netapi (Personal ISE automation CLI)
:tool-dsec: dsec (Secrets management)
:tool-ansible: Ansible
:tool-git: Git
```
// Work documents
// ========================================================================
// WORK ATTRIBUTES -- CHLA Environment
// ========================================================================
// Contains sensitive work-specific infrastructure, personnel, and project
// attributes. Include only in work-related documents.
//
// Usage:
// include::partial$attributes-work.adoc[]
// ========================================================================
// ========================================================================
// DOMAINS (Work)
// ========================================================================
:domain: chla.usc.edu
:ad-domain: la.ad.chla.org
:krb5-realm: LA.AD.CHLA.ORG
:ise-domain: ise.chla.org
:work-env-name: Enterprise (CHLA)
// ========================================================================
// ISE CLUSTER (CHLA Production)
// ========================================================================
// Primary PAN
:ise-ppan-ip: 10.101.2.121
:ise-ppan-host: ppan.ise.chla.org
// Secondary PAN
:ise-span-ip: 10.101.2.122
:ise-span-host: span.ise.chla.org
:ise-span: {ise-span-host}
// Primary MnT
:ise-pmnt-ip: 10.101.2.123
:ise-pmnt-host: pmnt.ise.chla.org
// Secondary MnT
:ise-smnt-ip: 10.101.2.124
:ise-smnt-host: smnt.ise.chla.org
// Policy Service Nodes -- Building 1
:ise-psn-1-ip: 10.101.2.131
:ise-psn-2-ip: 10.101.2.132
// Policy Service Nodes -- Building 2
:ise-psn-3-ip: 10.248.11.134
:ise-psn-4-ip: 10.248.11.135
:ise-version: 3.2 Patch 6
// ========================================================================
// DNS SERVERS (CHLA)
// ========================================================================
:dns-primary: 10.112.142.41
:dns-secondary: 10.192.142.41
:dns-backup: 10.112.142.42
// ========================================================================
// ACTIVE DIRECTORY DOMAIN CONTROLLERS (CHLA)
// ========================================================================
// Building 1
:ad-dc-1: 10.112.118.141
:ad-dc-2: 10.112.118.143
// Building 2
:ad-pdc: 10.100.11.28
:ad-dc-3: 10.100.11.27
// ========================================================================
// NETWORK INFRASTRUCTURE (CHLA)
// ========================================================================
:nas-research: 10.134.144.109
:remediation-server: remediation.chla.org
// ========================================================================
// PERSONNEL
// ========================================================================
:user-ben: Ben Castillo (SysEng)
:user-shahab: Dr. Shahab Asgharzadeh
:user-shahab-dept: Spatial Biology and Genomics Core (TSRI SBG)
:user-shahab-mac: b4:e9:b8:f6:c8:17
:user-samuel: Samuel John (Database Architect, Digital Dev & Solutions Architecture)
:user-argam: Argam Darbinian (Endpoint Engineer I)
:user-levitt: Dr. Pat Levitt
:user-levitt-email: plevit@chla.usc.edu
:user-carlos: Carlos (InfoSec)
:user-victor: Victor (Cloud/AD)
// Person shorthand
:person-sarah: Sarah Clizer (CISO)
:person-shahab: {user-shahab}
:person-ben: {user-ben}
:person-victor: {user-victor}
:person-carlos: {user-carlos}
// Teams
:team-infosec: Information Security Team
:team-network: Network Engineering Team
:team-endpoint: Endpoint Engineering Team
// ========================================================================
// PROJECTS
// ========================================================================
:prj-ipsk-chla: PRJ-ISE-IPSK-CHLA-ANTORA
:prj-chla-linux: PRJ-ISE-CHLA-LINUX-ANTORA
:prj-sentinel-migration: PRJ-SENTINEL-MIGRATION
:prj-mschapv2-migration: PRJ-MSCHAPV2-TO-EAPTLS
// ========================================================================
// iPSK ATTRIBUTES
// ========================================================================
:ipsk-primary-hostname: ipsk-mgr-01
:ipsk-secondary-hostname: ipsk-mgr-02
:ssid-iot: CHLA_IoT
:policy-set-name: IoT WIFI iPSK
:odbc-source-name: iPSKManager
:mysql-port: 3306
:db-name: ipsk
// ========================================================================
// TOOLS & PLATFORMS (Security Stack)
// ========================================================================
// SIEM & Security Analytics
:tool-qradar: IBM QRadar SIEM (Legacy - migrating from)
:tool-sentinel: Microsoft Sentinel (Target SIEM)
:tool-defender: Microsoft Defender for Endpoint
:tool-xdr: Microsoft Defender XDR
// Threat Intelligence
:tool-abuseipdb: AbuseIPDB
:tool-virustotal: VirusTotal
:tool-urlscan: URLScan.io
:tool-talos: Cisco Talos Intelligence
// Infrastructure & Access
:tool-claroty: Claroty XDome (OT Security)
:tool-umbrella: Cisco Secure Umbrella (DNS Filtering)
:tool-posture: Cisco Secure Client Posture Module
:tool-ise: Cisco Identity Services Engine
:tool-adcs: Active Directory Certificate Services
// Collaboration & Ticketing
:tool-teams: Microsoft Teams
:tool-servicenow: ServiceNow
:tool-slack: Slack
// Development & Automation
:tool-azure-devops: Azure DevOps
// ========================================================================
// PEOPLESOFT TIME TRACKING
// ========================================================================
// Standard Admin Codes (CHLA InfoSec Engineering)
:ps-account: 605010
:ps-fund-code: 1010
:ps-department: 8492000
:ps-pc-unit: PC100
// ----------------------------------------------------------------------------
// Active Projects (Project # | Combo Code | Activity Code)
// Usage: {prj-<name>}, {combo-<name>}, {activity-<name>}
// ----------------------------------------------------------------------------
// EDR Migration (AMP to Defender)
:prj-edr-migration: 000017633
:combo-edr-migration: 000018546
:activity-edr-migration: 21
// Windows 11 Device Hardening
:prj-win11-hardening: 000017706
:combo-win11-hardening: 000018549
:activity-win11-hardening: 21
// iPad Refresh (Spectrum TV App & GetWell SSID)
:prj-ipad-refresh: 000016444
:combo-ipad-refresh: 000018551
:activity-ipad-refresh: 20
// Immunity Lab Move
:prj-immunity-lab: 000017481
:combo-immunity-lab:
:activity-immunity-lab: 21
// Mind DLP Proof of Value
:prj-mind-dlp: 000017956
:combo-mind-dlp: 000018452
:activity-mind-dlp: 21
// iSensix dACL + IoT VLAN Assignment
:prj-isensix-dacl:
:combo-isensix-dacl:
:activity-isensix-dacl: 21
// Cisco Catalyst Center (DNA Center Migration)
:prj-catalyst-center:
:combo-catalyst-center:
:activity-catalyst-center:
// ----------------------------------------------------------------------------
// Activity Hour Baselines (realistic end-to-end effort)
// ----------------------------------------------------------------------------
// Meetings & Collaboration
:hrs-meeting: 1.0
:hrs-stakeholder-meeting: 1.5
:hrs-workshop: 2.0
:hrs-vendor-call: 1.5
:hrs-cab-attendance: 1.0
// ISE / Network Policy
:hrs-ise-policy-mac: 3.0
:hrs-ise-policy-win: 4.5
:hrs-ise-policy-linux: 4.0
:hrs-dacl-design: 3.5
:hrs-authz-profile: 3.0
:hrs-policy-set: 4.0
// Change Management
:hrs-change-request: 3.5
:hrs-cab-prep: 2.0
:hrs-cutover: 4.0
:hrs-rollback-planning: 2.0
// Testing & Validation
:hrs-device-testing: 2.5
:hrs-pilot-validation: 4.0
:hrs-integration-testing: 3.5
// Support & Operations
:hrs-support: 2.0
:hrs-incident-response: 3.0
:hrs-troubleshooting: 2.5
:hrs-post-cutover-support: 2.5
// Discovery & Documentation
:hrs-discovery: 3.0
:hrs-documentation: 2.0
:hrs-architecture-design: 4.0
// ========================================================================
// STYLE ATTRIBUTES -- HTML Status Styling
// ========================================================================
// Contains CSS styling for status indicators and priority markers.
// Only applied when rendering to HTML (backend-html5).
//
// Usage:
// include::partial$attributes-styles.adoc[]
//
// Styling classes:
// .pass, .fail, .pending, .active
// .status-complete, .status-inprogress, .status-blocked, .status-pending, .status-notstarted
// .priority-critical, .priority-high, .priority-normal
// ========================================================================
++++
<style>
.pass { color: #22c55e; font-weight: bold; }
.fail { color: #ef4444; font-weight: bold; }
.pending { color: #f59e0b; font-weight: bold; }
.active { color: #3b82f6; font-weight: bold; }
.status-complete { color: #22c55e; font-weight: bold; }
.status-inprogress { color: #3b82f6; font-weight: bold; }
.status-blocked { color: #ef4444; font-weight: bold; }
.status-pending { color: #f59e0b; font-weight: bold; }
.status-notstarted { color: #94a3b8; font-weight: bold; font-style: italic; }
.priority-critical { background-color: #fef2f2; border-left: 4px solid #ef4444; padding: 0.5em; margin: 0.5em 0; }
.priority-high { background-color: #fef9c3; border-left: 4px solid #f59e0b; padding: 0.5em; margin: 0.5em 0; }
.priority-normal { background-color: #f0f9ff; border-left: 4px solid #3b82f6; padding: 0.5em; margin: 0.5em 0; }
</style>
++++