- compose-service.shuffle-opensearch.json is the authored docker-compose.yml service block (yq-extracted); a profile-filtered docker compose config could not be used because soc-profile services depend_on wazuh.manager and profile filtering invalidates the project.
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=StrongPassword123! is a committed scenario fixture and is retained verbatim in evidence and SDL because it is TechVault scenario content.
- Capture used the already-running aptl project (soc profile up) per operator direction and did not run aptl lab stop -v && aptl lab start; this bundle is a steady-state observation of that local lab, not a clean-reset rebuild proof.
- shuffle-opensearch joins aptl-security with a DHCP address (the compose service declares no static ipv4_address) and publishes NO host ports; its current network identity is recorded in docker-inspect.container.json and docker-network.aptl-security.json.
- The shuffle_opensearch_data volume contents (/usr/share/opensearch/data) are runtime index state and out of manifest scope; only top-level directory rows are recorded in filesystem-tree.txt. Index-level state (indices, counts, mappings) is captured via the OpenSearch REST API in opensearch-state.txt and shuffle-opensearch-index-mappings.json instead.
- source-checksums.txt covers only docker-compose.yml; the shuffle-opensearch service has no repo-authored bind files (configuration is upstream-image defaults plus compose environment).
- filesystem-tree.txt.gz scopes the manifest to the application surfaces (/usr/share/opensearch config, bin, and modules/plugins listings, /etc/os-release) plus top-level directory rows for the volume-backed data tree.
- The Amazon Linux 2023 OpenSearch image ships no find(1) or xargs(1); the filesystem manifest and checksums are enumerated with the in-container python3 os.walk and computed with the in-container stat/sha256sum, producing the same column format as the precedents.
- filesystem-checksums.txt.xz covers the OpenSearch config and bin trees only; modules and plugins are recorded as manifest listing rows in filesystem-tree.txt.gz (no per-file checksums) and their integrity is evidenced by the registry image digest and the SBOMs.
- The OpenSearch (Amazon Linux 2023) image does not include ss or netstat; listener and outbound-connection evidence in runtime-baseline.txt falls back to raw /proc/net/tcp,tcp6,udp,udp6 tables, complemented by docker top and osquery namespace-sharing evidence. The REST/transport/perf-analyzer listeners are confirmed via the OpenSearch API in opensearch-state.txt.
- opensearch-state.txt captures the Security-plugin internal user database (_plugins/_security/api/internalusers) and roles mappings from the operator-credentialed REST vantage; bcrypt password hashes of the committed fixture credential are scenario content and retained per the repo secret-fixture policy.
- shuffle-opensearch-index-mappings.json captures per-index _mapping bodies for every index returned by _cat/indices, tagging each with the vantage used (_mapping for accessible indices; the operator _cluster/state/metadata vantage as a fallback for any reserved/system index whose _mapping returns a security_exception). The structured field schemas are encoded as ACES datastore mapping manifests (field counts, type census, schema digest per aces#468-470); the raw _mapping bodies remain evidence-only.
- Syft CycloneDX output was deterministically normalized by stripping syft:location:* properties; component identity remains and filesystem provenance is captured in filesystem-tree.txt.gz and filesystem-checksums.txt.xz.
- Trivy and Syft CycloneDX SBOM evidence is committed as deterministic gzip-compressed minified JSON to satisfy the repository's added-file size gate; compression is lossless.
- osquery apt_sources is Debian/Ubuntu-specific and does not describe the Amazon Linux 2023 OpenSearch target; RPM package state is captured in os-packages.txt and the SBOMs. Recorded as unavailable.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
