Context
LogLens currently keeps authentication evidence, privilege command evidence, and parser uncertainty as separate review surfaces. For example, an accepted login, a sudo burst, and a sudo/su authentication failure can all be parsed and reported, but the tool does not infer that one caused another.
This matches the rule catalog boundary: findings are triage signals, not compromise verdicts or session-causality claims.
Implementation surfaces related to this boundary:
src/detector.cpp
src/signal.cpp
docs/rule-catalog.md
docs/case-study-linux-auth-bruteforce.md
Short-term stance
Do not implement login-to-sudo, login-to-su, or SSH-to-privilege causality correlation in the short term.
Decision question
Should LogLens ever introduce a session-correlation layer that links accepted logins, TTY/session records, sudo commands, and privilege auth failures into one higher-level episode?
Why not now
The current normalized events do not provide enough stable evidence to claim causality safely across distributions and log formats. A robust design would need to reason about at least:
- host identity
- username normalization
- TTY/session tokens
- timestamps and idle gaps
- accepted login source IPs
- sudo/su actor and target user semantics
- missing or unsupported session-close records
Without that, correlation could overstate what the logs prove.
Future acceptance bar
Before implementation, require:
- a design note that separates correlation from incident verdicts
- sanitized multi-event fixtures with both positive and negative examples
- report fields that expose correlation evidence and uncertainty explicitly
- tests proving unsupported lines do not silently bridge causality gaps
- rollback path that can disable correlation without changing parser behavior
Non-goals
- No compromise verdicts
- No attribution
- No cross-host incident reconstruction
- No SIEM replacement behavior
Context
LogLens currently keeps authentication evidence, privilege command evidence, and parser uncertainty as separate review surfaces. For example, an accepted login, a sudo burst, and a sudo/su authentication failure can all be parsed and reported, but the tool does not infer that one caused another.
This matches the rule catalog boundary: findings are triage signals, not compromise verdicts or session-causality claims.
Implementation surfaces related to this boundary:
src/detector.cppsrc/signal.cppdocs/rule-catalog.mddocs/case-study-linux-auth-bruteforce.mdShort-term stance
Do not implement login-to-sudo, login-to-su, or SSH-to-privilege causality correlation in the short term.
Decision question
Should LogLens ever introduce a session-correlation layer that links accepted logins, TTY/session records, sudo commands, and privilege auth failures into one higher-level episode?
Why not now
The current normalized events do not provide enough stable evidence to claim causality safely across distributions and log formats. A robust design would need to reason about at least:
Without that, correlation could overstate what the logs prove.
Future acceptance bar
Before implementation, require:
Non-goals