Skip to content

Backlog: defer login-to-privilege session causality correlation #101

Description

@stacknil

Context

LogLens currently keeps authentication evidence, privilege command evidence, and parser uncertainty as separate review surfaces. For example, an accepted login, a sudo burst, and a sudo/su authentication failure can all be parsed and reported, but the tool does not infer that one caused another.

This matches the rule catalog boundary: findings are triage signals, not compromise verdicts or session-causality claims.

Implementation surfaces related to this boundary:

  • src/detector.cpp
  • src/signal.cpp
  • docs/rule-catalog.md
  • docs/case-study-linux-auth-bruteforce.md

Short-term stance

Do not implement login-to-sudo, login-to-su, or SSH-to-privilege causality correlation in the short term.

Decision question

Should LogLens ever introduce a session-correlation layer that links accepted logins, TTY/session records, sudo commands, and privilege auth failures into one higher-level episode?

Why not now

The current normalized events do not provide enough stable evidence to claim causality safely across distributions and log formats. A robust design would need to reason about at least:

  • host identity
  • username normalization
  • TTY/session tokens
  • timestamps and idle gaps
  • accepted login source IPs
  • sudo/su actor and target user semantics
  • missing or unsupported session-close records

Without that, correlation could overstate what the logs prove.

Future acceptance bar

Before implementation, require:

  • a design note that separates correlation from incident verdicts
  • sanitized multi-event fixtures with both positive and negative examples
  • report fields that expose correlation evidence and uncertainty explicitly
  • tests proving unsupported lines do not silently bridge causality gaps
  • rollback path that can disable correlation without changing parser behavior

Non-goals

  • No compromise verdicts
  • No attribution
  • No cross-host incident reconstruction
  • No SIEM replacement behavior

Metadata

Metadata

Assignees

No one assigned

    Labels

    detectorDetector semantics and analysis logicenhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions