Skip to content

feat(signal): expose privilege auth audit signals#99

Merged
stacknil merged 1 commit into
mainfrom
stacknil/privilege-auth-signals
Jul 12, 2026
Merged

feat(signal): expose privilege auth audit signals#99
stacknil merged 1 commit into
mainfrom
stacknil/privilege-auth-signals

Conversation

@stacknil

Copy link
Copy Markdown
Owner

Summary

  • expose parsed sudo auth failure, sudo policy denied, and su auth failure events as audit-only auth signals
  • keep all detector-counting flags false for these privilege auth signals
  • add a detector/signal regression test proving visibility without new findings

Tests

  • cmake --build build --config Debug --target test_detector
  • ctest --test-dir build -C Debug --output-on-failure -R "^detector$"
  • cmake --build build --config Debug
  • ctest --test-dir build -C Debug --output-on-failure
  • git diff --check
  • privacy/security string scan on touched files

@stacknil

Copy link
Copy Markdown
Owner Author

Post-CI maintainer note:

  • Design decision: expose parsed sudo auth failure, sudo policy denied, and su auth failure as audit-only AuthSignal kinds instead of feeding them into existing detector counters.
  • Main risk: downstream code that assumed these parsed events produced no signal may now see additional non-counting signals; detector findings remain unchanged by test coverage.
  • Compatibility impact: no CLI/report schema change and no rule-threshold behavior change.
  • Rollback path: revert commit a4b6aaa to remove the three signal mappings and their regression test.

@stacknil stacknil merged commit a1781a9 into main Jul 12, 2026
11 checks passed
@stacknil stacknil deleted the stacknil/privilege-auth-signals branch July 12, 2026 06:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant