audit

package
Published: Feb 11, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package audit provides security audit functionality for OPNsense configurations against industry-standard compliance frameworks through a plugin-based architecture.

Package audit provides security audit functionality for OPNsense configurations against industry-standard compliance frameworks through a plugin-based architecture.

Index

Constants

This section is empty.

Variables

// Sentinel errors returned by this package. Callers should match them with
// errors.Is rather than comparing message strings.
var (
	// ErrModeConfigNil is returned when the mode configuration is nil.
	ErrModeConfigNil = errors.New("mode config cannot be nil")
	// ErrUnsupportedMode is returned when an unsupported report mode is specified.
	ErrUnsupportedMode = errors.New("unsupported report mode")
	// ErrPluginNotFound is returned when a requested compliance plugin cannot be found.
	ErrPluginNotFound = errors.New("plugin not found")
	// ErrConfigurationNil is returned when the OPNsense configuration is nil.
	ErrConfigurationNil = errors.New("configuration cannot be nil")
)

Sentinel errors returned by this package; callers can match them with errors.Is rather than comparing message strings.

Functions

func GetGlobalPlugin

func GetGlobalPlugin(name string) (plugin.CompliancePlugin, error)

GetGlobalPlugin retrieves a plugin from the global registry.

func ListGlobalPlugins

func ListGlobalPlugins() []string

ListGlobalPlugins returns all plugins in the global registry.

func RegisterGlobalPlugin

func RegisterGlobalPlugin(p plugin.CompliancePlugin) error

RegisterGlobalPlugin registers a plugin with the global registry.

Types

type AttackSurface

type AttackSurface struct {
	// Type classifies the surface; serialized as "type". The set of valid
	// values is not visible here — confirm against the producing plugin.
	Type            string   `json:"type"`
	// Ports lists port numbers associated with this surface; serialized as "ports".
	Ports           []int    `json:"ports"`
	// Services lists service names associated with this surface; serialized as "services".
	Services        []string `json:"services"`
	// Vulnerabilities lists free-form vulnerability entries; serialized as
	// "vulnerabilities". NOTE(review): the entry format (identifier vs.
	// description) is not visible here — confirm before consumers parse it.
	Vulnerabilities []string `json:"vulnerabilities"`
}

AttackSurface represents attack surface information for red team findings.

type ComplianceResult

type ComplianceResult struct {
	// Findings holds every finding produced by the plugins that ran.
	Findings   []plugin.Finding           `json:"findings"`
	// Compliance is a nested map of boolean results. Presumably keyed by
	// plugin name, then control ID — confirm against RunComplianceChecks.
	Compliance map[string]map[string]bool `json:"compliance"`
	// Summary carries aggregate counts; may be nil — callers should check.
	Summary    *ComplianceSummary         `json:"summary"`
	// PluginInfo describes each plugin that contributed, keyed by plugin name
	// (assumed from PluginInfo.Name — confirm).
	PluginInfo map[string]PluginInfo      `json:"pluginInfo"`
}

ComplianceResult represents the complete result of compliance checks.

type ComplianceSummary

type ComplianceSummary struct {
	// TotalFindings is the number of findings across all plugins.
	TotalFindings    int                         `json:"totalFindings"`
	// CriticalFindings, HighFindings, MediumFindings and LowFindings break
	// TotalFindings down by severity. NOTE(review): whether they sum to
	// TotalFindings (i.e. no other severity levels exist) is not visible here.
	CriticalFindings int                         `json:"criticalFindings"`
	HighFindings     int                         `json:"highFindings"`
	MediumFindings   int                         `json:"mediumFindings"`
	LowFindings      int                         `json:"lowFindings"`
	// PluginCount is the number of plugins that contributed to this summary.
	PluginCount      int                         `json:"pluginCount"`
	// Compliance holds per-plugin compliance statistics, keyed by plugin name
	// (assumed — confirm against the producer).
	Compliance       map[string]PluginCompliance `json:"compliance"`
}

ComplianceSummary provides summary statistics.

type Finding

type Finding struct {
	// Title is a short, human-readable name for the finding.
	Title          string             `json:"title"`
	// Severity is the processor-level severity assigned to the finding.
	Severity       processor.Severity `json:"severity"`
	// Description explains what was observed.
	Description    string             `json:"description"`
	// Recommendation describes the remediation the reader should apply.
	Recommendation string             `json:"recommendation"`
	// Tags carries free-form labels for filtering and grouping.
	Tags           []string           `json:"tags"`
	// AttackSurface is populated for red-team (ModeRed) findings and omitted
	// from JSON when nil.
	AttackSurface  *AttackSurface     `json:"attackSurface,omitempty"`
	// ExploitNotes is free text; omitted from JSON when empty. NOTE(review):
	// presumably only set in ModeRed — confirm, and treat report output
	// containing it as sensitive.
	ExploitNotes   string             `json:"exploitNotes,omitempty"`
	// Component names the configuration component the finding applies to.
	Component      string             `json:"component"`
	// Control is the compliance control ID, when the finding came from a
	// compliance plugin (see plugin.Control); omitted from JSON when empty.
	Control        string             `json:"control,omitempty"`
}

Finding represents a security finding or audit result.

type ModeConfig

type ModeConfig struct {
	// Mode selects the report type; see ModeStandard, ModeBlue and ModeRed.
	Mode            ReportMode
	// BlackhatMode toggles the attacker-oriented presentation of the report.
	BlackhatMode    bool
	// Comprehensive requests the fuller report variant.
	Comprehensive   bool
	// SelectedPlugins names the compliance plugins to run. Presumably matched
	// against PluginRegistry names — confirm; unknown names likely surface
	// as ErrPluginNotFound.
	SelectedPlugins []string
	// TemplateDir is a directory path. NOTE(review): assumed to hold report
	// templates read from disk — confirm, and keep it operator-controlled
	// since template content shapes the rendered output.
	TemplateDir     string
}

ModeConfig holds configuration options for report generation.

type ModeController

type ModeController struct {
	// contains filtered or unexported fields
	// Construct with NewModeController; whether the zero value is usable is
	// not documented — confirm before relying on it.
}

ModeController manages the generation of different types of audit reports based on the selected mode and configuration.

func NewModeController

func NewModeController(registry *PluginRegistry, logger *log.Logger) *ModeController

NewModeController creates a new mode controller with the given plugin registry and logger.

func (*ModeController) GenerateReport

func (mc *ModeController) GenerateReport(
	ctx context.Context,
	cfg *model.OpnSenseDocument,
	config *ModeConfig,
) (*Report, error)

GenerateReport generates an audit report based on the specified mode and configuration.

func (*ModeController) ValidateModeConfig

func (mc *ModeController) ValidateModeConfig(config *ModeConfig) error

ValidateModeConfig validates the mode configuration.

type PluginCompliance

type PluginCompliance struct {
	// Compliant is the number of controls that passed.
	Compliant    int `json:"compliant"`
	// NonCompliant is the number of controls that failed.
	NonCompliant int `json:"nonCompliant"`
	// Total is the number of controls evaluated. Presumably equals
	// Compliant + NonCompliant — confirm, since a "skipped" state would
	// break that identity.
	Total        int `json:"total"`
}

PluginCompliance represents compliance statistics for a single plugin.

type PluginInfo

type PluginInfo struct {
	// Name is the plugin's registry name.
	Name        string           `json:"name"`
	// Version is the plugin-reported version string.
	Version     string           `json:"version"`
	// Description is a human-readable summary of what the plugin checks.
	Description string           `json:"description"`
	// Controls lists the compliance controls the plugin implements.
	Controls    []plugin.Control `json:"controls"`
}

PluginInfo contains metadata about a plugin.

type PluginManager

type PluginManager struct {
	// contains filtered or unexported fields
	// Construct with NewPluginManager and call InitializePlugins before use;
	// zero-value usability is not documented — confirm.
}

PluginManager manages the lifecycle of compliance plugins.

func NewPluginManager

func NewPluginManager(logger *slog.Logger) *PluginManager

NewPluginManager creates a new plugin manager.

func (*PluginManager) GetPluginControlInfo

func (pm *PluginManager) GetPluginControlInfo(pluginName, controlID string) (*plugin.Control, error)

GetPluginControlInfo returns detailed information about a specific control.

func (*PluginManager) GetPluginStatistics

func (pm *PluginManager) GetPluginStatistics() map[string]any

GetPluginStatistics returns statistics about plugin usage and compliance.

func (*PluginManager) GetRegistry

func (pm *PluginManager) GetRegistry() *PluginRegistry

GetRegistry returns the plugin registry.

func (*PluginManager) InitializePlugins

func (pm *PluginManager) InitializePlugins(ctx context.Context) error

InitializePlugins initializes and registers all available plugins.

func (*PluginManager) ListAvailablePlugins

func (pm *PluginManager) ListAvailablePlugins(ctx context.Context) []PluginInfo

ListAvailablePlugins returns information about all available plugins.

func (*PluginManager) RunComplianceAudit

func (pm *PluginManager) RunComplianceAudit(
	ctx context.Context,
	config *model.OpnSenseDocument,
	pluginNames []string,
) (*ComplianceResult, error)

RunComplianceAudit runs compliance checks using the specified plugins.

func (*PluginManager) ValidatePluginConfiguration

func (pm *PluginManager) ValidatePluginConfiguration(pluginName string) error

ValidatePluginConfiguration validates the configuration of a specific plugin.

type PluginRegistry

type PluginRegistry struct {
	// contains filtered or unexported fields
	// Obtain via NewPluginRegistry or GetGlobalRegistry. GetGlobalRegistry
	// is documented as sync.Once-guarded; whether the methods themselves are
	// safe for concurrent use is not visible here — confirm.
}

PluginRegistry manages the registration and retrieval of compliance plugins.

func GetGlobalRegistry added in v1.1.0

func GetGlobalRegistry() *PluginRegistry

GetGlobalRegistry returns the global plugin registry instance, initializing it on first access using sync.Once for thread safety.

func NewPluginRegistry

func NewPluginRegistry() *PluginRegistry

NewPluginRegistry creates a new plugin registry.

func (*PluginRegistry) GetPlugin

func (pr *PluginRegistry) GetPlugin(name string) (plugin.CompliancePlugin, error)

GetPlugin retrieves a plugin by name.

func (*PluginRegistry) ListPlugins

func (pr *PluginRegistry) ListPlugins() []string

ListPlugins returns all registered plugin names.

func (*PluginRegistry) LoadDynamicPlugins

func (pr *PluginRegistry) LoadDynamicPlugins(ctx context.Context, dir string, logger *slog.Logger) error

LoadDynamicPlugins loads .so plugins from the specified directory and registers them. It is safe to call even if the directory does not exist. Because a loaded .so runs in-process with the caller's privileges, the directory should be one that only trusted operators can write to.

func (*PluginRegistry) RegisterPlugin

func (pr *PluginRegistry) RegisterPlugin(p plugin.CompliancePlugin) error

RegisterPlugin registers a compliance plugin.

func (*PluginRegistry) RunComplianceChecks

func (pr *PluginRegistry) RunComplianceChecks(
	config *model.OpnSenseDocument,
	pluginNames []string,
) (*ComplianceResult, error)

RunComplianceChecks runs compliance checks for the specified plugins.

type Report

type Report struct {
	// Mode is the ReportMode the report was generated in.
	Mode          ReportMode                  `json:"mode"`
	// BlackhatMode and Comprehensive echo the ModeConfig flags used.
	BlackhatMode  bool                        `json:"blackhatMode"`
	Comprehensive bool                        `json:"comprehensive"`
	// Configuration is the audited OPNsense document, serialized in full.
	// NOTE(review): if model.OpnSenseDocument carries credentials or keys
	// they will appear in the JSON output — confirm and treat report files
	// as sensitive accordingly.
	Configuration *model.OpnSenseDocument     `json:"configuration"`
	// Findings is the flat list of audit findings.
	Findings      []Finding                   `json:"findings"`
	// Compliance holds per-plugin compliance results, keyed by plugin name
	// (assumed — confirm).
	Compliance    map[string]ComplianceResult `json:"compliance"`
	// Metadata carries free-form key/value data about the run.
	Metadata      map[string]any              `json:"metadata"`
}

Report represents a comprehensive audit report with findings and analysis.

type ReportMode

// Valid values are ModeStandard, ModeBlue and ModeRed; convert user input
// with ParseReportMode rather than casting, so invalid strings are rejected.
type ReportMode string

ReportMode represents the different types of audit reports that can be generated.

// The ReportMode values defined by this package. ParseReportMode is expected
// to accept their string forms and reject anything else.
const (
	// ModeStandard represents a neutral, comprehensive documentation report.
	ModeStandard ReportMode = "standard"
	// ModeBlue represents a defensive audit report with security findings and recommendations.
	ModeBlue ReportMode = "blue"
	// ModeRed represents an attacker-focused recon report highlighting attack surfaces.
	ModeRed ReportMode = "red"
)

func ParseReportMode

func ParseReportMode(s string) (ReportMode, error)

ParseReportMode parses a string into a ReportMode, returning an error if invalid.

func (ReportMode) String

func (rm ReportMode) String() string

String returns the string representation of the ReportMode.
