Documentation
¶
Overview ¶
Package auditx defines durable audit recording contracts.
auditx is separate from logx. logx emits operational telemetry; auditx writes append-only security records for authentication, authorization and privileged business mutations. Implementations can write to PostgreSQL, Kafka, ClickHouse, object storage or another compliance pipeline.
Package auditx defines Kernel's durable security audit contracts.
Index ¶
- Constants
- func ErrInvalidRecord(message string) error
- func ErrStoreFailed(message string, cause error) error
- func Validate(record Record) error
- type Actor
- type AttributeSet
- type AuditLogModel
- type MemoryStore
- type PostgresStore
- type QueryFilter
- type Queryer
- type Record
- type Recorder
- type Resource
- type Store
Constants ¶
const ( CodeInvalidRecord = errorx.Code("AUDITX_INVALID_RECORD") CodeStoreFailed = errorx.Code("AUDITX_STORE_FAILED") )
const ( ResultSuccess = "success" ResultDenied = "denied" ResultFailure = "failure" )
const ( SeverityInfo = "info" SeverityWarning = "warning" SeverityCritical = "critical" )
Variables ¶
This section is empty.
Functions ¶
func ErrInvalidRecord ¶
func ErrStoreFailed ¶
Types ¶
type AttributeSet ¶
type AuditLogModel ¶ added in v0.4.4
type AuditLogModel struct {
ID string `gorm:"column:id;primaryKey"`
ActorType string `gorm:"column:actor_type;not null"`
ActorID string `gorm:"column:actor_id;not null"`
TechnicalActor string `gorm:"column:technical_actor"`
Action string `gorm:"column:action;not null"`
ResourceType string `gorm:"column:resource_type"`
ResourceID string `gorm:"column:resource_id"`
Result string `gorm:"column:result;not null"`
Reason string `gorm:"column:reason"`
RequestID string `gorm:"column:request_id"`
TraceID string `gorm:"column:trace_id"`
IP string `gorm:"column:ip"`
UserAgent string `gorm:"column:user_agent"`
Metadata json.RawMessage `gorm:"column:metadata;type:jsonb"`
CreatedAt time.Time `gorm:"column:created_at;autoCreateTime"`
}
AuditLogModel is the GORM model for the iam_audit_logs table.
func (AuditLogModel) TableName ¶ added in v0.4.4
func (AuditLogModel) TableName() string
type MemoryStore ¶
type MemoryStore struct {
// contains filtered or unexported fields
}
func NewMemoryStore ¶
func NewMemoryStore() *MemoryStore
func (*MemoryStore) Query ¶
func (s *MemoryStore) Query(ctx context.Context, filter QueryFilter) ([]Record, error)
type PostgresStore ¶ added in v0.4.4
type PostgresStore struct {
// contains filtered or unexported fields
}
PostgresStore implements auditx.Store backed by PostgreSQL via dbx.
func NewPostgresStore ¶ added in v0.4.4
func NewPostgresStore(db dbx.DB) *PostgresStore
NewPostgresStore creates a new PostgresStore.
func (*PostgresStore) EnsureTable ¶ added in v0.4.4
func (s *PostgresStore) EnsureTable(ctx context.Context) error
EnsureTable creates the audit_logs table if it does not exist.
func (*PostgresStore) Query ¶ added in v0.4.4
func (s *PostgresStore) Query(ctx context.Context, filter QueryFilter) ([]Record, error)
type QueryFilter ¶
type Queryer ¶
type Queryer interface {
Query(ctx context.Context, filter QueryFilter) ([]Record, error)
}
type Record ¶
type Record struct {
ID string
Time time.Time
Action string
Result string
Severity string
Reason string
Actor Actor
Resource Resource
RequestID string
TraceID string
ClientIP string
UserAgent string
Metadata AttributeSet
}
Record is append-only security evidence. Updates/deletes should create new records rather than mutating previous ones.
type Recorder ¶
Recorder writes durable audit records. Implementations must be safe for concurrent use. Hot-path code should depend on this interface only.