Skip to content

Commit 376f960

Browse files
authored
Merge pull request #2 from ncode/juliano/development
update readme and update development setup
2 parents 5a9a746 + c92b324 commit 376f960

12 files changed

Lines changed: 285 additions & 139 deletions

File tree

.github/workflows/ci.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
name: Test and coverage
2+
3+
on: [push, pull_request]
4+
5+
jobs:
6+
build:
7+
runs-on: ubuntu-latest
8+
steps:
9+
- uses: actions/checkout@v4
10+
with:
11+
fetch-depth: 2
12+
- uses: actions/setup-go@v4
13+
with:
14+
go-version: '1.23'
15+
- name: Run coverage
16+
run: go test -coverpkg=./... ./... -race -coverprofile=coverage.out -covermode=atomic
17+
- name: Upload coverage to Codecov
18+
uses: codecov/codecov-action@v4
19+
with:
20+
verbose: true
21+
env:
22+
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql.yml

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
# For most projects, this workflow file will not need changing; you simply need
2+
# to commit it to your repository.
3+
#
4+
# You may wish to alter this file to override the set of languages analyzed,
5+
# or to provide custom queries or build logic.
6+
#
7+
# ******** NOTE ********
8+
# We have attempted to detect the languages in your repository. Please check
9+
# the `language` matrix defined below to confirm you have the correct set of
10+
# supported CodeQL languages.
11+
#
12+
name: "CodeQL"
13+
14+
on:
15+
push:
16+
branches: [ "main" ]
17+
pull_request:
18+
# The branches below must be a subset of the branches above
19+
branches: [ "main" ]
20+
schedule:
21+
- cron: '35 15 * * 3'
22+
23+
jobs:
24+
analyze:
25+
name: Analyze
26+
runs-on: ubuntu-latest
27+
permissions:
28+
actions: read
29+
contents: read
30+
security-events: write
31+
32+
strategy:
33+
fail-fast: false
34+
matrix:
35+
language: [ 'go' ]
36+
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
37+
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
38+
39+
steps:
40+
- name: Checkout repository
41+
uses: actions/checkout@v4
42+
43+
# Initializes the CodeQL tools for scanning.
44+
- name: Initialize CodeQL
45+
uses: github/codeql-action/init@v3
46+
with:
47+
languages: ${{ matrix.language }}
48+
# If you wish to specify custom queries, you can do so here or in a config file.
49+
# By default, queries listed here will override any specified in a config file.
50+
# Prefix the list here with "+" to use these queries and those in the config file.
51+
52+
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
53+
# queries: security-extended,security-and-quality
54+
55+
56+
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
57+
# If this step fails, then you should remove it and run the build manually (see below)
58+
- name: Autobuild
59+
uses: github/codeql-action/autobuild@v3
60+
61+
# ℹ️ Command-line programs to run using the OS shell.
62+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
63+
64+
# If the Autobuild fails above, remove it and uncomment the following three lines.
65+
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
66+
67+
# - run: |
68+
# echo "Run, Build Application using script"
69+
# ./location_of_script_within_repo/buildscript.sh
70+
71+
- name: Perform CodeQL Analysis
72+
uses: github/codeql-action/analyze@v3
73+
with:
74+
category: "/language:${{matrix.language}}"

.github/workflows/go.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# This workflow will build a golang project
2+
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
3+
4+
name: Go
5+
6+
on:
7+
push:
8+
branches: [ "main" ]
9+
pull_request:
10+
branches: [ "main" ]
11+
12+
jobs:
13+
14+
build:
15+
runs-on: ubuntu-latest
16+
steps:
17+
- uses: actions/checkout@v4
18+
19+
- name: Set up Go
20+
uses: actions/setup-go@v4
21+
with:
22+
go-version: '1.23'
23+
24+
- name: Build
25+
run: go build -v ./...
26+
27+
- name: Test
28+
run: go test -v ./...

.gitignore

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,3 +26,7 @@ go.work.sum
2626

2727
# idea
2828
.idea
29+
30+
# ignore the log directory
31+
32+
configs/development/logs/

README.md

Lines changed: 157 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,157 @@
1-
# vault-audit-filter
2-
A lightweight tool designed to receive audit events from the vault and apply filtering using a rule-based engine
1+
[![Go Report Card](https://goreportcard.com/badge/github.com/ncode/vault-audit-filter)](https://goreportcard.com/report/github.com/ncode/vault-audit-filter)
2+
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
3+
[![codecov](https://codecov.io/gh/ncode/vault-audit-filter/graph/badge.svg?token=PTW9OYF19R)](https://codecov.io/gh/ncode/vault-audit-filter)
4+
5+
# Vault Audit Filter
6+
7+
`vault-audit-filter` is a Go-based tool designed to filter and log HashiCorp Vault audit logs based on configurable rules. It provides fine-grained control over how Vault audit events are processed and categorized, allowing you to capture critical events while reducing noise from routine operations.
8+
9+
## Features
10+
11+
- **Configurable Rule-Based Filtering**: Define rules to match specific audit events, such as read, write, delete, or specific paths in Vault.
12+
- **Multiple Rule Groups**: Organize rules into groups and log them to separate files.
13+
- **Dynamic Logging**: Log audit events to specified files with log rotation and size limits.
14+
- **Supports Multiple Operations**: Filters common Vault operations, including KV operations, metadata updates, and deletion events.
15+
- **Performance-Oriented**: Built with `gnet` to handle high concurrency.
16+
17+
## Table of Contents
18+
19+
- [Getting Started](#getting-started)
20+
- [Installation](#installation)
21+
- [Configuration](#configuration)
22+
- [Usage](#usage)
23+
- [Testing](#testing)
24+
- [Contributing](#contributing)
25+
- [License](#license)
26+
27+
## Getting Started
28+
29+
These instructions will help you set up and run `vault-audit-filter` on your local machine.
30+
31+
### Prerequisites
32+
33+
- **Go**: Ensure you have Go 1.21 or later installed. You can download it here: <https://golang.org/dl/>
34+
- **Vault**: You should have HashiCorp Vault installed and configured. Instructions can be found here: <https://www.vaultproject.io/docs/install>
35+
36+
### Installation
37+
38+
Clone the repository:
39+
40+
git clone https://github.com/ncode/vault-audit-filter.git
41+
cd vault-audit-filter
42+
43+
### Build the Project
44+
45+
To build the binary:
46+
47+
go build -o vault-audit-filter .
48+
49+
### Running the Application
50+
51+
Once you have built the project, you can run the `vault-audit-filter` executable:
52+
53+
./vault-audit-filter --config config.yaml
54+
55+
## Configuration
56+
57+
`vault-audit-filter` uses a YAML-based configuration file that allows you to define rule groups, specify logging files, and configure Vault settings.
58+
59+
### Sample Configuration (`config.yaml`)
60+
61+
vault:
62+
address: "http://127.0.0.1:8200"
63+
token: "your-vault-token"
64+
audit_path: "/vault-audit-filter"
65+
audit_address: "127.0.0.1:1269"
66+
audit_description: "Vault Audit Filter Device"
67+
68+
rule_groups:
69+
- name: "normal_operations"
70+
rules:
71+
- 'Request.Operation in ["read", "update"] && Request.Path startsWith "secret/data/" && Auth.PolicyResults.Allowed == true'
72+
log_file:
73+
file_path: "/var/log/vault_normal_operations.log"
74+
max_size: 100 # Max size in MB
75+
max_backups: 5 # Max number of backup files
76+
max_age: 30 # Max age in days
77+
compress: true # Compress rotated files
78+
79+
- name: "critical_events"
80+
rules:
81+
- 'Request.Operation == "delete" && Auth.PolicyResults.Allowed == true'
82+
- 'Request.Path startsWith "secret/metadata/" && Auth.PolicyResults.Allowed == true'
83+
log_file:
84+
file_path: "/var/log/vault_critical_events.log"
85+
max_size: 100
86+
max_backups: 5
87+
max_age: 30
88+
compress: true
89+
90+
### Configuration Parameters
91+
92+
- **Vault Settings**:
93+
- `vault.address`: The address of your Vault instance.
94+
- `vault.token`: Vault token for authentication.
95+
- `vault.audit_path`: The path for Vault's audit device.
96+
- `vault.audit_address`: The address for receiving audit logs.
97+
- `vault.audit_description`: Description for the Vault audit device.
98+
99+
- **Rule Groups**:
100+
- `rule_groups.name`: The name of the rule group.
101+
- `rule_groups.rules`: A list of expressions using `expr` to define rules for audit log filtering.
102+
- `log_file.file_path`: The file path where matching logs will be written.
103+
- `log_file.max_size`: The maximum size of the log file in MB before rotation.
104+
- `log_file.max_backups`: The number of backup logs to keep.
105+
- `log_file.max_age`: The maximum number of days to retain logs.
106+
- `log_file.compress`: Whether to compress the old log files.
107+
108+
### Rule Syntax
109+
110+
Rules are written using the `expr` language, a simple and safe expression language for Go. Rules can be based on the following properties of audit logs:
111+
112+
- `Request.Operation`: The type of operation (`read`, `update`, `delete`, etc.).
113+
- `Request.Path`: The Vault path being accessed.
114+
- `Auth.PolicyResults.Allowed`: Whether the operation was allowed.
115+
116+
**Example Rule**:
117+
118+
'Request.Operation == "update" && Request.Path startsWith "secret/data/" && Auth.PolicyResults.Allowed == true'
119+
120+
## Usage
121+
122+
To run `vault-audit-filter` with your configuration file, use:
123+
124+
```bash
125+
$ ./vault-audit-filter --config config.yaml
126+
```
127+
128+
### Command-Line Options
129+
130+
- `--config`: Specify the path to the configuration file (default is `config.yaml`).
131+
- `--log-level`: Set the logging level (`debug`, `info`, `warn`, `error`).
132+
133+
### Environment Variables
134+
135+
You can also define environment variables to override configuration file values. For example:
136+
137+
```bash
138+
$ export VAULT_ADDRESS="http://127.0.0.1:8200"
139+
$ export VAULT_TOKEN="your-vault-token"
140+
```
141+
142+
### Development
143+
144+
For development purposes, you can use the provided Makefile located at `configs/development/Makefile` to build and run the project using Docker and Docker Compose. This is how I test my changes and have a playground of sorts.
145+
146+
## Contributing
147+
148+
We welcome contributions from the community!
149+
Before submitting a pull request, ensure that:
150+
151+
- The code compiles without errors.
152+
- All tests pass.
153+
- Your changes are well-documented.
154+
155+
## License
156+
157+
This project is licensed under the Apache License, Version 2.0. See the `LICENSE` file for details.

0 commit comments

Comments
 (0)