Skip to content

Commit 03b1602

Browse files
authored
Merge branch 'main' into dependabot/github_actions/actions/checkout-7.0.0
2 parents f2cd930 + a65be8a commit 03b1602

31 files changed

Lines changed: 1113 additions & 43 deletions

.gitattributes

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
*.h text eol=lf
66
*.md text eol=lf
77
*.json text eol=lf
8+
*.toml text eol=lf
89
*.yml text eol=lf
910
*.yaml text eol=lf
1011
*.txt text eol=lf

.github/workflows/codeql.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ jobs:
2323
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2424

2525
- name: Initialize CodeQL
26-
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
26+
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
2727
with:
2828
languages: c-cpp
2929

@@ -34,4 +34,4 @@ jobs:
3434
run: cmake --build build --config Release
3535

3636
- name: Analyze
37-
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
37+
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
name: Repo Sentinel
2+
3+
on:
4+
push:
5+
pull_request:
6+
workflow_dispatch:
7+
8+
permissions:
9+
contents: read
10+
11+
jobs:
12+
repo-sentinel:
13+
name: Repo Sentinel
14+
runs-on: ubuntu-latest
15+
16+
steps:
17+
- name: Checkout
18+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19+
20+
- name: Set up Python
21+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
22+
with:
23+
python-version: "3.14"
24+
25+
- name: Install repo-sentinel-lite
26+
run: |
27+
python -m venv "$RUNNER_TEMP/repo-sentinel-venv"
28+
"$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install --upgrade pip
29+
"$RUNNER_TEMP/repo-sentinel-venv/bin/python" -m pip install repo-sentinel-lite
30+
31+
- name: Run repository hygiene gate
32+
run: |
33+
"$RUNNER_TEMP/repo-sentinel-venv/bin/repo-sentinel" scan \
34+
--fail-on-severity error \
35+
--format text \
36+
.

.reposentinel.toml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
# LogLens uses repo-sentinel-lite as a narrow hygiene gate:
2+
# required repository files plus accidental sensitive filenames.
3+
#
4+
# High-entropy content scanning is intentionally disabled here so fixture logs
5+
# and C++ build outputs do not affect this gate.
6+
max_text_file_size = 0
7+
entropy_threshold = 999.0
8+
9+
ignore_globs = [
10+
"build/**",
11+
"build_manual*",
12+
"out/**",
13+
"report.md",
14+
"report.json",
15+
"*.exe",
16+
"CMakeFiles",
17+
"CMakeFiles/**",
18+
"CMakeCache.txt",
19+
"cmake_install.cmake",
20+
"compile_commands.json",
21+
"*.vcxproj.user",
22+
]

CHANGELOG.md

Lines changed: 42 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,11 +6,7 @@ All notable user-visible changes should be recorded here.
66

77
### Added
88

9-
- Added sanitized golden `report.md` / `report.json` regression fixtures to lock report contracts.
10-
- Added `schema` and `schema_version` fields to `report.json` so downstream tooling can identify the report artifact contract.
11-
- Expanded parser coverage for `Accepted publickey` and selected `pam_faillock` / `pam_sss` variants.
12-
- Added compact host-level summaries for multi-host reports.
13-
- Added optional CSV export for findings and warnings when explicitly requested.
9+
- None yet.
1410

1511
### Changed
1612

@@ -24,6 +20,47 @@ All notable user-visible changes should be recorded here.
2420

2521
- None yet.
2622

23+
## v0.5.0
24+
25+
### Added
26+
27+
- Stabilized the JSON report artifact contract as `loglens.report.v2` with
28+
`schema_version` set to `2`.
29+
- Added finding explainability fields to JSON findings, including `rule_id`,
30+
`subject_kind`, `subject`, `grouping_key`, `window_start`, `window_end`,
31+
`threshold`, `observed_count`, `evidence_event_ids`, and `verdict_boundary`.
32+
- Added sanitized golden `report.md`, `report.json`, `findings.csv`, and
33+
`warnings.csv` regression fixtures to lock report contracts.
34+
- Added a 150-line sanitized mixed auth corpus fixture covering Ubuntu /
35+
Debian-style `auth.log`, RHEL-family `secure`-style syslog, unknown lines,
36+
malformed source IPs, and blank-line handling.
37+
- Added a reviewer-facing parser coverage JSON artifact for the mixed auth
38+
corpus.
39+
40+
### Changed
41+
42+
- Made parser coverage telemetry and finding explainability part of the
43+
release-facing review path instead of internal-only implementation detail.
44+
45+
### Fixed
46+
47+
- None.
48+
49+
### Docs
50+
51+
- Added release notes for the v0.5 Evidence Explainability Release.
52+
- Added a release readiness checklist that maps v0.5 requirements to reviewer
53+
evidence and stopping points.
54+
- Added a one-page incident-style case that traces raw SSH evidence through
55+
normalized events and finding fields to a bounded conclusion.
56+
- Added a rule-by-rule false-positive taxonomy for NAT, bastion, internal scanner,
57+
lab replay, scheduled admin task, and shared-account contexts.
58+
- Added forensic-style case-study coverage for Linux auth brute-force evidence
59+
interpretation.
60+
- Expanded the parser conformance matrix with explicit Ubuntu / Debian
61+
`auth.log`, RHEL-family `secure`, `journalctl --output=short-full`, `sshd`,
62+
`sudo`, `pam_unix`, `pam_faillock`, and `pam_sss` style coverage.
63+
2764
## v0.4.0
2865

2966
### Added

README.md

Lines changed: 15 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -9,25 +9,32 @@ It parses `auth.log` / `secure`-style syslog input and `journalctl --output=shor
99

1010
## Example Finding
1111

12-
A compact finding summary is a bounded triage signal, not attribution:
12+
A compact finding summary is a bounded triage signal, not a compromise verdict
13+
or attribution:
1314

1415
```json
1516
{
1617
"rule_id": "brute_force",
1718
"subject_kind": "source_ip",
18-
"subject": "198.51.100.23",
19-
"window": "10m",
19+
"subject": "203.0.113.10",
20+
"grouping_key": "source_ip",
21+
"window_start": "2026-03-10 08:11:22",
22+
"window_end": "2026-03-10 08:18:05",
2023
"threshold": 5,
21-
"observed": 8,
22-
"verdict_boundary": "triage_signal_not_attribution"
24+
"observed_count": 5,
25+
"evidence_event_ids": ["line:1", "line:2", "line:3", "line:4", "line:5"],
26+
"verdict_boundary": "triage_signal_not_compromise_or_attribution"
2327
}
2428
```
2529

2630
## Project Status
2731

2832
LogLens is an MVP / early release. The repository is stable enough for public review, local experimentation, and extension, but the parser and detection coverage are intentionally narrow.
2933

30-
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`quality gates map`](./docs/quality-gates.md). For detection reasoning, read the forensic-style [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md) and the [`rule catalog`](./docs/rule-catalog.md). For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
34+
Reviewing the project quickly? Start with [`docs/reviewer-path.md`](./docs/reviewer-path.md), [`docs/reviewer-brief.md`](./docs/reviewer-brief.md), and the [`v0.5 Evidence Explainability release note`](./docs/release-v0.5.0.md). The [`quality gates map`](./docs/quality-gates.md) links claims to tests and fixtures. For detection reasoning, follow the [`one-page incident-style case`](./docs/incident-style-case.md), then use the full [`Linux auth brute-force case study`](./docs/case-study-linux-auth-bruteforce.md), [`rule catalog`](./docs/rule-catalog.md), and [`false-positive taxonomy`](./docs/false-positive-taxonomy.md) for depth. For local scale expectations, see the [`performance envelope`](./docs/performance-envelope.md).
35+
36+
For a shorter external review entry point focused on uncertainty handling, read
37+
[How LogLens Treats Parser Uncertainty as Evidence](./docs/case-study-parser-uncertainty-as-evidence.md).
3138

3239
## Why This Project Exists
3340

@@ -54,7 +61,7 @@ LogLens includes two minimal GitHub Actions workflows:
5461
- `CI` builds and tests the project on `ubuntu-latest` and `windows-latest`
5562
- `CodeQL` runs GitHub code scanning for C/C++ on pushes, pull requests, and a weekly schedule
5663

57-
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
64+
Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), [`docs/release-v0.5.0.md`](./docs/release-v0.5.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md).
5865

5966
## Threat Model
6067

@@ -111,7 +118,7 @@ classes: `unknown_timestamp`, `unknown_program`,
111118
`known_program_unknown_message`, `malformed_source_ip`, and
112119
`unsupported_pam_variant`.
113120

114-
For rule-by-rule semantics and signal boundaries, see [`docs/rule-catalog.md`](./docs/rule-catalog.md). For a forensic-style evidence walkthrough, see [`docs/case-study-linux-auth-bruteforce.md`](./docs/case-study-linux-auth-bruteforce.md). For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md). For the deliberately noisy parser-coverage sample, see [`docs/parser-coverage-notes.md`](./docs/parser-coverage-notes.md).
121+
For a compact raw-log-to-conclusion trace, see [`docs/incident-style-case.md`](./docs/incident-style-case.md). For rule-by-rule semantics and signal boundaries, see [`docs/rule-catalog.md`](./docs/rule-catalog.md). For benign-context hypotheses and the evidence needed to support them, see [`docs/false-positive-taxonomy.md`](./docs/false-positive-taxonomy.md). For a full forensic-style evidence walkthrough, see [`docs/case-study-linux-auth-bruteforce.md`](./docs/case-study-linux-auth-bruteforce.md). For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md). For the deliberately noisy parser-coverage sample, see [`docs/parser-coverage-notes.md`](./docs/parser-coverage-notes.md).
115122

116123
LogLens does not currently detect:
117124

0 commit comments

Comments
 (0)