Skip to content

Commit 5557556

Browse files
committed
docs: polish v0.1.0 release materials
1 parent 56b5e14 commit 5557556

3 files changed

Lines changed: 115 additions & 25 deletions

File tree

README.md

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,17 @@
11
# systems-foundations
22

3-
Training ground for Linux and systems foundations projects.
3+
`systems-foundations` is a training repository for small, reviewable labs around Linux and systems fundamentals.
44

5-
## Projects
5+
The goal is to keep each lab narrow, deterministic, and easy to inspect end to end: input evidence, normalization, filtering, reporting, and notes that explain the basics without pretending to be a full platform.
66

7-
- `projects/linux-auth-observe`: deterministic mini-lab for normalizing and reviewing Linux auth evidence.
7+
## Current Mini-Lab
8+
9+
- `projects/linux-auth-observe`
10+
11+
`linux-auth-observe` is the first mini-lab in the repository. It focuses on Linux auth evidence from exported journald JSON lines plus distro auth syslog files, normalizes them into JSONL, supports simple filtering, and produces a Markdown summary report.
12+
13+
## Repository Shape
14+
15+
- `projects/`: focused mini-labs
16+
- `notes/`: short learning notes and schemas that support the labs
17+
- `.codex/`: local assistant configuration for this repository

docs/release-v0.1.0.md

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
# v0.1.0 Release Notes
2+
3+
## Title
4+
5+
First Credible Mini-Lab
6+
7+
## Summary
8+
9+
`systems-foundations` now has its first focused mini-lab: `projects/linux-auth-observe`.
10+
11+
This release packages a narrow, tested workflow for Linux auth evidence review:
12+
13+
- normalize supported journald and auth syslog fixtures into JSONL
14+
- filter normalized rows by `user`, `IP`, and `service`
15+
- generate a Markdown summary report
16+
- optionally emit structured parse failures as JSONL during normalization
17+
18+
## Included in v0.1.0
19+
20+
- support for exported journald JSON lines
21+
- support for Ubuntu or Debian `auth.log`
22+
- support for RHEL or CentOS `secure`
23+
- normalized JSONL output with preserved raw evidence
24+
- CLI workflow for `normalize`, `filter`, and `summary`
25+
- pytest coverage for parsing, CLI behavior, summary generation, golden regression, and syslog year rollover
26+
27+
## Validation Snapshot
28+
29+
- `pytest -q` passes in the current repository state
30+
- current tests cover all three supported fixture families
31+
- current tests cover `Dec 31 -> Jan 1` syslog rollover behavior
32+
- current tests cover optional `--error-output` generation for malformed lines
33+
34+
## Not in Scope
35+
36+
- `audit.log`
37+
- real-time monitoring or tailing
38+
- databases or storage backends
39+
- packaging or publishing workflows
40+
41+
## Notes
42+
43+
- Syslog timestamps are yearless and timezone-less in the source files, so v0.1.0 documents and tests the current year inference and rollover rules explicitly
44+
- `_PID` is preserved as contextual metadata when present, not as a standalone identity guarantee

projects/linux-auth-observe/README.md

Lines changed: 58 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -2,33 +2,69 @@
22

33
`linux-auth-observe` is a small deterministic mini-lab for normalizing Linux auth evidence into JSONL, filtering it, and generating a short Markdown report.
44

5-
## Scope
6-
7-
- Supported inputs in v0.1:
8-
- `journalctl --output=json` line-delimited exports
9-
- Ubuntu or Debian `auth.log`
10-
- RHEL or CentOS `secure`
11-
- Supported outputs:
12-
- normalized JSONL
13-
- filtered JSONL to stdout
14-
- Markdown summary report
15-
- Not included in v0.1:
16-
- `audit.log`
17-
- real-time tailing
18-
- databases
19-
- packaging or publishing workflows
20-
21-
## Quickstart
5+
## Supported Inputs
6+
7+
- `journalctl --output=json` line-delimited exports
8+
- Ubuntu or Debian `auth.log`
9+
- RHEL or CentOS `secure`
10+
11+
## Non-Goals
12+
13+
- `audit.log`
14+
- real-time tailing or monitoring
15+
- databases or storage layers
16+
- packaging or publishing workflows
17+
18+
## Validation Status
19+
20+
- `pytest -q` currently passes for parser behavior, filtering, summary generation, CLI workflow, golden regression checks, and syslog year-rollover coverage
21+
- `normalize` is covered against the three supported fixture families
22+
- `filter` is covered for `user`, `IP`, and `service` constraints
23+
- `summary` is covered for readable Markdown output
24+
- `error-output` is covered as an optional JSONL artifact for parse failures during batch normalization
25+
26+
## Assumptions
27+
28+
- Syslog inputs are line-oriented and follow a standard auth/syslog prefix with no embedded year
29+
- Syslog timestamps are interpreted in a chosen timezone, defaulting to `local`
30+
- If `--year` is provided, it anchors the first syslog record and later `Dec -> Jan` transitions roll forward into the next year
31+
- If `--year` is omitted, the parser infers the starting year from the first syslog record relative to the current time in the chosen timezone; if the first record would land more than about half a year in the future, it is treated as the previous year
32+
- Journal inputs are one JSON object per line and map from `MESSAGE`, `_PID`, `_COMM`, and `_SYSTEMD_UNIT` when available
33+
- `_PID` is preserved as contextual process metadata when present; it should not be read as a guaranteed identity anchor on its own
34+
- Unsupported or malformed records fail clearly per line without stopping the full batch
35+
36+
## End-to-End Workflow
2237

2338
```bash
2439
python -m pip install -e .[dev]
25-
python -m linux_auth_observe normalize --input tests/fixtures/ubuntu_auth.log --source auto --year 2026 --timezone Asia/Shanghai --output output/events.jsonl
26-
python -m linux_auth_observe filter --input output/events.jsonl --user alice --ip 192.0.2.10 --service sshd
27-
python -m linux_auth_observe summary --input output/events.jsonl --output output/summary.md
28-
python -m pytest -q
40+
41+
python -m linux_auth_observe normalize \
42+
--input tests/fixtures/ubuntu_auth.log \
43+
--source auto \
44+
--year 2026 \
45+
--timezone Asia/Shanghai \
46+
--output output/events.jsonl
47+
48+
python -m linux_auth_observe filter \
49+
--input output/events.jsonl \
50+
--user alice \
51+
--ip 192.0.2.10 \
52+
--service sshd
53+
54+
python -m linux_auth_observe summary \
55+
--input output/events.jsonl \
56+
--output output/summary.md
57+
58+
python -m linux_auth_observe normalize \
59+
--input tests/fixtures/ubuntu_auth_with_error.log \
60+
--source auto \
61+
--year 2026 \
62+
--timezone Asia/Shanghai \
63+
--output output/events.jsonl \
64+
--error-output output/parse-errors.jsonl
2965
```
3066

31-
`normalize` defaults to the current UTC year and the local system timezone when parsing yearless syslog timestamps. Pass `--year` and `--timezone` to replay fixtures deterministically.
67+
The intended flow is `normalize -> filter -> summary`, with `--error-output` available when you want a structured JSONL artifact for parse failures while the batch continues.
3268

3369
## Event Schema
3470

0 commit comments

Comments
 (0)