396 lines
8.5 KiB
Markdown
396 lines
8.5 KiB
Markdown
|
|
# Audit Module
|
||
|
|
|
||
|
|
Automated security audit framework for comprehensive vulnerability scanning, SBOM generation, policy enforcement, and compliance checking.
|
||
|
|
|
||
|
|
## Features
|
||
|
|
|
||
|
|
- **SBOM Generation**: CycloneDX and SPDX format support
|
||
|
|
- **Multi-Backend CVE Scanning**: Trivy, cargo-audit, Grype, OSV-scanner
|
||
|
|
- **Policy Enforcement**: OPA/Rego and Kyverno integration
|
||
|
|
- **SBOM Requirements**: Enforce SBOM for containers (production-ready)
|
||
|
|
- **Compliance Checking**: PCI-DSS, HIPAA aware rules
|
||
|
|
- **Chaos Engineering**: Fault injection testing (optional)
|
||
|
|
- **Comprehensive Reporting**: JSON, SARIF, HTML, Markdown formats
|
||
|
|
- **Integrated Metrics**: Prometheus integration with observability module
|
||
|
|
- **Event-Driven**: GitOps integration for automated workflows
|
||
|
|
|
||
|
|
## Quick Start
|
||
|
|
|
||
|
|
### Basic Audit
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use audit::{AuditCoordinator, AuditRunner};
|
||
|
|
|
||
|
|
#[tokio::main]
|
||
|
|
async fn main() -> Result<(), Box<dyn std::error::Error>> {
|
||
|
|
// Create coordinator with default config
|
||
|
|
let coordinator = AuditCoordinator::new(audit::AuditConfig::default())?;
|
||
|
|
|
||
|
|
// Create runner
|
||
|
|
let runner = AuditRunner::new(coordinator);
|
||
|
|
|
||
|
|
// Run full audit
|
||
|
|
let report = runner.run().await?;
|
||
|
|
println!("Audit report: {:?}", report.summary);
|
||
|
|
|
||
|
|
Ok(())
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
### From Configuration File
|
||
|
|
|
||
|
|
```rust
|
||
|
|
// Load from TOML
|
||
|
|
let coordinator = AuditCoordinator::from_toml("audit.toml")?;
|
||
|
|
let runner = AuditRunner::new(coordinator);
|
||
|
|
let report = runner.run().await?;
|
||
|
|
```
|
||
|
|
|
||
|
|
## Configuration
|
||
|
|
|
||
|
|
### Minimal Configuration
|
||
|
|
|
||
|
|
```toml
|
||
|
|
[audit]
|
||
|
|
name = "my-app-audit"
|
||
|
|
enabled = true
|
||
|
|
|
||
|
|
[audit.sbom]
|
||
|
|
format = "cyclonedx"
|
||
|
|
required_for_containers = true
|
||
|
|
|
||
|
|
[audit.scanners]
|
||
|
|
enabled = ["trivy"]
|
||
|
|
fail_on_severity = "high"
|
||
|
|
|
||
|
|
[audit.policy]
|
||
|
|
enabled = true
|
||
|
|
engine = "opa"
|
||
|
|
rules_path = "./policies"
|
||
|
|
```
|
||
|
|
|
||
|
|
### Complete Configuration
|
||
|
|
|
||
|
|
```toml
|
||
|
|
[audit]
|
||
|
|
name = "comprehensive-audit"
|
||
|
|
enabled = true
|
||
|
|
|
||
|
|
[audit.sbom]
|
||
|
|
format = "cyclonedx"
|
||
|
|
cyclonedx_version = "1.6"
|
||
|
|
required_for_containers = true
|
||
|
|
output_dir = "./sbom"
|
||
|
|
retention_days = 90
|
||
|
|
|
||
|
|
[audit.scanners]
|
||
|
|
enabled = ["trivy", "cargo-audit"]
|
||
|
|
fail_on_severity = "high"
|
||
|
|
ignore_cves = ["CVE-2024-XXXX"]
|
||
|
|
ignore_unfixed = false
|
||
|
|
|
||
|
|
[audit.scanners.trivy]
|
||
|
|
endpoint = "http://localhost:8080"
|
||
|
|
timeout_secs = 30
|
||
|
|
|
||
|
|
[audit.policy]
|
||
|
|
enabled = true
|
||
|
|
engine = "opa"
|
||
|
|
rules_path = "./policies"
|
||
|
|
fail_on_violation = true
|
||
|
|
|
||
|
|
[audit.schedule]
|
||
|
|
enabled = true
|
||
|
|
cron = "0 6 * * *" # Daily at 6 AM
|
||
|
|
|
||
|
|
[audit.report]
|
||
|
|
formats = ["json", "sarif", "html"]
|
||
|
|
output_dir = "./audit-reports"
|
||
|
|
detailed = true
|
||
|
|
retention_days = 90
|
||
|
|
```
|
||
|
|
|
||
|
|
## Features and Cargo
|
||
|
|
|
||
|
|
```toml
|
||
|
|
# Default features
|
||
|
|
audit = { version = "0.1", features = ["default"] }
|
||
|
|
|
||
|
|
# With all scanners
|
||
|
|
audit = { version = "0.1", features = ["scanner-full"] }
|
||
|
|
|
||
|
|
# With policy engine
|
||
|
|
audit = { version = "0.1", features = ["policy-opa"] }
|
||
|
|
|
||
|
|
# With chaos engineering
|
||
|
|
audit = { version = "0.1", features = ["chaos"] }
|
||
|
|
|
||
|
|
# Full integration
|
||
|
|
audit = { version = "0.1", features = ["full"] }
|
||
|
|
```
|
||
|
|
|
||
|
|
## SBOM Generation
|
||
|
|
|
||
|
|
### CycloneDX Format
|
||
|
|
|
||
|
|
```rust
|
||
|
|
let sbom = runner.run_sbom().await?;
|
||
|
|
// Generated SBOM with:
|
||
|
|
// - Component inventory
|
||
|
|
// - Licenses
|
||
|
|
// - Hashes (SHA-256)
|
||
|
|
// - Metadata
|
||
|
|
// - Tool information
|
||
|
|
```
|
||
|
|
|
||
|
|
### SBOM Requirements for Containers
|
||
|
|
|
||
|
|
Production containers automatically require SBOM:
|
||
|
|
|
||
|
|
```rego
|
||
|
|
# In sbom_required.rego
|
||
|
|
deny[msg] {
|
||
|
|
input.container_type == "production"
|
||
|
|
not input.sbom_present
|
||
|
|
msg = "Production container requires SBOM"
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
## Vulnerability Scanning
|
||
|
|
|
||
|
|
### Supported Scanners
|
||
|
|
|
||
|
|
1. **Trivy** (recommended, default)
|
||
|
|
- Container and package scanning
|
||
|
|
- Large vulnerability database
|
||
|
|
|
||
|
|
2. **cargo-audit**
|
||
|
|
- RustSec advisory database
|
||
|
|
- Fast, Rust-specific
|
||
|
|
|
||
|
|
3. **Grype**
|
||
|
|
- Multi-language support
|
||
|
|
- Container and dependency scanning
|
||
|
|
|
||
|
|
4. **OSV-scanner**
|
||
|
|
- Google's OSV database
|
||
|
|
- No code execution required
|
||
|
|
|
||
|
|
### Running Scans
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use audit::{ScanTarget, VulnerabilityScanner};
|
||
|
|
|
||
|
|
// Scan workspace
|
||
|
|
let target = ScanTarget::Workspace(Path::new("/path/to/project"));
|
||
|
|
let result = runner.run_scan(&target).await?;
|
||
|
|
println!("Found {} vulnerabilities", result.vulnerability_count());
|
||
|
|
```
|
||
|
|
|
||
|
|
## Policy Enforcement with OPA
|
||
|
|
|
||
|
|
### Policy Rules Location
|
||
|
|
|
||
|
|
```
|
||
|
|
crates/audit/policies/
|
||
|
|
├── sbom_required.rego # SBOM mandatory for containers
|
||
|
|
├── cve_severity.rego # CVE severity thresholds
|
||
|
|
└── secret_exposure.rego # Detect exposed secrets
|
||
|
|
```
|
||
|
|
|
||
|
|
### Custom Policies
|
||
|
|
|
||
|
|
Create custom Rego rules in `./policies/`:
|
||
|
|
|
||
|
|
```rego
|
||
|
|
package audit.custom
|
||
|
|
|
||
|
|
# Example: Deny specific packages in production
|
||
|
|
deny[msg] {
|
||
|
|
input.environment == "production"
|
||
|
|
pkg := input.dependencies[_]
|
||
|
|
pkg.name == "unsafe-package"
|
||
|
|
msg = sprintf("Package %s not allowed in production", [pkg.name])
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
### Policy Evaluation
|
||
|
|
|
||
|
|
```rust
|
||
|
|
let evaluation = policy_engine.evaluate(input).await?;
|
||
|
|
if !evaluation.is_passed() {
|
||
|
|
println!("Policy violations: {}", evaluation.violations.len());
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
## Integration with Other Crates
|
||
|
|
|
||
|
|
### Valida Integration
|
||
|
|
|
||
|
|
Convert vulnerabilities to validation rules:
|
||
|
|
|
||
|
|
```rust
|
||
|
|
#[cfg(feature = "valida-integration")]
|
||
|
|
use audit::integration::valida::vulnerability_to_rule;
|
||
|
|
|
||
|
|
let rule_condition = vulnerability_to_rule(&vuln)?;
|
||
|
|
// Creates: package == "tokio" && version == "1.0.0" && cve_severity == "critical"
|
||
|
|
```
|
||
|
|
|
||
|
|
### Observability Integration
|
||
|
|
|
||
|
|
Register audit metrics and health checks:
|
||
|
|
|
||
|
|
```rust
|
||
|
|
#[cfg(feature = "observability-integration")]
|
||
|
|
use audit::integration::observability::{
|
||
|
|
register_audit_metrics,
|
||
|
|
register_audit_health_checks,
|
||
|
|
};
|
||
|
|
|
||
|
|
register_audit_metrics();
|
||
|
|
register_audit_health_checks();
|
||
|
|
```
|
||
|
|
|
||
|
|
Metrics exported:
|
||
|
|
- `audit_vulnerabilities_total`
|
||
|
|
- `audit_sbom_generation_duration_seconds`
|
||
|
|
- `audit_policy_violations_total`
|
||
|
|
- `audit_scanner_duration_seconds`
|
||
|
|
|
||
|
|
### GitOps Integration
|
||
|
|
|
||
|
|
Trigger audits from GitOps events:
|
||
|
|
|
||
|
|
```rust
|
||
|
|
#[cfg(feature = "gitops-integration")]
|
||
|
|
use audit::integration::gitops::AuditEvent;
|
||
|
|
|
||
|
|
// Event-driven audit execution
|
||
|
|
// Triggers when code is pushed, alerts firing, or on schedule
|
||
|
|
```
|
||
|
|
|
||
|
|
## Reporting
|
||
|
|
|
||
|
|
### Report Formats
|
||
|
|
|
||
|
|
1. **JSON**: Machine-readable, detailed
|
||
|
|
2. **SARIF**: Static Analysis Results Format (GitHub Security tab)
|
||
|
|
3. **HTML**: Interactive dashboard
|
||
|
|
4. **Markdown**: Human-readable, shareable
|
||
|
|
|
||
|
|
### Generating Reports
|
||
|
|
|
||
|
|
```rust
|
||
|
|
let mut report = AuditReport::new("Security Audit");
|
||
|
|
report.add_scan_result(scan_result);
|
||
|
|
report.add_policy_evaluation(policy_eval);
|
||
|
|
|
||
|
|
// Save in multiple formats
|
||
|
|
report.write_to_file("report.json", ReportFormat::Json).await?;
|
||
|
|
report.write_to_file("report.sarif", ReportFormat::Sarif).await?;
|
||
|
|
report.write_to_file("report.html", ReportFormat::Html).await?;
|
||
|
|
```
|
||
|
|
|
||
|
|
### Grafana Dashboard
|
||
|
|
|
||
|
|
Pre-built dashboard available at `dashboards/audit_overview.json`:
|
||
|
|
- Vulnerability counts by severity
|
||
|
|
- Policy violation trends
|
||
|
|
- SBOM generation status
|
||
|
|
- Scan duration metrics
|
||
|
|
- Top affected packages
|
||
|
|
|
||
|
|
## Chaos Engineering (Optional)
|
||
|
|
|
||
|
|
Test application resilience to vulnerabilities and failures:
|
||
|
|
|
||
|
|
```toml
|
||
|
|
[audit.chaos]
|
||
|
|
enabled = true
|
||
|
|
platform = "chaos-mesh"
|
||
|
|
scenarios = ["network-latency", "resource-stress", "pod-failure"]
|
||
|
|
max_duration_minutes = 30
|
||
|
|
```
|
||
|
|
|
||
|
|
## Security Best Practices
|
||
|
|
|
||
|
|
1. **SBOM Management**
|
||
|
|
- Store SBOMs in version control
|
||
|
|
- Sign SBOM files
|
||
|
|
- Retain for minimum 2 years
|
||
|
|
|
||
|
|
2. **Vulnerability Handling**
|
||
|
|
- Act on critical/high within 24h
|
||
|
|
- Document accepted risks
|
||
|
|
- Track remediation progress
|
||
|
|
|
||
|
|
3. **Policy Enforcement**
|
||
|
|
- Start in audit mode
|
||
|
|
- Enforce in CI/CD pipeline
|
||
|
|
- Regular policy reviews
|
||
|
|
|
||
|
|
4. **Secret Detection**
|
||
|
|
- Scan for hardcoded credentials
|
||
|
|
- Use encryption for secrets at rest
|
||
|
|
- Rotate secrets regularly
|
||
|
|
|
||
|
|
## Troubleshooting
|
||
|
|
|
||
|
|
### Scanner Not Available
|
||
|
|
|
||
|
|
```
|
||
|
|
Error: Scanner not available: trivy. Install from...
|
||
|
|
```
|
||
|
|
|
||
|
|
Install the scanner:
|
||
|
|
```bash
|
||
|
|
# Trivy
|
||
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
|
||
|
|
|
||
|
|
# cargo-audit
|
||
|
|
cargo install cargo-audit
|
||
|
|
|
||
|
|
# Grype
|
||
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
|
||
|
|
```
|
||
|
|
|
||
|
|
### Policy Violations
|
||
|
|
|
||
|
|
Check policy rules at configured `rules_path`:
|
||
|
|
```bash
|
||
|
|
ls -la ./policies/
|
||
|
|
```
|
||
|
|
|
||
|
|
### SBOM Generation Issues
|
||
|
|
|
||
|
|
Ensure write permissions to `sbom.output_dir`:
|
||
|
|
```bash
|
||
|
|
chmod 755 ./sbom
|
||
|
|
```
|
||
|
|
|
||
|
|
## Performance
|
||
|
|
|
||
|
|
- SBOM generation: < 5 seconds for typical projects
|
||
|
|
- CVE scanning: 10-60 seconds depending on scanner
|
||
|
|
- Policy evaluation: < 1 second for typical rule sets
|
||
|
|
- Report generation: < 2 seconds
|
||
|
|
|
||
|
|
## Architecture
|
||
|
|
|
||
|
|
```
|
||
|
|
Audit Workflow:
|
||
|
|
┌─────────────────┐
|
||
|
|
│ AuditRunner │
|
||
|
|
└────────┬────────┘
|
||
|
|
│
|
||
|
|
┌────┴────┬─────────┬──────────┐
|
||
|
|
▼ ▼ ▼ ▼
|
||
|
|
SBOM Scanner Policy Report
|
||
|
|
Gen Engine Engine Generator
|
||
|
|
```
|
||
|
|
|
||
|
|
## License
|
||
|
|
|
||
|
|
MIT
|