# Audit Module Integration Guide ## Overview The audit module integrates with other prov-ecosystem crates to provide comprehensive security auditing across your infrastructure. ## Integration Architecture ``` ┌─────────────────────────────────────────────────────┐ │ Audit Module │ │ SBOM │ Scanners │ Policy Engine │ Reporting │ └────────┬────────┬────────┬────────┬──────────────────┘ │ │ │ │ ┌────┴──┬─────┴─┐ ┌───┴──┬────┴──┬───────┐ │ │ │ │ │ │ │ valida gitops runtime encrypt observ backup (rules) (events) (SBOM) (secrets) (metrics) ``` ## 1. Valida Integration ### Converting Vulnerabilities to Validation Rules The audit module automatically converts CVE findings to valida rules: ```rust #[cfg(feature = "valida-integration")] use audit::integration::valida::vulnerability_to_rule; // Vulnerability from CVE scan let vuln = Vulnerability { cve_id: "CVE-2024-12345".into(), package: "tokio".into(), installed_version: "1.0.0".into(), severity: VulnerabilitySeverity::Critical, // ... }; // Convert to valida rule condition let rule_condition = vulnerability_to_rule(&vuln)?; // Result: package == "tokio" && version == "1.0.0" && cve_severity == "critical" ``` ### Audit Rule Definition Define audit rules in your KCL configuration: ```kcl import valida audit_rules = valida.RuleSet { name = "Security Audit Rules" rules = [ valida.SecurityRule { id = "audit-critical-cve" name = "No Critical CVEs in Production" category = "security" severity = "error" contexts = ["deploy", "production"] mandatory_contexts = ["production"] condition = "cve_severity != 'critical'" message = "Critical CVEs must be remediated before production deployment" } ] } ``` ## 2. GitOps Integration ### Event-Driven Audits Trigger audits from GitOps events: ```rust #[cfg(feature = "gitops-integration")] use audit::integration::gitops::AuditEvent; use gitops::Event; // On git push Event::GitPush { repo: "prov-ecosystem", branch: "main", // Trigger audit... }; // Emit audit events let audit_event = AuditEvent::AuditCompleted { status: "passed".into(), }; // Emit vulnerability event let vuln_event = AuditEvent::VulnerabilityDetected { cve_id: "CVE-2024-12345".into(), }; ``` ### Automated Remediation Create GitOps workflows for audit failures: ```yaml # .gitops/audit-remediation.yaml apiVersion: gitops.prov-ecosystem.io/v1 kind: Workflow metadata: name: audit-remediation spec: triggers: - type: audit event: vulnerability-detected severity: critical steps: - name: create-issue action: github.CreateIssue inputs: title: "Critical CVE Detected" body: "{{ .event.message }}" - name: notify-slack action: slack.Notify inputs: channel: "#security-alerts" ``` ## 3. Observability Integration ### Audit Metrics Register audit metrics with observability module: ```rust #[cfg(feature = "observability-integration")] { use observability::metrics; // Track vulnerabilities metrics::gauge!("audit_vulnerabilities_total").set(report.summary.total_vulnerabilities as f64); metrics::gauge!("audit_critical_count").set(report.summary.critical_count as f64); // Track scan duration metrics::histogram!("audit_scanner_duration_seconds").record(scan_result.duration_seconds); // Track policy violations metrics::gauge!("audit_policy_violations_total").set(report.summary.total_policy_violations as f64); } ``` ### Health Checks Register audit health checks: ```rust #[cfg(feature = "observability-integration")] { use observability::health::checks::HealthCheckRegistry; let registry = HealthCheckRegistry::new(); // Check if scanners are available registry.register("audit_scanners_available", || { if TrivyScanner::new().is_available().await.unwrap() { HealthStatus::Healthy } else { HealthStatus::Degraded } }); // Check last audit result registry.register("audit_last_scan_status", || { if last_audit_passed { HealthStatus::Healthy } else { HealthStatus::Unhealthy } }); } ``` ### Dashboard Integration The observability module displays audit data in Grafana: ```json { "dashboard": { "title": "Security Audit Dashboard", "panels": [ { "title": "Vulnerabilities by Severity", "targets": [ {"expr": "audit_vulnerabilities{severity='critical'}"}, {"expr": "audit_vulnerabilities{severity='high'}"} ] }, { "title": "Policy Violations Trend", "targets": [ {"expr": "rate(audit_policy_violations_total[1h])"} ] } ] } } ``` ## 4. Runtime Integration ### SBOM Enforcement for Containers Enforce SBOM generation when building containers: ```rust #[cfg(feature = "runtime-integration")] { use runtime::Container; let container = Container::build("my-app:latest")?; // Enforce SBOM requirement if container.is_production() && !container.has_sbom() { return Err(AuditError::sbom_required( "my-app:latest", "Production containers must include SBOM" )); } // Add SBOM to container metadata let sbom = runner.run_sbom().await?; container.attach_sbom(sbom)?; } ``` ### Container Scanning Scan container images for vulnerabilities: ```rust use audit::{ScanTarget, ScanRunner}; let scan_target = ScanTarget::Container("registry.example.com/my-app:latest".into()); let scan_result = runner.run_scan(&scan_target).await?; if scan_result.critical_count() > 0 { println!("Container has critical vulnerabilities!"); } ``` ## 5. Encrypt Integration ### Secret Detection Integration Extend encrypt module's secret detection for audit: ```rust #[cfg(feature = "encrypt-integration")] { use encrypt::detect_secrets; // Detect secrets in codebase let secrets = detect_secrets(&source_code)?; // Check if secrets are encrypted for secret in secrets { if !secret.is_encrypted() { audit_violations.push(format!("Unencrypted {} found at {}", secret.secret_type, secret.location)); } } } ``` ### Encryption Policy Define encryption requirements in policies: ```rego package audit.encryption # All secrets must be encrypted deny[msg] { secret := input.secrets[_] secret.encrypted == false msg = sprintf("Unencrypted secret %s in %s", [secret.type, secret.location]) } # Require strong encryption algorithms deny[msg] { secret := input.secrets[_] secret.algorithm in ["DES", "RC4", "MD5"] msg = sprintf("Weak encryption algorithm %s for secret %s", [secret.algorithm, secret.name]) } ``` ## 6. Backup Module Integration ### Audit Backup Configuration Ensure backup configurations are audited: ```toml # audit.toml [audit.policy.rules.backup-audit] id = "backup-configuration-audit" name = "Backup Configuration Security Check" engine = "opa" rules_path = "./policies/backup" # policies/backup/retention.rego package audit.backup deny[msg] { backup := input.backups[_] backup.retention_days < 30 msg = sprintf("Backup %s retention too short: %d days", [backup.name, backup.retention_days]) } ``` ## 7. N8N Integration ### Workflow Audit Audit n8n workflow configurations: ```rust #[cfg(feature = "n8n-integration")] { use n8n::Workflow; let workflow = Workflow::load("workflows/data-processing.json")?; // Audit workflow security // Check for hardcoded credentials let secrets_found = detect_workflow_secrets(&workflow)?; if !secrets_found.is_empty() { for secret in secrets_found { violations.push(format!("Hardcoded {} in workflow", secret.secret_type)); } } } ``` ## Deployment Architecture ### Docker/Kubernetes ```dockerfile # Dockerfile with audit FROM rust:latest WORKDIR /app COPY . . # Generate SBOM before building RUN cargo install cargo-sbom RUN cargo sbom --output sbom/app.xml # Scan for vulnerabilities RUN cargo install trivy RUN trivy fs /app RUN cargo build --release # Attach SBOM to final image COPY sbom/app.xml /app/sbom.xml ``` ### Kubernetes Admission Controller Use Kyverno to enforce audit policies: ```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-sbom spec: validationFailureAction: audit rules: - name: check-sbom match: resources: kinds: - Pod validate: message: "SBOM annotation required" pattern: metadata: annotations: sbom: "?*" ``` ## CI/CD Pipeline Integration ### GitHub Actions ```yaml name: Security Audit on: push: branches: [main] schedule: - cron: '0 6 * * *' jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Generate SBOM run: | cargo install cargo-sbom cargo sbom --output sbom.xml - name: Scan for vulnerabilities run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh ./trivy fs /github/workspace - name: Run audit policies run: cargo run --bin audit-cli -- --config audit.toml - name: Upload SARIF uses: github/codeql-action/upload-sarif@v2 with: sarif_file: audit-report.sarif ``` ## Monitoring and Alerting ### Alert Rules Define alerts based on audit metrics: ```yaml # prometheus-alerts.yaml groups: - name: audit-alerts interval: 30s rules: - alert: CriticalVulnerabilityDetected expr: audit_vulnerabilities{severity='critical'} > 0 for: 5m annotations: summary: "Critical vulnerability detected" - alert: PolicyViolation expr: rate(audit_policy_violations_total[1h]) > 0 for: 10m annotations: summary: "Policy violation detected" - alert: SBOMMissing expr: audit_sbom_missing_containers > 0 for: 30m annotations: summary: "Production container missing SBOM" ``` ## Performance Tuning ### Parallel Scanning ```rust let scanners = vec![ Box::new(TrivyScanner::new()), Box::new(CargoAuditScanner::new()), ]; // Run scans in parallel let results: Vec<_> = futures::future::join_all( scanners.iter().map(|s| s.scan(&target)) ).await; ``` ### Caching ```toml [audit.cache] enabled = true ttl_hours = 24 path = ".audit-cache" ``` ## Security Best Practices 1. **Store audit reports securely** - Encrypt sensitive findings - Restrict access to reports - Maintain audit trail 2. **Regular policy updates** - Review and update policies monthly - Test policy changes in non-prod first - Document policy decisions 3. **Vulnerability response SLA** - Critical: 24 hours - High: 72 hours - Medium: 1 week - Low: 30 days 4. **SBOM management** - Version control SBOMs - Sign SBOMs with certificates - Maintain for 2+ years ## Troubleshooting ### Integration Issues Check feature flags: ```toml # Cargo.toml audit = { path = "../audit", features = ["full-integration"] } ``` ### Policy Not Applying Verify policy path: ```bash ls -la ./policies/ cat ./policies/*.rego ``` ### Scanner Integration Issues Test scanner directly: ```bash trivy fs . cargo audit ``` ## References - [OPA/Rego Documentation](https://www.openpolicyagent.org/docs/latest/) - [Kyverno Policies](https://kyverno.io/policies/) - [SBOM Standards](https://cyclonedx.org/) - [CVE Database](https://nvd.nist.gov/)