Skip to content

Add audit sink reconciliation mode #12

Description

@Eilen6316

Goal

Add a verification mode that cross-checks the local hash-chained audit log against an external append-only sink or anchoring source.

Context

v4.1.0 added a best-effort HTTP audit sink. The next step is making remote audit forwarding useful for tamper evidence instead of only delivery.

Scope

  • Define a sink reconciliation interface.
  • Support comparing local entry hashes with a remote append-only record source.
  • Report missing, reordered, or mismatched hashes.
  • Keep local linuxagent audit verify behavior unchanged.
  • Add a CLI mode such as linuxagent audit reconcile if the interface is implemented.

Non-goals

  • Do not claim local-only signatures protect against root compromise.
  • Do not require a specific SaaS backend.
  • Do not upload secrets or raw config values.

Acceptance Criteria

  • Local-only verification remains backward compatible.
  • Reconciliation detects local tampering when the remote sink still has original hashes.
  • Reconciliation detects missing remote entries after sink failures.
  • Tests cover success, missing remote hash, local tamper, and remote mismatch cases.
  • Threat model documentation explains the protection boundary.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions