Goal
Add a verification mode that cross-checks the local hash-chained audit log against an external append-only sink or anchoring source.
Context
v4.1.0 added a best-effort HTTP audit sink. The next step is making remote audit forwarding useful for tamper evidence instead of only delivery.
Scope
- Define a sink reconciliation interface.
- Support comparing local entry hashes with a remote append-only record source.
- Report missing, reordered, or mismatched hashes.
- Keep local
linuxagent audit verify behavior unchanged.
- Add a CLI mode such as
linuxagent audit reconcile if the interface is implemented.
Non-goals
- Do not claim local-only signatures protect against root compromise.
- Do not require a specific SaaS backend.
- Do not upload secrets or raw config values.
Acceptance Criteria
- Local-only verification remains backward compatible.
- Reconciliation detects local tampering when the remote sink still has original hashes.
- Reconciliation detects missing remote entries after sink failures.
- Tests cover success, missing remote hash, local tamper, and remote mismatch cases.
- Threat model documentation explains the protection boundary.
Goal
Add a verification mode that cross-checks the local hash-chained audit log against an external append-only sink or anchoring source.
Context
v4.1.0 added a best-effort HTTP audit sink. The next step is making remote audit forwarding useful for tamper evidence instead of only delivery.
Scope
linuxagent audit verifybehavior unchanged.linuxagent audit reconcileif the interface is implemented.Non-goals
Acceptance Criteria