From 30c6a93c2858e3e866998d20653c5068ce39ba82 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 6 Jun 2026 07:02:32 +0200 Subject: [PATCH] ADR-002: make central-logging + alerting controls concrete (ADR-018) --- docs/decisions/002-security.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/decisions/002-security.md b/docs/decisions/002-security.md index d3174de..3c57674 100644 --- a/docs/decisions/002-security.md +++ b/docs/decisions/002-security.md @@ -87,7 +87,9 @@ time. Each heading tags the threat(s) it primarily serves. ### Audit trail — *agent error, blast radius* - `auditd` installed and running with a baseline ruleset -- Logs shipped to a central location if a log aggregation service is available +- Logs shipped to a central location in near-real-time — all logs to an on-cluster + Loki, plus a security-relevant subset write-only off-site to `askari` so the audit + trail survives host (and full-cluster) compromise (ADR-018) ### Mandatory access control — *blast radius* @@ -102,8 +104,9 @@ time. Each heading tags the threat(s) it primarily serves. - **AIDE** file-integrity monitoring (required by the CIS Debian benchmark) — detects unexpected changes to system files - **Network IDS** — Suricata on OPNsense (planned; see STATUS.md / TODO) -- **Active alerting** wires AIDE, `auditd`, `fail2ban`, and Suricata into the - monitoring/alerting stack (planned; ties to the Loki/Grafana effort) +- **Active alerting** wires AIDE, `auditd`, `fail2ban`, and Suricata — plus + log-source-silence (a host that stops shipping) — into Grafana alerting on the + Loki/Grafana stack (ADR-018; planned) ## Secrets management — *agent error, opportunistic*
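Review bot: in the first hunk (the `### Audit trail` bullet), "write-only off-site to `askari`" names the goal but not the control that achieves it; the ADR should state how write-only is enforced (e.g. an append-only credential or ingest endpoint that a compromised host can use to write but not read, delete or rewrite), since that property is what makes the trail survive host or full-cluster compromise. "Security-relevant subset" and "near-real-time" are also left undefined here; suggest the bullet name the sources that make up the subset (at minimum `auditd`, and whichever of AIDE, `fail2ban` and Suricata the alerting bullet below relies on) and a target shipping lag, or explicitly defer both to ADR-018 so a reader knows where the decision lives.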
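Review bot: in the second hunk (the `**Active alerting**` bullet), the log-source-silence alert is placed on "Grafana alerting on the Loki/Grafana stack", which is the on-cluster path; the first hunk motivates the off-site copy with the full-cluster compromise case, and a silence alert evaluated only on-cluster will not fire in exactly that case. Suggest stating that silence is also detected from the `askari` side (a host, or the whole cluster, that stops arriving off-site), and giving the silence threshold (how long without logs before the alert fires), since that value decides whether a stopped `auditd` is noticed in minutes or hours. Minor: the Suricata bullet says "(planned; see STATUS.md / TODO)" while this one says "(ADR-018; planned)"; use one form for the planned-item annotation.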