Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro-related classes for certificate resolution and signing operations.
This commit is contained in:
master
2025-11-09 12:21:38 +02:00
parent ba4c935182
commit 75c2bcafce
385 changed files with 7354 additions and 7344 deletions


@@ -87,7 +87,7 @@ flowchart LR
| Token replay by stolen agent | Information Disclosure | TB5 | Med×High | Signed revocation bundles, device fingerprint heuristics, optional mTLS | Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds | Security Guild + Zastava (follow-up: **SEC5.E**) |
| Privilege escalation via plug-in override | Elevation of Privilege | TB3 — Plug-in sandbox | Med×High | Signed plug-ins, restart-only loading, configuration validation | Add static analysis on manifest overrides + runtime warning when policy weaker than host | Security Guild + DevOps (follow-up: **SEC5.F**) |
| Offline bundle tampering | Tampering | Distribution | Low×High | SHA256 manifest, signed bundles (planned) | Add supply-chain attestation for Offline Kit, publish verification CLI in docs | Security Guild + Ops (follow-up: **SEC5.G**) |
| Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned) | Finalise audit schema (SEC2.A) and ensure `/token` denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: **SEC5.H**) |
| Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned), Standard plug-in credential telemetry (`authority.plugin.standard.password_verification`) | Finalise audit schema (SEC2.A), require the same audit contract for third-party plug-ins, and ensure `/token` denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: **SEC5.H**) |
Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low.
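Review bot: the rewritten "Failure to log denied tokens" row adds a residual action to "require the same audit contract for third-party plug-ins", but no backlog entry in the table below carries that requirement (SEC5.H covers `/token` denial persistence and SEC5.PLG covers only the Standard plug-in), so the third-party requirement has no owner or exit criterion. Either extend the SEC5.H summary to name third-party plug-in audit parity or add it to the SEC5.PLG row. Also, the current-mitigation column now lists the emitted `authority.plugin.standard.password_verification` event beside "Mongo persistence path (planned)"; it is worth stating that plug-in events are emitted but not yet persisted, otherwise the row reads as if denied-token logging is already covered end to end.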
@@ -95,6 +95,7 @@ Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mit
| Backlog ID | Linked Threat | Summary | Target Owners |
|------------|---------------|---------|---------------|
| SEC5.PLG | TB3 — Plug-in sandbox | Standard plug-in mitigations documented: Argon2 bootstrap enforcement, password-policy warnings, and credential audit telemetry (`plugin.retry_after_seconds`, `plugin.lockout_until`) wired into SOC pipelines. | Security Guild + BE-Auth Plugin |
| SEC5.B | Spoofed revocation bundle | Complete libsodium/Core signing integration and ship revocation verification script. | Security Guild + Authority Core |
| SEC5.C | Parameter tampering on `/token` | Finalise audit contract (`SEC2.A`) and add request tamper logging. | Security Guild + Authority Core |
| SEC5.D | Bootstrap invite replay | Implement expiry enforcement + audit coverage for unused bootstrap invites. | Security Guild |
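Review bot: the new SEC5.PLG row's "Linked Threat" cell reads "TB3 — Plug-in sandbox", which is a trust-boundary label, while every other row in this table (SEC5.B, SEC5.C, SEC5.D, SEC5.H) names the threat row from the threat table, e.g. "Spoofed revocation bundle"; use the matching threat name, "Privilege escalation via plug-in override", so the linkage can be resolved the same way as the other entries. The row is also inserted ahead of SEC5.B, breaking the alphabetical ordering of backlog IDs; placing it after SEC5.H keeps the table consistent. Finally, the summary describes completed work ("mitigations documented ... wired into SOC pipelines") rather than a backlog action; if the item is done, mark its status explicitly so it is not read as outstanding.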
@@ -104,3 +105,9 @@ Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mit
| SEC5.H | Failure to log denied tokens | Ensure audit persistence for all `/token` denials with correlation IDs. | Security Guild + Authority Core |
Update `src/__Libraries/StellaOps.Cryptography/TASKS.md` (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria.
### 5.1 Plugin telemetry status (SEC5.PLG — 2025-11-09)
- Standard plug-in password verification now emits `authority.plugin.standard.password_verification` with caller correlation IDs, client metadata, tenant IDs, and full network context sourced from `AuthorityCredentialAuditContext`. Events classify outcomes via the extended `AuthEventOutcome` set (`LockedOut`, `RequiresFreshAuth`, `RequiresMfa`) so SOC tooling can distinguish lockouts from MFA prompts.
- Audit properties were standardised: `plugin.failed_attempts`, `plugin.lockout_until`, `plugin.retry_after_seconds`, `plugin.rehashed`, and `plugin.failure_code` are present on both the plug-in event and the host-level `/token` record. `plugin.retry_after_seconds` is derived deterministically from the retry window, ensuring consistent rate-limit responses for air-gapped tenants.
- Bootstrap mitigations were documented in `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`: Argon2id hashing, enforced password policies, default `RequirePasswordReset`, and registrar warnings when an operator weakens the baseline policy. These measures close the SEC5.PLG action item and provide auditors with evidence hooks for Offline Kit reviews.
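Review bot: the last bullet says these measures "close the SEC5.PLG action item", but the SEC5.PLG backlog row added earlier in this patch carries no completion status, so the document contradicts itself about whether the item is open; either mark the backlog row as closed with the date from the heading (2025-11-09) or soften this sentence to "address". The first bullet also lists `RequiresFreshAuth` and `RequiresMfa` as new `AuthEventOutcome` values, while the commit message mentions logger tests only for success, failure and lockout events; please confirm those two outcomes have test coverage or note them as untested here. Lastly, "`plugin.retry_after_seconds` is derived deterministically from the retry window" does not say which window or rounding is used; a one-line formula (or a reference to the option that defines the window) would let auditors verify the claim.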