
feat: add SEC0045 OWASP security event logging#208

Draft
tonyandrewmeyer wants to merge 2 commits into
canonical:mainfrom
tonyandrewmeyer:sec0045-security-event-logging

Conversation

@tonyandrewmeyer

Contributor

Concierge runs as root to provision charm dev/test machines, so it performs security-relevant actions: executing privileged commands, installing snaps and debs, writing cloud credentials, and changing filesystem ownership. SEC0045 requires these to be recorded using the OWASP Application Logging Vocabulary.

The PR adds an internal/securitylog package that emits security events as structured JSON to stderr, with the vocabulary's recommended fields (datetime, level, type=security, appid, event, description), mirroring the approach taken for the operator framework in canonical/operator#1905.

Instrument the events concierge produces:

  • sys_startup / sys_shutdown: machine provisioning start and restore.
  • authz_admin: every privileged (non-read-only) command execution, and writing the Juju cloud credentials file.
  • privilege_permissions_changed: recursive filesystem ownership changes.

Structured JSON is used rather than OTLP via owasp-logger because concierge is a short-lived CLI with no existing telemetry pipeline.
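As an added example (not the PR's `internal/securitylog` package, whose code is not shown on this page), the following Go program shows the shape of logger the description sketches: one JSON object per line carrying the OWASP Application Logging Vocabulary fields (datetime, level, type=security, appid, event, description), written to a caller-supplied `io.Writer` (stderr by default) with event-specific context such as the command or path appended as extra keys. The type and function names (`SecurityLogger`, `New`, `Log`, `AuthzAdmin`, `PermissionsChanged`) and the sample values are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"time"
)

// SecurityLogger emits OWASP-vocabulary security events, one JSON object
// per line, to a destination chosen by the caller (hypothetical type).
type SecurityLogger struct {
	appID string
	out   io.Writer
	// Now is the clock used for the datetime field; overridable in tests.
	Now func() time.Time
}

// New returns a logger for appID (e.g. "concierge@dev") writing to out.
func New(appID string, out io.Writer) *SecurityLogger {
	return &SecurityLogger{appID: appID, out: out, Now: time.Now}
}

// reserved lists the vocabulary fields that caller context must not overwrite.
var reserved = map[string]bool{
	"datetime": true, "level": true, "type": true,
	"appid": true, "event": true, "description": true,
}

// Log writes one event. vocabEvent is a vocabulary identifier such as
// "authz_admin"; extra carries event-specific context (command, path, ...).
func (l *SecurityLogger) Log(level, vocabEvent, description string, extra map[string]string) error {
	rec := map[string]string{
		"datetime":    l.Now().Format(time.RFC3339Nano),
		"level":       level,
		"type":        "security",
		"appid":       l.appID,
		"event":       vocabEvent,
		"description": description,
	}
	for k, v := range extra {
		if reserved[k] {
			// Keep the vocabulary fields authoritative even if a caller
			// passes a colliding key; the event stays well-formed.
			continue
		}
		rec[k] = v
	}
	b, err := json.Marshal(rec)
	if err != nil {
		return fmt.Errorf("securitylog: marshal %s: %w", vocabEvent, err)
	}
	_, err = l.out.Write(append(b, '\n'))
	return err
}

// AuthzAdmin records a privileged command execution and its outcome.
func (l *SecurityLogger) AuthzAdmin(command, runAs, outcome string, elapsed time.Duration) error {
	return l.Log("INFO", "authz_admin", "privileged command executed", map[string]string{
		"command": command, "run_as": runAs, "outcome": outcome, "elapsed": elapsed.String(),
	})
}

// PermissionsChanged records a filesystem ownership change.
func (l *SecurityLogger) PermissionsChanged(path, user string, uid, gid int) error {
	return l.Log("INFO", "privilege_permissions_changed", "filesystem ownership changed", map[string]string{
		"path": path, "user": user, "uid": strconv.Itoa(uid), "gid": strconv.Itoa(gid),
	})
}

func main() {
	// Constructed sample events; values are illustrative, not from a real run.
	l := New("concierge@dev", os.Stderr)
	_ = l.Log("INFO", "sys_startup", "machine provisioning started",
		map[string]string{"action": "prepare", "user": "ubuntu"})
	_ = l.PermissionsChanged("/home/ubuntu/.cache", "ubuntu", 1000, 1000)
	_ = l.AuthzAdmin("apt-get update", "root", "success", 2*time.Second)
	_ = l.Log("INFO", "sys_shutdown", "machine provisioning finished", nil)
}
```

Because the destination is an `io.Writer` rather than a fixed `os.Stderr`, the same events can be routed to a file or a separate descriptor without changing the call sites, and a test can capture them in a buffer and assert on the decoded fields.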

claude and others added 2 commits June 9, 2026 11:08
Concierge runs as root to provision charm dev/test machines, so it
performs security-relevant actions: executing privileged commands,
installing snaps and debs, writing cloud credentials, and changing
filesystem ownership. SEC0045 requires these to be recorded using the
OWASP Application Logging Vocabulary.

Add an internal/securitylog package that emits security events as
structured JSON to stderr, with the vocabulary's recommended fields
(datetime, level, type=security, appid, event, description), mirroring
the approach taken for the operator framework in canonical/operator#1905.

Instrument the events concierge produces:

- sys_startup / sys_shutdown: machine provisioning start and restore.
- authz_admin: every privileged (non-read-only) command execution, and
  writing the Juju cloud credentials file.
- privilege_permissions_changed: recursive filesystem ownership changes.

Structured JSON is used rather than OTLP via owasp-logger because
concierge is a short-lived CLI with no existing telemetry pipeline.

Jira: CHARMTECH-875
@tonyandrewmeyer

Contributor Author

I hate this 😂:

ubuntu@test-concierge-seclog:~/concierge$ sudo go run ./main.go prepare -p dev
time=2026-06-15T18:57:43.280+12:00 level=INFO msg="Preset selected" preset=dev
{"datetime":"2026-06-15T18:57:43.280568919+12:00","level":"INFO","description":"machine provisioning started","type":"security","appid":"concierge@dev","event":"sys_startup","action":"prepare","user":"ubuntu"}
{"datetime":"2026-06-15T18:57:43.281100453+12:00","level":"INFO","description":"filesystem ownership changed","type":"security","appid":"concierge@dev","event":"privilege_permissions_changed","path":"/home/ubuntu/.cache","user":"ubuntu","uid":"1000","gid":"1000"}
{"datetime":"2026-06-15T18:57:43.281191588+12:00","level":"INFO","description":"filesystem ownership changed","type":"security","appid":"concierge@dev","event":"privilege_permissions_changed","path":"/home/ubuntu/.cache/concierge/concierge.yaml","user":"ubuntu","uid":"1000","gid":"1000"}
{"datetime":"2026-06-15T18:57:45.444228184+12:00","level":"INFO","description":"privileged command executed","type":"security","appid":"concierge@dev","event":"authz_admin","command":"apt-get update","run_as":"root","outcome":"success","elapsed":"2.16293674s"}

I need to figure out how to get this out of the regular output but still be compliant.
