Implement comprehensive audit and security infrastructure: - Immutable audit logs with platform-specific backends (Linux/Other) - Sealed log entries with tamper-evident checksums - Audit alert system for real-time security notifications - Log rotation with retention policies - Checkpoint-based audit verification Add multi-tenant security features: - Tenant manager with quota enforcement - Middleware for tenant authentication/authorization - Per-tenant cryptographic key isolation - Supply chain security for container verification - Cross-platform secure file utilities (Unix/Windows) Add test coverage: - Unit tests for audit alerts and sealed logs - Platform-specific audit backend tests
58 lines
1.6 KiB
Go
//go:build linux
|
|
// +build linux
|
|
|
|
// Package platform provides platform-specific utilities for the audit system
|
|
package platform
|
|
|
|
import (
|
|
"fmt"
|
|
"os/exec"
|
|
)
|
|
|
|
// MakeImmutable sets the immutable flag on a file using chattr +i.
|
|
// This prevents any modification or deletion of the file, even by root,
|
|
// until the flag is cleared.
|
|
//
|
|
// Requirements:
|
|
// - Linux kernel with immutable flag support
|
|
// - Root access or CAP_LINUX_IMMUTABLE capability
|
|
// - chattr binary available in PATH
|
|
//
|
|
// Container environments need:
|
|
//
|
|
// securityContext:
|
|
// capabilities:
|
|
// add: ["CAP_LINUX_IMMUTABLE"]
|
|
func MakeImmutable(path string) error {
|
|
cmd := exec.Command("chattr", "+i", path)
|
|
if output, err := cmd.CombinedOutput(); err != nil {
|
|
return fmt.Errorf("chattr +i failed: %w (output: %s)", err, output)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// MakeAppendOnly sets the append-only flag using chattr +a.
|
|
// The file can only be opened in append mode for writing.
|
|
func MakeAppendOnly(path string) error {
|
|
cmd := exec.Command("chattr", "+a", path)
|
|
if output, err := cmd.CombinedOutput(); err != nil {
|
|
return fmt.Errorf("chattr +a failed: %w (output: %s)", err, output)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ClearImmutable removes the immutable flag from a file
|
|
func ClearImmutable(path string) error {
|
|
cmd := exec.Command("chattr", "-i", path)
|
|
if output, err := cmd.CombinedOutput(); err != nil {
|
|
return fmt.Errorf("chattr -i failed: %w (output: %s)", err, output)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// IsSupported returns true if this platform supports immutable flags
|
|
func IsSupported() bool {
|
|
// Check if chattr is available
|
|
_, err := exec.LookPath("chattr")
|
|
return err == nil
|
|
}
|
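Review bot: MakeImmutable, MakeAppendOnly and ClearImmutable hand the caller's `path` to chattr unmodified, and chattr (e2fsprogs) reads any argument that begins with `-`, `+` or `=` as a mode specification rather than a filename, so a relative path such as `+i` or `-R` would alter the operation instead of naming its target. Resolving the path first, `abs, err := filepath.Abs(path); if err != nil { return fmt.Errorf("resolving %q: %w", path, err) }` followed by `cmd := exec.Command("chattr", "+i", abs)` (and the same in the other two functions), guarantees the argument starts with `/`. These functions also locate `chattr` through PATH while the process holds CAP_LINUX_IMMUTABLE or runs as root, so a writable PATH entry decides which binary gains that privilege; pinning an absolute binary path, or setting the flag via the FS_IOC_SETFLAGS ioctl (which would also remove the external-binary dependency that IsSupported tests for), avoids that. IsSupported only confirms chattr is installed, not that the target filesystem honours the immutable or append-only flags, which its doc comment should say, e.g. `// IsSupported reports whether chattr is available; it does not check that the target filesystem honours the flags.`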