-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit ccf10b6
Showing
4 changed files
with
98 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # Vim | ||
| *.swp | ||
|
|
||
| # Binary | ||
| rekorsidekick |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # π Rekor Sidekick | ||
|
|
||
| Rekor Sidekick monitors a Rekor signature transparency log and forwards | ||
| events of interest where ever you like. | ||
|
|
||
| > NB: π οΈ This software is prerelease! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| # Rekor Sidekick design | ||
|
|
||
| The basic design of Rekor sidekick is to continually pull entries from | ||
| a Rekor server, check if the entries are of interest using a configured set | ||
| of policies and to forward entries of interest a configured set of outputs | ||
|
|
||
| ``` | ||
| βββββββββββββββββββ | ||
| β Event Policies β | ||
| ββββββββ¬ββββ²βββββββ | ||
| β β | ||
| Decision β β Should forward entry? | ||
| β β | ||
| β β | ||
| β β Outputs | ||
| βββββββββββββββ ββββββββββΌββββ΄ββββββββ | ||
| β β β β ββββββββββββββ | ||
| β Rekor Log ββββββββββββββββΊ Rekor Sidekick β ββββββββββββββββΊ Pager Duty β | ||
| β β β β ββββββββββββββ | ||
| βββββββββββββββ Pull entries βββββββββββββββββ¬ββ¬ββ¬β | ||
| β β β ββββββββββββββ | ||
| β β βββββββββββββββββββΊ Stdout β | ||
| β β ββββββββββββββ | ||
| β β | ||
| β β ββββββββββββββ | ||
| β βββββββββββββββββββββΊ Loki β | ||
| β ββββββββββββββ | ||
| β | ||
| β ββββββββββββββ | ||
| βββββββββββββββββββββββΊ ... β | ||
| ββββββββββββββ | ||
| ``` | ||
|
|
||
| Each configured policy should have metadata that helps make the resulting alert | ||
| be as actionable as possible. Perhaps a name that is programmatically readable | ||
| along with description? | ||
|
|
||
| ## Event Policy Evaluation | ||
|
|
||
| Instead of creating a policy engine, we can an established policy evaluation | ||
| engine: Rego policies and Open Policy Agent! This keeps the complexity of | ||
| implementation low and we can lean on existing documentation for Rego policies | ||
| along with Rekor sidekick specific examples to help folks learn about writing | ||
| policies. This approaches keeps policies flexible as well and keeps our | ||
| coupling to the Rekor log formats fairly low and shifts that burden on to | ||
| policies writers. | ||
|
|
||
| ## Data structures | ||
|
|
||
| We need to define a policy and policy violation: | ||
|
|
||
| ```go | ||
| type Policy struct { | ||
| // short machine readable name | ||
| Name string | ||
|
|
||
| // Background on this policy. Meant for humans. Should help make a | ||
| // Policy Violation actionable | ||
| Description string | ||
|
|
||
| // Where is this policy defined? Could file:// for on disk or maybe | ||
| // https:// for remote? | ||
| PolicyURI string | ||
| } | ||
|
|
||
| type PolicyViolation struct { | ||
| // What policy was violated? | ||
| Policy Policy | ||
|
|
||
| // URI of the rekor entry that violates the policy | ||
| EntryURI string | ||
| } | ||
| ``` | ||
|
|
||
| ## Interfaces | ||
|
|
||
| We should make a very simply interface for each of the output implementations so that | ||
| contributors can very easily add their own. The following makes sense right now? | ||
|
|
||
| ```go | ||
| type Output interface { | ||
| Send(PolicyViolation) error | ||
| } | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| module github.com/nsmith5/rekorsidekick | ||
|
|
||
| go 1.17 |