Merge origin/main into codex/docs/release-facing-docs-v0.2

Author: stacknil

AGENTS.md

@@ -1,41 +1,14 @@
 # AGENTS.md
 
-## Project
-LogLens is a defensive C++20 CLI for parsing Linux authentication logs and generating structured detection reports.
-
-## Priorities
-1. Working MVP first
-2. Clean modular C++20
-3. Safe public-repo content
-4. Reproducible build and tests
-5. Clear README and docs
-
-## Constraints
-- Do not add offensive or exploitation functionality
-- Do not use real IPs, secrets, usernames, or private infrastructure identifiers
-- Prefer standard library over third-party dependencies
-- Keep file structure simple
-- Avoid unnecessary templates or meta-programming
-- Avoid heavy regex-only designs if a clearer parser is possible
-- Keep detection rules centralized and configurable
-
-## Code style
-- C++20
-- Readable names
-- Small functions
-- Comments only where they add real value
-- Fail gracefully on malformed log lines
-
-## Repository rules
-- Always update README when adding user-visible features
-- Add or update tests for parser and detector changes
-- Preserve public-safe placeholders like 203.0.113.x and example-host
-- Do not introduce large unrelated refactors
-
-## Task behavior
-When given a task:
-1. inspect repository state
-2. explain plan briefly
-3. implement in small steps
-4. run build/tests if available
-5. summarize created/modified files and remaining issues
+## LogLens Repo Rules
+
+- Keep the repository defensive and public-safe. Do not add offensive, exploitation, persistence, or live attack functionality.
+- Use only safe placeholders such as `203.0.113.x` and `example-host`. Never add real IPs, usernames, secrets, or private identifiers.
+- Prefer standard C++20 and the standard library. Keep code modular, readable, and easy to extend.
+- Keep detection rules centralized and configurable. Avoid large unrelated refactors.
+- Fail gracefully on malformed log lines.
+- Update README or docs for user-visible changes.
+- Tests are required for code changes. Add or update parser/detector tests and run available build/tests when possible:
+  `cmake -S . -B build`
+  `cmake --build build`
+  `ctest --test-dir build --output-on-failure`

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 stacknil
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

assets/parser_fixture_matrix_journalctl_short_full.log

@@ -0,0 +1,12 @@
+Tue 2026-03-10 09:00:01 UTC example-host sshd[3000]: Failed password for invalid user admin from 203.0.113.10 port 52000 ssh2
+Tue 2026-03-10 09:00:40 UTC example-host sshd[3001]: Failed publickey for alice from 203.0.113.11 port 52001 ssh2
+Tue 2026-03-10 09:01:15 UTC example-host sshd[3002]: Invalid user backup from 203.0.113.12 port 52002
+Tue 2026-03-10 09:01:52 UTC example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
+Tue 2026-03-10 09:02:30 UTC example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
+Tue 2026-03-10 09:03:05 UTC example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
+Tue 2026-03-10 09:03:40 UTC example-host sshd[3003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
+Tue 2026-03-10 09:04:05 UTC example-host sshd[3004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
+Tue 2026-03-10 09:04:28 UTC example-host sshd[3005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
+Tue 2026-03-10 09:05:02 UTC example-host sshd[3006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
+Tue 2026-03-10 09:05:34 UTC example-host sshd[3007]: Timeout, client not responding from 203.0.113.54 port 52014
+Tue 2026-03-10 09:06:10 UTC example-host pam_unix(sshd:session): session closed for user alice

assets/parser_fixture_matrix_syslog.log

@@ -0,0 +1,12 @@
+Mar 10 09:00:01 example-host sshd[2000]: Failed password for invalid user admin from 203.0.113.10 port 52000 ssh2
+Mar 10 09:00:40 example-host sshd[2001]: Failed publickey for alice from 203.0.113.11 port 52001 ssh2
+Mar 10 09:01:15 example-host sshd[2002]: Invalid user backup from 203.0.113.12 port 52002
+Mar 10 09:01:52 example-host pam_unix(sshd:auth): authentication failure; user=alice euid=0 tty=ssh rhost=203.0.113.40
+Mar 10 09:02:30 example-host pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
+Mar 10 09:03:05 example-host pam_unix(su-l:session): session opened for user root by bob(uid=1001)
+Mar 10 09:03:40 example-host sshd[2003]: Connection closed by user alice 203.0.113.50 port 52010 [preauth]
+Mar 10 09:04:05 example-host sshd[2004]: Connection closed by authenticating user carol 203.0.113.51 port 52011 [preauth]
+Mar 10 09:04:28 example-host sshd[2005]: Connection closed by invalid user deploy 203.0.113.52 port 52012 [preauth]
+Mar 10 09:05:02 example-host sshd[2006]: Disconnected from authenticating user dave 203.0.113.53 port 52013 [preauth]
+Mar 10 09:05:34 example-host sshd[2007]: Timeout, client not responding from 203.0.113.54 port 52014
+Mar 10 09:06:10 example-host pam_unix(sshd:session): session closed for user alice

docs/release-v0.1.0.md

@@ -1,16 +1,16 @@
-# LogLens v0.1.0
-
-LogLens v0.1.0 is the first public MVP release of the repository.
-
-## Highlights
-
-- Parses Linux authentication logs in both `syslog_legacy` and `journalctl_short_full` modes.
-- Normalizes authentication evidence and applies configurable detections for SSH brute force, multi-user probing, and sudo burst activity.
-- Reports parser coverage telemetry so unsupported lines are visible instead of silently ignored.
-- Ships with deterministic Markdown and JSON reports, unit tests, CI, CodeQL, and baseline repository hardening.
-
-## Notes
-
-- This release is intentionally narrow in scope and focused on a clean, public-safe baseline.
-- Parser coverage is limited to a small set of common `sshd`, `sudo`, and `pam_unix` patterns.
-- Repository protections are designed for PR-based development with CI and CodeQL gating merges into `main`.
+# LogLens v0.1.0
+
+LogLens v0.1.0 is the first public MVP release of the repository.
+
+## Highlights
+
+- Parses Linux authentication logs in both `syslog_legacy` and `journalctl_short_full` modes.
+- Normalizes authentication evidence and applies configurable detections for SSH brute force, multi-user probing, and sudo burst activity.
+- Reports parser coverage telemetry so unsupported lines are visible instead of silently ignored.
+- Ships with deterministic Markdown and JSON reports, unit tests, CI, CodeQL, and baseline repository hardening.
+
+## Notes
+
+- This release is intentionally narrow in scope and focused on a clean, public-safe baseline.
+- Parser coverage is limited to a small set of common `sshd`, `sudo`, and `pam_unix` patterns.
+- Repository protections are designed for PR-based development with CI and CodeQL gating merges into `main`.

src/detector.cpp

@@ -7,7 +7,6 @@ namespace loglens {
 namespace {
 
 using SignalGroup = std::unordered_map<std::string, std::vector<const AuthSignal*>>;
-using EventGroup = std::unordered_map<std::string, std::vector<const Event*>>;
 
 std::vector<const AuthSignal*> sort_signals_by_time(const std::vector<const AuthSignal*>& signals) {
     auto sorted = signals;
@@ -20,17 +19,6 @@ std::vector<const AuthSignal*> sort_signals_by_time(const std::vector<const Auth
     return sorted;
 }
 
-std::vector<const Event*> sort_events_by_time(const std::vector<const Event*>& events) {
-    auto sorted = events;
-    std::sort(sorted.begin(), sorted.end(), [](const Event* left, const Event* right) {
-        if (left->timestamp != right->timestamp) {
-            return left->timestamp < right->timestamp;
-        }
-        return left->line_number < right->line_number;
-    });
-    return sorted;
-}
-
 SignalGroup group_terminal_auth_failures_by_ip(const std::vector<AuthSignal>& signals) {
     SignalGroup grouped;
     for (const auto& signal : signals) {
@@ -53,13 +41,13 @@ SignalGroup group_attempt_evidence_by_ip(const std::vector<AuthSignal>& signals)
     return grouped;
 }
 
-EventGroup group_sudo_by_user(const std::vector<Event>& events) {
-    EventGroup grouped;
-    for (const auto& event : events) {
-        if (event.username.empty() || event.event_type != EventType::SudoCommand) {
+SignalGroup group_sudo_burst_evidence_by_user(const std::vector<AuthSignal>& signals) {
+    SignalGroup grouped;
+    for (const auto& signal : signals) {
+        if (signal.username.empty() || !signal.counts_as_sudo_burst_evidence) {
             continue;
         }
-        grouped[event.username].push_back(&event);
+        grouped[signal.username].push_back(&signal);
     }
     return grouped;
 }
@@ -220,12 +208,12 @@ std::vector<Finding> detect_multi_user(const std::vector<AuthSignal>& signals, c
     return findings;
 }
 
-std::vector<Finding> detect_sudo_burst(const std::vector<Event>& events, const DetectorConfig& config) {
+std::vector<Finding> detect_sudo_burst(const std::vector<AuthSignal>& signals, const DetectorConfig& config) {
     std::vector<Finding> findings;
-    const auto grouped = group_sudo_by_user(events);
+    const auto grouped = group_sudo_burst_evidence_by_user(signals);
 
     for (const auto& [username, group] : grouped) {
-        const auto ordered = sort_events_by_time(group);
+        const auto ordered = sort_signals_by_time(group);
         std::size_t start = 0;
         std::size_t best_count = 0;
         std::size_t best_start = 0;
@@ -279,7 +267,7 @@ std::vector<Finding> Detector::analyze(const std::vector<Event>& events) const {
     const auto auth_signals = build_auth_signals(events, config_.auth_signal_mappings);
     auto findings = detect_brute_force(auth_signals, config_);
     auto multi_user = detect_multi_user(auth_signals, config_);
-    auto sudo = detect_sudo_burst(events, config_);
+    auto sudo = detect_sudo_burst(auth_signals, config_);
 
     findings.insert(findings.end(), multi_user.begin(), multi_user.end());
     findings.insert(findings.end(), sudo.begin(), sudo.end());

src/signal.cpp

@@ -1,43 +1,62 @@
 #include "signal.hpp"
 
+#include <optional>
+
 namespace loglens {
 namespace {
 
-AuthSignalKind signal_kind_for_event_type(EventType type) {
-    switch (type) {
-    case EventType::SshFailedPassword:
-        return AuthSignalKind::SshFailedPassword;
-    case EventType::SshInvalidUser:
-        return AuthSignalKind::SshInvalidUser;
-    case EventType::SshFailedPublicKey:
-        return AuthSignalKind::SshFailedPublicKey;
-    case EventType::PamAuthFailure:
-        return AuthSignalKind::PamAuthFailure;
-    case EventType::Unknown:
-    case EventType::SshAcceptedPassword:
-    case EventType::SessionOpened:
-    case EventType::SudoCommand:
-    default:
-        return AuthSignalKind::Unknown;
-    }
-}
+struct SignalMapping {
+    AuthSignalKind signal_kind = AuthSignalKind::Unknown;
+    bool counts_as_attempt_evidence = false;
+    bool counts_as_terminal_auth_failure = false;
+    bool counts_as_sudo_burst_evidence = false;
+};
 
-const AuthSignalBehavior* behavior_for_event_type(EventType type, const AuthSignalConfig& config) {
-    switch (type) {
+std::optional<SignalMapping> signal_mapping_for_event(const Event& event, const AuthSignalConfig& config) {
+    switch (event.event_type) {
     case EventType::SshFailedPassword:
-        return &config.ssh_failed_password;
+        return SignalMapping{
+            AuthSignalKind::SshFailedPassword,
+            config.ssh_failed_password.counts_as_attempt_evidence,
+            config.ssh_failed_password.counts_as_terminal_auth_failure,
+            false};
     case EventType::SshInvalidUser:
-        return &config.ssh_invalid_user;
+        return SignalMapping{
+            AuthSignalKind::SshInvalidUser,
+            config.ssh_invalid_user.counts_as_attempt_evidence,
+            config.ssh_invalid_user.counts_as_terminal_auth_failure,
+            false};
     case EventType::SshFailedPublicKey:
-        return &config.ssh_failed_publickey;
+        return SignalMapping{
+            AuthSignalKind::SshFailedPublicKey,
+            config.ssh_failed_publickey.counts_as_attempt_evidence,
+            config.ssh_failed_publickey.counts_as_terminal_auth_failure,
+            false};
     case EventType::PamAuthFailure:
-        return &config.pam_auth_failure;
+        return SignalMapping{
+            AuthSignalKind::PamAuthFailure,
+            config.pam_auth_failure.counts_as_attempt_evidence,
+            config.pam_auth_failure.counts_as_terminal_auth_failure,
+            false};
+    case EventType::SudoCommand:
+        return SignalMapping{
+            AuthSignalKind::SudoCommand,
+            false,
+            false,
+            true};
+    case EventType::SessionOpened:
+        if (event.program == "pam_unix(sudo:session)") {
+            return SignalMapping{
+                AuthSignalKind::SudoSessionOpened,
+                false,
+                false,
+                false};
+        }
+        return std::nullopt;
     case EventType::Unknown:
     case EventType::SshAcceptedPassword:
-    case EventType::SessionOpened:
-    case EventType::SudoCommand:
     default:
-        return nullptr;
+        return std::nullopt;
     }
 }
 
@@ -48,18 +67,19 @@ std::vector<AuthSignal> build_auth_signals(const std::vector<Event>& events, con
     signals.reserve(events.size());
 
     for (const auto& event : events) {
-        const auto* behavior = behavior_for_event_type(event.event_type, config);
-        if (behavior == nullptr) {
+        const auto mapping = signal_mapping_for_event(event, config);
+        if (!mapping.has_value()) {
             continue;
         }
 
         signals.push_back(AuthSignal{
             event.timestamp,
             event.source_ip,
             event.username,
-            signal_kind_for_event_type(event.event_type),
-            behavior->counts_as_attempt_evidence,
-            behavior->counts_as_terminal_auth_failure,
+            mapping->signal_kind,
+            mapping->counts_as_attempt_evidence,
+            mapping->counts_as_terminal_auth_failure,
+            mapping->counts_as_sudo_burst_evidence,
             event.line_number});
     }
 

src/signal.hpp

@@ -13,7 +13,9 @@ enum class AuthSignalKind {
     SshFailedPassword,
     SshInvalidUser,
     SshFailedPublicKey,
-    PamAuthFailure
+    PamAuthFailure,
+    SudoCommand,
+    SudoSessionOpened
 };
 
 struct AuthSignalBehavior {
@@ -35,6 +37,7 @@ struct AuthSignal {
     AuthSignalKind signal_kind = AuthSignalKind::Unknown;
     bool counts_as_attempt_evidence = false;
     bool counts_as_terminal_auth_failure = false;
+    bool counts_as_sudo_burst_evidence = false;
     std::size_t line_number = 0;
 };