
feat: add parser support for accepted publickey, pam_faillock, and pam_sss variants#15

Merged

stacknil merged 1 commit into main from codex/feat/parser-auth-families-v0.3 on Mar 23, 2026

Conversation

@stacknil (Owner)

Closes #14

Summary

  • add parser support for Accepted publickey success events
  • add conservative support for selected pam_faillock and pam_sss failure variants
  • keep ambiguous variants in deterministic telemetry buckets
  • preserve existing detector thresholds and golden report contract behavior

Scope

This PR is limited to parser-family expansion.
It does not change detector thresholds, cross-host correlation, enrichment, or SIEM-like behavior.
This is a parser-only change; no detector thresholds changed.

What changed

  • added sanitized syslog and journalctl_short_full fixtures
  • added parser tests for recognized vs telemetry-only behavior
  • parsed Accepted publickey as a supported auth event
  • parsed stable pam_faillock / pam_sss failure variants into the event model
  • retained ambiguous variants as deterministic telemetry buckets

Verification

  • cmake --preset dev-debug
  • cmake --build --preset dev-debug
  • ctest --preset dev-debug
  • cmake --preset ci-release
  • cmake --build --preset ci-release
  • ctest --preset ci-release

Deferred

  • broader pam_faillock success / lockout / admin-style variants
  • broader pam_sss backend / service-state variants
  • detector-policy changes for newly parsed families
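
A worked example added here to illustrate the recognized-versus-telemetry split the PR describes; it is not code from this PR or from the project. It is a minimal C++ classifier that promotes `Accepted publickey`, the pam_faillock "account temporarily locked" message and the standard pam_sss "authentication failure" message into an event model, and drops any other pam_faillock / pam_sss message into a deterministic telemetry bucket keyed only by module name. The family/bucket names, the regexes, the `AuthEvent` struct and the sample syslog and journalctl short-full lines are all assumptions constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <optional>
#include <regex>
#include <string>
#include <vector>

// Outcome of classifying one line. Telemetry means "counted in a stable
// bucket, but not promoted into the auth event model" (assumed model).
enum class AuthKind { AcceptedPublickey, FaillockLockout, SssAuthFailure, Telemetry };

struct AuthEvent {
    AuthKind kind;
    std::string bucket;  // stable family name; doubles as the telemetry bucket key
    std::string user;    // empty when the variant does not expose one
    std::string rhost;   // empty when the variant does not expose one
};

// Classify a single syslog or journalctl short-full line.
// Returns std::nullopt for lines that are not auth-related at all.
// regex_search ignores the timestamp/host/pid prefix, so both input
// formats are handled by the same patterns.
std::optional<AuthEvent> parse_auth_line(const std::string& line) {
    static const std::regex accepted(
        R"(Accepted publickey for (\S+) from (\S+) port \d+)");
    static const std::regex lockout(
        R"(pam_faillock\([^)]*\): Consecutive login failures for user (\S+) account temporarily locked)");
    static const std::regex sss_fail(
        R"(pam_sss\([^)]*\): authentication failure;.*rhost=(\S*) user=(\S+))");

    std::smatch m;
    if (std::regex_search(line, m, accepted))
        return AuthEvent{AuthKind::AcceptedPublickey, "sshd.accepted_publickey", m[1].str(), m[2].str()};
    if (std::regex_search(line, m, lockout))
        return AuthEvent{AuthKind::FaillockLockout, "pam_faillock.lockout", m[1].str(), ""};
    if (std::regex_search(line, m, sss_fail))
        return AuthEvent{AuthKind::SssAuthFailure, "pam_sss.auth_failure", m[2].str(), m[1].str()};

    // Known module, unrecognised message: keep it visible in a bucket whose
    // name depends only on the module, never on free text, so counts stay stable.
    if (line.find("pam_faillock(") != std::string::npos)
        return AuthEvent{AuthKind::Telemetry, "telemetry.pam_faillock.other", "", ""};
    if (line.find("pam_sss(") != std::string::npos)
        return AuthEvent{AuthKind::Telemetry, "telemetry.pam_sss.other", "", ""};
    return std::nullopt;
}

// Aggregate a batch of lines into per-bucket counts (recognized and telemetry alike).
std::map<std::string, int> bucket_counts(const std::vector<std::string>& lines) {
    std::map<std::string, int> counts;
    for (const auto& l : lines)
        if (auto ev = parse_auth_line(l)) counts[ev->bucket]++;
    return counts;
}

// Constructed sample input: syslog lines, one journalctl short-full line, and noise.
const std::vector<std::string> kSampleLines = {
    "Mar 23 10:00:01 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:AAAA",
    "Mon 2026-03-23 10:00:03 UTC host1 sshd[1237]: Accepted publickey for dave from 192.0.2.30 port 40000 ssh2: RSA SHA256:BBBB",
    "Mar 23 10:00:05 host1 sshd[1235]: pam_faillock(sshd:auth): Consecutive login failures for user bob account temporarily locked",
    "Mar 23 10:00:07 host1 sshd[1236]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20 user=carol",
    "Mar 23 10:00:09 host1 sshd[1236]: pam_sss(sshd:auth): received for user carol: 7 (Authentication failure)",
    "Mar 23 10:00:11 host1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)",
};

int main() {
    for (const auto& [bucket, n] : bucket_counts(kSampleLines))
        std::cout << bucket << " " << n << "\n";
    return 0;
}
```

The point of the telemetry branch is that an unrecognised pam_sss message such as the "received for user ...: 7" line is neither silently dropped nor guessed into the failure family; it is counted under `telemetry.pam_sss.other`, which is what lets a detector threshold stay untouched while the parser learns new families.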

@stacknil stacknil merged commit 1d3979b into main Mar 23, 2026
7 checks passed
@stacknil stacknil deleted the codex/feat/parser-auth-families-v0.3 branch March 23, 2026 18:27

Linked issue (closed by this PR): [v0.3] Add parser support for accepted publickey, pam_faillock, and pam_sss variants