openshift / compliance-audit-router

Intake compliance alerts and process them for audit information


A tool that receives compliance alert webhooks from an external source (eg. Splunk), looks up the responsible engineer's details (eg. in LDAP), and creates a compliance report ticket (eg. in Jira) assigned to that engineer for follow-up.

   │                                                                                                                       │
   │                                  1                                                3                                   │
   │                                                                                                                       │
   │          ┌────────────► Alert Notification ────────────┐      ┌──────────► Create Compliance ─────────┐               │
   │          │                    Webhook                  │      │                 Issue                 │               │
   │          │                                             ▼      │                                       ▼               │
   │ ┌────────┴───────┐                                ┌───────────┴────┐                             ┌──────────────────┐ │
   │ │                │                                │                │                             │                  │ │
   │ │  SIEM Service  │                                │   Compliance   │                             │  Issue Tracking  │ │
   │ │  (eg: Splunk)  │                                │  Audit Router  │                             │    (eg: Jira)    │ │
   │ │                │                                │                │                             │                  │ │
   │ └────────────────┘                                └────┬───────────┘                             └──────────────────┘ │
   │          ▲                                             │      ▲                                       ▲               │
   │          │                Retrieve Alert               │      │            Listen for Issue           │               │
   │          └───────────────    Details     ◄─────────────┘      └─────────►  State Transition  ◄────────┘               │
   │                                                                               and Update                              │
   │                                 2                                                 4                                   │
   │                                                                                                                       │

      1. Compliance Audit Router (CAR) receives an incoming alert notification webhook from the SIEM service
      2. CAR retrieves the details of the triggered alert from the SIEM service
      3. CAR creates a compliance tracking issue in the Issue Tracking service
      4. CAR listens for issue state transitions and other lifecycle changes and updates the issue as necess
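The four steps above as one runnable Go program, added here as an example; it is not the project's own code. The three external systems sit behind interfaces backed by in-memory fakes holding constructed data, so it runs offline. Assumptions not taken from this page: the Splunk webhook JSON field names (sid, search_name), a shared-secret X-CAR-Secret header on the inbound webhook, the fake hostnames, user IDs and issue keys, and the shape of the alert detail and directory records. Step 4 (watching issue transitions) is not shown.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AlertNotification is the slice of the Splunk webhook alert-action payload the router needs.
type AlertNotification struct {
	SID        string `json:"sid"`         // field names are assumptions, not taken from the project
	SearchName string `json:"search_name"`
}

type AlertDetail struct{ User, Action string } // what step 2 pulls back from the SIEM (constructed shape)
type Engineer struct{ UID, Manager string }    // directory record, cf. the manager attribute in the example config

// The three external systems sit behind interfaces so the pipeline can run offline.
type SIEM interface{ AlertDetails(sid string) (AlertDetail, error) }
type Directory interface{ Lookup(uid string) (Engineer, error) }
type Tracker interface{ CreateIssue(project, issueType, assignee, summary string) (string, error) }

type Router struct {
	WebhookSecret, Project, IssueType string // the shared-secret header is an assumption, not a documented feature
	SIEM                              SIEM
	Dir                               Directory
	Tracker                           Tracker
}

// Process runs steps 2 and 3 for one notification and returns the new issue key.
func (r *Router) Process(n AlertNotification) (string, error) {
	// Step 2: the webhook body is only a trigger; everything that reaches the ticket is re-fetched
	// from the SIEM by sid, so a forged or tampered body cannot plant alert details.
	d, err := r.SIEM.AlertDetails(n.SID)
	if err != nil {
		return "", fmt.Errorf("retrieve alert %q: %w", n.SID, err)
	}
	eng, err := r.Dir.Lookup(d.User)
	if err != nil {
		return "", fmt.Errorf("look up engineer %q: %w", d.User, err)
	}
	// Step 3: one tracking issue per alert, assigned to the responsible engineer.
	summary := fmt.Sprintf("[%s] %s by %s (manager: %s)", n.SearchName, d.Action, eng.UID, eng.Manager)
	return r.Tracker.CreateIssue(r.Project, r.IssueType, eng.UID, summary)
}

// ServeHTTP is step 1: authenticate the caller, bound and decode the body, then hand off.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if subtle.ConstantTimeCompare([]byte(req.Header.Get("X-CAR-Secret")), []byte(r.WebhookSecret)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var n AlertNotification
	if err := json.NewDecoder(http.MaxBytesReader(w, req.Body, 1<<20)).Decode(&n); err != nil {
		http.Error(w, "bad payload", http.StatusBadRequest)
		return
	}
	key, err := r.Process(n)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	w.WriteHeader(http.StatusAccepted)
	fmt.Fprintln(w, key)
}

// In-memory fakes standing in for Splunk, LDAP and Jira; all data in them is constructed.
type fakeSIEM map[string]AlertDetail
type fakeDir map[string]Engineer
type fakeTracker struct{ Issues []string }

func find[V any](m map[string]V, k string) (V, error) {
	if v, ok := m[k]; ok {
		return v, nil
	}
	var zero V
	return zero, fmt.Errorf("%q not found", k)
}
func (f fakeSIEM) AlertDetails(sid string) (AlertDetail, error) { return find(f, sid) }
func (f fakeDir) Lookup(uid string) (Engineer, error)           { return find(f, uid) }
func (f *fakeTracker) CreateIssue(project, issueType, assignee, summary string) (string, error) {
	key := fmt.Sprintf("%s-%d", project, len(f.Issues)+1)
	f.Issues = append(f.Issues, key+" "+issueType+" "+assignee+" "+summary)
	return key, nil
}

func NewDemoRouter() *Router {
	return &Router{WebhookSecret: "demo-secret", Project: "COMP", IssueType: "Task",
		SIEM:    fakeSIEM{"scheduler__admin__RMD5abc": {User: "jdoe", Action: "oc adm policy add-cluster-role-to-user cluster-admin"}},
		Dir:     fakeDir{"jdoe": {UID: "jdoe", Manager: "asmith"}}, Tracker: &fakeTracker{}}
}

// Post drives the handler in-process and returns the status code and response body.
func Post(r *Router, secret, payload string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(payload))
	req.Header.Set("X-CAR-Secret", secret)
	rec := httptest.NewRecorder()
	r.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	code, body := Post(NewDemoRouter(), "demo-secret", `{"sid":"scheduler__admin__RMD5abc","search_name":"cluster-admin grant"}`)
	fmt.Println(code, body) // 202 COMP-1
}
```

The design point is in Process: the inbound webhook is treated only as a trigger carrying a search ID, and every field that lands in the ticket is fetched again from the SIEM by that ID, so a caller who can reach the listen port cannot plant alert text or an assignee. The secret check and the 1 MiB body cap on the listener are the minimum a webhook endpoint exposed to a SIEM should have; the documentation on this page does not describe any inbound authentication, so treat that header as illustrative.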


Configuration is read from the ~/.config/compliance-audit-router/compliance-audit-router.yaml file.

Alternatively, any configuration option may be set as an environment variable following Viper's environment variable handling, using the prefix CAR_ (eg. CAR_LISTENPORT=8080).

Configuration Values

General Configuration

verbose : Turns on more verbose logging output. Default: false

listenport : The port on which Compliance Audit Router listens for SIEM (eg. Splunk) alert webhooks. Default: 8080

ldapconfig.host : The LDAP server to query for user information. May or may not include the ldap:// or ldaps:// scheme, as appropriate. (eg: ldaps://

ldapconfig.username : The username with which to authenticate to the LDAP server. Requires ldapconfig.password. If no username is provided, Compliance Audit Router will attempt an unauthenticated bind.

ldapconfig.password : The password with which to authenticate to the LDAP server. Requires ldapconfig.username.

ldapconfig.searchbase : The LDAP Search Base directory from which to begin object searches.

ldapconfig.scope : The LDAP search scope for queries (eg. sub, as in the example file below).

ldapconfig.attributes : The LDAP attributes to look up for the provided query.

splunkconfig.host : The Splunk server to query for alert search results. Must include the scheme and port.

splunkconfig.token : An API token to authenticate to the Splunk API.

splunkconfig.allowinsecure : Boolean. When true, allows insecure TLS connections to Splunk. Don't do this outside a throwaway development environment.

jiraconfig.host : The Jira instance in which to create and manage compliance alert issues. Must include the scheme. May optionally include the port.

jiraconfig.username : The (optional) username with which to authenticate to the Jira API. Requires jiraconfig.token. Setting this causes Compliance Audit Router to use Jira's Basic Authentication method, which should only be done for development.

jiraconfig.token : The API token to authenticate to the Jira API. Setting this without setting jiraconfig.username causes Compliance Audit Router to use Jira's Personal Access Token (PAT) authentication method.

jiraconfig.allowinsecure : Boolean. When true, allows insecure TLS connections to Jira. Don't do this outside a throwaway development environment.

jiraconfig.key : The Jira Project key of the project in which Compliance Audit Router will create and manage compliance alert issues.

jiraconfig.issuetype : The Jira Issue type that new compliance alerts will be created as. (eg. "Task")

jiraconfig.transitions : TODO - document the transitions

Example compliance-audit-router.yaml file

verbose: false
listenport: 8080

ldapconfig:
  host: ldaps://
  username: <username>
  password: <password>
  searchbase: dc=example,dc=org
  scope: sub
  attributes:
    - manager
    - alternateID

splunkconfig:
  host: <Splunk URL, including scheme and port>
  token: <token>
  allowinsecure: false

jiraconfig:
  host: <Jira URL, including scheme>
  allowinsecure: false
  username: <username>
  token: <token>
  key: <Jira project key>
  issuetype: <type of issue to create>
  dev: false

messagetemplate: |

  This action required business justification from the engineer who used this access, and management approval.

  If this action is unexpected or unexplained, please contact the Security team immediately for further investigation.
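As an added example (not the project's own code, which reads this file and the CAR_ environment through Viper), here is how the environment overlay and the constraints stated in the reference above can be applied and checked in Go with only the standard library. Assumptions not on this page: nested keys map to CAR_LDAPCONFIG_HOST-style names with the dot replaced by an underscore, the Splunk and Jira hosts are http or https URLs, and the split between hard errors (missing tokens, a Splunk host without a port, a username without a password) and warnings (allowinsecure, Jira Basic auth) is the example's own choice.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strconv"
	"strings"
)

// Config mirrors the documented keys. Example type only: the real tool loads its YAML file and CAR_ environment through Viper.
type Config struct {
	Verbose    bool
	ListenPort int
	LDAP       struct{ Host, Username, Password, SearchBase, Scope string }
	Splunk     struct{ Host, Token string; AllowInsecure bool }
	Jira       struct{ Host, Username, Token, Key, IssueType string; AllowInsecure bool }
}

// envName maps ldapconfig.host to CAR_LDAPCONFIG_HOST; only the CAR_ prefix is documented, the "." to "_" step is an assumption.
func envName(key string) string {
	return "CAR_" + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
}

// ApplyEnv overlays environment values onto cfg; lookup is os.LookupEnv in production and a plain map in tests.
func ApplyEnv(cfg *Config, lookup func(string) (string, bool)) error {
	for key, dst := range map[string]*string{
		"ldapconfig.host": &cfg.LDAP.Host, "ldapconfig.username": &cfg.LDAP.Username,
		"ldapconfig.password": &cfg.LDAP.Password, "ldapconfig.searchbase": &cfg.LDAP.SearchBase,
		"ldapconfig.scope": &cfg.LDAP.Scope, "splunkconfig.host": &cfg.Splunk.Host,
		"splunkconfig.token": &cfg.Splunk.Token, "jiraconfig.host": &cfg.Jira.Host,
		"jiraconfig.username": &cfg.Jira.Username, "jiraconfig.token": &cfg.Jira.Token,
		"jiraconfig.key": &cfg.Jira.Key, "jiraconfig.issuetype": &cfg.Jira.IssueType,
	} {
		if v, ok := lookup(envName(key)); ok {
			*dst = v
		}
	}
	for key, dst := range map[string]*bool{
		"verbose": &cfg.Verbose, "splunkconfig.allowinsecure": &cfg.Splunk.AllowInsecure,
		"jiraconfig.allowinsecure": &cfg.Jira.AllowInsecure,
	} {
		if v, ok := lookup(envName(key)); ok {
			b, err := strconv.ParseBool(v)
			if err != nil {
				return fmt.Errorf("%s: %w", envName(key), err) // never silently default a security flag
			}
			*dst = b
		}
	}
	if v, ok := lookup(envName("listenport")); ok {
		cfg.ListenPort, _ = strconv.Atoi(v) // a non-numeric value becomes 0 and is rejected by Validate
	}
	return nil
}

// httpHostOK implements "must include the scheme [and port]"; http/https is assumed since both endpoints are REST APIs.
func httpHostOK(raw string, needPort bool) bool {
	u, err := url.Parse(raw)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != "" && (!needPort || u.Port() != "")
}

// Validate enforces the rules in the reference above: structural problems are errors, unsafe-but-legal settings are warnings.
func Validate(cfg Config) (warnings []string, err error) {
	var problems []string
	if cfg.ListenPort < 1 || cfg.ListenPort > 65535 {
		problems = append(problems, "listenport must be between 1 and 65535")
	}
	if (cfg.LDAP.Username == "") != (cfg.LDAP.Password == "") {
		problems = append(problems, "ldapconfig.username and ldapconfig.password must be set together")
	}
	if !httpHostOK(cfg.Splunk.Host, true) || !httpHostOK(cfg.Jira.Host, false) {
		problems = append(problems, "splunkconfig.host needs scheme and port; jiraconfig.host needs scheme")
	}
	if cfg.Splunk.Token == "" || cfg.Jira.Token == "" || cfg.Jira.Key == "" || cfg.Jira.IssueType == "" {
		problems = append(problems, "splunkconfig.token, jiraconfig.token, jiraconfig.key and jiraconfig.issuetype are required")
	}
	if cfg.Splunk.AllowInsecure || cfg.Jira.AllowInsecure {
		warnings = append(warnings, "allowinsecure is true: TLS certificate verification is disabled")
	}
	if cfg.Jira.Username != "" {
		warnings = append(warnings, "jiraconfig.username is set: Jira Basic auth is for development only, prefer a PAT")
	}
	if len(problems) > 0 {
		err = errors.New(strings.Join(problems, "; "))
	}
	return warnings, err
}

func main() {
	cfg := Config{ListenPort: 8080} // documented default
	envErr := ApplyEnv(&cfg, os.LookupEnv)
	warnings, cfgErr := Validate(cfg)
	fmt.Printf("warnings: %q\nenv error: %v\nconfig error: %v\n", warnings, envErr, cfgErr)
}
```

Run it with, for example, CAR_LISTENPORT=9090 CAR_SPLUNKCONFIG_ALLOWINSECURE=true to see the warning path. Checks like these belong in startup, before the first webhook is accepted: a missing Jira token or an unverified TLS connection is otherwise only discovered when the first alert arrives, which is exactly when the audit trail matters.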


License:Apache License 2.0


Languages: Go 58.7%, Shell 35.3%, Makefile 5.0%, Dockerfile 0.9%