security_events 0.1.1

Security telemetry, redaction, HMAC-sealed events, and audit-friendly event sinks.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

//! Core security event schema.

use crate::kind::EventKind;
use security_core::classification::DataClassification;
use security_core::severity::SecuritySeverity;
use security_core::types::{RequestId, TenantId, TraceId};
use serde::Serialize;
use std::collections::BTreeMap;
use std::net::IpAddr;
use time::OffsetDateTime;
use uuid::Uuid;

/// The outcome of a security event.
///
/// # Examples
///
/// ```
/// use security_events::event::EventOutcome;
///
/// let outcome = EventOutcome::Success;
/// assert_eq!(outcome, EventOutcome::Success);
/// ```
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, Serialize)]
#[serde(rename_all = "snake_case")]
pub enum EventOutcome {
    /// The operation succeeded.
    Success,
    /// The operation failed.
    Failure,
    /// The operation was blocked by a security control.
    Blocked,
    /// The outcome is unknown.
    Unknown,
}

/// A labeled value that carries its data classification.
///
/// # Examples
///
/// ```
/// use security_events::event::EventValue;
/// use security_core::classification::DataClassification;
///
/// let val = EventValue::Classified {
///     value: "user@example.com".to_string(),
///     classification: DataClassification::PII,
/// };
/// assert_eq!(format!("{val:?}").contains("PII"), true);
/// ```
#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum EventValue {
    /// A classified data value.
    Classified {
        /// The raw or (post-redaction) string value.
        value: String,
        /// The data classification for this value.
        classification: DataClassification,
    },
}

/// A structured, serializable security audit event.
#[derive(Clone, Debug, Serialize)]
pub struct SecurityEvent {
    /// ISO-8601 timestamp of when the event occurred.
    pub timestamp: OffsetDateTime,
    /// Unique identifier for this event.
    pub event_id: Uuid,
    /// Optional identifier of the parent event for correlation and investigation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parent_event_id: Option<Uuid>,
    /// The kind of security event.
    pub kind: EventKind,
    /// Severity of this event.
    pub severity: SecuritySeverity,
    /// The outcome of the operation that triggered this event.
    pub outcome: EventOutcome,
    /// The actor (user/service) that triggered the event.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<String>,
    /// The tenant context of this event.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tenant: Option<TenantId>,
    /// The source IP address.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub source_ip: Option<IpAddr>,
    /// The inbound request identifier.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request_id: Option<RequestId>,
    /// The distributed trace identifier.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub trace_id: Option<TraceId>,
    /// The session identifier.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session_id: Option<String>,
    /// The resource that was the target of the event.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource: Option<String>,
    /// A stable reason code for this event.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reason_code: Option<&'static str>,
    /// Optional per-event HMAC-SHA256 signature for tamper evidence.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hmac: Option<String>,
    /// Arbitrary labelled values associated with this event.
    pub labels: BTreeMap<String, EventValue>,
}

impl SecurityEvent {
    /// Creates a new [`SecurityEvent`] with the given kind, severity, and outcome.
    ///
    /// Sets `timestamp` to now (UTC) and generates a new random `event_id`.
    #[must_use]
    pub fn new(kind: EventKind, severity: SecuritySeverity, outcome: EventOutcome) -> Self {
        Self {
            timestamp: OffsetDateTime::now_utc(),
            event_id: Uuid::new_v4(),
            parent_event_id: None,
            kind,
            severity,
            outcome,
            actor: None,
            tenant: None,
            source_ip: None,
            request_id: None,
            trace_id: None,
            session_id: None,
            resource: None,
            reason_code: None,
            hmac: None,
            labels: BTreeMap::new(),
        }
    }

    /// Returns a copy of this event linked to `parent_event_id`.
    ///
    /// # Examples
    ///
    /// ```rust
    /// use security_core::severity::SecuritySeverity;
    /// use security_events::event::{EventOutcome, SecurityEvent};
    /// use security_events::kind::EventKind;
    /// use uuid::Uuid;
    ///
    /// let parent_id = Uuid::new_v4();
    /// let event = SecurityEvent::new(
    ///     EventKind::AdminAction,
    ///     SecuritySeverity::Info,
    ///     EventOutcome::Success,
    /// )
    /// .with_parent_event_id(parent_id);
    ///
    /// assert_eq!(event.parent_event_id, Some(parent_id));
    /// ```
    #[must_use]
    pub fn with_parent_event_id(mut self, parent_event_id: Uuid) -> Self {
        self.parent_event_id = Some(parent_event_id);
        self
    }
}