M11 - Email Notifications + Audit Logging Hardening:
- Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders
- Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging
- Periodic + on-demand audit integrity verification
- Audit logging for all config changes and certificate operations
- Frontend: email settings integration, audit integrity verification action

M12 - Deployment Packaging, Backup/DR, Integration Testing:
- scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted)
- scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install
- systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening
- systemd/patch-manager.target: Service target for coordinated lifecycle
- docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets
- scripts/integration-test.sh: 9 test suites covering full API lifecycle
- scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s)
- docs/security-review.md: Comprehensive security control verification
- docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped
30 lines
1.5 KiB
SQL
-- Migration: 005_audit_hardening
-- Description: Add prev_hash column to audit_log for full hash chaining,
-- add notification config defaults to system_config, add new
-- audit_action enum values, and add audit_integrity_last_verified.

-- ============================================================
-- 1. Add prev_hash column to audit_log
-- ============================================================
ALTER TABLE audit_log ADD COLUMN IF NOT EXISTS prev_hash TEXT NOT NULL DEFAULT '';

-- ============================================================
-- 2. Add notification config defaults to system_config
-- ============================================================
INSERT INTO system_config (key, value, updated_at)
VALUES
    ('notification_email_enabled', 'false', NOW()),
    ('notification_email_from', 'patch-manager@localhost', NOW()),
    ('notification_email_recipients', '[]', NOW()),
    ('audit_integrity_last_verified', '', NOW())
ON CONFLICT (key) DO NOTHING;

-- ============================================================
-- 3. Add new audit_action enum values
-- ============================================================
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'audit_integrity_verified';
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'email_notification_sent';
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'patch_job_completed';
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'patch_job_failed';
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'maintenance_window_reminder';
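The commit message describes audit log hash chaining (prev_hash + row_hash) and an integrity verifier, and the migration above only adds the `prev_hash` column with `DEFAULT ''`. The following is an added, stand-alone illustration of how such a chain is built and verified; it is not the project's own code. The field set of a row, SHA-256 over canonical JSON as the row hash, and the sample rows and actor names are all assumptions made for the example. The verifier walks rows in id order, recomputes every hash and checks that each `prev_hash` equals the previous row's `row_hash`, so an edited, deleted or reordered row is reported at the first point the chain breaks.

```python
"""Hash-chained audit log (illustrative, not the project's implementation).

Each row stores prev_hash (the previous row's row_hash; '' for the first
chained row, matching the migration's DEFAULT '') and
row_hash = SHA-256(canonical JSON of the row fields + prev_hash).
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Matches the migration: prev_hash TEXT NOT NULL DEFAULT ''
GENESIS_PREV_HASH = ""


@dataclass
class AuditRow:
    id: int
    action: str        # an audit_action enum value, e.g. 'patch_job_completed'
    actor: str
    details: dict
    created_at: str    # ISO-8601 timestamp as stored (assumed)
    prev_hash: str = GENESIS_PREV_HASH
    row_hash: str = ""


def compute_row_hash(row: AuditRow) -> str:
    """Assumed canonical form: JSON, sorted keys, no whitespace, prev_hash included."""
    payload = json.dumps(
        {
            "id": row.id,
            "action": row.action,
            "actor": row.actor,
            "details": row.details,
            "created_at": row.created_at,
            "prev_hash": row.prev_hash,
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: List[AuditRow], action: str, actor: str,
           details: dict, created_at: str) -> AuditRow:
    """Append a row whose prev_hash links to the last row already in the chain."""
    prev = chain[-1].row_hash if chain else GENESIS_PREV_HASH
    row = AuditRow(id=len(chain) + 1, action=action, actor=actor,
                   details=details, created_at=created_at, prev_hash=prev)
    row.row_hash = compute_row_hash(row)
    chain.append(row)
    return row


def verify_chain(chain: List[AuditRow]) -> Optional[int]:
    """Return None if the chain is intact, else the id of the first bad row.

    A row is bad when its stored prev_hash does not equal the previous row's
    row_hash, or when its stored row_hash does not match a recomputation.
    Rows written before the migration carry prev_hash '' and must therefore
    be excluded (or the chain anchored at the first chained row) before
    calling this, otherwise they are reported as breaks.
    """
    expected_prev = GENESIS_PREV_HASH
    for row in chain:
        if row.prev_hash != expected_prev or compute_row_hash(row) != row.row_hash:
            return row.id
        expected_prev = row.row_hash
    return None


def build_sample_chain() -> List[AuditRow]:
    """Constructed sample rows using enum values from the migration."""
    chain: List[AuditRow] = []
    append(chain, "patch_job_completed", "scheduler", {"job_id": 42}, "2024-01-01T00:00:00Z")
    append(chain, "email_notification_sent", "notifier", {"recipients": 2}, "2024-01-01T00:00:05Z")
    append(chain, "audit_integrity_verified", "cron", {"rows": 2}, "2024-01-01T01:00:00Z")
    return chain


def demo() -> dict:
    """Show that an intact chain verifies and that edits/deletions are located."""
    intact = build_sample_chain()
    edited = build_sample_chain()
    edited[0].details["job_id"] = 43          # silently change a stored row
    truncated = build_sample_chain()
    del truncated[1]                           # remove a middle row
    return {
        "intact": verify_chain(intact),        # None
        "edited_first_bad_id": verify_chain(edited),     # 1
        "deleted_first_bad_id": verify_chain(truncated), # 3 (its prev_hash points at row 2)
    }


if __name__ == "__main__":
    print(demo())
```

The scheduled and on-demand verification the commit mentions would run the same recomputation over the table ordered by id and then record the timestamp in `audit_integrity_last_verified`; the important design point is that the chain only has value if the verifier runs against the live table regularly and its result is itself logged (the new `audit_integrity_verified` action), since a tamperer who can also rewrite every later `row_hash` defeats a chain that is never checked against an external reference.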