asf-tooling opened a new issue, #1110:
URL: https://github.com/apache/tooling-trusted-releases/issues/1110

   **ASVS Level(s):** L1
   
   **Description:**
   
   ### Summary
   While the code includes authentication failure logging (log.warning, 
log.failed_authentication with structured metadata), the documentation does not 
describe how these logs are monitored, what alerting thresholds exist, or how 
operators should respond to attack patterns. Operations teams cannot determine 
proper monitoring configuration from documentation alone. Security events may 
go undetected without documented alerting thresholds, and incident response 
procedures are unclear.
   
   ### Details
   The file `security/ASVS/audit_guidance/authentication-security.md` does not 
document monitoring and alerting procedures. Authentication failure logging 
exists in `atr/storage/writers/tokens.py` at lines 105-116, but operational 
guidance is missing.
   
   ### Recommended Remediation
   Add a 'Monitoring and Detection' section to `authentication-security.md` 
documenting:
   - Authentication failure logging with structured metadata (reason, asf_uid, 
remote_addr, timestamp)
   - Log locations
   - Recommended monitoring thresholds:
     - Sustained rate limit violations >10 HTTP 429 from single IP in 1 hour
     - Failed PAT validations >5 for single user in 1 hour
     - Account status failures
     - SSH authentication failures >20 from single IP in 10 minutes
   - Incident response procedures for sustained authentication failures
   
   ### Acceptance Criteria
   - [ ] Monitoring section added to documentation
   - [ ] Alerting thresholds documented
   - [ ] Incident response procedures documented
   - [ ] Log locations and formats documented
   
   ### References
   - Source reports: L1:6.1.1.md
   - Related findings: FINDING-128
   - ASVS sections: 6.1.1
   
   ### Priority
   Low
   
   ---
   
   **Triage notes:** discussion - detecting brute force


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

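The thresholds proposed in the issue, turned into a small sliding-window detector so that an operator can see what "alert on >10 HTTP 429 from a single IP in an hour" means against actual log lines. This is an added example, not code from the issue or from the tooling-trusted-releases project: the log format (one JSON object per line carrying the event name plus the reason, asf_uid, remote_addr and timestamp fields the issue mentions), the event names, and the choice to alert on the first account-status failure are all assumptions, and the sample log is constructed.

```python
"""Sliding-window thresholds over structured authentication-failure logs.

Added example. The line format (JSON per line), the event names and the
limit for account-status failures are assumptions, not the project's own.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# event -> (field to group by, count that must be EXCEEDED in the window, window)
# Numbers are the ones proposed in the issue. "account_status_failed" has no
# number in the issue, so it alerts on the first occurrence (limit 0): assumption.
RULES = {
    "http_429": ("remote_addr", 10, timedelta(hours=1)),
    "pat_validation_failed": ("asf_uid", 5, timedelta(hours=1)),
    "account_status_failed": ("asf_uid", 0, timedelta(hours=1)),
    "ssh_auth_failed": ("remote_addr", 20, timedelta(minutes=10)),
}


def parse_event(line):
    """Parse one JSON log line; timestamps are ISO 8601 with a UTC offset."""
    rec = json.loads(line)
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec


class ThresholdDetector:
    """Per-(rule, key) sliding window; alerts once per key when exceeded."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)  # (event, key) -> timestamps
        self.alerted = set()               # keys already reported

    def observe(self, rec):
        rule = self.rules.get(rec.get("event"))
        if rule is None:
            return None
        key_field, limit, window = rule
        key = (rec["event"], rec.get(key_field))
        ts = rec["timestamp"]
        q = self.windows[key]
        q.append(ts)
        while ts - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) > limit and key not in self.alerted:
            self.alerted.add(key)
            return {"rule": rec["event"], "key": rec.get(key_field),
                    "count": len(q), "window_start": q[0].isoformat(),
                    "triggered_at": ts.isoformat(), "reason": rec.get("reason")}
        return None


def detect(lines):
    """Run the detector over time-ordered log lines; return the alerts raised."""
    det = ThresholdDetector()
    alerts = []
    for line in lines:
        alert = det.observe(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def build_sample_lines():
    """Constructed sample log (not real data), returned in time order."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    events = []

    def add(minutes, event, reason, **fields):
        ts = t0 + timedelta(minutes=minutes)
        rec = {"timestamp": ts.isoformat(), "event": event, "reason": reason}
        rec.update(fields)
        events.append((ts, rec))

    for i in range(12):  # 12 x 429 from one IP in 24 min: exceeds 10/hour
        add(2 * i, "http_429", "rate_limited", remote_addr="203.0.113.7")
    for i in range(6):   # 6 bad PATs for alice in 50 min: exceeds 5/hour
        add(10 * i, "pat_validation_failed", "bad_token",
            asf_uid="alice", remote_addr="198.51.100.9")
    for i in range(6):   # 6 bad PATs for bob over 2.5 h: never more than 5/hour
        add(30 * i, "pat_validation_failed", "bad_token",
            asf_uid="bob", remote_addr="198.51.100.10")
    add(5, "account_status_failed", "account_disabled",
        asf_uid="carol", remote_addr="198.51.100.11")
    for i in range(21):  # 21 SSH failures from one IP in 5 min: exceeds 20/10 min
        add(15 + i * 0.25, "ssh_auth_failed", "no_matching_key",
            remote_addr="192.0.2.44")
    for i in range(15):  # 15 SSH failures from another IP over 28 min: under limit
        add(2 * i, "ssh_auth_failed", "no_matching_key", remote_addr="192.0.2.45")

    events.sort(key=lambda e: e[0])
    return [json.dumps(rec) for _, rec in events]


if __name__ == "__main__":
    for alert in detect(build_sample_lines()):
        print(json.dumps(alert))
```

Two details matter for the documentation the issue asks for: the limits are "more than N", so the alert fires on the (N+1)th event, and each key alerts once rather than on every further event, which is what keeps a sustained brute-force attempt from paging the on-call operator dozens of times. Bob's six failures and the second SSH source never trigger because they never exceed the limit inside any single window.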
