docs(compliance): add M-26-14 compliance crosswalk#27
Merged
Pull request overview
Adds initial documentation scaffolding to track LocalObserve’s alignment with OMB M-26-14 logging requirements, including a crosswalk matrix and per-requirement issue-draft templates to guide future implementation work.
Changes:
- Added `docs/compliance_crosswalk.md` with an audit matrix and detailed requirement-to-implementation mapping.
- Added `.github/ISSUES_DRAFTS/` markdown drafts (8) to seed standardized GitHub issues with tasks and acceptance criteria.
- Added `.github/PR_BODY.md` template text describing the crosswalk + issue-draft workflow.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| docs/compliance_crosswalk.md | New M-26-14 crosswalk matrix and detailed requirement mappings for LocalObserve. |
| .github/PR_BODY.md | PR body template describing the compliance crosswalk and issue-draft workflow. |
| .github/ISSUES_DRAFTS/01_compliance_logging.md | Issue draft for structured logging + timestamp requirements. |
| .github/ISSUES_DRAFTS/02_compliance_retention.md | Issue draft for retention/archival requirements. |
| .github/ISSUES_DRAFTS/03_compliance_access_controls.md | Issue draft for access controls / JIT / export requirements. |
| .github/ISSUES_DRAFTS/04_compliance_network_capture.md | Issue draft for network capture minimization/controls requirements. |
| .github/ISSUES_DRAFTS/05_compliance_audit_trail.md | Issue draft for tamper-evident audit trail and config integrity. |
| .github/ISSUES_DRAFTS/06_compliance_monitoring.md | Issue draft for pipeline monitoring/alerting requirements. |
| .github/ISSUES_DRAFTS/07_compliance_encryption.md | Issue draft for encryption/KMS requirements. |
| .github/ISSUES_DRAFTS/08_compliance_docs_tests.md | Issue draft for compliance documentation + tests/CI validation. |
|
|
||
| | Req ID | M-26-14 Target Reference | LocalObserve Implementation Strategy | Tracking Issue | Status | | ||
| | :--- | :--- | :--- | :--- | :--- | | ||
| | **Req-1** | Appendix B.3, B.5 (Structured Schema & Timestamp Sync) | JSON-structured log formatting across all system collectors, aligned with authoritative NTP synchronization (traceable to USNO/NIST). | [Issue #19](https://github.com/JJediny/LocalObserve/issues/19) | 🟡 Planned | |
| - **M-26-14 Text Reference**: | ||
| > *"Log storage may be decentralized; however, logs must be readily available to the top-level agency security operations center (SOC)... Logs must include a consistently accurate timestamp. To ensure accuracy, network time must be synchronized to Network Time Protocol (NTP) or equivalent mechanisms to a traceable time source... traceable to the U.S. Naval Observatory or NIST, where feasible."* (Appendix B.2, B.3, B.5) | ||
| - **LocalObserve Implementation Plan**: | ||
| Configure the collector (`otelcol`) and agent (`osqueryd`, `falco`) engines to append standard UTC timestamps and serialize outputs to JSON formats. Synchronize container and host systems against pool.ntp.org (traceable time source). |
| | **Req-4** | Appendix A, B.5.b (Network Capture Minimization) | Integrated flow captures via `goflow2` with PII filters to protect sensitive identifiers. | [Issue #22](https://github.com/JJediny/LocalObserve/issues/22) | 🟡 Planned | | ||
| | **Req-5** | Appendix C (Log Veracity & Hashing) | Hashing log batches for tamper-evidence and auditing configurations. | [Issue #23](https://github.com/JJediny/LocalObserve/issues/23) | 🟡 Planned | | ||
| | **Req-6** | Appendix B.5.k, Appendix C (Pipeline Monitoring & Alerts) | Pipeline health monitoring, threshold alerting for data drops, and tuning alerts. | [Issue #24](https://github.com/JJediny/LocalObserve/issues/24) | 🟡 Planned | | ||
| | **Req-7** | Appendix C (Data Protection & KMS) | TLS 1.3 transit encryption, AES-256 rest encryption, and integration with KMS. | [Issue #25](https://github.com/JJediny/LocalObserve/issues/25) | 🟡 Planned | |
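Review bot: the Req-1 implementation plan undercuts the traceability claim in the same row. `pool.ntp.org` is a volunteer, best-effort pool with no documented chain to USNO or NIST, so it cannot be described as a "traceable time source"; name a source that is (NIST's public `time.nist.gov` servers, USNO's servers, or an agency-operated stratum that documents its upstream) and add an acceptance criterion that the host and containers report that source in `chronyc tracking` or `ntpq -p` output. The quoted text is also cited as "Appendix B.2, B.3, B.5" while the Req-1 row cites "Appendix B.3, B.5"; align the two references.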
Comment on lines +16 to +25
| | Req ID | M-26-14 Target Reference | LocalObserve Implementation Strategy | Tracking Issue | Status | | ||
| | :--- | :--- | :--- | :--- | :--- | | ||
| | **Req-1** | Appendix B.3, B.5 (Structured Schema & Timestamp Sync) | JSON-structured log formatting across all system collectors, aligned with authoritative NTP synchronization (traceable to USNO/NIST). | [Issue #19](https://github.com/JJediny/LocalObserve/issues/19) | 🟡 Planned | | ||
| | **Req-2** | Appendix B.1 (Retention Policy: Search vs. Retrieval) | 6-month hot searchable data retention in OpenObserve alongside a 12-month cold retrieval policy. | [Issue #20](https://github.com/JJediny/LocalObserve/issues/20) | 🟡 Planned | | ||
| | **Req-3** | Par. 125-131, Appendix C (Access Controls & JIT) | SOC integration, Just-In-Time (JIT) access policies, and audited log exports for CISA/FBI. | [Issue #21](https://github.com/JJediny/LocalObserve/issues/21) | 🟡 Planned | | ||
| | **Req-4** | Appendix A, B.5.b (Network Capture Minimization) | Integrated flow captures via `goflow2` with PII filters to protect sensitive identifiers. | [Issue #22](https://github.com/JJediny/LocalObserve/issues/22) | 🟡 Planned | | ||
| | **Req-5** | Appendix C (Log Veracity & Hashing) | Hashing log batches for tamper-evidence and auditing configurations. | [Issue #23](https://github.com/JJediny/LocalObserve/issues/23) | 🟡 Planned | | ||
| | **Req-6** | Appendix B.5.k, Appendix C (Pipeline Monitoring & Alerts) | Pipeline health monitoring, threshold alerting for data drops, and tuning alerts. | [Issue #24](https://github.com/JJediny/LocalObserve/issues/24) | 🟡 Planned | | ||
| | **Req-7** | Appendix C (Data Protection & KMS) | TLS 1.3 transit encryption, AES-256 rest encryption, and integration with KMS. | [Issue #25](https://github.com/JJediny/LocalObserve/issues/25) | 🟡 Planned | | ||
| | **Req-8** | Appendix A, C (Compliance Validation & CI) | Automated CI regression tests verifying compliance controls and fields. | [Issue #26](https://github.com/JJediny/LocalObserve/issues/26) | 🟡 Planned | |
| ### Acceptance Criteria | ||
| - Storage configuration parameters explicitly map to the 6-month hot searchable and 12-month cold retrieval baseline. | ||
| - Automated tests or staging scripts verify that log data past the 180-day window is successfully rolled to archival storage and not deleted prematurely. | ||
| - Archival extraction and "thawing" procedures are fully documented under `docs/compliance.md`. |
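Review bot: the last acceptance criterion points to `docs/compliance.md` for the archival "thawing" procedures, but the document this PR adds is `docs/compliance_crosswalk.md`; either correct the path or add a task to create the missing file. The criteria also mix a "6-month" baseline with a "180-day window"; state one figure, in days, so the automated check and the retention setting cannot drift apart. Since the Req-2 row frames retention as "Search vs. Retrieval", the criteria should say what cold retrieval means operationally (where the data lands and the maximum time to retrieve it), otherwise the roll-over test cannot confirm the retrieval half of the requirement.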
Comment on lines +11 to +15
| 2. Configure AES-256 rest encryption on the primary OpenObserve storage tier. | ||
| 3. Establish a standard policy and key rotation schedule for storage encryption keys using an integrated Key Management Service (KMS). | ||
|
|
||
| ### Acceptance Criteria | ||
| - Configuration files explicitly reference TLS 1.3 and active KMS/rest encryption setups. |
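Review bot: the acceptance criterion "Configuration files explicitly reference TLS 1.3" only proves the string is present, not that older versions are refused; require an enforced minimum version and a check that a TLS 1.2-only client (for example `openssl s_client -tls1_2` against the OpenObserve endpoint) is rejected. Task 2 should name the mode rather than bare "AES-256" (AES-256-GCM, or whatever the storage tier actually offers), and task 3 should state the rotation interval and that configuration carries only the KMS key identifier, never key material, so the criterion is testable.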
| > *"Logs are encrypted in transit and at rest, and regularly hashed for veracity."* | ||
|
|
||
| ### Suggested Tasks | ||
| 1. Enforce strict repository branch protections on all telemetry configuration files (`otelcol.yaml`, `osqueryd.conf`, `falco_rules.local.yaml`). |
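Review bot: branch protection rules apply to branches, not to individual files, so task 1 cannot be enforced per file as written. Pair branch protection (required reviews, no force-push) with a `CODEOWNERS` entry covering `otelcol.yaml`, `osqueryd.conf` and `falco_rules.local.yaml` so changes to those paths require a designated approver. Repository controls also say nothing about the deployed copies; given the quoted "regularly hashed for veracity" requirement, add a task to hash the running configuration and alert on drift from the committed version.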
…logy, and file paths
Summary
This Pull Request introduces the foundational M-26-14 Compliance Crosswalk and corresponding GitHub Issue Drafts mapping OMB M-26-14 federal logging requirements in the LocalObserve pipeline.
What this PR does
- `docs/compliance_crosswalk.md` mapping M-26-14 requirements for real-time Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF) to specific architectural features in LocalObserve, fully linked to active tracking issues.
- `.github/ISSUES_DRAFTS/` containing exact text extractions, suggested tasks, and verification acceptance criteria.