Redis + Postgres enforcement layer for django-sec-audit: temp/permanent blocks, ingress check, OTel enforcement events
Project description
django-sec-audit-enforcement
The enforcement layer for django-sec-audit. It turns the
detection brain in sec-audit-rules into action: it holds
block state (temp blocks in Redis, permanent blocks in Postgres with a Redis
read-through cache), applies a matched rule's RuleAction as a block, checks
incoming requests against active blocks before the view runs, and emits every
enforcement decision as OTel JSONL on the existing sec_audit.audit logger.
Status: alpha. Master switch is off by default — installing the package is
inert until SEC_AUDIT_ENFORCEMENT['enabled'] is set.
Design
- Temp blocks → Redis only (self-expiring TTL keys). Permanent blocks → Postgres (durable, auditable) + a Redis read-through cache carrying a long refresh TTL (never a no-TTL key, which managed Redis can silently evict).
- One scope vocabulary (ip/user/session/route) shared with detection, via the sec-audit-rules ScopeRegistry. The ip scope is resolved through django-sec-audit's trusted-proxy config — never a raw X-Forwarded-For.
- Fail-open by default, per-path fail-closed opt-in.
- No feedback loop: emitted audit.enforcement.* events are skipped by the rule engine.
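To make the tiered store and the ingress check concrete, here is an added example written for this page (it is not the package's own implementation). Redis and Postgres are replaced by in-memory stand-ins so it runs offline; the key prefixes, the PERM_CACHE_TTL value, the FAIL_CLOSED_PATHS tuple and the two event names are assumptions, not identifiers from the project.

```python
import time

TEMP_PREFIX = "secaudit:block:temp:"   # assumed key layout, not the package's
PERM_PREFIX = "secaudit:block:perm:"
PERM_CACHE_TTL = 6 * 3600              # refresh TTL for the permanent-block cache (never a no-TTL key)
FAIL_CLOSED_PATHS = ("/admin/",)       # assumed per-path fail-closed opt-in


class StoreUnavailable(Exception):
    """Raised when the block store cannot be reached."""


class FakeRedis:
    """Minimal in-memory stand-in for a Redis client (TTL keys, lazy expiry)."""
    def __init__(self, clock=time.time):
        self._data = {}          # key -> (value, expires_at)
        self.clock = clock
        self.down = False        # flip to simulate an outage
    def _check(self):
        if self.down:
            raise StoreUnavailable("redis unreachable")
    def setex(self, key, ttl, value):
        self._check()
        self._data[key] = (value, self.clock() + ttl)
    def get(self, key):
        self._check()
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self.clock() >= expires_at:      # expired: drop it, as Redis does on access
            del self._data[key]
            return None
        return value
    def delete(self, key):
        self._check()
        self._data.pop(key, None)


class FakePostgres:
    """Stand-in for the durable PermanentBlock table."""
    def __init__(self):
        self.rows = {}           # (scope, value) -> {"reason": str, "revoked": bool}
    def insert(self, scope, value, reason):
        self.rows[(scope, value)] = {"reason": reason, "revoked": False}
    def active_reason(self, scope, value):
        row = self.rows.get((scope, value))
        return None if row is None or row["revoked"] else row["reason"]
    def revoke(self, scope, value):
        self.rows[(scope, value)]["revoked"] = True


class BlockStore:
    """Tiered store: temp blocks live only in Redis; permanent blocks live in
    Postgres behind a Redis read-through cache that always carries a TTL."""
    def __init__(self, redis, db):
        self.redis, self.db = redis, db
    def temp_block(self, scope, value, ttl, reason):
        self.redis.setex(f"{TEMP_PREFIX}{scope}:{value}", ttl, reason)
    def permanent_block(self, scope, value, reason):
        self.db.insert(scope, value, reason)
        self.redis.setex(f"{PERM_PREFIX}{scope}:{value}", PERM_CACHE_TTL, reason)
    def revoke_permanent(self, scope, value):
        self.db.revoke(scope, value)
        self.redis.delete(f"{PERM_PREFIX}{scope}:{value}")   # invalidate the cache entry now
    def is_blocked(self, scope, value):
        """Return the block reason for (scope, value), or None if it is not blocked."""
        reason = self.redis.get(f"{TEMP_PREFIX}{scope}:{value}")
        if reason:
            return reason
        cache_key = f"{PERM_PREFIX}{scope}:{value}"
        cached = self.redis.get(cache_key)
        if cached is None:                                     # miss: read through to Postgres
            cached = self.db.active_reason(scope, value) or ""   # "" caches a negative answer
            self.redis.setex(cache_key, PERM_CACHE_TTL, cached)
        return cached or None


def ingress_check(store, path, scopes, events):
    """Run before the view. Returns True to allow the request and appends one
    decision dict per denial or store error (the event names here are assumed)."""
    try:
        for scope, value in scopes.items():
            reason = store.is_blocked(scope, value)
            if reason:
                events.append({"event": "audit.enforcement.denied", "scope": scope,
                               "path": path, "reason": reason})
                return False
        return True
    except StoreUnavailable as exc:
        fail_closed = path.startswith(FAIL_CLOSED_PATHS)
        events.append({"event": "audit.enforcement.store_error", "path": path,
                       "fail_closed": fail_closed, "error": str(exc)})
        return not fail_closed      # fail-open by default, fail-closed only for opted-in paths
```

Two design points worth noticing: the read-through path caches a negative answer (the empty string) under the same refresh TTL, so an unblocked key does not cost a Postgres round trip on every request, and revocation deletes the cache entry rather than waiting for the TTL, so a lifted block takes effect immediately. Because every cache key has a TTL, a silently evicted entry is at worst a cache miss that repopulates from Postgres, never a lost block.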
Documentation
Full docs live in docs/:
- Getting started — install, INSTALLED_APPS/MIDDLEWARE, migrate, enable, verify
- Configuration — every SEC_AUDIT_ENFORCEMENT key + rule_actions/block_rules
- Architecture — the ingress/egress paths, the tiered store, fail modes
- Custom rules — write and register your own Rule
- Enforcement events — the four audit.enforcement.* events
- Operations — deploy tiers, system checks, the PermanentBlock model, revocation
Custom rules
The three built-in rules (brute_force_login, login_throttle,
repeated_client_error) can be extended with your own. Subclass
sec_audit.rules.Rule, then register it via SEC_AUDIT_ENFORCEMENT['rules']
(appended to the built-ins):
SEC_AUDIT_ENFORCEMENT = {
'enabled': True,
'rules': ['myapp.security.rules.GeoVelocityRule'],
# observe-only until you map the rule's name to an action:
'rule_actions': {'geo_velocity': {'action': 'temp_block', 'scopes': ['ip']}},
}
A custom rule observes (detect + log, no block) until it has a rule_actions
entry, and runs on the egress path unless it sets safe_for_enforcement = True.
See the full Custom rules guide.
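To show how a matched rule turns into a RuleAction, and how the observe-only default, the ingress/egress split and the feedback-loop guard fit together, here is an added sketch that is not the package's code. The Rule base class, its name/safe_for_enforcement/match() interface, the two stand-in rules and the event-name check are all assumptions made for this example; the real sec_audit.rules.Rule API is in the Custom rules guide.

```python
from collections import Counter


class Rule:
    """Stand-in base class (assumed interface, not sec_audit.rules.Rule)."""
    name = ""
    safe_for_enforcement = False     # default: runs on the egress path, after the view

    def match(self, event):
        raise NotImplementedError


class GeoVelocityRule(Rule):
    """Stand-in: fires when a user appears from a different country within `window` seconds."""
    name = "geo_velocity"
    safe_for_enforcement = True      # needs only request data, so it may run at ingress

    def __init__(self, window=600):
        self.window = window
        self.last = {}               # user -> (country, ts)

    def match(self, event):
        user, country, ts = event["user"], event["country"], event["ts"]
        prev = self.last.get(user)
        self.last[user] = (country, ts)
        return prev is not None and prev[0] != country and ts - prev[1] <= self.window


class RepeatedClientErrorRule(Rule):
    """Stand-in: fires after `threshold` consecutive 4xx responses from one client IP."""
    name = "repeated_client_error"
    safe_for_enforcement = False     # needs the response status, so egress only

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.counts = Counter()

    def match(self, event):
        ip = event["ip"]
        self.counts[ip] = self.counts[ip] + 1 if 400 <= event.get("status", 0) < 500 else 0
        return self.counts[ip] >= self.threshold


def should_evaluate(event):
    """Feedback-loop guard: the rule engine never consumes its own enforcement events."""
    return not event.get("event", "").startswith("audit.enforcement.")


def rules_for_path(rules, path):
    """Ingress only takes rules that opted in via safe_for_enforcement; egress takes all."""
    return [r for r in rules if path == "egress" or r.safe_for_enforcement]


def dispatch(rule, event, rule_actions, events):
    """Run one rule against one event and return the enforcement decision (or None).
    A rule without a rule_actions entry only observes; the event name is assumed."""
    if not should_evaluate(event) or not rule.match(event):
        return None
    action = rule_actions.get(rule.name)
    if action is None:
        decision = {"rule": rule.name, "action": "observe", "scopes": []}
    else:
        decision = {"rule": rule.name, "action": action["action"],
                    "scopes": [(s, event[s]) for s in action["scopes"]]}
    events.append({"event": "audit.enforcement.decision", **decision})
    return decision
```

The rule_actions dict in the test below is the same shape as the SEC_AUDIT_ENFORCEMENT['rule_actions'] entry shown above: the rule name keys it, and the action names which scopes of the matched event get blocked. A rule that is not listed still logs its match, which is what lets you watch a new rule's false-positive rate before giving it teeth.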
File details
Details for the file django_sec_audit_enforcement-0.1.0a1.tar.gz.
File metadata
- Download URL: django_sec_audit_enforcement-0.1.0a1.tar.gz
- Upload date:
- Size: 40.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 855d602838b6b73d9ec7e7fc02252925396c764847d343bf11b7194faf7d1dea |
| MD5 | 70c230a00dbb0cd6eefa19af0c9b111e |
| BLAKE2b-256 | c45ac91653fef6b844be26c26c520c466d8e541a09677902c53c166923dd072c |
File details
Details for the file django_sec_audit_enforcement-0.1.0a1-py3-none-any.whl.
File metadata
- Download URL: django_sec_audit_enforcement-0.1.0a1-py3-none-any.whl
- Upload date:
- Size: 28.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | dd478f1dae5065f579a6bf96af6a2212d412477b380ed623d708bea06b0b1bf7 |
| MD5 | 15875d8aac1390d2d4f31913630d9b47 |
| BLAKE2b-256 | d47066769a5ef785054d565811af9cec4512edf8618c06ada3e2d4f99dca73a5 |