do-audit-report is the command that turns the device's continuous audit data into a single, signed, take-it-to-the-auditor evidence ZIP for any past period. It's the headline operator command behind Compliance Reporting — every reference in that page to "one terminal command produces a signed evidence ZIP" is this binary.
Where to run it: open the Cockpit admin interface and click Tools → Terminal, or SSH to the device.
`do-audit-report` is on the `$PATH` as a regular user, but it needs `sudo` to read the audit state under `/opt/data/auditor/`.
| File | What it is |
|---|---|
| `events.csv` | Every IDS event in the period |
| `decisions.csv` | Every CrowdSec decision in the period |
| `dns_events.csv` / `file_events.csv` / `tls_events.csv` | Phase-6 ransomware indicators (audit-deb 1.3.0+) |
| `config-snapshot.tar.gz` | Suricata, CrowdSec, nftables, ulogd, chrony, and node-exporter configuration at report time |
| `manifests/MANIFEST-YYYY-MM-DD.json` | The daily Ed25519-signed manifest for every day in the period |
| `chrony-logs/` | NTP attestation: proof the device clock was disciplined |
| `report.pdf` (optional) | Rendered snapshot of the NIS2 Evidence Grafana dashboard |
| `manifest.pubring.json` | The device's signing-key ring, for offline verification by the auditor |
| `chain-of-custody.json` | Ed25519-signed SHA-256 manifest of every other file in the ZIP |
The ZIP itself is written with mode 0640 and owned by root:root, so a non-root operator needs `sudo` (or a `sudo chown`) to read or copy it. Once copied, it is safe to put on a USB drive, attach to a support ticket, or upload to a compliance portal.
```
do-audit-report --from YYYY-MM-DD --to YYYY-MM-DD [--out PATH]
                [--no-pdf] [--no-config-snapshot]
                [--grafana-url URL]
```
`--from` and `--to` are inclusive UTC dates. If you omit `--out`, the ZIP is written into the current working directory as `defend-o-tron-audit-FROM-to-TO.zip`.
| Flag | Required? | Default | Effect |
|---|---|---|---|
| `--from YYYY-MM-DD` | Yes | — | Inclusive start of the audit period, in UTC. |
| `--to YYYY-MM-DD` | Yes | — | Inclusive end of the audit period, in UTC. Must be on or after `--from`. |
| `--out PATH` | No | `./defend-o-tron-audit-FROM-to-TO.zip` | Output filename. The destination directory must exist; intermediate directories are not created. |
| `--no-pdf` | No | off | Skip the Grafana PDF render. Use this if `grafana-image-renderer` isn't deployed in your fleet. |
| `--no-config-snapshot` | No | off | Skip the `config-snapshot.tar.gz` step. Useful if the auditor only wants events, or you're sharing a slimmer bundle. |
| `--grafana-url URL` | No | `https://grafana.protected.lan` | Grafana base URL used for the render API. Read from `$AUDIT_GRAFANA_URL` if set. Rarely needs overriding. |
Generate a Q2-coverage bundle for an auditor:

```
$ sudo do-audit-report --from 2026-04-01 --to 2026-06-30 \
      --out /home/admin/q2-evidence.zip
[do-audit-report] period: 2026-04-01 .. 2026-06-30 (UTC)
[do-audit-report] events: 14,827 rows
[do-audit-report] decisions: 4,113 rows
[do-audit-report] dns_events: 248 rows
[do-audit-report] file_events: 31 rows
[do-audit-report] tls_events: 19 rows
[do-audit-report] config snapshot: /etc/suricata, /etc/crowdsec, /etc/nftables.d,
                                   /etc/nftables.conf, /etc/ulogd.conf,
                                   /etc/chrony/chrony.conf, /etc/chrony/conf.d,
                                   /etc/default/prometheus-node-exporter
[do-audit-report] manifests: 91 days copied
[do-audit-report] chrony logs: /var/log/chrony copied
[do-audit-report] grafana PDF: rendering dashboard 'nis2-evidence-pack' … ok
[do-audit-report] pubring: /opt/data/auditor/keys/manifest.pubring.json copied
[do-audit-report] chain-of-custody: signing 11 files (key A4kP7w2…) … ok
[do-audit-report] zipping → /home/admin/q2-evidence.zip
[do-audit-report] mode 0640, owner root:root … ok
OK Success: 1 file written, 138 MB.
```
The same export, on a fleet without `grafana-image-renderer` and without the config snapshot:

```
$ sudo do-audit-report --from 2026-04-01 --to 2026-06-30 \
      --no-pdf --no-config-snapshot \
      --out /tmp/slim.zip
[do-audit-report] period: 2026-04-01 .. 2026-06-30 (UTC)
[do-audit-report] events: 14,827 rows
[do-audit-report] decisions: 4,113 rows
[do-audit-report] dns_events: 248 rows
[do-audit-report] file_events: 31 rows
[do-audit-report] tls_events: 19 rows
[do-audit-report] config snapshot: skipped (--no-config-snapshot)
[do-audit-report] manifests: 91 days copied
[do-audit-report] chrony logs: /var/log/chrony copied
[do-audit-report] grafana PDF: skipped (--no-pdf)
[do-audit-report] pubring: /opt/data/auditor/keys/manifest.pubring.json copied
[do-audit-report] chain-of-custody: signing 9 files (key A4kP7w2…) … ok
[do-audit-report] zipping → /tmp/slim.zip
OK Success: 1 file written, 12 MB.
```
Quarterly audit cadence:

```
# Q1
sudo do-audit-report --from 2026-01-01 --to 2026-03-31 --out ~/q1.zip
# Q2
sudo do-audit-report --from 2026-04-01 --to 2026-06-30 --out ~/q2.zip
```

Quick one-month bundle for an insurance review:

```
sudo do-audit-report --from 2026-05-01 --to 2026-05-31 --out ~/insurance-review.zip
```

A single day, for an incident-response timeline:

```
sudo do-audit-report --from 2026-05-14 --to 2026-05-14 --out ~/incident-2026-05-14.zip
```
A version (currently 1.3.0) is recorded in `report_meta` inside `chain-of-custody.json`; an auditor verifying the bundle later can use it to match the bundle against the corresponding schema.

`chain-of-custody.json` is signed with the device's currently active key. If the key has rotated since the underlying daily manifests were signed, the per-day manifests still verify against the older key, which stays in the pubring. See `do-audit-key-rotate`. Note that `manifest.pubring.json` travels inside the ZIP it is meant to verify, so on its own it only shows that the bundle is self-consistent; to show that the bundle came from this device, check the key the log names (`A4kP7w2…` above) against a copy of the pubring taken from the device itself, e.g. `/opt/data/auditor/keys/manifest.pubring.json` over SSH, rather than the copy in the ZIP.
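The verification an auditor would run offline, as an added example that is not part of this page or of the `do-audit-report` tool: it is written in Go using only the standard library (`crypto/ed25519`, `archive/zip`) so it runs on an air-gapped auditor laptop. The JSON layouts of `chain-of-custody.json` (`report_meta` with `schema_version` and `key_id`, a `files` map of SHA-256 hashes, a base64 `signature`) and of the pubring (`key_id` → base64 raw public key) are assumptions for the example; the real schemas are not shown on this page. The device-side `SignManifest` exists only so the demo can build a bundle to check; `VerifyBundle` is the auditor side. It takes the pubring as a separate, trusted argument rather than reading it out of the ZIP, and looks the signing key up by `key_id`, which is how rotated-out keys that remain in the ring keep older bundles verifiable.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)

// Assumed (hypothetical) schema of chain-of-custody.json; the page does not show the real one.
type Payload struct {
	ReportMeta map[string]string `json:"report_meta"` // e.g. schema_version, key_id
	Files      map[string]string `json:"files"`       // ZIP entry name -> SHA-256 hex
}
type ChainOfCustody struct {
	Payload
	Signature string `json:"signature"` // base64 Ed25519 signature over json.Marshal(Payload)
}
// Pubring is an assumed (hypothetical) layout for manifest.pubring.json: key_id -> base64 raw public key.
type Pubring map[string]string

// SignManifest is the device side: hash every file, sign the manifest, emit chain-of-custody.json.
func SignManifest(priv ed25519.PrivateKey, keyID string, files map[string][]byte) []byte {
	p := Payload{ReportMeta: map[string]string{"schema_version": "1.3.0", "key_id": keyID}, Files: map[string]string{}}
	for name, data := range files {
		p.Files[name] = fmt.Sprintf("%x", sha256.Sum256(data))
	}
	payload, _ := json.Marshal(p) // deterministic: map keys sorted, struct fields in declaration order
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload))
	b, _ := json.Marshal(ChainOfCustody{Payload: p, Signature: sig})
	return b
}

// writeZip packs the files into an in-memory ZIP (errors ignored: constructed demo data only).
func writeZip(files map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range files {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// VerifyBundle is the auditor side: check the signature against a pubring obtained out of band, then recompute every SHA-256. nil means the bundle is intact.
func VerifyBundle(zipData []byte, ring Pubring) error {
	zr, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return err
	}
	contents := map[string][]byte{}
	for _, f := range zr.File {
		if rc, err := f.Open(); err == nil { // an unreadable entry simply fails its hash check below
			contents[f.Name], _ = io.ReadAll(rc)
			rc.Close()
		}
	}
	var coc ChainOfCustody
	if err := json.Unmarshal(contents["chain-of-custody.json"], &coc); err != nil {
		return fmt.Errorf("chain-of-custody.json missing or malformed: %w", err)
	}
	pub, _ := base64.StdEncoding.DecodeString(ring[coc.ReportMeta["key_id"]]) // rotated-out keys stay in the ring
	payload, _ := json.Marshal(coc.Payload)
	if sig, _ := base64.StdEncoding.DecodeString(coc.Signature); len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature by key %q does not verify against the pubring", coc.ReportMeta["key_id"])
	}
	if len(contents) != len(coc.Files)+1 { // every entry except chain-of-custody.json must be listed
		return fmt.Errorf("ZIP has %d entries but the manifest lists %d", len(contents)-1, len(coc.Files))
	}
	for name, want := range coc.Files { // a listed-but-missing entry hashes as empty and fails here too
		if fmt.Sprintf("%x", sha256.Sum256(contents[name])) != want {
			return fmt.Errorf("%s: missing or SHA-256 mismatch", name)
		}
	}
	return nil
}

// Demo builds a constructed bundle with an ephemeral key, verifies it, then edits events.csv after signing.
func Demo() (intact error, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	ring := Pubring{"demo-key": base64.StdEncoding.EncodeToString(pub)}
	files := map[string][]byte{ // constructed sample rows, not a real export
		"events.csv": []byte("ts,src_ip,signature\n2026-05-14T10:01:00Z,10.0.0.5,ET SCAN\n"),
	}
	files["chain-of-custody.json"] = SignManifest(priv, "demo-key", files)
	intact = VerifyBundle(writeZip(files), ring)
	files["events.csv"] = []byte("ts,src_ip,signature\n") // the event row is removed after signing
	tampered = VerifyBundle(writeZip(files), ring)
	return intact, tampered
}

func main() {
	good, bad := Demo()
	fmt.Println("intact bundle:", good, "| tampered bundle:", bad)
}
```

`Demo()` returns `nil` for the untouched bundle and a `events.csv: missing or SHA-256 mismatch` error for the one edited after signing; the signature still checks out in the tampered case, because the manifest itself was not altered, which is exactly why the per-file hash pass must follow the signature check rather than replace it. A bundle whose `key_id` is absent from the trusted pubring, or which carries an entry the manifest does not list, is rejected on the same path.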