This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-central-audit-ledger.md

2.5 KiB

Pattern: Central Audit Ledger

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, State Hub

Problem

Security-relevant events lose accountability when identity, policy, OpenBao, Kubernetes, deployment, and workload logs remain disconnected.

Context

Use this pattern when platform actions, tenant actions, agent actions, policy decisions, secret access, deployments, and data access must be correlated for operations, incident response, and customer trust.

Forces

  • Logs are high volume, but audit events must be durable and searchable.
  • Tenants may need partial visibility without seeing platform secrets.
  • Agents and humans need distinct attribution.
  • Correlation ids must cross system boundaries.

Solution

Define a central security event taxonomy and durable audit ledger for security-sensitive actions. Every protected system emits events with actor, tenant, resource, action, decision, correlation id, and source.

Implementation Sketch

  1. Define security event classes and required fields.
  2. Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes, artifact-store, ops-bridge, and workloads.
  3. Preserve correlation ids across request, decision, secret, and data paths.
  4. Protect ledger retention, access, and integrity.
  5. Add tenant-visible projections where appropriate.

Failure Modes

Failure Mitigation
Logs exist but cannot answer who did what require actor/resource/action fields
Tenant-visible logs expose platform internals define projection and redaction rules
Agent events hide behind human account require explicit agent identity
Audit sink outage loses privileged events fail closed for privileged paths or buffer under policy
  • Observability, detection, and audit.
  • Incident response and recovery.
  • Authorization and access control.
  • Agent access control.

Maturity

Seed. The need is clear, but storage, retention, projection, and State Hub integration decisions remain open.

Verification

  • Critical systems emit events with required fields.
  • A single correlation id links identity, policy, secret, and workload events.
  • Ledger access is protected and audited.
  • Tenant-visible views contain only tenant-appropriate records.

Research Basis

Seeded by security logging, central log collection, audit trail, tenant visible audit logs, and security event taxonomy.

References

  • Initial exploration: Observability, detection, and audit.
  • Initial exploration: Detection and response patterns.