2.5 KiB
Pattern: Central Audit Ledger
Status: seed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, State Hub
Problem
Security-relevant events lose accountability when identity, policy, OpenBao, Kubernetes, deployment, and workload logs remain disconnected.
Context
Use this pattern when platform actions, tenant actions, agent actions, policy decisions, secret access, deployments, and data access must be correlated for operations, incident response, and customer trust.
Forces
- Logs are high volume, but audit events must be durable and searchable.
- Tenants may need partial visibility without seeing platform secrets.
- Agents and humans need distinct attribution.
- Correlation ids must cross system boundaries.
Solution
Define a central security event taxonomy and durable audit ledger for security-sensitive actions. Every protected system emits events with actor, tenant, resource, action, decision, correlation id, and source.
Implementation Sketch
- Define security event classes and required fields.
- Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes, artifact-store, ops-bridge, and workloads.
- Preserve correlation ids across request, decision, secret, and data paths.
- Protect ledger retention, access, and integrity.
- Add tenant-visible projections where appropriate.
Failure Modes
| Failure | Mitigation |
|---|---|
| Logs exist but cannot answer who did what | require actor/resource/action fields |
| Tenant-visible logs expose platform internals | define projection and redaction rules |
| Agent events hide behind human account | require explicit agent identity |
| Audit sink outage loses privileged events | fail closed for privileged paths or buffer under policy |
Related Capabilities
- Observability, detection, and audit.
- Incident response and recovery.
- Authorization and access control.
- Agent access control.
Maturity
Seed. The need is clear, but storage, retention, projection, and State Hub integration decisions remain open.
Verification
- Critical systems emit events with required fields.
- A single correlation id links identity, policy, secret, and workload events.
- Ledger access is protected and audited.
- Tenant-visible views contain only tenant-appropriate records.
Research Basis
Seeded by security logging, central log collection, audit trail, tenant visible audit logs, and security event taxonomy.
References
- Initial exploration: Observability, detection, and audit.
- Initial exploration: Detection and response patterns.