This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-central-audit-ledger.md

79 lines
2.5 KiB
Markdown

# Pattern: Central Audit Ledger
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform, State Hub
## Problem
Security-relevant events lose accountability when identity, policy,
OpenBao, Kubernetes, deployment, and workload logs remain disconnected.
## Context
Use this pattern when platform actions, tenant actions, agent actions,
policy decisions, secret access, deployments, and data access must be
correlated for operations, incident response, and customer trust.
## Forces
- Logs are high volume, but audit events must be durable and searchable.
- Tenants may need partial visibility without seeing platform secrets.
- Agents and humans need distinct attribution.
- Correlation ids must cross system boundaries.
## Solution
Define a central security event taxonomy and durable audit ledger for
security-sensitive actions. Every protected system emits events with
actor, tenant, resource, action, decision, correlation id, and source.
## Implementation Sketch
1. Define security event classes and required fields.
2. Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes,
artifact-store, ops-bridge, and workloads.
3. Preserve correlation ids across request, decision, secret, and data
paths.
4. Protect ledger retention, access, and integrity.
5. Add tenant-visible projections where appropriate.
## Failure Modes
| Failure | Mitigation |
| --- | --- |
| Logs exist but cannot answer who did what | require actor/resource/action fields |
| Tenant-visible logs expose platform internals | define projection and redaction rules |
| Agent events hide behind human account | require explicit agent identity |
| Audit sink outage loses privileged events | fail closed for privileged paths or buffer under policy |
## Related Capabilities
- Observability, detection, and audit.
- Incident response and recovery.
- Authorization and access control.
- Agent access control.
## Maturity
Seed. The need is clear, but storage, retention, projection, and State
Hub integration decisions remain open.
## Verification
- Critical systems emit events with required fields.
- A single correlation id links identity, policy, secret, and workload
events.
- Ledger access is protected and audited.
- Tenant-visible views contain only tenant-appropriate records.
## Research Basis
Seeded by security logging, central log collection, audit trail, tenant
visible audit logs, and security event taxonomy.
## References
- Initial exploration: Observability, detection, and audit.
- Initial exploration: Detection and response patterns.