generated from coulomb/repo-seed
79 lines
2.5 KiB
Markdown
79 lines
2.5 KiB
Markdown
# Pattern: Central Audit Ledger
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: NetKingdom, Railiance platform, State Hub
|
|
|
|
## Problem
|
|
|
|
Security-relevant events lose accountability when identity, policy,
|
|
OpenBao, Kubernetes, deployment, and workload logs remain disconnected.
|
|
|
|
## Context
|
|
|
|
Use this pattern when platform actions, tenant actions, agent actions,
|
|
policy decisions, secret access, deployments, and data access must be
|
|
correlated for operations, incident response, and customer trust.
|
|
|
|
## Forces
|
|
|
|
- Logs are high volume, but audit events must be durable and searchable.
|
|
- Tenants may need partial visibility without seeing platform secrets.
|
|
- Agents and humans need distinct attribution.
|
|
- Correlation ids must cross system boundaries.
|
|
|
|
## Solution
|
|
|
|
Define a central security event taxonomy and durable audit ledger for
|
|
security-sensitive actions. Every protected system emits events with
|
|
actor, tenant, resource, action, decision, correlation id, and source.
|
|
|
|
## Implementation Sketch
|
|
|
|
1. Define security event classes and required fields.
|
|
2. Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes,
|
|
artifact-store, ops-bridge, and workloads.
|
|
3. Preserve correlation ids across request, decision, secret, and data
|
|
paths.
|
|
4. Protect ledger retention, access, and integrity.
|
|
5. Add tenant-visible projections where appropriate.
|
|
|
|
## Failure Modes
|
|
|
|
| Failure | Mitigation |
|
|
| --- | --- |
|
|
| Logs exist but cannot answer who did what | require actor/resource/action fields |
|
|
| Tenant-visible logs expose platform internals | define projection and redaction rules |
|
|
| Agent events hide behind human account | require explicit agent identity |
|
|
| Audit sink outage loses privileged events | fail closed for privileged paths or buffer under policy |
|
|
|
|
## Related Capabilities
|
|
|
|
- Observability, detection, and audit.
|
|
- Incident response and recovery.
|
|
- Authorization and access control.
|
|
- Agent access control.
|
|
|
|
## Maturity
|
|
|
|
Seed. The need is clear, but storage, retention, projection, and State
|
|
Hub integration decisions remain open.
|
|
|
|
## Verification
|
|
|
|
- Critical systems emit events with required fields.
|
|
- A single correlation id links identity, policy, secret, and workload
|
|
events.
|
|
- Ledger access is protected and audited.
|
|
- Tenant-visible views contain only tenant-appropriate records.
|
|
|
|
## Research Basis
|
|
|
|
Seeded by security logging, central log collection, audit trail, tenant
|
|
visible audit logs, and security event taxonomy.
|
|
|
|
## References
|
|
|
|
- Initial exploration: Observability, detection, and audit.
|
|
- Initial exploration: Detection and response patterns.
|