From 53f20bf3e64015de8195f13b8ff379a50ab3200c Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 1 Jun 2026 22:12:22 +0200 Subject: [PATCH] Start OpenBao audit recovery closeout --- ...-it-security-readiness-for-user-onboarding.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 1575bf1..aa339e5 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -124,7 +124,7 @@ revoked or allowed to expire after the check. ```task id: NET-WP-0017-T02 -status: todo +status: in_progress priority: high state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88" ``` @@ -139,6 +139,20 @@ Resolve the remaining OpenBao production-trust gates: - identify the next independent escrow holder for moving beyond temporary single-king custody. +**2026-06-01:** Started the OpenBao audit/recovery closeout. Railiance source +now has a declarative OpenBao file-audit stanza in +`helm/openbao-values.yaml`, and its initial-config helper now verifies +`bao audit list` instead of trying to create audit devices through the API. +The Railiance post-unseal verifier also warns when +`/openbao/audit/openbao-audit.log` is missing or empty. Live non-secret +checks still show OpenBao healthy and unsealed with Bound data/audit PVCs, but +the live Helm values do not yet include the declarative audit stanza and the +audit directory is empty. Do not move production secrets into OpenBao until a +planned Helm rollout is performed with unseal shares available, `file/` audit +is visible, an audit log is written, durable audit shipping beyond the PVC is +selected, and restore/emergency drill evidence plus a next escrow holder are +recorded. + ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ```task
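Review bot: In the first hunk (`@@ -124,7 +124,7 @@`) the task block's `status` moves from `todo` to `in_progress` with no date or owner recorded in the block itself; the only justification for the transition is the prose entry added in the second hunk. If the `task` block format supports a dated or owner field, set it alongside `status` so the transition is recoverable from the task metadata alone; otherwise keep the dated entry directly under this block rather than further down so the two stay adjacent.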
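Review bot: In the second hunk (`@@ -139,6 +139,20 @@`) the gating sentence "Do not move production secrets into OpenBao until a planned Helm rollout is performed with unseal shares available, `file/` audit is visible, an audit log is written, durable audit shipping beyond the PVC is selected, ..." bundles six independent preconditions into one sentence, which makes it easy to close the task with one of them still open; split them into a checklist with one item per gate so each can be ticked with its evidence. The entry also states that the post-unseal verifier only "warns when `/openbao/audit/openbao-audit.log` is missing or empty" while the same paragraph confirms the live audit directory is currently empty, so a rollout today would pass the verifier with no audit trail; either make the missing-or-empty audit log a hard failure for the production gate, or state explicitly that the warning is advisory and that the checklist, not the verifier, is the gate. Minor, in the unchanged context line above the addition: "temporary single-king custody" reads like a typo for "single-key custody" and is worth fixing in a follow-up since this patch does not touch that line.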