Add audit logging for all mutating gRPC operations

Log Info-level audit events on success for: - system: Init, Unseal, Seal - auth: Login, Logout - engine: Mount, Unmount - policy: CreatePolicy, DeletePolicy - ca: ImportRoot, CreateIssuer, DeleteIssuer, IssueCert, RenewCert Each log line includes relevant identifiers (mount, issuer, serial, CN, SANs, username) so that certificate issuance and other privileged operations are traceable in the server logs. Co-authored-by: Junie <junie@jetbrains.com>
2026-03-15 13:11:17 -07:00
parent 8215aaccc5
commit 65c92fe5ec
8 changed files with 45 additions and 7 deletions
--- a/internal/grpcserver/auth.go
+++ b/internal/grpcserver/auth.go
@@ -27,6 +27,7 @@ func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginR
 	if t, err := time.Parse(time.RFC3339, expiresAtStr); err == nil {
 		expiresAt = timestamppb.New(t)
 	}
+	as.s.logger.Info("audit: login", "username", req.Username)
 	return &pb.LoginResponse{Token: token, ExpiresAt: expiresAt}, nil
 }

@@ -39,6 +40,7 @@ func (as *authServer) Logout(ctx context.Context, _ *pb.LogoutRequest) (*pb.Logo
 	if err == nil {
 		_ = as.s.auth.Logout(client)
 	}
+	as.s.logger.Info("audit: logout", "username", callerUsername(ctx))
 	return &pb.LogoutResponse{}, nil
 }