Add audit logging for all mutating gRPC operations

Log Info-level audit events on success for:
- system: Init, Unseal, Seal
- auth: Login, Logout
- engine: Mount, Unmount
- policy: CreatePolicy, DeletePolicy
- ca: ImportRoot, CreateIssuer, DeleteIssuer, IssueCert, RenewCert

Each log line includes relevant identifiers (mount, issuer, serial, CN,
SANs, username) so that certificate issuance and other privileged
operations are traceable in the server logs.

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
2026-03-15 13:11:17 -07:00
parent 8215aaccc5
commit 65c92fe5ec
8 changed files with 45 additions and 7 deletions


@@ -40,6 +40,12 @@ func (es *engineServer) Mount(ctx context.Context, req *pb.MountRequest) (*pb.Mo
return nil, status.Error(codes.Internal, err.Error())
}
}
ti := tokenInfoFromContext(ctx)
username := ""
if ti != nil {
username = ti.Username
}
es.s.logger.Info("audit: engine mounted", "name", req.Name, "type", req.Type, "username", username)
return &pb.MountResponse{}, nil
}
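Review bot: The audit line at L32 is reached only after every error return, so a Mount that is rejected (the Internal error at L24, and any check that precedes it in the part of the function outside the hunk) leaves no audit record, and a denied or failed privileged operation is exactly what an audit trail needs to show. Consider logging the failure path as well, e.g. `es.s.logger.Warn("audit: engine mount failed", "name", req.Name, "type", req.Type, "username", auditUser(ctx), "err", err)` immediately before the existing `return nil, status.Error(codes.Internal, err.Error())`. Lines L28–L31 also record an empty username whenever the context carries no token info, which is indistinguishable in the log from a genuine empty username; a shared helper that returns an explicit marker fixes that and removes the copy of the same four lines in Unmount (and presumably in the other servers this commit touches). These are Info-level events on the general server logger, so if that logger's level is configurable they can be silenced by configuration; a dedicated audit sink, or a level that cannot be filtered, is worth considering. The enclosing Mount function starts before the hunk.
```go
// auditUser returns the caller identity for audit log lines. It returns an
// explicit marker when the context carries no token info so that a missing
// identity is distinguishable from an empty username.
func auditUser(ctx context.Context) string {
	if ti := tokenInfoFromContext(ctx); ti != nil {
		return ti.Username
	}
	return "<no-token>"
}

// … unchanged: Mount body up to the error check …
		es.s.logger.Warn("audit: engine mount failed", "name", req.Name, "type", req.Type, "username", auditUser(ctx), "err", err)
		return nil, status.Error(codes.Internal, err.Error())
	}
	es.s.logger.Info("audit: engine mounted", "name", req.Name, "type", req.Type, "username", auditUser(ctx))
	return &pb.MountResponse{}, nil
```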
@@ -53,6 +59,12 @@ func (es *engineServer) Unmount(ctx context.Context, req *pb.UnmountRequest) (*p
}
return nil, status.Error(codes.Internal, err.Error())
}
ti := tokenInfoFromContext(ctx)
username := ""
if ti != nil {
username = ti.Username
}
es.s.logger.Info("audit: engine unmounted", "name", req.Name, "username", username)
return &pb.UnmountResponse{}, nil
}