mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add audit logging for all mutating gRPC operations

Browse Source 
Log Info-level audit events on success for:
- system: Init, Unseal, Seal
- auth: Login, Logout
- engine: Mount, Unmount
- policy: CreatePolicy, DeletePolicy
- ca: ImportRoot, CreateIssuer, DeleteIssuer, IssueCert, RenewCert

Each log line includes relevant identifiers (mount, issuer, serial, CN,
SANs, username) so that certificate issuance and other privileged
operations are traceable in the server logs.

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
Kyle Isom
2026-03-15 13:11:17 -07:00
parent 8215aaccc5
commit 65c92fe5ec
8 changed files with 45 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/grpcserver/policy.go
View File

@@ -24,6 +24,7 @@ func (ps *policyServer) CreatePolicy(ctx context.Context, req *pb.CreatePolicyRe
ps.s.logger.Error("grpc: create policy", "error", err)
return nil, status.Error(codes.Internal, "internal error")
}
ps.s.logger.Info("audit: policy created", "id", rule.ID, "username", callerUsername(ctx))
return &pb.CreatePolicyResponse{Rule: ruleToPB(rule)}, nil
}
@@ -58,6 +59,7 @@ func (ps *policyServer) DeletePolicy(ctx context.Context, req *pb.DeletePolicyRe
if err := ps.s.policy.DeleteRule(ctx, req.Id); err != nil {
return nil, status.Error(codes.NotFound, "not found")
}
ps.s.logger.Info("audit: policy deleted", "id", req.Id, "username", callerUsername(ctx))
return &pb.DeletePolicyResponse{}, nil
}