Add audit logging for all mutating gRPC operations

Log Info-level audit events on success for:
- system: Init, Unseal, Seal
- auth: Login, Logout
- engine: Mount, Unmount
- policy: CreatePolicy, DeletePolicy
- ca: ImportRoot, CreateIssuer, DeleteIssuer, IssueCert, RenewCert

Each log line includes relevant identifiers (mount, issuer, serial, CN,
SANs, username) so that certificate issuance and other privileged
operations are traceable in the server logs.

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
2026-03-15 13:11:17 -07:00
parent 8215aaccc5
commit 65c92fe5ec
8 changed files with 45 additions and 7 deletions


@@ -38,6 +38,7 @@ func (ss *systemServer) Init(ctx context.Context, req *pb.InitRequest) (*pb.Init
ss.s.logger.Error("grpc: init failed", "error", err)
return nil, status.Error(codes.Internal, "initialization failed")
}
ss.s.logger.Info("audit: vault initialized")
return &pb.InitResponse{State: ss.s.sealMgr.State().String()}, nil
}
@@ -61,6 +62,7 @@ func (ss *systemServer) Unseal(ctx context.Context, req *pb.UnsealRequest) (*pb.
return nil, status.Error(codes.Internal, "engine unseal failed")
}
ss.s.logger.Info("audit: vault unsealed")
return &pb.UnsealResponse{State: ss.s.sealMgr.State().String()}, nil
}
@@ -73,5 +75,6 @@ func (ss *systemServer) Seal(_ context.Context, _ *pb.SealRequest) (*pb.SealResp
return nil, status.Error(codes.Internal, "seal failed")
}
ss.s.auth.ClearCache()
ss.s.logger.Info("audit: vault sealed")
return &pb.SealResponse{State: ss.s.sealMgr.State().String()}, nil
}
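Review bot: The three new `ss.s.logger.Info("audit: ...")` calls record that Init, Unseal and Seal succeeded but not who performed them, so these audit events cannot be attributed to a caller. Init and Unseal still receive `ctx`, so the gRPC peer address (via `peer.FromContext(ctx)`, if that package is already imported here) or whatever principal the auth layer attaches could be logged as key/value fields, e.g. `ss.s.logger.Info("audit: vault unsealed", "peer", peerAddr)`; Seal discards its context (`_ context.Context`), so it would need the parameter restored before it can do the same. These events also go through the ordinary server logger at Info level, so an operator who raises the minimum log level or drops log output silently loses the audit trail — worth a comment at each call site such as `// audit events share the server logger; they are lost if the level is raised above Info` or, better, a dedicated audit sink. The enclosing Init, Unseal and Seal functions all start outside the hunks shown.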