Open
Description
Current State
- Basic operation logging exists
- Missing audit trail for security-sensitive operations
Issues
- Cannot track who accessed what and when
- Missing audit logs for:
  - SVID issuance (who, when, for which workload)
  - TPM quote requests (who requested, when, result)
  - Geolocation verification (which sensor, when, result)
  - CAMARA API access (who, when, what data)
- No tamper-evident audit logs
- Cannot meet compliance requirements
Required
- Add comprehensive audit logging for all security-sensitive operations
- Include in audit logs:
  - User/agent identity
  - Timestamp (with timezone)
  - Operation performed
  - Result (success/failure)
  - Relevant identifiers (sensor_id, SPIFFE ID, etc.)
- Make audit logs tamper-evident (signing, write-once storage)
- Store audit logs separately from application logs
- Document audit log retention policy
- Add audit log query/search capabilities
Location
- SPIRE Server (SVID issuance)
- Keylime Verifier (quote verification)
- Mobile sensor microservice (geolocation verification)
Related
From PRODUCTION_READINESS_ANALYSIS.md - Section 3.3
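
One way to make the records listed under Required tamper-evident, as an added example that is not code from this repository: each record carries the required fields plus an HMAC-SHA256 over its content and the previous record's MAC. The function names, operation labels, key and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_mac value for the first record in a log

def _mac(key, body):
    # Canonical JSON so identical content always produces the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_record(log, key, actor, operation, result, identifiers):
    """Append one audit record chained to the previous record's MAC."""
    body = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),  # includes offset
        "actor": actor,
        "operation": operation,
        "result": result,
        "identifiers": identifiers,
        "prev_mac": log[-1]["mac"] if log else GENESIS,
    }
    log.append(dict(body, mac=_mac(key, body)))

def verify_log(log, key):
    """Return the index of the first invalid record, or None if intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        if (body.get("seq") != i or body.get("prev_mac") != prev
                or not hmac.compare_digest(str(record.get("mac")), _mac(key, body))):
            return i
        prev = record["mac"]
    return None

def build_sample_log(key=b"constructed-demo-key"):
    # Constructed sample events; all identities and IDs are made up.
    log = []
    append_record(log, key, "spiffe://example.org/agent/a1", "svid_issuance",
                  "success", {"spiffe_id": "spiffe://example.org/workload/w1"})
    append_record(log, key, "verifier-01", "tpm_quote_request",
                  "failure", {"agent_id": "a1"})
    append_record(log, key, "sensor-svc", "geolocation_verification",
                  "success", {"sensor_id": "sensor-0001"})
    return log
```

A chain like this detects edits, removals and reordering inside the log, but not truncation of the newest records, so the latest MAC still needs to be anchored in the write-once storage the issue asks for.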