Skip to content

Commit 6c5d5e7

Browse files
committed
feat: Add audit log viewing instructions and details for OpenBao
1 parent 33ad5a3 commit 6c5d5e7

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

README.md

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -179,6 +179,34 @@ OpenBao audit logging is enabled with a file audit device by default.
179179

180180
Warning: OpenBao blocks requests when no enabled audit device is writable. Keep the audit PVC healthy and sized for retained logs.
181181

182+
The device is declared in the OpenBao server config (`roles/openbao/templates/values.yaml.j2`), not via the `sys/audit` API — OpenBao v2.4+ rejects API-driven audit device creation as unsafe.
183+
184+
#### Viewing the audit log
185+
186+
Entries are one JSON object per line, in `request`/`response` pairs matched by `request.id`. Secret values and tokens are HMAC-SHA256 hashed — the log shows who did what to which path, never the credential itself. Key fields: `auth.display_name` (who), `auth.policies` (with what rights), `request.operation` + `request.path` (did what), `request.remote_address` (from where).
187+
188+
All commands run inside the VM (`vagrant ssh`). Rotated files sit next to the live log as `audit.log.<timestamp>`.
189+
190+
```bash
191+
# Follow live
192+
sudo k3s kubectl exec -n openbao openbao-0 -- tail -f /openbao/audit/audit.log
193+
194+
# Pull a copy for offline analysis (jq: sudo dnf install -y jq)
195+
sudo k3s kubectl cp openbao/openbao-0:/openbao/audit/audit.log /tmp/audit.log
196+
197+
# Who is talking to OpenBao, and how much
198+
jq -r 'select(.type=="request") | .auth.display_name' /tmp/audit.log | sort | uniq -c | sort -rn
199+
200+
# Every access to a given secret path
201+
jq -r 'select(.request.path=="secret/data/keycloak/db") | [.time, .auth.display_name, .request.operation] | @tsv' /tmp/audit.log
202+
203+
# All writes (anything mutating)
204+
jq -r 'select(.type=="request" and (.request.operation|IN("create","update","delete"))) | [.time, .auth.display_name, .request.path] | @tsv' /tmp/audit.log
205+
206+
# Denied requests
207+
jq -r 'select(.auth.policy_results.allowed==false) | [.time, .auth.display_name, .request.path] | @tsv' /tmp/audit.log
208+
```
209+
182210
## Retrieve Generated Credentials
183211

184212
The deployment uses Keycloak plus OpenBao/VSO. Re-runs reuse existing values unless secrets are intentionally rotated.

0 commit comments

Comments
 (0)