
docs: update auditing.md — event type drift, CEF format, auth examples #374

Description

@millerjp

Context

Spun off from #355 — the initial auditing.md review is complete (output types, reason codes, Prometheus metrics, env var overrides documented), but several sections are outdated or missing.

Gaps

1. Event types significantly outdated

The doc lists generic event types (schema_delete, subject_delete, kek_delete, dek_delete) but the code now uses split variants:

| Doc says | Code actually uses |
| --- | --- |
| schema_delete | schema_delete_soft, schema_delete_permanent |
| subject_delete | subject_delete_soft, subject_delete_permanent |
| kek_delete | kek_delete_soft, kek_delete_permanent |
| dek_delete | dek_delete_soft, dek_delete_permanent |

Missing event types not documented at all:

  • kek_undelete, dek_undelete
  • compatibility_check
  • exporter_config_update
  • server_startup, server_shutdown
  • security_warning

2. No CEF format deep-dive

The docs mention CEF is supported but do not cover:

  • Severity mapping (which events map to which CEF severity)
  • Extension fields used
  • Header escaping rules
  • Example CEF output
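
The items above (severity mapping, extension fields, header escaping, sample output) are what the CEF section needs to pin down. As an added illustration, not code from this project or from internal/auth/audit.go, the Go program below encodes one audit event as a CEF:0 record: header fields escape backslash and pipe, extension values escape backslash, "=" and line breaks, and a severity lookup table maps event types to a 0-10 CEF severity. The event type names are taken from this issue; the numeric severities, the default severity, the vendor/product/version strings and the extension keys (suser, subject, reason) are assumptions for the example, not the project's documented values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CEF header fields (vendor, product, version, event class id, name) are
// separated by "|", so a literal backslash or pipe inside a field must be
// escaped. Backslashes are handled first so the pipe escape is not doubled.
func escapeCEFHeader(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "|", `\|`)
	return s
}

// CEF extension values use "=" as the key/value separator and a space between
// pairs; "=" and backslash are escaped, and raw line breaks are written as the
// two-character sequences \n and \r so the record stays on a single line.
func escapeCEFExtension(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "=", `\=`)
	s = strings.ReplaceAll(s, "\r\n", `\n`)
	s = strings.ReplaceAll(s, "\n", `\n`)
	s = strings.ReplaceAll(s, "\r", `\r`)
	return s
}

// Assumed severity mapping for illustration only: the event type names come
// from the issue, the numeric CEF severities are not the project's.
var cefSeverity = map[string]int{
	"security_warning":         9,
	"kek_delete_permanent":     8,
	"dek_delete_permanent":     8,
	"schema_delete_permanent":  7,
	"subject_delete_permanent": 7,
	"exporter_config_update":   5,
	"schema_delete_soft":       4,
	"server_startup":           2,
	"server_shutdown":          2,
}

// Assumed default for event types with no explicit mapping.
const defaultCEFSeverity = 3

func severityFor(eventType string) int {
	if sev, ok := cefSeverity[eventType]; ok {
		return sev
	}
	return defaultCEFSeverity
}

// FormatCEF renders one audit event as a CEF:0 record. Vendor, product and
// version are placeholders, not the project's real values. Extension keys
// are emitted in sorted order so the output is deterministic.
func FormatCEF(eventType string, ext map[string]string) string {
	keys := make([]string, 0, len(ext))
	for k := range ext {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, k+"="+escapeCEFExtension(ext[k]))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%s|%s|%d|%s",
		escapeCEFHeader("ExampleVendor"),
		escapeCEFHeader("example-registry"),
		escapeCEFHeader("0.0.0"),
		escapeCEFHeader(eventType), // event class id
		escapeCEFHeader(eventType), // human-readable name
		severityFor(eventType),
		strings.Join(pairs, " "))
}

func main() {
	// Constructed sample event: a permanent schema delete whose reason value
	// carries a pipe (allowed unescaped in extensions) and an "=" (escaped).
	fmt.Println(FormatCEF("schema_delete_permanent", map[string]string{
		"suser":   "alice",
		"subject": "orders-value",
		"reason":  "admin|cleanup=done",
	}))
}
```

A SIEM parses the seven header fields by splitting on unescaped pipes, so an audit subject or reason that contains "|" or "=" corrupts the record unless it passes through these escape functions; the sample event exercises both cases, and a documented severity table lets the receiving side alert on permanent deletes and security_warning events without inspecting the extension text.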

3. No OIDC/JWT/mTLS example payloads

Auth-specific audit payloads are only shown for basic auth / API key. Missing examples for:

  • OIDC-authenticated requests
  • JWT-authenticated requests
  • mTLS-authenticated requests

Acceptance Criteria

  • Event type table updated to match current code
  • All new event types documented with field descriptions
  • CEF format section with severity mapping, extension fields, and examples
  • Auth-specific audit payload examples for OIDC, JWT, and mTLS
  • Cross-reference with internal/auth/audit.go to ensure completeness

Labels: documentation