Context
Spun off from #355 — the initial auditing.md review is complete (output types, reason codes, Prometheus metrics, env var overrides documented), but several sections are outdated or missing.
Gaps
1. Event types significantly outdated
The doc lists generic event types (`schema_delete`, `subject_delete`, `kek_delete`, `dek_delete`) but the code now uses split variants:

| Doc says | Code actually uses |
|---|---|
| `schema_delete` | `schema_delete_soft`, `schema_delete_permanent` |
| `subject_delete` | `subject_delete_soft`, `subject_delete_permanent` |
| `kek_delete` | `kek_delete_soft`, `kek_delete_permanent` |
| `dek_delete` | `dek_delete_soft`, `dek_delete_permanent` |
Missing event types not documented at all:
- `kek_undelete`, `dek_undelete`
- `compatibility_check`
- `exporter_config_update`
- `server_startup`, `server_shutdown`
- `security_warning`
2. No CEF format deep-dive
The docs mention CEF is supported but do not cover:
- Severity mapping (which events map to which CEF severity)
- Extension fields used
- Header escaping rules
- Example CEF output
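To make the CEF gap concrete, here is an added example (not the project's code and not taken from auditing.md) of what the missing section would need to specify: a severity table keyed by the split event types listed above, the header escaping rules (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values), the extension keys chosen, and a sample output line. The `AuditEvent` type, the vendor/product strings, the extension keys `suser`/`outcome`/`act` and every severity value are assumptions for illustration; the real mapping in the codebase is exactly what the doc should record.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuditEvent is a minimal stand-in for the registry's audit record; the
// field set is an assumption for this example, not the project's type.
type AuditEvent struct {
	Type      string            // e.g. "schema_delete_permanent"
	Principal string            // authenticated user or client id
	Outcome   string            // "success" or "failure"
	Fields    map[string]string // extra key/value extension fields
}

// severityByType is a hypothetical event-type -> CEF severity (0..10) table.
// Permanent deletes and key-material deletes rank higher than soft ones.
var severityByType = map[string]int{
	"schema_delete_soft":       3,
	"schema_delete_permanent":  7,
	"subject_delete_soft":      3,
	"subject_delete_permanent": 7,
	"kek_delete_soft":          5,
	"kek_delete_permanent":     9,
	"dek_delete_soft":          5,
	"dek_delete_permanent":     9,
	"kek_undelete":             4,
	"dek_undelete":             4,
	"compatibility_check":      1,
	"exporter_config_update":   4,
	"server_startup":           2,
	"server_shutdown":          2,
	"security_warning":         8,
}

// Severity returns the CEF severity for an event type; unknown types get a
// middle value so they are never silently dropped by a severity filter.
func Severity(eventType string) int {
	if s, ok := severityByType[eventType]; ok {
		return s
	}
	return 5
}

// escapeHeader applies the CEF header rules: backslash and pipe are escaped.
func escapeHeader(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "|", `\|`)
	return s
}

// escapeExtension applies the CEF extension-value rules: backslash and
// equals sign are escaped, and CR/LF are encoded so the event stays on one line.
func escapeExtension(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "=", `\=`)
	s = strings.ReplaceAll(s, "\r", `\r`)
	s = strings.ReplaceAll(s, "\n", `\n`)
	return s
}

// FormatCEF renders one audit event as a CEF:0 line:
// CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ...
func FormatCEF(ev AuditEvent) string {
	header := []string{
		"CEF:0",
		escapeHeader("ExampleVendor"),   // assumed vendor string
		escapeHeader("schema-registry"), // assumed product string
		escapeHeader("dev"),             // assumed version string
		escapeHeader(ev.Type),           // event class id = event type
		escapeHeader(strings.ReplaceAll(ev.Type, "_", " ")), // human-readable name
		fmt.Sprint(Severity(ev.Type)),
	}
	ext := map[string]string{
		"suser":   ev.Principal,
		"outcome": ev.Outcome,
		"act":     ev.Type,
	}
	for k, v := range ev.Fields {
		ext[k] = v
	}
	keys := make([]string, 0, len(ext))
	for k := range ext {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic key order for tests and diffs
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+escapeExtension(ext[k]))
	}
	return strings.Join(header, "|") + "|" + strings.Join(parts, " ")
}

func main() {
	// Constructed sample: a subject name containing both a pipe and an
	// equals sign shows that only '=' needs escaping inside the extension.
	ev := AuditEvent{
		Type:      "subject_delete_permanent",
		Principal: "alice",
		Outcome:   "success",
		Fields:    map[string]string{"subject": "orders|v2=prod"},
	}
	fmt.Println(FormatCEF(ev))
}
```

Running it prints one line; the pipe inside `subject` is left alone because pipes only delimit the seven header fields, while the `=` is escaped so a SIEM parser does not split the value into a bogus key. The doc section should state the same three things for the real implementation: the severity table, the escaping rules per part, and one sample line per output type.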
3. No OIDC/JWT/mTLS example payloads
Auth-specific audit payloads are only shown for basic auth / API key. Missing examples for:
- OIDC-authenticated requests
- JWT-authenticated requests
- mTLS-authenticated requests
Acceptance Criteria
- `internal/auth/audit.go` to ensure completeness
References