Audit logs
An important principle of securing access to sensitive resources is creating a system of record for users' access and actions over remote sessions.
For many organizations, demonstrating compliance with their infrastructure's security posture to internal or external auditors is a critical requirement. In this context, records of remote access are often necessary.
Various laws and regulations impose record-keeping requirements. These stipulations outline the activities that need to be recorded and the duration for which the records must be retained. One of the primary reasons an organization maintains records of system access is to comply with these record-keeping requirements.
By default, Boundary does not emit audit events. Organizations should enable audit events and ship them to an appropriate log analytics platform, so that the record survives the lifetime of the controller that produced it.
Boundary emits audit events for all requests and responses made to a Boundary controller, every authentication attempt, and all upstream requests made from workers to a controller.
Event types
There are three types of audit events emitted by Boundary: audit, observation, and error.
- Audit events record any user action that could contain sensitive material.
- Observation events record actions that occur while an event is being executed within the application, for example each function called during the processing of a request.
- Error events record any action that did not occur as expected.
Sensitive information
Boundary supports sanitizing sensitive information from audit events, and Boundary administrators can configure which sensitive information is encrypted or redacted.
Boundary audit events support three levels of data sanitization: none, hmac-sha256, or encrypted. The default is none. If hmac-sha256 or encrypted is specified, a corresponding KMS for audit must also be specified in Boundary's configuration. The two non-default levels serve different needs: a keyed HMAC lets the same value (such as a user name) be matched across events without disclosing it, while encryption is reversible by anyone holding the audit KMS key.
Organizations should only sanitize if required by laws, regulations, organizational standards, or policies.
Boundary classifies event data into three categories: "public", "sensitive", and "secret".
- Public: events that capture request information contain fields such as "Id", "Method", and "Path".
- Sensitive: events that capture auth information contain fields such as "UserName" and "UserEmail". By default, sensitive data is encrypted unless audit_filter_overrides is configured. Overrides can be set to "encrypt", "hmac-sha256", or "redact".
- Secret: by default, secret data is redacted unless audit_filter_overrides is configured. Overrides can be set to "encrypt", "hmac-sha256", or "redact".
Retention
Audit events should be retained for a minimum period to comply with relevant laws, regulations, organizational standards, and/or policies.
Configuration
The events stanza configures Boundary events-specific parameters.
Default configuration
If no events stanza is specified, the following default is used. It is not recommended for production because audit events are disabled.
events {
  audit_enabled = false
  observations_enabled = true
  sysevents_enabled = true
  telemetry_enabled = false
  sink "stderr" {
    name = "default"
    event_types = ["*"]
    format = "cloudevents-json"
  }
}
Minimum configuration
events {
  audit_enabled = true
  observations_enabled = true
  sysevents_enabled = true
  telemetry_enabled = false
  sink "stderr" {
    name = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format = "hclog-text"
  }
}
Examples of audit event configurations can be found in the tutorial.
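The following events stanza is an added example, not configuration taken from the page or from the Boundary project. It combines the minimum configuration above with the sanitization overrides described under Sensitive information: audit events go to their own rotated file for the log shipper, with sensitive fields HMAC'd and secret fields encrypted, and the audit KMS those levels require is declared. The sink names, file path, rotation values, and the inline aead key placeholder are assumptions for illustration; the aead KMS is only shown to make the example self-contained, and a cloud KMS should be used in production.

```hcl
# Added example (not from the page or the Boundary project).
# Names, paths and rotation values are illustrative assumptions.
events {
  audit_enabled        = true
  observations_enabled = true
  sysevents_enabled    = true
  telemetry_enabled    = false

  # Operational events to stderr for the process supervisor or container
  # runtime to collect. Audit events are deliberately excluded here so they
  # are written once, by the sink below, with one sanitization policy.
  sink "stderr" {
    name        = "ops-events"
    description = "Observation and system events sent to stderr"
    event_types = ["observation", "system"]
    format      = "hclog-text"
  }

  # Audit events only, as newline-delimited CloudEvents JSON in a file that
  # the log shipper tails. Rotation keeps each file bounded in size and age.
  sink {
    name        = "audit-file"
    description = "Audit events sent to a local file for the log shipper"
    event_types = ["audit"]
    format      = "cloudevents-json"

    file {
      path             = "/var/log/boundary"   # assumed path
      file_name        = "audit.ndjson"
      rotate_bytes     = 104857600             # 100 MiB per file
      rotate_duration  = "24h"
      rotate_max_files = 30
    }

    # Per-sink sanitization overrides. Sensitive fields are HMAC'd so the
    # same user name still matches across events without being disclosed;
    # secret fields stay encrypted, reversible only with the audit KMS key.
    audit_config {
      audit_filter_overrides {
        sensitive = "hmac-sha256"
        secret    = "encrypt"
      }
    }
  }
}

# Both "hmac-sha256" and "encrypt" require a KMS with the audit purpose.
# An inline aead key is shown only to keep the example complete; replace it
# with a cloud KMS block in production.
kms "aead" {
  purpose   = "audit"
  aead_type = "aes-gcm"
  key       = "<base64-encoded 32-byte key>"   # placeholder, never commit a real key
  key_id    = "global_audit"
}
```

Keeping audit events out of the stderr sink avoids writing two copies of the same record with different sanitization levels, which would otherwise defeat the override on the file sink.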
Audit event correlation
Boundary supports correlating audit events with other systems to meet traceability requirements. To track and correlate requests and responses across Boundary and other systems, Boundary uses a Correlation Identifier carried in an X-Correlation-ID header.
Boundary checks for a Correlation Identifier on each request. If one is present, it is included in the event stream as a public field; if not, Boundary generates a random UUIDv4 as the Correlation Identifier.
Because a client can supply the Correlation Identifier, Boundary cannot guarantee its uniqueness. Treat the value as untrusted input when joining it against other systems' logs, and do not rely on it as evidence of identity or as a substitute for Boundary's own event identifiers.
Audit log streaming
Audit log streaming is HCP Boundary specific and supports near real-time streaming of audit events to existing customer-managed accounts of supported providers.
Supported providers
- AWS CloudWatch
- Datadog