Enable audit

Registered by Tim Hinrichs on 2015-08-07

To chronicle the history of policy and its violations, Congress should persistently log pertinent information. Ideally this would include

- policy violations
- changes in the policy definitions
- changes in the data
- the actions that were executed

One option for adding this functionality is to create a new node on the DSE bus that subscribes to all policy violation tables, all policy changes, all changes in table data, and all actions that are executed, and that logs every received message to disk. An auditor can then determine what all the violations were at any point in time by running that sequence of messages forward.

The downside to this option is that everything auditable, e.g. API calls that modify policy and action execution, would need to be sent using pub/sub instead of RPC. This is unnatural because RPC calls typically require a response (e.g. the policy engine might reject a policy modification, and the action execution could cause an error). The audit module would need to understand the meaning of those responses.

Another option is to log all of that same information from within the policy engine itself. The drawback is that auditing would be ingrained within the policy engine. The benefit is that the rest of the system would function naturally.
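
Whichever component writes the log, the "run the log forward" query works the same way. The sketch below is an added example, not Congress code: the JSON-lines record layout, the function names, and the sample events are assumptions constructed for illustration, and records are assumed to be appended in timestamp order.

```python
import io
import json

# Assumed record layout (not Congress's wire format): one JSON object per line.
KINDS = ("violation", "policy", "data", "action")

def append_event(log, ts, kind, op, table, row):
    """Append one audit record to an open text file object."""
    if kind not in KINDS:
        raise ValueError("unknown audit kind: %r" % kind)
    # Actions are one-shot events; everything else is an insert/delete delta.
    if (kind == "action") != (op == "execute") or op not in ("insert", "delete", "execute"):
        raise ValueError("op %r is not valid for kind %r" % (op, kind))
    rec = {"ts": ts, "kind": kind, "op": op, "table": table, "row": row}
    log.write(json.dumps(rec, sort_keys=True) + "\n")

def replay(lines, until):
    """Run the log forward and return the audited state as of time `until`."""
    state = {"violation": set(), "policy": set(), "data": set(), "actions": []}
    for line in lines:
        rec = json.loads(line)
        if rec["ts"] > until:
            break  # append-only log in timestamp order: the rest is newer
        item = (rec["table"], tuple(rec["row"]))
        if rec["kind"] == "action":
            state["actions"].append(item)
        elif rec["op"] == "insert":
            state[rec["kind"]].add(item)
        else:
            state[rec["kind"]].discard(item)
    return state

def sample_log():
    """Constructed sample: a violation appears at ts=21 and clears at ts=41."""
    log = io.StringIO()
    append_event(log, 10, "policy", "insert", "classification", ["error(vm) :- public(vm)"])
    append_event(log, 20, "data", "insert", "public", ["vm1"])
    append_event(log, 21, "violation", "insert", "error", ["vm1"])
    append_event(log, 30, "action", "execute", "disconnect_network", ["vm1"])
    append_event(log, 40, "data", "delete", "public", ["vm1"])
    append_event(log, 41, "violation", "delete", "error", ["vm1"])
    return log.getvalue().splitlines()

if __name__ == "__main__":
    for t in (5, 25, 50):
        print(t, sorted(replay(sample_log(), t)["violation"]))
```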

Blueprint information

Status: Not started
Approver: Tim Hinrichs
Priority: Medium
Drafter: Tim Hinrichs
Direction: Approved
Assignee: None
Definition: Approved
Series goal: None
Implementation: Not started
Milestone target: None
