Phase 6 Sprint 6.1 - Tamper-Evident Logging
Threat Model
- Asset: telemetry gateway audit trail for accept/reject outcomes.
- Adversary: operator or attacker attempting to alter or erase prior log history.
- Trust boundary: append path to local audit log storage.
Attack Vectors Considered
- In-place modification of historical audit entries.
- Removal of log records to hide rejected/failed actions.
- Silent truncation and rewrite of recent entries.
Mitigations Implemented
- Added append-only JSONL audit log writer.
- Every record includes previous-hash link and entry hash.
- Hash-chain integrity verification API detects tampering.
- Periodic sealing records inserted automatically every N entries.
- Gateway now records accepted and rejected telemetry outcomes in tamper-evident log.
Residual Risk
- Local file storage can still be deleted by privileged host access.
- Seals are local records; external notarization is not yet implemented.
Future Improvements
- Stream seals to remote immutable store (WORM/S3 Object Lock).
- Add asynchronous off-host replication for log continuity.
- Sign seals with hardware-backed attestation keys.