fix: edge-control: append-only audit log for register/deregister operations (#1095)

Every successful register/deregister appends one line to /var/log/disinto/edge-register.log with space-separated key=value pairs: 2026-04-20T14:30:12Z register project=myproj port=20034 pubkey_fp=SHA256:… caller=alice 2026-04-20T14:31:55Z deregister project=myproj port=20034 pubkey_fp=SHA256:… caller=alice - Log dir /var/log/disinto/ created by install.sh (root:disinto-register, 0750) - Log file created at install time (0640, root:disinto-register) - Logrotate: daily rotation, 30 days retention, copytruncate - Write failures emit a warning but do not fail the operation - Caller derived from SSH_USERNAME > SUDO_USER > USER env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-20 19:42:10 +00:00 · 2026-04-20 19:42:10 +00:00 · 5ddf379191
commit 5ddf379191
parent 2fd4da6b64
2 changed files with 90 additions and 7 deletions
--- a/tools/edge-control/install.sh
+++ b/tools/edge-control/install.sh
@ -162,7 +162,43 @@ if [ ! -f "$ALLOWLIST_FILE" ]; then
 fi

 # =============================================================================
-# Step 3: Install Caddy with Gandi DNS plugin
+# Step 3: Create audit log directory and logrotate config
+# =============================================================================
+log_info "Setting up audit log..."
+
+LOG_DIR="/var/log/disinto"
+LOG_FILE="${LOG_DIR}/edge-register.log"
+
+mkdir -p "$LOG_DIR"
+chown root:disinto-register "$LOG_DIR"
+chmod 0750 "$LOG_DIR"
+
+# Touch the log file so it exists from day one
+touch "$LOG_FILE"
+chmod 0640 "$LOG_FILE"
+chown root:disinto-register "$LOG_FILE"
+
+# Install logrotate config (daily rotation, 30 days retention)
+LOGROTATE_CONF="/etc/logrotate.d/disinto-edge"
+cat > "$LOGROTATE_CONF" <<EOF
+${LOG_FILE} {
+    daily
+    rotate 30
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root disinto-register
+    copytruncate
+}
+EOF
+chmod 0644 "$LOGROTATE_CONF"
+
+log_info "Audit log: ${LOG_FILE}"
+log_info "Logrotate config: ${LOGROTATE_CONF}"
+
+# =============================================================================
+# Step 4: Install Caddy with Gandi DNS plugin
 # =============================================================================
 log_info "Installing Caddy ${CADDY_VERSION} with Gandi DNS plugin..."

@ -293,7 +329,7 @@ systemctl restart caddy 2>/dev/null || {
 log_info "Caddy configured with admin API on 127.0.0.1:2019"

 # =============================================================================
-# Step 4: Install control plane scripts
+# Step 5: Install control plane scripts
 # =============================================================================
 log_info "Installing control plane scripts to ${INSTALL_DIR}..."

@ -315,7 +351,7 @@ chmod 750 "${INSTALL_DIR}/lib"
 log_info "Control plane scripts installed"

 # =============================================================================
-# Step 5: Set up SSH authorized_keys
+# Step 6: Set up SSH authorized_keys
 # =============================================================================
 log_info "Setting up SSH authorized_keys..."

@ -357,7 +393,7 @@ source "${INSTALL_DIR}/lib/authorized_keys.sh"
 rebuild_authorized_keys

 # =============================================================================
-# Step 6: Configure forced command for disinto-register
+# Step 7: Configure forced command for disinto-register
 # =============================================================================
 log_info "Configuring forced command for disinto-register..."

@ -380,7 +416,7 @@ if [ -n "$ADMIN_PUBKEY" ]; then
 fi

 # =============================================================================
-# Step 7: Final configuration
+# Step 8: Final configuration
 # =============================================================================
 log_info "Configuring domain suffix: ${DOMAIN_SUFFIX}"