audit
Append-only event capture for policy decisions and incident analysis.
What it mitigates
- Untraceable allow/deny outcomes
- Lack of evidence during investigations
- Policy drift without observable signals
Recommended defaults
| Profile | sink | includeArguments | includeResults |
|---|---|---|---|
| local | file or central sink | true | true |
| standard | file | true | true |
| unbounded | file + external sink | true | true |
Minimal config
```yaml
audit:
  sink: file
  path: .radius/audit.jsonl
  includeArguments: true
  includeResults: true
  # webhookUrl: https://...
  # otlpEndpoint: https://...
```
Best practices
- Keep the audit module last in the pipeline.
- Protect log integrity and retention policy.
- Review blocked/challenged event trends weekly.
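
One way to act on "protect log integrity" for a JSONL file sink is to keep a keyed hash chain over the log lines and store the digests somewhere other than the logging host. The sketch below is an added example, not part of this project; the event field names, the key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # fixed starting value for the chain

# Constructed sample events; the field names are hypothetical.
SAMPLE = [
    '{"ts":"2024-05-01T10:00:00Z","module":"fs_guard","decision":"allow"}',
    '{"ts":"2024-05-01T10:00:05Z","module":"fs_guard","decision":"deny"}',
    '{"ts":"2024-05-01T10:00:09Z","module":"approval","decision":"challenge"}',
]
KEY = b"constructed-demo-key"  # in practice held by the verifier, not the logging host


def chain_digests(lines, key):
    """Digest i is HMAC-SHA256 over (digest i-1, line i), so it covers all earlier lines."""
    prev, out = GENESIS, []
    for line in lines:
        msg = prev.encode() + b"\n" + line.rstrip("\n").encode()
        prev = hmac.new(key, msg, hashlib.sha256).hexdigest()
        out.append(prev)
    return out


def verify(lines, recorded, key):
    """Compare the current log against digests recorded earlier and stored elsewhere.

    Returns ("ok", None), ("modified", i) for the first line that differs,
    or ("truncated", n) when only n of the recorded lines remain.
    Lines appended after the last recorded digest are accepted.
    """
    current = chain_digests(lines, key)
    for i, want in enumerate(recorded):
        if i >= len(current):
            return ("truncated", i)
        if not hmac.compare_digest(current[i], want):
            return ("modified", i)
    return ("ok", None)


if __name__ == "__main__":
    recorded = chain_digests(SAMPLE, KEY)
    tampered = [SAMPLE[0], SAMPLE[1].replace("deny", "allow"), SAMPLE[2]]
    print(verify(SAMPLE, recorded, KEY))
    print(verify(tampered, recorded, KEY))
    print(verify(SAMPLE[:2], recorded, KEY))
```

To check a real log, pass the lines of `.radius/audit.jsonl` as `lines` and the previously stored digests as `recorded`.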