What Is a Hash Chain Audit Log

A hash chain audit log is a tamper-evident logging structure where each entry is cryptographically linked to the previous one using SHA-256 hashes. If any entry is modified after the fact, the hash chain breaks and the tampering is detectable. osModa uses this structure for its system-wide audit ledger.

How a Hash Chain Works

Each entry in a hash chain contains: the event data (timestamp, actor, action, details), and the SHA-256 hash of the previous entry. When a new event occurs, the system computes hash(previous_entry) and embeds it in the new entry. This creates an unbroken chain from the first entry to the most recent.

To verify the chain's integrity, start at the beginning and recompute each hash. If the computed hash for entry N matches the hash stored in entry N+1, that entry has not been modified. If any hash does not match, the entry was tampered with. This verification can be performed by any tool that implements SHA-256 -- no proprietary software is required.

Hash Chain Structure

Entry 1: { data: "agent started", prev_hash: "0000...0000" }
  hash_1 = SHA-256(Entry 1) = "a3f8...c912"

Entry 2: { data: "tool invoked: read_file", prev_hash: "a3f8...c912" }
  hash_2 = SHA-256(Entry 2) = "7b2e...d401"

Entry 3: { data: "config deployed", prev_hash: "7b2e...d401" }
  hash_3 = SHA-256(Entry 3) = "e91c...f738"

If Entry 2 is modified → hash_2 changes → Entry 3.prev_hash ≠ new hash_2
→ Tampering detected.
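The following Python is an added example, not osModa's code and not a description of its on-disk ledger format. It builds the three-entry chain from the diagram above, performs the verification walk the text describes (recompute each hash, compare it to the next entry's prev_hash), and shows where the break surfaces when Entry 2 is altered. It also makes one point the structure implies: a link check proves internal consistency only. A ledger rewritten end-to-end and re-linked still verifies, and an edit to the newest entry breaks no link at all, so an auditor should additionally compare the head hash against a copy recorded outside the server. The canonical-JSON serialization, the all-zero genesis prev_hash and the external checkpoint are assumptions made for this example.

```python
import hashlib
import json

# Assumption: the first entry points at an all-zero hash, as in the diagram's "0000...0000".
GENESIS_PREV_HASH = "0" * 64


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the whole entry (data + prev_hash).

    Canonical encoding (sorted keys, no whitespace) is an assumption for this
    example; any deterministic serialization works as long as verifier and
    writer agree on it.
    """
    encoded = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_entry(chain: list, data: str) -> dict:
    """Create a new entry whose prev_hash is the hash of the current last entry."""
    prev_hash = entry_hash(chain[-1]) if chain else GENESIS_PREV_HASH
    entry = {"data": data, "prev_hash": prev_hash}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Walk the chain from the start, recomputing every link.

    Returns (ok, broken_at, head_hash). broken_at is the index of the first entry
    whose prev_hash does not match the recomputed hash of its predecessor, i.e. the
    entry *after* the one that was altered. head_hash is the hash of the last entry
    and is what an auditor compares against an externally stored checkpoint.
    """
    expected_prev = GENESIS_PREV_HASH
    for index, entry in enumerate(chain):
        if entry.get("prev_hash") != expected_prev:
            return False, index, None
        expected_prev = entry_hash(entry)
    return True, None, expected_prev


def build_demo_chain() -> list:
    """The three entries from the diagram (constructed sample data)."""
    chain = []
    for data in ("agent started", "tool invoked: read_file", "config deployed"):
        append_entry(chain, data)
    return chain


def tamper_middle_entry() -> tuple:
    """Alter Entry 2 after the fact: hash_2 changes, so Entry 3's link breaks."""
    chain = build_demo_chain()
    chain[1]["data"] = "tool invoked: delete_file"
    ok, broken_at, _ = verify_chain(chain)
    return ok, broken_at  # (False, 2): the break surfaces at the entry following the edit


def tamper_last_entry(checkpoint_head: str) -> tuple:
    """Alter the newest entry: no later link exists, so the link walk still passes.

    Only the head hash, compared with a checkpoint kept off the server, reveals it.
    """
    chain = build_demo_chain()
    chain[-1]["data"] = "config deployed (edited)"
    ok, _, head = verify_chain(chain)
    return ok, head == checkpoint_head  # (True, False)


def rewrite_and_relink(checkpoint_head: str) -> tuple:
    """Rewrite an entry and recompute every subsequent link.

    This is what full control of the server permits and why the text notes that
    distribution protects against the operator: the chain is internally consistent,
    and only the external checkpoint disagrees.
    """
    chain = build_demo_chain()
    chain[1]["data"] = "tool invoked: delete_file"
    for i in range(2, len(chain)):
        chain[i]["prev_hash"] = entry_hash(chain[i - 1])
    ok, _, head = verify_chain(chain)
    return ok, head == checkpoint_head  # (True, False)


if __name__ == "__main__":
    honest = build_demo_chain()
    ok, _, checkpoint = verify_chain(honest)  # checkpoint: head hash recorded off-server
    print("honest chain verifies:", ok, "head:", checkpoint)
    print("edit Entry 2 -> (ok, broken_at):", tamper_middle_entry())
    print("edit last entry -> (links ok, head matches):", tamper_last_entry(checkpoint))
    print("rewrite + relink -> (links ok, head matches):", rewrite_and_relink(checkpoint))
```

Run stand-alone, the script prints the honest head hash, then shows the three cases: an edited middle entry is caught by the link walk at index 2, while an edited last entry and a fully re-linked rewrite both pass the walk and are caught only by the checkpoint comparison. Exporting the ledger and verifying it with this routine offline is exactly what the text means by "any tool that implements SHA-256".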

What osModa's Audit Ledger Records

The osModa audit ledger records every significant event on the server. This is not selective logging -- it is comprehensive, tamper-evident recording of all system activity. Events include:

MCP Tool Invocations

Every tool call through osmoda-mcpd: which tool was called, by which agent, with what parameters, and what result was returned. All 83 built-in tools and any custom MCP tools are logged.

Crash and Restart Events

Every process crash detected by osmoda-watch: process name, exit code, crash timestamp, restart timestamp, and post-restart health check result.

Configuration Changes

Every NixOS generation switch and atomic rollback: what changed between generations, who triggered the deployment, and whether SafeSwitch performed an automatic rollback.

Security Events

Authentication attempts, trust tier changes, mesh network connections via osmoda-mesh (Noise_XX + ML-KEM-768 encrypted), and wallet signing operations via osmoda-keyd for ETH and SOL transactions.

Hash Chain Logs and Compliance

Regulatory frameworks require audit trails that are complete, accurate, and protected from unauthorized modification. Traditional log files fail this test because anyone with file system access can alter them. Hash chain logs provide cryptographic proof of integrity.

  • SOC 2 (CC7.2) -- Requires monitoring and detection of unauthorized changes. The hash chain makes any modification detectable.
  • HIPAA (45 CFR 164.312(b)) -- Requires audit controls recording access to electronic protected health information. The ledger provides this with tamper evidence.
  • 21 CFR Part 11 -- FDA requirement for electronic records. Hash chain logs satisfy the audit trail, record integrity, and non-repudiation requirements.

For detailed compliance guidance, see the Audit & Compliance documentation and the Tamper-Evident Audit Log technical guide.

Hash Chain vs. Blockchain

A hash chain and a blockchain both use cryptographic linking. The difference is that a blockchain adds distributed consensus -- multiple nodes must agree on each block. osModa's audit ledger is a hash chain, not a blockchain. It runs on a single server and does not require distributed consensus. This makes it faster (no consensus delay), simpler (no network coordination), and equally tamper-evident for the purpose of audit logging on a dedicated server.

The tamper-evident property comes from the hash chain itself, not from distribution. If an auditor can independently verify the chain (by recomputing SHA-256 hashes), they can confirm that no entries were modified. Distribution adds protection against the server operator, but for compliance purposes, the hash chain provides the required integrity guarantee.

Frequently Asked Questions

What is a hash chain?

A hash chain is a data structure where each entry contains the cryptographic hash of the previous entry. This creates a chain: entry N includes hash(entry N-1), entry N-1 includes hash(entry N-2), and so on back to the first entry. If any entry in the chain is modified, its hash changes, which invalidates all subsequent entries. This makes tampering detectable -- you cannot alter a past entry without breaking the chain.

Why does osModa use SHA-256 for audit logging?

SHA-256 is a widely trusted cryptographic hash function that produces a 256-bit (32-byte) hash. It is computationally infeasible to find two different inputs that produce the same hash (collision resistance) or to reconstruct the input from a hash (preimage resistance). These properties make it ideal for audit logs where you need mathematical proof that entries have not been altered after the fact.

What events does osModa's audit ledger record?

The audit ledger records all significant system events: tool invocations via MCP, agent process crashes and restarts, NixOS generation switches and rollbacks, authentication events, configuration changes, mesh network connections, wallet signing operations via osmoda-keyd, and watchdog events. Each entry includes a timestamp, event type, actor, action details, and the SHA-256 hash linking it to the previous entry.

How does a hash chain differ from a regular log file?

A regular log file is a plain text or structured data file. Anyone with write access can modify, delete, or insert entries without detection. A hash chain log includes a cryptographic link between entries. If an entry is modified, the hash link breaks and the tampering is immediately detectable. This provides mathematical proof of log integrity, not just access control.

Is osModa's audit ledger useful for compliance?

Yes. The tamper-evident property of hash-chained logs satisfies audit trail requirements in SOC 2 (CC7.2 monitoring), HIPAA (audit controls per 45 CFR 164.312(b)), and 21 CFR Part 11 (electronic records for FDA-regulated industries). The ledger provides cryptographic proof that log entries have not been altered, which is stronger evidence than traditional access-controlled logs.

Can I export the audit ledger?

Yes. The audit ledger can be exported for external analysis, long-term archival, or compliance review. The hash chain integrity can be independently verified by any tool that implements SHA-256 -- you do not need osModa software to validate the chain. Each exported entry includes the hash of the previous entry, so the full chain can be verified offline.

Tamper-Proof Logging Out of the Box

Every osModa server includes the SHA-256 hash-chained audit ledger. Every action is recorded, every entry is linked. Plans from $14.99/month.
