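---
# Audit Trail Rules
# ==================
# Ensures all sensitive operations are logged and traceable.
# Critical for SOX compliance and incident investigation.
#
# Check types as this file uses them (confirm against the checker's docs):
#   pattern_required     every listed pattern must appear in each matched file
#   pattern_recommended  same as pattern_required, advisory only
#   pattern_forbidden    no listed pattern may appear in any matched file
#   pattern_check        where a `patterns` entry matches, a `requires` entry
#                        must also be present in that file (conditional rule)
#
# NOTE(review): every rule here is a line-oriented source grep, not a
# data-flow check. A single `logger.` call anywhere in a file satisfies a
# file-level rule, so a pass means "not obviously missing", not "every
# write path is logged". Regexes live in double-quoted YAML scalars, so a
# literal dot is written `\\.` and a literal backslash `\\\\`.

rules:
  # ===================
  # LOGGING REQUIREMENTS
  # ===================
  - id: AUDIT-LOG-001
    name: "Authentication events must be logged"
    description: "All login, logout, and failed authentication attempts must be logged"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/api/v1/auth.py"
        - "app/routes/admin.py"
      patterns:
        # Both patterns must be present in each listed file.
        - "logger\\.(info|warning|error).*login"
        - "logger\\.(info|warning|error).*auth"
    message: "Authentication endpoints must log all attempts"

  - id: AUDIT-LOG-002
    name: "Data modification must be logged"
    description: "Create, update, delete operations must include audit logging"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/services/*.py"
      patterns:
        # Any logger call in the file satisfies this; it does not tie the
        # call to a specific create/update/delete path.
        - "logger\\."
      exclude_patterns:
        - "__init__.py"
    message: "Service layer must include logging for data modifications"

  - id: AUDIT-LOG-003
    name: "Admin actions must be logged"
    description: "All administrative actions require audit logging"
    severity: critical
    check:
      type: pattern_required
      paths:
        - "app/routes/admin.py"
      patterns:
        - "logger\\."
    message: "Admin routes must log all actions"

  - id: AUDIT-LOG-004
    name: "Log must include user identity"
    description: "Audit logs must include the user ID performing the action"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "app/**/*.py"
      patterns:
        - "user_id|current_user|admin_user"
      context: "logging"
    message: "Logs should include user identity for traceability"

  # ===================
  # AUDIT FIELDS
  # ===================
  - id: AUDIT-FIELD-001
    name: "Models must have audit timestamps"
    description: "Database models must include created_at and updated_at fields"
    severity: high
    check:
      type: pattern_required
      paths:
        - "models/database/*.py"
      patterns:
        - "created_at"
        - "updated_at"
      exclude_patterns:
        - "__init__.py"
        - "base.py"
        - "audit_log.py"  # Uses timestamp field instead
    message: "Database models must include audit timestamp fields"

  - id: AUDIT-FIELD-002
    name: "Models should track who made changes"
    description: "Models should include created_by and updated_by fields"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "models/database/*.py"
      patterns:
        - "created_by|updated_by|modified_by"
    message: "Consider adding created_by/updated_by fields for accountability"

  # ===================
  # LOG INTEGRITY
  # ===================
  - id: AUDIT-INT-001
    name: "Logs must not be modifiable by application"
    description: "Application should not have delete/modify access to audit logs"
    severity: high
    # Source patterns only catch the obvious in-repo cases. Tamper-resistance
    # of audit logs is ultimately enforced outside the app (append-only or
    # forwarded log sink, filesystem permissions), not by this grep.
    check:
      type: pattern_forbidden
      paths:
        - "app/**/*.py"
      patterns:
        # Deleting log files: os-level and pathlib forms
        - "os\\.remove.*\\.log"
        - "os\\.unlink.*\\.log"
        - "\\.log.*\\.unlink\\("
        - "shutil\\.rmtree.*log"
        # Truncating or overwriting log files
        - "truncate.*log"
        - "open.*\\.log.*[\"']w[\"']"
        - "\\.log.*write_(text|bytes)\\("
        # A FileHandler opened with mode="w" truncates the log on every start
        - "FileHandler\\(.*mode=[\"']w[\"']"
    message: "Application must not modify or delete log files"

  - id: AUDIT-INT-002
    name: "Structured logging required"
    description: "Use structured logging for machine-parseable audit trails"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "app/core/logging.py"
      patterns:
        - "structlog|json|JSONFormatter"
    message: "Consider structured logging for better audit trail analysis"

  # ===================
  # SENSITIVE OPERATIONS
  # ===================
  - id: AUDIT-SENS-001
    name: "Password changes must be logged"
    description: "All password change operations require audit logging"
    severity: critical
    # pattern_check: a file that touches passwords must also contain a logger
    # call. A plain pattern_required on "password" passes as soon as the word
    # appears and never checks for logging; the "must have corresponding
    # logger call" intent is expressed via `requires`, as in AUDIT-SENS-003.
    check:
      type: pattern_check
      paths:
        - "app/services/user_service.py"
        - "app/api/v1/users.py"
      patterns:
        - "password"
      requires:
        - "logger\\."
    message: "Password operations must be logged"

  - id: AUDIT-SENS-002
    name: "Permission changes must be logged"
    description: "Role and permission changes require audit logging"
    severity: critical
    # pattern_check rather than pattern_required: only service files that
    # mention roles/permissions are held to the logging requirement, instead
    # of every service file being required to contain one of these words.
    check:
      type: pattern_check
      paths:
        - "app/services/*.py"
      patterns:
        - "is_admin|role|permission"
      requires:
        - "logger\\."
    message: "Permission changes must be logged"

  - id: AUDIT-SENS-003
    name: "Data exports must be logged"
    description: "Any data export functionality must be logged"
    severity: high
    check:
      type: pattern_check
      paths:
        - "app/**/*.py"
      patterns:
        # "csv" also matches `import csv`; narrow `paths` if this is noisy.
        - "export|download|csv|xlsx"
      requires:
        - "logger\\."
    message: "Data export operations must be logged"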