orion/.security-rules/audit.yaml

# Audit & Logging Rules
# =====================

audit_rules:
  - id: "SEC-051"
    name: "Authentication event logging"
    severity: warning
    description: |
      Log authentication events:
      - Successful logins (with user ID, IP)
      - Failed login attempts (with IP, reason)
      - Logouts
      - Password changes
      - Password reset requests
    file_pattern: "**/auth*.py|**/login*.py"
    required_patterns:
      - "log"
    suggested_patterns:
      - 'logger\.(info|warning).*login|auth|password'

  - id: "SEC-052"
    name: "Admin action audit trail"
    severity: warning
    description: |
      All admin operations should be logged with:
      - Admin user ID
      - Action performed
      - Target resource
      - Timestamp
      - IP address
    file_pattern: "**/admin/**/*.py"
    required_patterns:
      - "log"
    suggested_patterns:
      - "logger|audit"

  - id: "SEC-053"
    name: "Data modification logging"
    severity: info
    description: |
      Log create/update/delete on sensitive data:
      - User accounts
      - Roles and permissions
      - Financial transactions
      - Configuration changes
    file_pattern: "**/service*.py"

  - id: "SEC-054"
    name: "Security event logging"
    severity: warning
    description: |
      Log security-relevant events:
      - Authorization failures
      - Input validation failures
      - Rate limit triggers
      - Suspicious activity patterns
    file_pattern: "**/*.py"
    context_patterns:
      - "unauthorized|forbidden|rate_limit|suspicious"
    suggested_patterns:
      - "logger\\.warning|logger\\.error"

  - id: "SEC-055"
    name: "Log injection prevention"
    severity: warning
    description: |
      Sanitize user input before logging.
      Newlines and control characters can corrupt logs.
    file_pattern: "**/*.py"
    anti_patterns:
      - 'logger\.[a-z]+\(.*request\..*\)'
    suggested_patterns:
      - "sanitize|escape|repr\\("
    example_bad: |
      logger.info(f"User search: {request.query}")
    example_good: |
      logger.info(f"User search: {request.query!r}")  # repr escapes

  - id: "SEC-056"
    name: "Centralized logging"
    severity: info
    description: |
      Use centralized logging for:
      - Correlation across services
      - Tamper-evident storage
      - Retention management
      - Alerting capabilities

  - id: "SEC-057"
    name: "Log level appropriateness"
    severity: info
    description: |
      Use appropriate log levels:
      - ERROR: Security failures requiring attention
      - WARNING: Suspicious activity, failed auth
      - INFO: Successful security events
      - DEBUG: Never log sensitive data even at debug

  - id: "SEC-058"
    name: "Structured logging format"
    severity: info
    description: |
      Use structured logging (JSON) for:
      - Easy parsing
      - Consistent fields
      - Searchability
    suggested_patterns:
      - "structlog|json_formatter|extra={"

  - id: "SEC-059"
    name: "Audit log integrity"
    severity: info
    description: |
      Protect audit logs from tampering:
      - Append-only storage
      - Cryptographic chaining
      - Separate access controls

  - id: "SEC-060"
    name: "Privacy-aware logging"
    severity: warning
    description: |
      Comply with data protection regulations:
      - No PII in logs without consent
      - Log retention limits
      - Right to deletion support
    file_pattern: "**/*.py"
    anti_patterns:
      - 'log.*email(?!.*@.*sanitized)'
      - 'log.*phone'
      - 'log.*address(?!.*ip)'