Import audit rules from scaffold project covering: - Access control validation - Audit trail requirements - Change management policies - Compliance checks - Data governance rules - Documentation requirements - Third-party dependency checks 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Audit Trail Rules
|
|
# ==================
|
|
# Ensures all sensitive operations are logged and traceable.
|
|
# Critical for SOX compliance and incident investigation.
|
|
|
|
rules:
|
|
# ===================
|
|
# LOGGING REQUIREMENTS
|
|
# ===================
|
|
|
|
- id: AUDIT-LOG-001
|
|
name: "Authentication events must be logged"
|
|
description: "All login, logout, and failed authentication attempts must be logged"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/api/v1/auth.py"
|
|
- "app/routes/admin.py"
|
|
patterns:
|
|
- "logger\\.(info|warning|error).*login"
|
|
- "logger\\.(info|warning|error).*auth"
|
|
message: "Authentication endpoints must log all attempts"
|
|
|
|
- id: AUDIT-LOG-002
|
|
name: "Data modification must be logged"
|
|
description: "Create, update, delete operations must include audit logging"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/services/*.py"
|
|
patterns:
|
|
- "logger\\."
|
|
exclude_patterns:
|
|
- "__init__.py"
|
|
message: "Service layer must include logging for data modifications"
|
|
|
|
- id: AUDIT-LOG-003
|
|
name: "Admin actions must be logged"
|
|
description: "All administrative actions require audit logging"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/routes/admin.py"
|
|
patterns:
|
|
- "logger\\."
|
|
message: "Admin routes must log all actions"
|
|
|
|
- id: AUDIT-LOG-004
|
|
name: "Log must include user identity"
|
|
description: "Audit logs must include the user ID performing the action"
|
|
severity: high
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "app/**/*.py"
|
|
patterns:
|
|
- "user_id|current_user|admin_user"
|
|
context: "logging"
|
|
message: "Logs should include user identity for traceability"
|
|
|
|
# ===================
|
|
# AUDIT FIELDS
|
|
# ===================
|
|
|
|
- id: AUDIT-FIELD-001
|
|
name: "Models must have audit timestamps"
|
|
description: "Database models must include created_at and updated_at fields"
|
|
severity: high
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "models/database/*.py"
|
|
patterns:
|
|
- "created_at"
|
|
- "updated_at"
|
|
exclude_patterns:
|
|
- "__init__.py"
|
|
- "base.py"
|
|
- "audit_log.py" # Uses timestamp field instead
|
|
message: "Database models must include audit timestamp fields"
|
|
|
|
- id: AUDIT-FIELD-002
|
|
name: "Models should track who made changes"
|
|
description: "Models should include created_by and updated_by fields"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "models/database/*.py"
|
|
patterns:
|
|
- "created_by|updated_by|modified_by"
|
|
message: "Consider adding created_by/updated_by fields for accountability"
|
|
|
|
# ===================
|
|
# LOG INTEGRITY
|
|
# ===================
|
|
|
|
- id: AUDIT-INT-001
|
|
name: "Logs must not be modifiable by application"
|
|
description: "Application should not have delete/modify access to audit logs"
|
|
severity: high
|
|
check:
|
|
type: pattern_forbidden
|
|
paths:
|
|
- "app/**/*.py"
|
|
patterns:
|
|
- "os\\.remove.*\\.log"
|
|
- "truncate.*log"
|
|
- "open.*\\.log.*[\"']w[\"']"
|
|
message: "Application must not modify or delete log files"
|
|
|
|
- id: AUDIT-INT-002
|
|
name: "Structured logging required"
|
|
description: "Use structured logging for machine-parseable audit trails"
|
|
severity: medium
|
|
check:
|
|
type: pattern_recommended
|
|
paths:
|
|
- "app/core/logging.py"
|
|
patterns:
|
|
- "structlog|json|JSONFormatter"
|
|
message: "Consider structured logging for better audit trail analysis"
|
|
|
|
# ===================
|
|
# SENSITIVE OPERATIONS
|
|
# ===================
|
|
|
|
- id: AUDIT-SENS-001
|
|
name: "Password changes must be logged"
|
|
description: "All password change operations require audit logging"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/services/user_service.py"
|
|
- "app/api/v1/users.py"
|
|
patterns:
|
|
- "password"
|
|
context: "must have corresponding logger call"
|
|
message: "Password operations must be logged"
|
|
|
|
- id: AUDIT-SENS-002
|
|
name: "Permission changes must be logged"
|
|
description: "Role and permission changes require audit logging"
|
|
severity: critical
|
|
check:
|
|
type: pattern_required
|
|
paths:
|
|
- "app/services/*.py"
|
|
patterns:
|
|
- "is_admin|role|permission"
|
|
context: "must have corresponding logger call"
|
|
message: "Permission changes must be logged"
|
|
|
|
- id: AUDIT-SENS-003
|
|
name: "Data exports must be logged"
|
|
description: "Any data export functionality must be logged"
|
|
severity: high
|
|
check:
|
|
type: pattern_check
|
|
paths:
|
|
- "app/**/*.py"
|
|
patterns:
|
|
- "export|download|csv|xlsx"
|
|
requires:
|
|
- "logger\\."
|
|
message: "Data export operations must be logged"
|
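Review bot: AUDIT-INT-001's forbidden pattern `open.*\\.log.*[\"']w[\"']` only matches a bare `'w'` mode, so `open(path, 'w+')`, `'wb'` or `'wt'` truncates a log file without tripping the rule, and `Path.unlink`, `Path.write_text` and `shutil.rmtree` on a log path are not covered at all. Widening the mode class to `- "open.*\\.log.*[\"']w[bt+]*[\"']"` and adding `- "unlink.*\\.log"` would close the obvious gaps, while anchoring the third pattern as `- "truncate.*\\.log"` would stop it firing on any line that merely contains `login`, `logic` or `catalog`. Separately, the `pattern_required` rules AUDIT-LOG-002 and AUDIT-LOG-003 are satisfied by a single `logger.` call anywhere in the matched file, so they establish that logging exists, not that each create/update/delete or admin action is logged as the descriptions promise; a qualifier in each description such as `(presence check only; per-operation coverage is confirmed in code review)` would set expectations honestly. Whether the checker enforces the free-text `context` fields (AUDIT-LOG-004, AUDIT-SENS-001/002) and the distinct `pattern_check`/`requires` form used by AUDIT-SENS-003 cannot be told from this file alone, so those rules may be reporting a pass on the pattern match only.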