CCC Audit Logging Controls
Controls for Audit Logging technologies, as defined by the FINOS Common Cloud Controls project.
- ID
- CCC.AuditLog.CN
- Version
- v2026.06-rc5
- Gemara version
- v1.2.0
- Author
- FINOS Common Cloud Controls
Observability
The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.
CCC.AuditLog.CN01 Implement Digital Signatures With Hash Chaining
Objective
Digital signatures allow external verification of log data tampering, and hash chaining allows deleted log files to be detected.
Assessment requirements
When the signature validation process is performed, then it MUST detect any modification of data.
Applicability: tlp-red
When the signature validation process is performed, then it MUST detect any missing (deleted) log file.
Applicability: tlp-red
Guidelines
- NIST-CSF
- PR.DS-01
- NIST_800_53
- AU-9
Threats
- CCC.Core.Threats
- CCC.Core.TH06
- CCC.Core.TH07
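The two CN01 assessment requirements (detect modification, detect a missing log file) can be exercised with a small validator like the one below. This is an added example, not code from the FINOS Common Cloud Controls project. It assumes a hypothetical digest record format (`seq`, `log_sha256`, `prev_sig`, `sig`), uses HMAC-SHA256 with a constructed key as an offline stand-in for an asymmetric signature, and assumes the verifier holds the latest signature (`trusted_head_sig`) out of band.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 with a constructed key stands in for an asymmetric
# signature (for example a KMS-held private key) so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"

def _sign(seq, log_sha256, prev_sig):
    payload = f"{seq}|{log_sha256}|{prev_sig}".encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def make_digest(seq, log_bytes, prev_sig):
    """Digest record for one log file, chained to the previous digest's signature."""
    h = hashlib.sha256(log_bytes).hexdigest()
    return {"seq": seq, "log_sha256": h, "prev_sig": prev_sig,
            "sig": _sign(seq, h, prev_sig)}

def verify_chain(digests, stored_logs, trusted_head_sig):
    """Return findings; an empty list means the chain and every log file verified."""
    findings, prev_sig, expected_seq = [], "", 0
    for d in digests:
        if not hmac.compare_digest(d["sig"], _sign(d["seq"], d["log_sha256"], d["prev_sig"])):
            findings.append(f"digest {d['seq']}: invalid signature")
        if d["seq"] != expected_seq or d["prev_sig"] != prev_sig:
            findings.append(f"digest {d['seq']}: chain break (digest removed or reordered)")
        log = stored_logs.get(d["seq"])
        if log is None:
            findings.append(f"log {d['seq']}: missing")
        elif hashlib.sha256(log).hexdigest() != d["log_sha256"]:
            findings.append(f"log {d['seq']}: modified")
        prev_sig, expected_seq = d["sig"], d["seq"] + 1
    # Without an external anchor, dropping the newest digests is undetectable.
    if prev_sig != trusted_head_sig:
        findings.append("head: latest digest does not match trusted head (tail truncated)")
    return findings

def build_sample():
    """Constructed sample: three log files and their chained digests."""
    logs = {i: f"constructed audit log file {i}\n".encode() for i in range(3)}
    digests, prev = [], ""
    for i in range(3):
        digests.append(make_digest(i, logs[i], prev))
        prev = digests[-1]["sig"]
    return digests, logs, prev
```

The head check matters because a chain only proves continuity up to the last digest presented; the most recent signature has to be stored somewhere the log writer cannot alter.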
CCC.AuditLog.CN02 Enable And Validate All Audit Log Types
Objective
Review audit log configuration and ensure that all audit log types are being generated and replicated to configured sinks.
Assessment requirements
When a manual action is performed to generate each audit log type, then the corresponding audit log type MUST be generated and recorded.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AU-2
- AU-3
- AU-12
Threats
- CCC.Core.Threats
- CCC.Core.TH06
CCC.AuditLog.CN03 Alert On Audit Log Changes And Access
Objective
Ensure that specific alerts have been configured to detect changes in audit log configuration such as disabling exporting of logs. Alerts MUST also be created to detect changes in retention/object lock policies for exported data log sources/buckets.
Assessment requirements
When an attempt is made to disable a log source, then an alert MUST be generated.
Applicability: tlp-red, tlp-amber
When an attempt is made to alter the retention or object lock status of an external data log source or bucket, then an alert MUST be generated.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- DE.CM-1
- NIST_800_53
- AU-5
- AU-6
Threats
- CCC.Core.Threats
- CCC.Core.TH07
CCC.AuditLog.CN04 Ensure Access Logging Is Enabled on the Audit Log Bucket
Objective
Ensure that access logging is enabled for the audit log storage bucket to capture all requests made to the bucket, providing an audit trail of data access.
Assessment requirements
When audit log buckets are created, then server access logging MUST be enabled for the audit log bucket, with logs delivered to a separate, secure logging bucket.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- DE.CM-1
- NIST_800_53
- AU-2
- AU-3
Threats
- CCC.Core.Threats
- CCC.Core.TH01
- CCC.Core.TH09
CCC.AuditLog.CN05 Export Audit Logs To Bucket
Objective
Configure audit logs to be sent to an external bucket where they can be globally replicated and can be subject to greater access control and data retention policies.
Assessment requirements
When audit logs are exported, then audit logs MUST be present in the configured data location.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AU-9
- AU-11
- AU-4
Threats
- CCC.Core.Threats
- CCC.Core.TH07
CCC.AuditLog.CN06 Enforce Retention Policy on Audit Log Bucket
Objective
Configure a custom retention policy on the designated audit log bucket to ensure that logs are retained for the correct number of days as defined by your organization's policy.
Assessment requirements
When the retention policy is applied, then data MUST be automatically deleted after the configured number of days.
Applicability: tlp-red, tlp-amber, tlp-green
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AU-9
- AU-11
Threats
- CCC.Core.Threats
- CCC.Core.TH06
- CCC.Core.TH07
CCC.AuditLog.CN08 Enable Object Lock On Audit Log Bucket
Objective
Ensure that object lock is enabled globally on all objects within the bucket. The lock time MUST be configured to meet your organizational, legal and compliance goals. Deletion attempts before the lock period expires MUST be denied.
Assessment requirements
When an attempt is made to delete data before the object lock period expires, then the deletion MUST be denied.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AU-9
- AU-11
Threats
- CCC.Core.Threats
- CCC.Core.TH07
Access Control
The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.
CCC.AuditLog.CN07 Enforce MFA Delete on Audit Log Bucket
Objective
Enable Multi-Factor Authentication (MFA) delete on the audit log bucket to provide greater protection against accidental or malicious deletion of audit data.
Assessment requirements
When a standard file deletion is attempted on an object within the audit log bucket, then it MUST be prevented unless MFA is provided.
Applicability: tlp-red, tlp-amber, tlp-green
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AU-9
- AU-11
Threats
- CCC.Core.Threats
- CCC.Core.TH06
- CCC.Core.TH07
CCC.AuditLog.CN09 Restrict Field And Log Type Access
Objective
Configure access to audit logs to follow the principle of least privilege. In particular, where technically possible, limit the log fields users have access to, to prevent accidental exposure of sensitive information such as PII.
Assessment requirements
When restricted fields are accessed by unauthorized users, then those fields MUST remain masked.
Applicability: tlp-red, tlp-amber
Guidelines
- NIST-CSF
- PR.PS-04
- NIST_800_53
- AC-6
- AU-9
- AC-3
- PT-2
- PT-3
Threats
- CCC.Core.Threats
- CCC.Core.TH07
CCC.AuditLog.CN10 Ensure Audit Bucket is Not Publicly Accessible
Objective
Ensure that audit log storage buckets are not publicly accessible to prevent unauthorized exposure of sensitive log data.
Assessment requirements
When audit log storage buckets are created, then the bucket's access control settings MUST explicitly deny public read and write access.
Applicability: tlp-red, tlp-amber, tlp-green
When the URL of an audit log storage bucket's object is accessed publicly, then it should be denied by bucket policy.
Applicability: tlp-red, tlp-amber, tlp-green
Guidelines
- NIST-CSF
- PR.AA-05
- NIST_800_53
- AC-3
- SC-7
Threats
- CCC.Core.Threats
- CCC.Core.TH01