
Release · v2026.06-rc4

FINOS-CCC/CCC.AUDITLOG.TH Threat Catalog


Threats for Audit Logging technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.auditlog.th --tag v2026.06-rc4
Coordinate: oci.grc.store/finos-ccc/ccc.auditlog.th:v2026.06-rc4
Manifest digest: sha256:9f42f200ee25451a302a82edf0297731eb3db6be07cde2ac5a26712e45dd4904

Provenance

1 layer
Digest Media type Size
4db1708543c8… application/vnd.gemara.artifact.v1+yaml 5.3 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.AUDITLOG.TH",
            "type": "ThreatCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.auditlog.th",
            "tag": "v2026.06-rc4"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26770748733",
          "GITHUB_SHA": "2b6dab4c1307a0ac67d90c99829f6c1825154c84",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/management/auditlog/threats.yaml",
            "uri": "file://artifacts/management/auditlog/threats.yaml",
            "digest": {
              "sha256": "4db1708543c82a8d41bafcff00923d6c69804836a8a07fbf18571c98d3c2d4f0"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@2b6dab4c1307a0ac67d90c99829f6c1825154c84",
            "digest": {
              "gitCommit": "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26770748733-1",
          "startedOn": "2026-06-01T17:29:36.814680561Z",
          "finishedOn": "2026-06-01T17:29:37.10270889Z"
        },
        "byproducts": [
          {
            "name": "threats.yaml",
            "digest": {
              "sha256": "4db1708543c82a8d41bafcff00923d6c69804836a8a07fbf18571c98d3c2d4f0"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "threats.yaml",
      "type": "ThreatCatalog",
      "id": "CCC.AUDITLOG.TH",
      "role": "artifact"
    }
  ]
}

CCC Audit Logging Threats


ID: CCC.AUDITLOG.TH
Version: v2026.06-rc4
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.AUDITLOG.TH01 Insufficient Audit Logs

    If security-critical audit events are not logged, threats become harder to detect and post-incident analysis becomes harder to perform.

    Capabilities
    • CCC.Core.Capabilities
      • CCC.Core.CP03
      • CCC.Core.CP10
  2. CCC.AUDITLOG.TH02 Log Ingestion Latency

    Large spikes or sustained delays in log ingestion may degrade the timeliness and completeness of security telemetry. This can increase the time required to detect and investigate threats, potentially impacting incident response effectiveness.

    Capabilities
    • CCC.Core.Capabilities
      • CCC.Core.CP03
      • CCC.Core.CP10
  3. CCC.AUDITLOG.TH03 Sensitive Data Logged

    Sensitive information such as passwords, environment variables, or personally identifiable information (PII) may be included in audit logs for a number of reasons, such as end-user human error, developers not sanitizing fields, or a threat actor maliciously attempting to exfiltrate data. This can lead to unauthorized disclosure if logs are accessed by unintended parties or forwarded to external systems.

    Capabilities
    • CCC.AuditLog.Capabilities
      • CCC.AuditLog.CP03 Sink
      • CCC.AuditLog.CP08 External Sink
    • CCC.Core.Capabilities
      • CCC.Core.CP03
      • CCC.Core.CP10
  4. CCC.AUDITLOG.TH05 Logging Evasion via violating size constraints

    An attacker can evade detection by intentionally crafting input that violates the size constraints of a cloud's audit logging mechanism. Many systems impose a maximum size limit on individual log entries. When an action is performed with oversized data, such as whitespace or Unicode injection, the resulting log event, which often includes the offending data, exceeds this limit, and such an event is often redacted in the audit logs.

    Capabilities
    • CCC.Core.Capabilities
      • CCC.Core.CP03
      • CCC.Core.CP10

Ingestion

The Ingestion group covers entries related to how a service receives or retrieves data, inputs, or commands for processing. This includes both active (pull-based) and passive (push-based) ingestion patterns.

  1. CCC.AUDITLOG.TH04 Insufficient encoding of audit logs

    User-supplied data such as scripts, control characters, escape sequences, or code fragments may be written to audit logs without proper encoding or sanitization. This can result in malformed or unexpected log entries that could disrupt or compromise systems that process or display these logs, including log viewers or downstream services.

    Capabilities
    • CCC.AuditLog.Capabilities
      • CCC.AuditLog.CP03 Sink
      • CCC.AuditLog.CP08 External Sink
    • CCC.Core.Capabilities
      • CCC.Core.CP03
      • CCC.Core.CP10