GRC Store

Search / finos-ccc/ccc.logging.cn / v2026.06-rc3

Release · v2026.06-rc3

FINOS-CCC/CCC.Logging.CN Control Catalog

FINOS-CCC/CCC.Logging.CN

Controls for Logging technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$grcli unpack --repository finos-ccc/ccc.logging.cn --tag v2026.06-rc3
Coordinate
oci.grc.store/finos-ccc/ccc.logging.cn:v2026.06-rc3
Manifest digest
sha256:97994738069ca49bf8ef3989df4ff2333201322eebc4622398cab924eefc2bf7

Provenance

1 layer
Digest Media type Size
ad43534726ac… application/vnd.gemara.artifact.v1+yaml 12.5 KiB
Bundle config blob 
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.Logging.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.logging.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/management/logging/controls.yaml",
            "uri": "file://artifacts/management/logging/controls.yaml",
            "digest": {
              "sha256": "ad43534726ac2e63066373d9bc050cebef53d16031d605a0672a25e27b47820f"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:45:02.718838548Z",
          "finishedOn": "2026-06-01T16:45:02.828157212Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "ad43534726ac2e63066373d9bc050cebef53d16031d605a0672a25e27b47820f"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.Logging.CN",
      "role": "artifact"
    }
  ]
}

CCC Logging Controls

Controls for Logging technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.Logging.CN
Version
v2026.06-rc3
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.Logging.CN01 Centralized and Comprehensive Log Aggregation

    Objective

    Ensure all operational and security logs from across the cloud environment, including applications, operating systems, network traffic, and cloud service activity, are captured automatically and streamed to a central, secure log management service.

    Assessment requirements

    1. When a new cloud account is created, provider-level audit and network flow logging MUST be enabled by default and directed to the central sink.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    2. When a new cloud compute resource is deployed, it MUST be configured to forward all relevant logs (e.g., OS, application, service logs) to the central log sink.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.PS-04
    • NIST_800_53
      • AU-2
      • AU-3
    Threats
    • CCC.Logging.Threats
      • CCC.Logging.TH07Insufficient Logging

  2. CCC.Logging.CN02 Enforce Data Retention Policy for Logs

    Objective

    Ensure that the retention period configured for logs aligns with the organization's data retention policy.

    Assessment requirements

    1. When a new log bucket or stream is created, its retention policy MUST be configured in accordance with organisation's data retention policy.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    2. When a query is performed to retrieve log events older than the number of days defined in the organisation's data retention policy, it MUST return an empty result.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • GV.PO-01
    • NIST_800_53
      • AU-11
    Threats
    • CCC.Logging.Threats
      • CCC.Logging.TH05Log Retention Policy Evasion or Misconfiguration

  3. CCC.Logging.CN03 Enable Object Lock On Log Bucket

    Objective

    Ensure log immutability by enabling Write Once, Read Many (WORM) protection using object lock on log storage buckets. This prevents logs from being modified or deleted during the defined retention period, supporting compliance and forensic integrity.

    Assessment requirements

    1. When an attempt is made to modify or delete data before the object lock period expires, then the action MUST be denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.PS-04
    • NIST_800_53
      • AU-9
      • AU-11
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH07Logs are Tampered With or Deleted

  4. CCC.Logging.CN06 Detect and Alert on Potential Log Exfiltration

    Objective

    Identify and alert on anomalous data access patterns that may indicate an attempt to exfiltrate log data.

    Assessment requirements

    1. When a single principal executes an anomalously high number of log queries, an alert MUST be generated.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-03
      • DE.CM-09
    • NIST_800_53
      • SI-4
      • CA-7
      • AU-6
    Threats
    • CCC.Logging.Threats
      • CCC.Logging.TH02Log Data Exfiltration via Query Interfaces

  5. CCC.Logging.CN07 Detect and Alert on Log Service Tampering

    Objective

    Alert when any component of the critical logging infrastructure is disabled, modified, or deleted, indicating a defense evasion attempt.

    Assessment requirements

    1. When an audit log event is recorded that corresponds to a modification of the logging service configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule, an alert MUST be generated.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-03
      • DE.CM-09
    • NIST_800_53
      • SI-4
      • CA-7
      • AU-6
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH16Logging and Monitoring are Disabled

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.Logging.CN04 Restrict Field And Log Type Access

    Objective

    Configure access to logs to follow the principle of least privilege in particular where technically possible limit the log fields users have access to to prevent accidental exposure to sensitive information such as PII.

    Assessment requirements

    1. When restricted fields are accessed by unauthorized users, then those fields MUST remain masked.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.PS-04
    • NIST_800_53
      • AC-6
      • AU-9
      • AC-3
      • PT-2
      • PT-3
      • PT-3
    Threats
    • CCC.Logging.Threats
      • CCC.Logging.TH04Inadequate Log Anonymization/Masking

  2. CCC.Logging.CN05 Ensure Log Bucket is Not Publicly Accessible

    Objective

    Ensure that log storage buckets are not publicly accessible to prevent unauthorized access to sensitive log data. In addition, logs should be replicated to another cloud region to enhance availability, durability, and support disaster recovery requirements.

    Assessment requirements

    1. When a log storage bucket is created, the bucket's access control settings MUST explicitly deny public read and write access.

      Applicability: tlp-red, tlp-amber, tlp-green

    2. When the URL of a log storage bucket's object is accessed publicly, the action MUST be denied by bucket policy.

      Applicability: tlp-red, tlp-amber, tlp-green

    Guidelines
    • NIST-CSF
      • PR.AA-05
    • NIST_800_53
      • AC-3
      • SC-7
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH01Access Control is Misconfigured