CyFun BasicProtect
PR.PT-1: Audit log management
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Function: PROTECT | Control: PR.PT-1 | Key Measure
Requirement
Logs shall be maintained, documented, and reviewed.
Our Implementation
Audit logging is implemented across multiple systems, capturing authentication events, application activity, and operational data:
- Authentication logs: Supabase Auth records all login events, failed attempts, and session activity with timestamps, user IDs, and IP addresses
- Application monitoring: PostHog tracks user interactions, feature usage events, and application errors
- Background job logs: Trigger.dev maintains execution logs for all background tasks and workflows
- Deployment logs: Vercel and GitHub Actions maintain CI/CD pipeline execution history
Logs include who performed the action, when it occurred, what was done, and the source IP where available.
Gaps / Planned improvements:
- No centralised log aggregation across all software tools (NEX-354)
- Log retention follows provider defaults (7–90 days) — 6-month retention target not yet met (NEX-370)
- No formal log review process established (NEX-370)
Evidence
Status: Partially Implemented | Maturity: L2 — Repeatable