ADM-004 (Recommended): Admin Panel Security

Audit trail for admin requests

Admin actions (especially destructive ones) are logged with who, what, when, and affected resource. Recent history is queryable.

Question to ask

"When was the last time you audited what your admins actually did?"

What to check

  • Find audit log implementation
  • Check for admin middleware logging
  • Verify what fields are captured

Verification guide

Severity: Recommended

Check automatically:

  1. Find audit logging:

     # Look for audit log implementation
     grep -riE "audit.?log|action.?log|activity.?log" --include="*.ts" --include="*.js" . | head -10

     # Find audit trail table/model
     grep -riE "model.*audit|table.*audit|AuditLog|ActivityLog" --include="*.prisma" --include="*.ts" --include="*.sql" . | head -10

  2. Check for admin middleware logging:

     # Look for admin action middleware
     grep -riE "middleware.*(admin|audit)|admin.*(middleware|interceptor)" --include="*.ts" --include="*.js" . | head -10

     # Find action recording on mutations
     grep -riE "log.*(create|update|delete)|record.*(action|change)" --include="*.ts" --include="*.js" . | head -10

  3. Check what's being logged:

     # Look for audit log fields
     grep -riE "userId|action|resource|timestamp|before|after|changes" --include="*.ts" --include="*.js" . | grep -iE "audit|log" | head -10

Cross-reference with:

  • MON-005 (log retention policies)

Ask user:

  • Are admin actions logged? (user edits, deletions, permission changes)
  • Can you see what an admin did recently?
  • How long is the audit trail retained?
  • Can you reconstruct what happened if there's an incident?

Pass criteria:

  • Admin actions (especially destructive ones) are logged
  • Logs include: who, what, when, and affected resource
  • At least recent history is queryable (last 30 days minimum)
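The shape the pass criteria describe, as an added example (not code from any audited project): every admin mutation is wrapped so an entry with who, what, when, the affected resource and a before/after snapshot is written as part of the operation, and recent history is queryable by time window, actor or resource. The in-memory store, the `audited` wrapper and the sample users are assumptions for illustration; a real implementation would persist entries in an append-only table.

```typescript
// Added example (not the project's code): minimal admin audit trail capturing
// who, what, when and which resource, with queryable recent history.
type AuditEntry = {
  actorId: string;        // who performed the action
  action: string;         // what was done, e.g. "user.delete" or "user.role.update"
  resourceType: string;   // kind of affected resource
  resourceId: string;     // id of affected resource
  at: Date;               // when it happened
  before?: unknown;       // state before the mutation, so changes can be reconstructed
  after?: unknown;        // state after the mutation
};

class AuditLog {
  private entries: AuditEntry[] = [];
  record(entry: AuditEntry): void { this.entries.push(entry); }
  // Recent history must be queryable: default window is the last 30 days, with
  // optional actor/resource filters. `now` is injectable for deterministic tests.
  query(opts: { sinceDays?: number; actorId?: string; resourceId?: string; now?: Date } = {}): AuditEntry[] {
    const now = opts.now ?? new Date();
    const cutoff = now.getTime() - (opts.sinceDays ?? 30) * 86_400_000;
    return this.entries.filter(e =>
      e.at.getTime() >= cutoff &&
      (opts.actorId === undefined || e.actorId === opts.actorId) &&
      (opts.resourceId === undefined || e.resourceId === opts.resourceId));
  }
}

// Wraps an admin mutation so the audit entry is written as part of the same operation:
// `load` snapshots the current state (the "before"), `mutate` applies the change.
function audited<T>(
  log: AuditLog, actorId: string, action: string, resourceType: string, resourceId: string,
  load: () => T | undefined, mutate: () => T | undefined, at: Date = new Date(),
): T | undefined {
  const before = load();
  const after = mutate();
  log.record({ actorId, action, resourceType, resourceId, at, before, after });
  return after;
}

// Constructed sample (hypothetical data): an admin changes a role, then deletes the user.
function demo(): AuditLog {
  const log = new AuditLog();
  const users = new Map<string, { email: string; role: string }>();
  users.set("u42", { email: "someone@example.com", role: "user" });
  audited(log, "admin-7", "user.role.update", "user", "u42",
    () => ({ ...users.get("u42")! }),
    () => { users.get("u42")!.role = "editor"; return { ...users.get("u42")! }; });
  audited(log, "admin-7", "user.delete", "user", "u42",
    () => ({ ...users.get("u42")! }), () => { users.delete("u42"); return undefined; });
  return log;
}
```

Calling `demo().query({ actorId: "admin-7" })` answers the "what did this admin do recently?" question directly; an entry whose `before` and `after` differ is what lets you reconstruct a change after an incident.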

Fail criteria:

  • No logging of admin actions
  • Can't determine what an admin changed or when
  • Only login logging, no action logging

Evidence to capture:

  • Audit logging implementation (if any)
  • What actions are logged (all mutations? only destructive?)
  • Retention period
  • How to query audit trail

Section: 15. Admin Features (Admin & Management)