HighPR-scope Plug & play

Emit tamper-evident audit logs with required fields

Every security-relevant action must append to an immutable, append-only audit log with fields: timestamp (UTC ISO8601), actor.user_id, actor.role, action, resource.id, result, trace_id, ip, user_agent. Logs must be signed or stored in WORM/immutable storage and forwarded to a SIEM.

Add to Mesrai Open workspace

Why this matters

SOC 2 requires auditability and tamper evidence; consistent fields enable investigations and access reviews.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

{ "event": "changed_settings" }

Prefer

{ "ts":"2025-08-28T18:30:00Z","actor":{"user_id":"u_123","role":"admin"},"action":"settings.update","resource":{"id":"org_9"},"result":"success","trace_id":"7f7c...","ip":"203.0.113.10","user_agent":"Chrome/139" }

More snippets

Good

{"action":"user.login","trace_id":"abc","result":"failure"}

Bad

{"action":"user.login"}

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Emit tamper-evident audit logs with required fields

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

{ "event": "changed_settings" }

Prefer

{ "ts":"2025-08-28T18:30:00Z","actor":{"user_id":"u_123","role":"admin"},"action":"settings.update","resource":{"id":"org_9"},"result":"success","trace_id":"7f7c...","ip":"203.0.113.10","user_agent":"Chrome/139" }

More snippets

Good

{"action":"user.login","trace_id":"abc","result":"failure"}

Bad

{"action":"user.login"}

Related rules

From the same buckets as this rule.

Critical

Encrypt sensitive data at rest with KMS and rotate keys

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

compliance-soc2-essentialssecrets-credentials+1

Critical

Enforce TLS 1.2+ and HSTS on all external endpoints

Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.

compliance-soc2-essentialssecurity-hardening+1

Critical

Use a secrets manager and 90-day rotation policy

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

compliance-soc2-essentialssecrets-credentials+1