Audit logs
An audit log that survives its own audit
A mutable log is a comfort, not a guarantee. We chain every event to the previous one with a SHA-256 hash, so altering a single record breaks every record after it. A verifier you can run yourself confirms the chain in O(n). Tampering is no longer a thing you have to detect — it is a self-evident, mathematically demonstrable fact.
Executive summary
Every action — login, seal, role change, document access — is recorded with a SHA-256 hash linking it to the previous event. Verification walks the chain in O(n) time. Customers can export the chain and run the verifier themselves; integrity is independent of our infrastructure.
On top of the chain we layer 7 prebuilt compliance reports, JSON and CSV export, draft → approved → immutable workflow, and per-organization retention policies. Reports lock their content hash on approval; later edits create new versions, never silent revisions.
Our commitments
Five rules for the audit log
Tampering is mathematically detectable
Modifying one event in the middle of history requires recomputing every event after it. The verifier returns the exact sequence number where divergence occurs.
The verifier is open code, not a trust statement
Chain integrity is checked by a deterministic Elixir function whose source is in this repository. Run it yourself against an exported chain.
Approved reports are immutable
Compliance reports go through draft → approved. Once approved, the report's content hash is signed and cannot be silently edited.
Every event has actor, action, time, and source
No 'system' actors without explicit cause. No 'automated' without the worker module name. Attribution is non-optional.
Retention is your decision, not ours
Each org sets its own retention policy. Default is 'keep forever' — sealing creates a professional record we treat as such.
Implementation — the chain
How the chain is built and verified
Implementation — reports
Seven prebuilt reports for your auditor
The full picture
What is built, what is being built, and what we chose not to build
Live today
SHA-256 hash chain
LivePure-Elixir verifier; O(n) over the org's event log.
Per-event metadata: actor, IP, UA, target, before/after state
LiveNo silent system actors. Every event traces to a who and a why.
Audit log export (JSON + CSV)
LiveSelf-service export for your SIEM or auditor; includes the chain hashes for independent verification.
Seven prebuilt compliance reports
LiveActivity summary, access audit, lifecycle, credentials, incidents, retention, integrity.
Draft → approved → immutable report workflow
LiveApproved reports lock their content hash; later edits create new versions, never silent revisions.
Per-organization retention policies
LiveConfigurable per-event-type retention; auto-archive on schedule; never auto-delete below policy minimum.
Building now
Periodic chain anchoring to an external TSA
Building nowDaily snapshot of the chain head signed by an RFC 3161 TSA. Anchors the chain to a third-party clock so we cannot rewrite history even if we wanted to.
Same TSA pipeline as document seals; reuses verified infrastructure.
SIEM streaming via signed webhooks
Building nowReal-time event push to Splunk, Datadog, Sumo. HMAC-signed, replay-protected.
Field-level encryption for sensitive event metadata
Building nowHigh-sensitivity payloads in audit events get a second AES-256-GCM wrap so partial database read does not leak them.
Roadmap
Custom report builder
RoadmapOrg admins define their own report shapes alongside the prebuilt seven. Same draft → approved → immutable lifecycle.
Cross-organization log federation
RoadmapEnterprise customers with multiple EngineeringID orgs get a federated view across them, with per-org access controls preserved.
Continuous compliance dashboards
RoadmapReal-time dashboards mapped to specific control IDs (SOC 2 / ISO / HIPAA) showing live evidence collection per control.
Considered & rejected
Blockchain-anchored audit log
Considered & rejectedA chained SHA-256 plus a periodic TSA anchor gives the same tamper-evidence at zero per-write cost.
Why we rejected it: blockchain optimizes for "no trusted third party exists." We have public TSAs that already provide the trust property — at a fraction of the latency and at zero per-write cost. RFC 3161 is the eIDAS / 21 CFR Part 11 / common-law-evidence answer to "prove this was unmodified at this time."
Append-only file-based logs without a chain
Considered & rejectedAppend-only filesystems are append-only until they are not.
Why we rejected it: filesystem-level append-only is a property of one storage system. A SHA-256 hash chain is a mathematical property of the data, independent of the storage system. We use the latter; storage hardening is defense in depth on top.
Compressing duplicate events
Considered & rejectedA '10x clicked the same button' rollup looks tidier and obscures attack signal.
Why we rejected it: failed-MFA events especially must be recorded individually. Aggregation is what the report layer does — it does not rewrite the underlying log. The log is dense on purpose.
Skipping the chain in dev environments to save cycles
Considered & rejectedCode that runs differently in dev than in prod is the source of every 'it worked locally' production incident.
Why we rejected it: the chain runs everywhere. The performance argument was "save 50ms across an entire test suite," and the risk was "production-only code paths." Hard no.
Compliance mappings
Controls this surface satisfies
Anomaly Detection
Hash-chained event log with first-divergence reporting
Evaluation of Security Events
Seven prebuilt reports map directly to evaluation evidence
Event logging
Per-event actor, action, time, source — chained for integrity
Administrator and operator logs
Privileged actions are first-class events with full payload
Audit Controls
Hardware, software, and procedural mechanisms to record activity
Audit trail — secure, computer-generated
Tamper-evident chain with attribution; export retains integrity
Records of processing activities
Per-record processing log; retention configurable per data category
Internal control over financial reporting
Tamper-evident change records for financially significant operations
For compliance teams
Questions you do not need to call to ask
Can an EngineeringID employee modify the audit log?
Can we run the verifier ourselves against an exported log?
What's the smallest tamper that produces a detection?
Credo.Enterprise.Audit.AuditChain.compute_record_hash/7
for the exact field set. The chain treats those fields byte-for-byte; cosmetic changes elsewhere (resource_name, metadata) are recorded but not yet part of the chained hash — that v2 surface is on the roadmap.
What's the retention default and can we change it?
Are reports themselves tamper-evident?
Do you support real-time SIEM ingestion?
What's covered in 'access audit' reports?
An audit log your auditor can run themselves
Export the chain, run the verifier, see the result. No trust required, only math.