Audit & compliance
The audit log only earns its keep when it produces evidence. This page is the operational discipline that
turns tamper-evidence into something you can hand an auditor.
Verify the chain on a schedule
Tamper-evidence is only useful if you actually check it. Verify the chain regularly and alert on a break:
# scheduled (e.g. hourly) — fails loudly if a row was altered/deleted out of band
php artisan iam:audit:verify --stream=global
// app/Console/Kernel.php
$schedule->command('iam:audit:verify')->hourly();
$schedule->command('iam:audit:checkpoint')->daily(); // seal streams → cheaper verification
A break (AuditVerificationResult reports the position) means out-of-band tampering — treat it as a
security incident, not a data-quality issue.
Export to your SIEM
Stream events to your security tooling for retention and correlation:
php artisan iam:audit:export --stream=global
Pair with webhooks for real-time delivery; the transactional outbox makes
delivery at-least-once and crash-safe. The SIEM is your long-term, queryable record; the chain is the proof
it wasn’t altered.
GDPR erasure without breaking proof
Deleting rows to satisfy an erasure request breaks the hash-chain for every later event. Use
crypto-shredding: destroy the per-scope key so the PII is unrecoverable while the row (and the chain)
stays intact and verifiable.
- Crypto-shred the subject’s PII key on an erasure request — the event still verifies, the data is gone.
- Legal hold exempts records from shredding until released; apply it before shredding when litigation or
a regulatory hold applies. - Configure IP retention with
audit.ip_mode.
Produce access-review evidence
An auditor asks “who reviewed this access, when, and what did they decide?”. Access
reviews answer exactly that:
- Run a campaign per scope on a schedule (quarterly is common).
- Attach signals — least-privilege and SoD findings give reviewers context.
- Certify/revoke every item — each decision is a dated, audited record.
- Close the campaign — the frozen snapshot + decisions are your evidence.
- Export the audit slice for the campaign to your evidence store.
A compliance checklist
| Control | Mechanism |
|---|---|
| Tamper-evidence | hash-chain + scheduled iam:audit:verify |
| Immutable retention | SIEM export + checkpoints |
| Right to erasure | crypto-shredding (not deletion) + legal hold |
| Access certification | access-review campaigns |
| Least-privilege | recommender + iam:least-privilege:scan |
| Separation of duties | SoD toxic combinations |
| Strong auth for sensitive ops | AAL step-up |
The goal is that “is the audit intact?” is answered by a green scheduled job, not a manual scramble during
an audit. Wire iam:audit:verify into your monitoring and alert on non-zero exit.
Next
- Tamper-evident audit — how the chain works.
- Least-privilege & SoD — the signals you certify against.
- CLI reference — the audit/review commands.