Compliance and Audit Reporting

Security audit logs serve critical compliance functions, providing evidence that security controls operate and that incidents are detected and handled. Automated reporting reduces manual effort while producing consistent, repeatable compliance documentation. A report is only as trustworthy as the logs it summarizes, so understanding the compliance requirements up front helps design a logging strategy whose retention, integrity and coverage actually satisfy the regulatory obligations rather than merely describing them.

Generate Windows compliance reports:

# PCI DSS compliance report generator. Requirement numbers follow PCI DSS
# v3.2.1 (v4.0 renumbers them). Needs read access to the Security log, i.e.
# an elevated session or membership in Event Log Readers.
function New-PCIDSSReport {
    param(
        [DateTime]$StartDate = (Get-Date).AddDays(-30),
        [DateTime]$EndDate = (Get-Date),
        [int]$LockoutThreshold = 6   # v3.2.1 requires lockout after no more than six attempts
    )

    $Report = [ordered]@{
        'Generated' = Get-Date
        'Period' = "$StartDate to $EndDate"
        'Requirements' = @{}
    }

    # Requirement 8.1.6 - Limit repeated access attempts.
    # Accounts with more failed logons (4625) than the threshold are listed.
    # Properties[5] of 4625 is TargetUserName. A high count alone does not
    # prove lockout is broken: compare against the 4740 (lockout) events
    # collected under 10.2.5 to confirm the control actually fired.
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an
    # empty result, when no events match the filter.
    $Report.Requirements['8.1.6'] = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ID=4625
        StartTime=$StartDate
        EndTime=$EndDate
    } -ErrorAction SilentlyContinue |
        Group-Object {$_.Properties[5].Value} |
        Where-Object {$_.Count -gt $LockoutThreshold} |
        Select-Object @{n='Account';e={$_.Name}}, Count

    # Requirement 10.2.2 - All actions taken by individuals with root or administrative privileges.
    # 4672 (special privileges assigned to new logon) shows who obtained admin
    # rights, not what they did; Properties[1] is SubjectUserName. Pair it with
    # process creation (4688) or PowerShell script block logging for the actions.
    $Report.Requirements['10.2.2'] = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ID=4672
        StartTime=$StartDate
        EndTime=$EndDate
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}

    # Requirement 10.2.5 - Use of and changes to identification and authentication mechanisms.
    # 4720 user created, 4722 enabled, 4724 password reset, 4738 account changed, 4740 locked out.
    $Report.Requirements['10.2.5'] = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ID=4720,4722,4724,4738,4740
        StartTime=$StartDate
        EndTime=$EndDate
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    $OutFile = "PCI-DSS-Report-$(Get-Date -Format yyyyMMdd).json"
    $Report | ConvertTo-Json -Depth 5 | Out-File $OutFile
    Write-Output "Report written to $OutFile"
}

Linux compliance reporting with audit tools:

#!/bin/bash
# HIPAA Security Rule audit report generator.
# auditctl and aureport read the kernel audit subsystem, so run as root.
# Section numbers are from 45 CFR Part 164 Subpart C (the Security Rule).

if [ "$(id -u)" -ne 0 ]; then
    echo "Run as root: auditctl and aureport need audit access" >&2
    exit 1
fi

REPORT_DATE=$(date +%Y%m%d)
REPORT_FILE="HIPAA_Audit_Report_${REPORT_DATE}.html"

# Anything taken from audit data (account names, hostnames) is attacker-
# influenced, since anyone can attempt a logon as any string. Escape it before
# it lands in a page that someone will open in a browser.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

cat > "$REPORT_FILE" << EOF
<!DOCTYPE html>
<html>
<head>
    <title>HIPAA Security Audit Report - $REPORT_DATE</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        table { border-collapse: collapse; width: 100%; margin-top: 10px; }
        th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
        th { background-color: #4CAF50; color: white; }
        .pass { color: green; }
        .fail { color: red; }
    </style>
</head>
<body>
    <h1>HIPAA Security Audit Report</h1>
    <p>Generated: $(date)</p>

    <h2>Safeguard Checks (§164.308 administrative, §164.312 technical)</h2>
    <table>
        <tr><th>Check</th><th>Safeguard</th><th>Result</th><th>Details</th></tr>
EOF

# Information system activity review - §164.308(a)(1)(ii)(D).
# Assumes each access review appends to this log, so its mtime is the date of
# the last review. The 90-day interval is organisational policy; the rule
# itself sets no number.
echo "<tr><td>User Access Reviews</td><td>§164.308(a)(1)(ii)(D)</td>" >> "$REPORT_FILE"
if [ -f /var/log/user_access_review.log ]; then
    LAST_REVIEW=$(stat -c %y /var/log/user_access_review.log | cut -d' ' -f1)
    DAYS_AGO=$(( ($(date +%s) - $(date -d "$LAST_REVIEW" +%s)) / 86400 ))
    if [ "$DAYS_AGO" -lt 90 ]; then
        echo "<td class='pass'>PASS</td><td>Last review: $LAST_REVIEW ($DAYS_AGO days ago)</td></tr>" >> "$REPORT_FILE"
    else
        echo "<td class='fail'>FAIL</td><td>Last review: $LAST_REVIEW ($DAYS_AGO days ago) - exceeds 90 days</td></tr>" >> "$REPORT_FILE"
    fi
else
    echo "<td class='fail'>FAIL</td><td>No access review log found</td></tr>" >> "$REPORT_FILE"
fi

# Password management - §164.308(a)(5)(ii)(D).
# Reads an explicit, uncommented "minlen = N" (spaces optional) from
# pwquality.conf. The 8-character floor is organisational policy, not a figure
# from the rule.
echo "<tr><td>Password Policy</td><td>§164.308(a)(5)(ii)(D)</td>" >> "$REPORT_FILE"
MIN_LEN=$(sed -n 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    /etc/security/pwquality.conf 2>/dev/null | tail -n 1)
if [ -n "$MIN_LEN" ] && [ "$MIN_LEN" -ge 8 ]; then
    echo "<td class='pass'>PASS</td><td>Minimum length: $MIN_LEN characters</td></tr>" >> "$REPORT_FILE"
else
    echo "<td class='fail'>FAIL</td><td>minlen not set to 8 or more in /etc/security/pwquality.conf</td></tr>" >> "$REPORT_FILE"
fi

# Audit controls - §164.312(b).
# auditctl -l prints "No rules" when the rule set is empty; exclude that line
# so the count is real. With zero rules only userspace records (logins, PAM,
# service events) are captured, so a count of 0 deserves a closer look even
# though the daemon is running.
echo "<tr><td>Audit Logging</td><td>§164.312(b)</td>" >> "$REPORT_FILE"
if systemctl is-active auditd >/dev/null 2>&1; then
    AUDIT_RULES=$(auditctl -l 2>/dev/null | grep -vc '^No rules')
    echo "<td class='pass'>PASS</td><td>Audit daemon active with $AUDIT_RULES rules</td></tr>" >> "$REPORT_FILE"
else
    echo "<td class='fail'>FAIL</td><td>Audit daemon not running</td></tr>" >> "$REPORT_FILE"
fi

echo "</table>" >> "$REPORT_FILE"

# Authentication summary - §164.312(d) person or entity authentication.
echo "<h2>§164.312(d) - Person or Entity Authentication: Authentication Summary</h2>" >> "$REPORT_FILE"
echo "<pre>" >> "$REPORT_FILE"
aureport -au --summary | html_escape >> "$REPORT_FILE"
echo "</pre>" >> "$REPORT_FILE"

# Failed login attempts - §164.308(a)(5)(ii)(C) log-in monitoring.
echo "<h2>§164.308(a)(5)(ii)(C) - Log-in Monitoring: Failed Access Attempts</h2>" >> "$REPORT_FILE"
echo "<pre>" >> "$REPORT_FILE"
aureport -au --failed --summary | head -n 20 | html_escape >> "$REPORT_FILE"
echo "</pre>" >> "$REPORT_FILE"

cat >> "$REPORT_FILE" << EOF
</body>
</html>
EOF

echo "Report generated: $REPORT_FILE"
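The Linux report above hands the failed-authentication summary to aureport; the Windows report counts 4625 events per account for requirement 8.1.6. The following is an added example, not code from the original page, that does the same per-account counting on Linux directly over raw auditd USER_AUTH records, the lines aureport summarises, and renders the accounts over the threshold as HTML table rows. The audit records it runs on are constructed (the account names, PID, host and timestamps are made up, in the standard auditd record layout), one of them with a hostile account name, to show why the account field must be HTML-escaped before it reaches a report: the string in `acct=` is whatever the remote party typed at the login prompt.

```bash
#!/bin/bash
# Added example: Linux counterpart of the Windows 8.1.6 check. Counts failed
# PAM authentications per account from raw auditd USER_AUTH records and renders
# the offenders as escaped HTML rows. All records here are constructed.

# Emit $3 constructed USER_AUTH records for account $1 with result $2
# (sample data, not captured from a real system).
audit_record() {
    local acct="$1" res="$2" n="$3" i=1
    while [ "$i" -le "$n" ]; do
        printf "type=USER_AUTH msg=audit(1700000000.%03d:%d): pid=3101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=\"%s\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=%s'\n" \
            "$i" "$((200 + i))" "$acct" "$res"
        i=$((i + 1))
    done
}

# Constructed audit.log excerpt: one account well over the limit, one under,
# one success (never counted), and one hostile account name.
sample_audit_log() {
    audit_record alice failed 7
    audit_record bob failed 3
    audit_record bob success 1
    audit_record '<b>svc</b>' failed 9
}

# Read raw audit records on stdin; print "count<TAB>account" for every account
# whose failed USER_AUTH count exceeds $1 (default 6, the PCI DSS v3.2.1 limit),
# highest first. auditd hex-encodes account names containing spaces, quotes or
# control characters; those show up here as the unquoted hex string, still
# counted but not decoded.
failed_auth_over_threshold() {
    local threshold="${1:-6}"
    awk -v t="$threshold" '
        /^type=USER_AUTH / && /res=failed/ {
            if (match($0, /acct=("[^"]*"|[^ ]*)/)) {
                a = substr($0, RSTART + 5, RLENGTH - 5)   # drop the acct= prefix
                gsub(/"/, "", a)                           # and the quotes
                n[a]++
            }
        }
        END { for (a in n) if (n[a] > t) printf "%d\t%s\n", n[a], a }
    ' | sort -rn
}

# Escape the four characters that matter inside HTML text and attributes.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Same summary as HTML table rows. The account name is attacker-supplied, so it
# goes through html_escape; the count is produced by awk and needs none.
failed_auth_rows() {
    failed_auth_over_threshold "$1" | while read -r count acct; do
        printf '<tr><td>%s</td><td>%s</td></tr>\n' \
            "$(printf '%s' "$acct" | html_escape)" "$count"
    done
}

echo "Accounts exceeding 6 failed authentications (constructed sample):"
sample_audit_log | failed_auth_over_threshold 6
echo "Same result as escaped HTML rows:"
sample_audit_log | failed_auth_rows 6
```

To use it against a live system, replace `sample_audit_log` with `cat /var/log/audit/audit.log` (or `ausearch -m USER_AUTH --raw`), running as root. The awk filter looks only at USER_AUTH; a fuller picture of failed access also takes in USER_LOGIN records, which is what `aureport -au --failed` already aggregates.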

By implementing comprehensive security auditing and log analysis, organizations gain visibility into their security posture while meeting compliance requirements. The next chapter explores data encryption implementation across operating systems.

## Data Encryption Implementation Guide

Data encryption serves as the last line of defense when other security controls fail, protecting sensitive information from unauthorized access even when systems are compromised. Modern operating systems provide encryption capabilities ranging from full disk encryption to granular file-level protection. This chapter explores encryption technologies, implementation strategies, and best practices for both Windows and Linux environments, enabling administrators to protect data at rest and in transit effectively.