CME-1006

Privilege Change Audit Logging

Description

Application-level audit trail that records every modification to user roles, permissions, and authorization policies. Each log entry captures the actor (who made the change), the target (whose privileges changed), the before and after state (e.g., role viewer to admin), the timestamp, and the request context (IP, session, endpoint). Logs authorization decision denials with sufficient context to identify privilege escalation attempts. Distinct from OS-level audit (CME-1002) in that it operates within the application's authorization domain and captures semantically meaningful privilege transitions invisible to syscall-level logging. Enables real-time alerting on anomalous patterns such as self-promotion, bulk role changes, or privilege changes from unexpected sources.
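A worked illustration of the record shape and the alerting rules described above, added here as example code (it is not from this catalog entry or from any particular application). The role ranking, the `/admin/users/role` endpoint, the bulk threshold and the sample events are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Assumed for this example: role ordering, the one endpoint meant to change roles,
# and the thresholds that define a "bulk" change.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}
ROLE_ENDPOINTS = {"/admin/users/role"}
BULK_THRESHOLD, WINDOW = 5, timedelta(seconds=60)

@dataclass
class PrivilegeChange:
    actor: str; target: str                 # who made the change / whose privileges changed
    old_role: str; new_role: str            # before / after state
    timestamp: str                          # ISO 8601, UTC
    ip: str; session: str; endpoint: str    # request context
    outcome: str                            # "allowed" or "denied" (denials are logged too)
    def json_line(self):                    # one JSON object per line for the log sink
        return json.dumps(asdict(self), sort_keys=True)

def detect_anomalies(entries):
    """Return (reason, record) pairs for the patterns named in the description."""
    hits, recent = [], {}
    for e in entries:
        elevated = ROLE_RANK[e.new_role] > ROLE_RANK[e.old_role]
        if e.outcome == "denied":
            if elevated:
                hits.append(("denied_escalation_attempt", e))
            continue
        if e.actor == e.target and elevated:
            hits.append(("self_promotion", e))
        if e.endpoint not in ROLE_ENDPOINTS:
            hits.append(("unexpected_source", e))
        t = datetime.fromisoformat(e.timestamp)             # per-actor sliding window
        window = [x for x in recent.get(e.actor, []) if t - x <= WINDOW] + [t]
        recent[e.actor] = window
        if len(window) > BULK_THRESHOLD:
            hits.append(("bulk_role_change", e))
    return hits

# Constructed sample events (not real data): a legitimate change, a self-promotion,
# a denied escalation attempt, and a change submitted via an unexpected endpoint.
SAMPLE = [
    PrivilegeChange("alice", "bob", "viewer", "editor", "2024-05-01T10:00:00+00:00",
                    "10.0.0.5", "s1", "/admin/users/role", "allowed"),
    PrivilegeChange("bob", "bob", "editor", "admin", "2024-05-01T10:00:05+00:00",
                    "10.0.0.9", "s2", "/admin/users/role", "allowed"),
    PrivilegeChange("carol", "carol", "viewer", "admin", "2024-05-01T10:00:07+00:00",
                    "203.0.113.7", "s3", "/admin/users/role", "denied"),
    PrivilegeChange("alice", "dave", "viewer", "admin", "2024-05-01T10:00:09+00:00",
                    "10.0.0.5", "s1", "/api/profile", "allowed"),
]
```

Running `detect_anomalies(SAMPLE)` flags the second, third and fourth events; a sixth change by the same actor inside the 60-second window would additionally raise `bulk_role_change`.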

CVSS Vector Impacts

Metric                  Transition  Rationale
Attack Complexity (AC)  L -> H      Privilege escalation actions are recorded with full actor/target/change context in an application-level audit trail; the attacker must escalate privileges AND act before the logged privilege change triggers alerting or review, significantly narrowing the exploitation window.

CWE Relationships

Verification

Inspect the application source for audit logging on role/permission change operations; verify that log entries are generated on privilege modifications.

$ grep -rn 'audit_log\|AuditLog\|log.*role.*change\|log.*permission\|ActivityLog\|SecurityEvent' <app_source>/
# Expected: Audit logging calls present in role/permission modification handlers
Platform: any
$ grep -rn 'before.*after\|old_role.*new_role\|previous.*current\|from_state.*to_state' <app_source>/
# Expected: Before/after state capture in privilege change logging
Platform: any