To ensure the proper operation and security of GitLab.com, GitLab logs critical information system activity.
The audit logging policy applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
Roles & Responsibilities:
Policy definition and oversight
Definition of individual audit log criteria; Definition and execution of system audit log procedures
GitLab shall log and monitor critical information system activity.
Logs must be retained for a defined period of time.
Logs must not be modified and or deleted.
Access to audit log data must be limited based on the principle of least privilege.
Inline with GitLab's Audit Logging Control Guidance
System Owners are responsible for determining what constitutes "critical information system activity" in their respective system based on their experience and professional judgement; such activity is then documented either in the handbook or a runbook, whichever is found to be appropriate. Audit logging process must created and implemented by the department(s) or team(s) responsible for a given system.