Nsasoft has shipped NSAuditor AI Enterprise 0.31.7, a patch focused on the single most dangerous thing a compliance scanner can do: hand back a green verdict over a database that is producing no audit logs at all. It pairs with Community Edition nsauditor-ai@0.2.21 (MIT) and agent-skill 0.2.19.
The silent failure
Audit logging is the control every framework leans on to reconstruct what happened during an incident. When it quietly stops working, a scanner that still reports “compliant” is worse than useless — it certifies a gap. EE 0.31.7 targets that failure on the AWS RDS surface, where it is easy to miss and easy to get wrong.
Generation and retention are different failures
A log can fail to be generated — never produced or shipped — or fail to be retained long enough. They map to different controls, and conflating them is how subtle false cleans happen. In 0.31.7, an RDS region with CloudWatch Logs audit exports disabled (no exports, no log groups, partial exports missing an essential type, or an unsupported engine) now fails closed against the full generation set: SOC 2 CC7.2, HIPAA §164.312(b), PCI DSS 10.2.1, CIS Controls v8 8.2 and 8.5, NIST CSF PR.PS-04, and ISO 27001 A.8.15. Before this, the finding reached only SOC 2 and HIPAA, leaving four of seven frameworks reading clean over a database emitting nothing.
The pgAudit trap
PostgreSQL’s pgAudit has a famously deceptive failure mode: set pgaudit.log but forget to add the extension to shared_preload_libraries, and the database loads cleanly while silently logging nothing. That misconfigured state — along with pgAudit disabled or its parameter group unreadable — now fails closed against the same generation family (plus NIST CSF DE.CM-09). The fix also closed a worse defect: the misconfigured case had previously routed to no controls at all.
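The fail-closed decision described above, as an added example (not NSAuditor AI's own code). It assumes the parameter group has already been read into a dict of parameter names to values, or `None` when it could not be read; the function names and state names are hypothetical.

```python
# Added illustration, not NSAuditor AI code. Function and state names are
# hypothetical; control IDs are the ones listed in the release note.
GENERATION_CONTROLS = [
    "SOC 2 CC7.2", "HIPAA §164.312(b)", "PCI DSS 10.2.1",
    "CIS Controls v8 8.2", "CIS Controls v8 8.5",
    "NIST CSF PR.PS-04", "ISO 27001 A.8.15", "NIST CSF DE.CM-09",
]

def _csv(value):
    """Split a comma-separated parameter value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def classify_pgaudit(params):
    """params: {name: value} from the parameter group, or None if unreadable."""
    if params is None:
        return "unreadable"
    # Classes prefixed with "-" subtract from the set; "none" logs nothing.
    wanted = {c for c in _csv(params.get("pgaudit.log"))
              if c != "none" and not c.startswith("-")}
    if not wanted:
        return "disabled"
    if "pgaudit" not in _csv(params.get("shared_preload_libraries")):
        return "misconfigured"  # pgaudit.log set, library never preloaded
    return "enabled"

def evaluate(params):
    """Fail closed: every state except 'enabled' fails the generation family."""
    state = classify_pgaudit(params)
    failed = [] if state == "enabled" else list(GENERATION_CONTROLS)
    return {"state": state, "failed_controls": failed}

# Constructed sample parameter groups (not real output).
SAMPLES = {
    "trap": {"shared_preload_libraries": "pg_stat_statements",
             "pgaudit.log": "ddl,write"},
    "ok": {"shared_preload_libraries": "pg_stat_statements, pgaudit",
           "pgaudit.log": "all,-misc"},
    "off": {"shared_preload_libraries": "pgaudit", "pgaudit.log": "none"},
    "unreadable": None,
}

if __name__ == "__main__":
    for name, params in SAMPLES.items():
        result = evaluate(params)
        print(f"{name:10} {result['state']:13} fails {len(result['failed_controls'])} controls")
```

The point of the structure is that only one state returns an empty failure list, so a new or unexpected state cannot fall through to a clean verdict.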
Retention substrate and the first positive evidence
PCI DSS 10.5.1 asks for twelve months of audit-log history. Because logs are routinely archived to S3 or Glacier where a scanner cannot see them, 0.31.7 surfaces the twelve-month dimension as conservative, non-flipping substrate — an honest partial that never false-fails a shop archiving correctly. The release also introduces the first positive-substrate evidence in the per-control Report on Compliance: an opt-in, display-only PASS-tier finding surfaced under its control as proof a control is operating — never a violation, never affecting status, never altering the coverage matrix.
What is unchanged
This is a patch: no new framework, plugin count unchanged at 28, all seven coverage matrices unchanged, and read-only (zero data exfiltration) enforcement holds fleet-wide. Upgrade in place with no configuration change. More at nsauditor.com/ai/enterprise.




