NSAuditor AI EE 0.31.7 Closes the Zero-Audit-Log False-Clean on AWS RDS — and Adds the First Positive Evidence to the Report on Compliance
EE 0.31.7 routes RDS audit-log collection failures to every framework’s generation control, adds a PCI 10.5.1 retention substrate, and surfaces the first positive evidence in the per-control report.
Nsasoft has released NSAuditor AI Enterprise 0.31.7, a patch that closes one of the most deceptive failures a compliance scanner can have: a database that reports “audit logging: compliant” while producing no audit logs at all. The release pairs with Community Edition nsauditor-ai@0.2.21 (MIT) and agent-skill 0.2.19.
Two ways a verdict can be wrong
A compliance verdict can flag something that is fine — a false positive that wastes an analyst’s afternoon — or it can stay silent over something that is broken. The second kind ships a “you’re compliant” verdict over a live gap, and it is most dangerous on the audit log itself, the control every framework leans on to reconstruct what happened. EE 0.31.7 is a release about that second kind, on the AWS RDS audit-logging surface.
Generation versus retention
Audit logging fails in two fundamentally different ways. A log can fail to be generated — the database is not producing or shipping audit records at all — or it can fail to be retained long enough. Conflating the two is how scanners produce subtle false cleans, so 0.31.7 routes each to its correct control family.
When an RDS region has its CloudWatch Logs audit exports disabled (no exports, no log groups, partial exports missing an essential log type, or an engine that does not support the export), the finding now fails closed against the full generation control set: SOC 2 CC7.2, HIPAA §164.312(b), PCI DSS 10.2.1, CIS Controls v8 8.2 and 8.5, NIST CSF PR.PS-04, and ISO 27001 A.8.15. Previously it routed only to SOC 2 and HIPAA, so four of the seven frameworks read clean over a database emitting nothing. The routing was verified exact against the live compliance engine, and it deliberately does not touch the retention controls — an absent log is a generation problem, not a duration one.
The PostgreSQL trap
pgAudit has a uniquely deceptive failure mode: an operator sets pgaudit.log, believes auditing is on, but never adds the extension to shared_preload_libraries — so PostgreSQL loads cleanly and silently produces no audit logs. That misconfigured case, together with the plainer cases of pgAudit disabled outright or its parameter group unreadable, now fails closed against the same generation family (plus NIST CSF DE.CM-09). Closing it also fixed a worse pre-existing defect found during development: the misconfigured posture — the configuration most likely to fool a human reviewer — had been routing to no controls at all.
A conservative step toward the twelve-month bar
PCI DSS Requirement 10.5.1 asks for twelve months of audit-log history with the most recent three months immediately available. A scanner reading an instance’s CloudWatch retention cannot see logs archived to S3 or Glacier, so EE 0.31.7 adds the twelve-month dimension as conservative, non-flipping substrate: it surfaces both 10.5.1 dimensions for the operator’s proportionality determination without ever forcing a false failure on a shop that archives correctly. PCI DSS 10.5.1 ships as an honest partial.
The first positive evidence in the report
Every compliance engine is good at recording what is wrong. NSAuditor AI also computes a great deal of what is right — PASS-tier evidence that a control is actually operating — but it used to discard all of it. EE 0.31.7 introduces an opt-in, display-only positive-substrate channel: a PASS-tier finding the producing plugin curates is surfaced under its control in the markdown, HTML, and JSON report as affirmative evidence, never counted as a violation, never affecting a control’s status, never altering the coverage matrix. The first finding to opt in is the new twelve-month retention substrate.
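To make the routing concrete, here is an added example (my code, not NSAuditor's): a small Python model of the generation-versus-retention split, the pgAudit shared_preload_libraries trap, and the non-flipping 10.5.1 substrate with its PASS-tier positive evidence. The input dictionaries mimic the shapes of AWS RDS describe_db_instances and describe_db_parameters results, the engine-to-log-type map is a simplified assumption, and the sample instance is constructed.

```python
GENERATION_CONTROLS = (  # generation family as listed in the release
    "SOC 2 CC7.2", "HIPAA 164.312(b)", "PCI DSS 10.2.1", "CIS Controls v8 8.2",
    "CIS Controls v8 8.5", "NIST CSF PR.PS-04", "ISO 27001 A.8.15")
PGAUDIT_CONTROLS = GENERATION_CONTROLS + ("NIST CSF DE.CM-09",)
AUDIT_EXPORT_BY_ENGINE = {"mysql": "audit", "mariadb": "audit", "postgres": "postgresql"}  # assumed

def export_posture(instance):
    """Classify one describe_db_instances entry's CloudWatch Logs audit export."""
    required = AUDIT_EXPORT_BY_ENGINE.get(instance.get("Engine", ""))
    exports = set(instance.get("EnabledCloudwatchLogsExports", []))
    if required is None:
        return "unsupported"
    if not exports:
        return "disabled"
    return "enabled" if required in exports else "partial"

def pgaudit_posture(params):
    """params: {name: value} from the parameter group, or None if unreadable.
    'misconfigured' is the trap: pgaudit.log set, extension never preloaded."""
    if params is None:
        return "unreadable"
    preload = {p.strip() for p in params.get("shared_preload_libraries", "").split(",")}
    classes = params.get("pgaudit.log", "").strip().lower()
    requested = bool(classes) and classes != "none"
    if "pgaudit" not in preload:
        return "misconfigured" if requested else "disabled"
    return "enabled" if requested else "disabled"

def retention_substrate(retention_days):
    """PCI 10.5.1 twelve-month dimension, non-flipping: archives are invisible, so short retention is INFO, never FAIL."""
    meets = retention_days is None or retention_days >= 365  # None = never expire
    return {"control": "PCI DSS 10.5.1", "status": "PASS" if meets else "INFO",
            "positive_evidence": meets, "retention_days": retention_days}

def route_generation_findings(instance, params=None):
    """Fail closed: any non-'enabled' posture hits the whole generation family."""
    findings = []
    ep = export_posture(instance)
    if ep != "enabled":
        findings.append({"check": "rds-cloudwatch-audit-export", "posture": ep,
                         "status": "FAIL", "controls": list(GENERATION_CONTROLS)})
    if instance.get("Engine") == "postgres":
        pp = pgaudit_posture(params)
        if pp != "enabled":
            findings.append({"check": "pgaudit-generation", "posture": pp,
                             "status": "FAIL", "controls": list(PGAUDIT_CONTROLS)})
    return findings
if __name__ == "__main__":  # constructed sample input: the PostgreSQL trap
    trap = {"Engine": "postgres", "EnabledCloudwatchLogsExports": ["postgresql"]}
    print(route_generation_findings(trap, {"pgaudit.log": "all"}))
```

Note that a generation finding never carries a retention control, and the retention substrate never emits FAIL; those two properties are what keep the false-clean and the false-failure apart.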
Availability
EE 0.31.7 is a patch — no new framework, plugin count unchanged at 28, and all seven coverage matrices unchanged (SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, GDPR Art. 32 4/5/2). Read-only (zero data exfiltration) enforcement holds across all 28 plugins. Upgrade in place — no configuration change, no new dependency. Details at nsauditor.com/ai/enterprise.