Support "2.7 Logging" of MVSP

[cmlh]

"2.7 Logging" of MVSP is reproduced below:

2.7 Logging
Keep logs of:

* Users logging in and out
* Read, write, delete operations on application and system users and objects
* Security settings changes (including disabling logging)
* Application owner access to customer data (access transparency)

Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.
Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.

The parent of this [MVSP] issue is #1151.

[cmlh]

* Users logging in and out
7.1.3 Verify that the application logs security relevant events including successful and failed authentication events ...

* Read, write, delete operations on application and system users and objects
4.2.1 Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.

Security settings changes (including disabling logging)
👎

Application owner access to customer data (access transparency
👎 V1.8 Data Protection and Privacy Architecture

Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.
👎

Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.
👎