Full Disclosure mailing list archives

PCI Audit Logging


From: phenfen <phenfen () mailbag com>
Date: Tue, 20 Dec 2005 10:19:29 -0600

Greetings All,

I have a couple of questions regarding the fulfillment of PCI
auditing/logging requirements. Here's what the auditors have proclaimed
in the Report of Compliance:

"Corporate policy and audit logging will be changed to include
successful and unsuccessful login attempts when attempting to access
audit logs on devices passing or storing card holder data."

My read on this is that I just need to audit login attempts to the
server where the card holder data is stored. Is that correct? Or, do
I need to audit access to the audit logs on the server where the card
holder data is stored? What about intermediary and/or
infrastructure devices? It seems infeasible to me to audit "all"
activities on all devices that pass card holder data. For example, I
can't very well audit the data as it passes through say, a switch. Would
aggregating event logs to a central syslog server (and then audit access
to the raw logs) suffice?

According to the Visa PCI requirements, "All key management activities
should be logged..." (from the Visa Cardholder Information Security
Program v5.5):

Audit Trails
All key management activities should be logged and adequate information
maintained such that all key management processing can be reviewed.
The characteristics of audit trails are:
* Audit trails must be generated and maintained for all actions that
occur within the life cycle of a cryptographic key or key components.
* Audit trails must be kept, at minimum, for a period of time greater than
the life of the cryptographic key or key components that they cover.
* Audit trails must include enough data to enable a complete
reconstruction of all key management activities, including when, where,
why, by whom, and how all events took place.
* Audit trails must be secured so that they cannot be altered.
* Audit trails must be reviewed periodically to detect violations of
policy.

I understand that my goal is to appease the auditor, but I was looking
for additional clarification or if anyone would like to share their
experience with fulfilling this requirement.

TIA,

-phenfen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
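As an added illustration of the two mechanisms the post raises (recording successful and failed login attempts on a host that stores cardholder data, and securing the aggregated audit trail so that any alteration can be detected at review time), the following Python script is example code added here; it is not part of the original post, the Full-Disclosure thread, or any PCI/Visa document. The sshd-style syslog lines, host name, user names, addresses and the failed-attempt threshold are all constructed assumptions.

```python
"""Added example (not from the original post): parse login events from
constructed syslog lines, write them into a hash-chained audit trail, and
verify that the trail has not been altered.  All names and sample log lines
are assumptions made for this illustration."""
import hashlib
import json
import re
from collections import Counter

# Constructed sample syslog lines in the sshd style; not real captures.
SAMPLE_SYSLOG = """\
Dec 20 09:58:01 cardhost1 sshd[2211]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Dec 20 09:58:44 cardhost1 sshd[2230]: Failed password for bob from 10.0.5.40 port 51100 ssh2
Dec 20 09:58:47 cardhost1 sshd[2230]: Failed password for bob from 10.0.5.40 port 51100 ssh2
Dec 20 09:58:51 cardhost1 sshd[2230]: Failed password for bob from 10.0.5.40 port 51100 ssh2
Dec 20 10:02:13 cardhost1 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Dec 20 10:05:30 cardhost1 sshd[2345]: Accepted password for bob from 10.0.5.40 port 51188 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_login_events(text):
    """Return one dict per successful or failed login attempt found in text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["success"] = d.pop("outcome") == "Accepted"
            events.append(d)
    return events


def build_audit_trail(events, seed="genesis"):
    """Hash-chain the events: each record stores the SHA-256 of the previous
    record, so editing or deleting any record breaks every later link."""
    trail = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for ev in events:
        body = json.dumps(ev, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        trail.append({"prev": prev, "event": ev, "hash": digest})
        prev = digest
    return trail


def verify_audit_trail(trail, seed="genesis"):
    """Return the index of the first broken record, or None if the trail is intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, rec in enumerate(trail):
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return None


def review_failures(events, threshold=3):
    """Periodic review: (user, source) pairs with at least `threshold` failed attempts."""
    counts = Counter((e["user"], e["src"]) for e in events if not e["success"])
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_SYSLOG)
    trail = build_audit_trail(evs)
    print(len(evs), "login events; trail intact:", verify_audit_trail(trail) is None)
    print("review flags:", review_failures(evs))
    # Simulate someone editing the stored log: turn a failed attempt into a success.
    trail[1]["event"]["success"] = True
    print("after tampering, first bad record:", verify_audit_trail(trail))
```

The chain only makes tampering detectable; it does not prevent it. In practice the running hash (or a signed copy of it) is shipped to a separate, write-restricted system, which is the same idea as the post's central syslog server with audited access to the raw logs.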