Full Disclosure mailing list archives
RE: PCI Audit Logging
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 21 Dec 2005 06:51:08 +1100
Section 10.2 requires sufficient logging to allow a sequence of events to be recreated from the log data, including access to audit logs. I suspect the rationale is to be able to detect attempted alterations of logs. If this can't be done, then the audit log has questionable value as evidence.

In many cases I would think that logging centrally (http, firewall, app events etc) and then having an access control process on the log server may suffice. Or require 'sudo' permissions to access the logs, for both read and write.

lyal

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of phenfen
Sent: Wednesday, 21 December 2005 3:19 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] PCI Audit Logging

Greetings All,

I have a couple questions regarding the fulfillment of PCI auditing/logging requirements. Here's what the auditors have proclaimed in the Report of Compliance:

"Corporate policy and audit logging will be changed to include successful and unsuccessful login attempts when attempting to access audit logs on devices passing or storing card holder data."

My read on this is that I just need to audit login attempts to the server where the card holder data is stored. Is that correct? Or, do I need to audit access to the audit logs on the server where the card holder data is stored? What about intermediary and/or infrastructure devices? It seems infeasible to me to audit "all" activities on all devices that pass card holder data. For example, I can't very well audit the data as it passes through, say, a switch. Would aggregating event logs to a central syslog server (and then audit access to the raw logs) suffice?

According to the Visa PCI requirements, "All key management activities should be logged..." (from the Visa Cardholder Information Security Program v5.5):

Audit Trails

All key management activities should be logged and adequate information maintained such that all key management processing can be reviewed. The characteristics of audit trails are:

* Audit trails must be generated and maintained for all actions that occur within the life cycle of a cryptographic key or key components.
* Audit trails must be kept, at minimum, for a period of time greater than the life of the cryptographic key or key components that they cover.
* Audit trails must include enough data to enable a complete reconstruction of all key management activities, including when, where, why, by whom, and how all events took place.
* Audit trails must be secured so that they cannot be altered.
* Audit trails must be reviewed periodically to detect violations of policy.

I understand that my goal is to appease the auditor, but I was looking for additional clarification or if anyone would like to share their experience with fulfilling this requirement.

TIA,
-phenfen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
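Lyal's suggestion of central logging with sudo-gated access to the raw logs, and phenfen's requirement to record successful and unsuccessful attempts to reach audit logs, as an added example that is not part of the thread: a Python check run over constructed sudo syslog lines, as they would arrive at a central syslog server, that separates attempts to touch audit-log paths into successes and failures and summarises them per user. The host name, user names and the set of audit-log paths are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed locations of audit trails on the cardholder-data host; any sudo command
# naming one of these paths is an access attempt that must be recorded.
AUDIT_LOG_PATHS = ("/var/log/audit/", "/var/log/syslog", "/var/log/auth.log")

# Standard sudo syslog format: "<user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=<cmd>"
# A <reason> field ("command not allowed", "3 incorrect password attempts") marks a failure.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample lines (not from any real system): a read, a denied delete,
# an unrelated edit, and a failed authentication against a log file.
SAMPLE_LINES = [
    "Dec 21 06:40:01 cdehost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/audit/audit.log",
    "Dec 21 06:41:12 cdehost sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm /var/log/audit/audit.log",
    "Dec 21 06:42:30 cdehost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts",
    "Dec 21 06:43:05 cdehost sudo:   carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail /var/log/syslog",
]

@dataclass
class AuditAccess:
    ts: str
    host: str
    user: str
    cmd: str
    success: bool
    reason: str  # empty on success, sudo's stated reason on failure

def touches_audit_log(cmd):
    """True if the sudo command line names any protected audit-log path."""
    return any(path in cmd for path in AUDIT_LOG_PATHS)

def audit_log_access_events(lines):
    """Extract every sudo attempt (granted or refused) to access an audit log."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m or not touches_audit_log(m["cmd"]):
            continue
        reason = m["reason"] or ""
        events.append(AuditAccess(m["ts"], m["host"], m["user"], m["cmd"], reason == "", reason))
    return events

def summarize(events):
    """Per-user counts of successful and unsuccessful audit-log access attempts."""
    summary = {}
    for ev in events:
        counts = summary.setdefault(ev.user, {"success": 0, "failure": 0})
        counts["success" if ev.success else "failure"] += 1
    return summary

if __name__ == "__main__":
    for ev in audit_log_access_events(SAMPLE_LINES):
        print(ev)
    print(summarize(audit_log_access_events(SAMPLE_LINES)))
```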
Current thread:
- PCI Audit Logging phenfen (Dec 20)
- Re: PCI Audit Logging coderman (Dec 20)
- RE: PCI Audit Logging Lyal Collins (Dec 20)