Full Disclosure mailing list archives

RE: PCI Audit Logging


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 21 Dec 2005 06:51:08 +1100

Section 10.2 requires sufficient logging to allow a sequence of events to be
recreated from the log data, including access to audit logs.  I suspect the
rationale is to be able to detect attempted alterations of logs.
If this can't be done, then the audit log has questionable value as
evidence.

In many cases I would think that logging centrally (http, firewall, app
events etc) and then having an access control process on the log server may
suffice.  Or require 'sudo' permissions to access the logs, for both read
and write.

lyal

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of phenfen
Sent: Wednesday, 21 December 2005 3:19 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] PCI Audit Logging


Greetings All,

I have a couple questions regarding the fulfillment of PCI auditing/logging
requirements. Here's what the auditors have proclaimed in the Report of
Compliance:

"Corporate policy and audit logging will be changed to include successful
and unsuccessful login attempts when attempting to access audit logs on
devices passing or storing card holder data."

My read on this is that I just need to audit login attempts to the server
where the card holder data is stored. Is that correct?  Or, do I need to
audit access to the audit logs on the server where the card holder data is
stored? What about intermediary and/or infrastructure devices? It seems
infeasible to me to audit "all" activities on all devices that pass card
holder data. For example, I can't very well audit the data as is passes
through say, a switch. Would aggregating event logs to a central syslog
server (and then audit access to the raw logs) suffice?

According to the Visa PCI requirements, "All key management activities
should be logged..." (from the Visa Cardholder Information Security Program
v5.5):

Audit Trails
All key management activities should be logged and adequate information
maintained such that all key management processing can be reviewed. The
characteristics of audit trails are:
* Audit trails must be generated and maintained for all actions that occur
within the life cycle of a cryptographic key or key components.
* Audit trails must be kept, at minimum, for a period of time greater than the
life of the cryptographic key or key components that they cover.
* Audit trails must include enough data to enable a complete reconstruction
of all key management activities, including when, where, why, by whom, and
how all events took place.
* Audit trails must be secured so that they cannot be altered.
* Audit trails must be reviewed periodically to detect violations of policy.

I understand that my goal is to appease the auditor, but I was looking for
additional clarification or if anyone would like to share their experience
with fulfilling this requirement.

TIA,

-phenfen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
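Lyal's suggestion above (central syslog plus sudo-gated read and write on the log server) leaves a sudo entry for every access to the logs, which is what the "reviewed periodically" and "when, by whom, how" points in the Visa text call for. The script below is an added example, not code from either poster: it assumes the standard sudo syslog line format and an assumed audit log path of /var/log/audit, and the log lines it reads are constructed.

```sh
#!/bin/sh
# Added example: review sudo entries on a central log host for reads and
# writes of the audit log directory. Log lines are constructed, not real.

LOG_DIR=/var/log/audit   # assumed location of the audit logs

# Constructed sample of syslog lines as sudo writes them on the log host.
# The last line is a denied attempt (sudoers did not permit the command).
sample_log() {
cat <<'EOF'
Dec 21 06:40:01 loghost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/less /var/log/audit/audit.log
Dec 21 06:41:15 loghost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /var/log/audit/audit.log
Dec 21 06:42:30 loghost sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/service httpd restart
Dec 21 06:43:02 loghost sudo:   mallory : command not allowed ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/rm /var/log/audit/audit.log
EOF
}

# Read syslog on stdin and print one line per sudo event that touched
# $LOG_DIR, in the order the log host recorded them:
#   <timestamp> <user> <allowed|denied> <command>
# Both successful and refused accesses are listed, so the review covers
# the "successful and unsuccessful" attempts the auditor asked about.
audit_log_access() {
  grep -F " sudo: " | grep -F "$LOG_DIR" | while IFS= read -r line; do
    ts=$(printf '%s\n' "$line" | cut -d' ' -f1-3)
    user=$(printf '%s\n' "$line" | sed -E 's/^.* sudo: +([^ ]+) : .*$/\1/')
    cmd=$(printf '%s\n' "$line" | sed -E 's/^.*COMMAND=//')
    case $line in
      *"command not allowed"*) verdict=denied ;;
      *) verdict=allowed ;;
    esac
    printf '%s %s %s %s\n' "$ts" "$user" "$verdict" "$cmd"
  done
}

# Stand-alone run: review the constructed sample.
sample_log | audit_log_access
```

On a real host, replace `sample_log` with the syslog file that collects the sudo facility, and keep the sudoers rules narrow enough that reads and writes of the log directory show up as separate commands.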
