| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Dec 20 19:50:52 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Subject: PCI Audit Logging Section 10.2 requires sufficient logging to allow a sequence of events to be recreated from the log data, including access to audit logs. I suspect the rationale is to be able to detect attempted alterations of logs. If this can't be done, then the audit log has questionable value as evidence. In many casaes I would think that logging centrally (http, firewall, app events etc) and then having an access control process on the log server may suffice. Or require 'sudo' permissions to access the logs, for both read and write. lyal -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of phenfen Sent: Wednesday, 21 December 2005 3:19 AM To: full-disclosure@...ts.grok.org.uk Subject: [Full-disclosure] PCI Audit Logging Greetings All, I have a couple questions regarding the fulfillment of PCI auditing/logging requirements. Here's what the auditors have proclaimed in the Report of Compliance: "Corporate policy and audit logging will be changed to include successful and unsuccessful login attempts when attempting to access audit logs on devices passing or storing card holder data." My read on this is that I just need to audit login attempts to the server where the card holder data is stored. Is that correct? Or, do I need to audit access to the audit logs on the server where the card holder data is stored? What about intermediary and/or infrastructure devices? It seems infeasible to me to audit "all" activities on all devices that pass card holder data. For example, I can't very well audit the data as is passes through say, a switch. Would aggregating event logs to a central syslog server (and then audit access to the raw logs) suffice? According to the Visa PCI requirements, "All key management activities should be logged..." (from the Visa Cardholder Information Security Program v5.5): Audit Trails All key management activities should be logged and adequate information maintained such that all key management processing can be reviewed. The characteristics of audit trails are: * Audit trails must be generated and maintained for all actions that occur within the life cycle of a cryptographic key or key components. * Audit trails must kept, at minimum, for a period of time greater than the life of the cryptographic key or key components that they cover. * Audit trails must include enough data to enable a complete reconstruction of all key management activities, including when, where, why, by whom, and how all events took place. * Audit trails must be secured so that they cannot be altered. * Audit trails must be reviewed periodically to detect violations of policy. I understand that my goal is to appease the auditor, but I was looking for additional clarification or if anyone would like to share their experience with fulfilling this requirement. TIA, -phenfen _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists