April 8, 2010

How to address the common stumbling blocks of your PCI Assessment – Logging

Part 2 – Logging

Complying with PCI DSS logging and audit trail requirements can be very challenging for many organizations. We will be stepping through a selection of logging and audit trail requirements that are among the more challenging requirements to meet and outline possible approaches and solutions for each.

From a high level, PCI DSS logging requirements primarily exist to facilitate a forensic investigation during a credit card data compromise. The more effective the logging solution, the better the forensic investigator will be equipped to recreate the compromise and determine the cause of the incident.

PCI DSS Requirement:

10.2.7 Creation and deletion of system-level objects.

PCI DSS Testing Procedure:

10.2.7 Verify creation and deletion of system level objects are logged.

Intent:

The intent of PCI DSS 10.2.7 is to ensure that if a system level object were to be
created, or deleted and then recreated, that there would be an audit trail to track
that event.

Possible Solutions:

Monitoring the creation and deletion of system level objects is normally covered by
the deployment of FIM (File Integrity Monitoring). Frequently, the first question
many organizations have is “what exactly is a system level object?” At a high level,
it is any object or file that is critical to the functioning of a system. In a Microsoft
Windows system, this is commonly interpreted as the %SYSTEMROOT%SYSTEM32 directory.
There are numerous commercial and open source FIM solutions. Any of which will meet
this requirement as long as they are deployed and configured to address all related
PCI DSS FIM requirements.

PCI
DSS Requirement:

10.5.2 Protect audit trail files from unauthorized modifications.

PCI DSS Testing Procedure:

10.5.2 Verify that current audit trail files are protected from unauthorized
modifications via access control mechanisms, physical segregation, and/or network
segregation.

Intent:

PCI DSS 10.5.2 is intended to ensure that audit trails are not able to be altered
by unauthorized parties.

Possible Solutions:

There are three primary ways to address PCI DSS 10.5.2.

1. Implement an ACL (Access Control List) to protect the audit trails. This is typically
addressed by configuring proper file system permissions on the audit trail files,
or the directory in which they are contained. This should be limited to the least
amount of access necessary.

2. Physically segregate the audit trails from the rest of the network. This can include
transferring audit trails to another system that is physically separate from where
the audit trails originated, or even to another location such as a backup site.

3. Logically segregate the audit trails via network ACL’s. Creating a dedicated network
segment, or firewalling off a specific host or group of hosts that collect log files
can also be an avenue to pursue in addressing this requirement.

PCI
DSS Requirement:

10.5.3 Promptly back up audit trail files to a centralized log server or media
that is difficult to alter.

PCI DSS Testing Procedure:

10.5.3 Verify that current audit trail files are promptly backed up to a centralized
log server or media that is difficult to alter.

Intent:

PCI DSS 10.5.3 is arguably the most important logging requirement. The intent is to
ensure that audit trails are promptly backed up to a centralized system or media that
is difficult to alter. Backing up log files promptly or ideally in real time to a
centralized log server can be one of the most effective ways in tracking a credit
card compromise. If a system in your cardholder data environment is compromised, an
attacked can disable logging and remove existing log files thereby eliminating significant
evidence of their activities. If log files are quickly or in real time sent to a centralized
log server, the attacker will be unable to “clean up” the environment and there will
be more evidence available to a forensic investigator.

Possible Solutions:

There are numerous centralized log server solutions out on the market. Centralized
log servers range from very expensive enterprise level commercial solutions to open
source deployments of simpler software such as SYSLOG. The high level goal is to ensure
that log files are being sent to a centralized system in real time if at all possible.
This is frequently accomplished via the use of SYSLOG or tools on other operating
systems that can “stream” log files off the system similar to how SYSLOG is traditionally
configured. If real time transfer is unavailable, then log files should be backed
up to a centralized system as frequently as is feasible.

Properly configuring PCI DSS logging requirements can be one of the most important
security considerations as you work towards PCI DSS compliance. The proper deployment
and configuration of these logging solutions can be challenging, but in the unfortunate
event of a credit card data compromise, proper logging is critical.

If you ever find yourself having a conversation with a forensic investigator, and if you’ve done your due diligence, they will be thanking you for it.