July 14, 2007
Logging – Meaningful or Meaningless?
Section 10.2 of PCI DSS requires “…implementation of audit trails for all system components”. Sections 10.2.1 through 10.2.7 detail what specific actions need to be covered in the audit trail.
The first thing that caught my attention here is the System Object requirement, specifically “creation and deletion of system level objects”.
A question I have had, both while reviewing these specifications and while implementing the necessary technical controls, has been: how does requiring logging in this fashion actually help detect an intrusion? Is the PCI DSS approach sound from a business perspective? Is it sound from an applied science perspective?
When you look under the hood a bit, I believe it is.
I would suggest that anyone looking to implement PCI DSS audit trails not begin with the actual technical configuration. Obviously, I would not suggest starting with the procurement of a logging solution either.
Instead, I believe a more sound approach is to first draft out what the goals are within the PCI implementation. Some of the areas I’ve started with in the past are:
- Which objects need auditing enabled? Do I want to enable the Audit policy on specific objects only, or do I want to let file system inheritance do the dirty work? Maybe a hybrid approach is best given the file system structure?
- What permissions may need to be adjusted to support the Audit policy? How is the data “normally” accessed and what would be “abnormal”?
- What data will be generated by this Audit policy? What data will be meaningful and what data will
- How will I collect
- How will I analyze the data after collection, and what specifically will I be looking for during the review?
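The scoping and review questions above, carried into a working script as an added example that is not part of the original post. It is PowerShell (the post discusses the Windows Audit policy but shows no code), assumes an elevated session on Windows Vista / Server 2008 or later, and uses placeholder paths (D:\CHD\...), a placeholder identity (Everyone) and the modern Security-log event IDs 4663 and 4660; none of those values come from the post.

```powershell
# Added example, not from the original post. Applies a targeted file-system
# audit policy to a hypothetical cardholder-data location: one explicitly
# audited file, and one subtree where inheritance does the work (the "hybrid"
# approach), then reads the SACLs back and pulls the resulting events for review.
# Assumptions: Windows with PowerShell, run elevated (writing a SACL needs
# SeSecurityPrivilege), and the paths below exist. Paths, identity and event IDs
# are placeholders to adapt.

$ErrorActionPreference = 'Stop'

# Step 1: the system-wide switch. Without the "File System" subcategory enabled,
# per-object SACL entries generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: scope decisions. Which objects, and does inheritance do the dirty work?
$targets = @(
    @{ Path = 'D:\CHD\settlement.db'; Inherit = $false },   # one sensitive file
    @{ Path = 'D:\CHD\exports';       Inherit = $true  }    # whole subtree
)

# Audit everyone for create/delete style operations; narrow the identity or the
# rights once the volume of data generated has been reviewed.
$identity = 'Everyone'
$rights   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
$audit    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

foreach ($t in $targets) {
    $inherit = if ($t.Inherit) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $inherit, $propagate, $audit)

    # -Audit makes Get-Acl read the SACL alongside the DACL.
    $acl = Get-Acl -Path $t.Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $t.Path -AclObject $acl
}

# Step 3: verify what was applied. IsInherited shows whether an entry came from
# the parent (inheritance) or was set on the object itself.
foreach ($t in $targets) {
    (Get-Acl -Path $t.Path -Audit).Audit |
        Select-Object @{ n = 'Path'; e = { $t.Path } }, IdentityReference,
                      FileSystemRights, AuditFlags, IsInherited, InheritanceFlags
}

# Step 4: the review. 4663 ("An attempt was made to access an object") names the
# object, so it can be filtered on the in-scope path. 4660 ("An object was
# deleted") carries only the Handle ID, not the name, so deletions have to be
# correlated with the 4663 event that holds the same Handle ID.
# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches yet.
$accessEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*D:\CHD\*' }
$deleteEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660 } -MaxEvents 200 -ErrorAction SilentlyContinue

$accessEvents | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
"Access events on in-scope paths: $(@($accessEvents).Count); deletion events to correlate: $(@($deleteEvents).Count)"
```

The IsInherited column in step 3 is the quick check for the inheritance-versus-explicit question: entries on files under D:\CHD\exports should show True, the settlement.db entry False. The counts printed in step 4 are the first feel for how much data the policy generates, which is the input to deciding whether Everyone and the chosen rights are too broad.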
Answering those questions before turning on the technical Audit policy will not only produce more meaningful log data, in my opinion, but will also begin to illuminate why the PCI DSS logging requirements are reasonable and effective detective controls.
Jason Pittman, M.S. Network Security