Bill Roth, Ulitzer Editor-at-Large

Getting to know PCI Requirement 10

By Anton Chuvakin

The requirement itself is called “Track and monitor all access to network resources and cardholder data” and sits under the “Regularly Monitor and Test Networks” heading in PCI DSS. It is divided into several sections covering the process, the events that need to be logged, the suggested level of detail, time synchronization, log security, required log review, and the log retention policy.

Specifically, Requirement 10.1 covers “establish[ing] a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” It is this requirement that often creates problems for PCI implementers, since many think of logs as “records of people's actions,” while in reality what they have are “records of computer actions” that still need to be tied back to an individual.

Next, Section 10.2 defines a minimum list of system events to be logged. Such requirements are motivated by the need to assess and monitor user actions as well as other events that can affect credit card data (such as system failures).

Moreover, PCI DSS Requirement 10 goes into an even deeper level of detail and covers specific data fields or values that need to be logged for each event.

As can be seen, this minimum list contains all of the basic attributes needed for security monitoring and investigation.

The next requirement, 10.4, addresses a critical need: accurate and consistent time in all of the logs. System time is frequently found to be arbitrary in a home or small office network. Using NTP for time synchronization is always a good choice, whether for PCI DSS or other uses of log data.
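One way a log collector can verify that 10.4 is actually being met, rather than assuming it, is to compare the timestamp each device stamps on its own messages with the time the (NTP-synchronised) collector received them. The example below is added here to illustrate that check; it is not code from the original post or from LogLogic. The host names, timestamps and the 5-second tolerance are constructed for the example, and it assumes the collector records both timestamps with an explicit UTC offset.

```python
from datetime import datetime, timezone

# Constructed sample: (host, timestamp stamped by the sending device,
# timestamp stamped by the central collector on receipt). The collector is
# assumed to be NTP-synchronised; the devices may or may not be. All values
# are made up for this example.
SAMPLE_RECORDS = [
    ("web01", "2024-03-05T10:15:02+00:00", "2024-03-05T10:15:02+00:00"),
    ("web01", "2024-03-05T10:15:09+00:00", "2024-03-05T10:15:10+00:00"),
    ("db01",  "2024-03-05T05:15:05-05:00", "2024-03-05T10:15:06+00:00"),  # local time, correct
    ("fw01",  "2024-03-05T10:42:11+00:00", "2024-03-05T10:15:08+00:00"),  # clock ~27 min fast
    ("pos07", "2024-03-05T09:58:40+00:00", "2024-03-05T10:15:11+00:00"),  # clock ~16 min slow
]


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp carrying a UTC offset and normalise it to UTC.

    Refusing naive timestamps is deliberate: a log line whose time zone is
    unknown cannot be correlated with anything else, whatever the clock says.
    """
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without timezone offset: {stamp}")
    return parsed.astimezone(timezone.utc)


def clock_skew_by_host(records):
    """Return {host: worst observed skew in seconds}.

    Skew is device time minus collector time, so a positive value means the
    device clock runs ahead of the collector and a negative value means behind.
    """
    worst = {}
    for host, reported, received in records:
        skew = (to_utc(reported) - to_utc(received)).total_seconds()
        if host not in worst or abs(skew) > abs(worst[host]):
            worst[host] = skew
    return worst


def hosts_out_of_tolerance(records, tolerance_seconds=5.0):
    """Hosts whose clock differs from the collector by more than the tolerance."""
    return sorted(
        host for host, skew in clock_skew_by_host(records).items()
        if abs(skew) > tolerance_seconds
    )


if __name__ == "__main__":
    for host, skew in sorted(clock_skew_by_host(SAMPLE_RECORDS).items()):
        print(f"{host}: {skew:+.0f}s")
    print("out of tolerance:", hosts_out_of_tolerance(SAMPLE_RECORDS))
```

Network latency and queueing make a skew of a second or two normal, which is why the check works against a tolerance rather than demanding equality; the hosts it flags are the ones whose timelines cannot be stitched together with the rest of the environment during an investigation.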

Section 10.5 covers log protection. In particular, 10.5.1 touches on log confidentiality: “Limit viewing of audit trails to those with a job-related need.” What is so sensitive about logs? One of the obvious reasons is that authentication-related logs will always contain usernames, and because users mistype their credentials, it is not uncommon for passwords themselves to show up in logs. Next comes “integrity.” As per section 10.5.2 of PCI DSS, one needs to “protect audit trail files from unauthorized modifications.” This one is fairly obvious: if logs can be modified by anybody, they stop being an objective record of activity. LogLogic does not allow the logs to be deleted and logs all access to logs, as mandated by PCI DSS.

However, one needs to preserve the logs not only from malicious users, but also from system failures and the consequences of system configuration errors. This touches upon both the “availability” and the “integrity” of log data. Specifically, Section 10.5.3 of PCI DSS requires one to “promptly back-up audit trail files to a centralized log server or media that is difficult to alter.” Indeed, centralizing logs to a log management appliance is essential both for log protection and for increasing the usefulness of log data. Further, Requirement 10.5.5 calls for the use of “file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts.” LogLogic appliances include built-in cryptographic log integrity checking to satisfy this requirement.
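The “cryptographic log integrity checking” that 10.5.2 and 10.5.5 call for is usually built on a hash chain: every stored record carries a hash that covers both the record and the hash of the record before it, so editing or dropping any record breaks every link after it. The example below is added here to show that mechanism and what each kind of tampering looks like to the verifier; it is not LogLogic's implementation or code from the original post. The audit events are constructed, and the design assumes the current head hash is kept somewhere the logging host cannot write (for instance on the central log server), which is what lets a completely rewritten and re-chained file be caught.

```python
import copy
import hashlib
import json

# Constructed sample audit records (made-up users, hosts and addresses).
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T10:15:02Z", "user": "root", "action": "login", "result": "success", "src": "10.0.0.5"},
    {"ts": "2024-03-05T10:16:40Z", "user": "alice", "action": "read", "object": "/var/db/cards.db", "result": "success"},
    {"ts": "2024-03-05T10:17:01Z", "user": "bob", "action": "login", "result": "failure", "src": "10.0.0.9"},
]

GENESIS = "0" * 64  # the "previous hash" used for the very first record


def canonical(event: dict) -> bytes:
    """Serialise an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous link's hash and this event.

    Because prev_hash is part of the input, each link commits to the entire
    history before it, not just to its own record.
    """
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def build_chain(events):
    """Return a list of {"event": ..., "hash": ...} links; the last hash is the chain head."""
    chain, prev = [], GENESIS
    for event in events:
        prev = link_hash(prev, event)
        chain.append({"event": event, "hash": prev})
    return chain


def verify_chain(chain, expected_head: str) -> str:
    """Recompute every link and compare the final hash with the off-host head.

    Returns "ok", "link N altered" for the first record whose stored hash no
    longer matches, or "head mismatch" when the file is internally consistent
    but does not end at the head the central server remembers.
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        if link_hash(prev, link["event"]) != link["hash"]:
            return f"link {i} altered"
        prev = link["hash"]
    if prev != expected_head:
        return "head mismatch"
    return "ok"


def tamper_scenarios():
    """Build a chain and report what verification says in four situations."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # assumed to be copied to the central log server
    results = {"intact": verify_chain(chain, head)}

    # 1. A record is edited in place (a failed login becomes a success).
    altered = copy.deepcopy(chain)
    altered[2]["event"]["result"] = "success"
    results["edited_record"] = verify_chain(altered, head)

    # 2. The newest record is deleted; every remaining link still verifies.
    results["deleted_record"] = verify_chain(chain[:-1], head)

    # 3. The whole file is rewritten without the root login and fully re-chained.
    rewritten = build_chain([e for e in SAMPLE_EVENTS if e["user"] != "root"])
    results["rechained"] = verify_chain(rewritten, head)
    return results


if __name__ == "__main__":
    for scenario, outcome in tamper_scenarios().items():
        print(f"{scenario:15s} -> {outcome}")
```

Cases 2 and 3 are the reason the head hash has to live off the logging host: a chain that has been truncated or rebuilt from scratch is perfectly self-consistent, and only comparison with a copy the attacker could not reach reveals it. Alerting on any result other than "ok" is what turns the hash chain into the change detection 10.5.5 asks for.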

Next comes the most important requirement: daily log review. Requirement 10.6 states that the PCI organization must, as per PCI DSS, “review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDSes and AAA servers.” Given that a large organization's IT environment might produce gigabytes of logs per day, it is impossible for a human to read all of the logs. That is why a note was added to this requirement that states that “Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.” Indeed, log management tools such as LogLogic are the only way to satisfy this requirement!
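To make the “harvesting, parsing, and alerting” note concrete, the example below runs a small daily-review job over sample authentication log lines: it parses them into fields, then applies three rules that a reviewer would otherwise apply by eye (repeated failures for one account, a success from a source that had just been failing, and a login to the shared root account, which 10.1 says cannot be linked to an individual). It is added here as an illustration and is not code from the original post or from LogLogic. The log lines imitate Linux sshd syslog output but are constructed, as are the hosts, users, addresses and the threshold of five failures.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Linux sshd syslog output; the hosts,
# users and addresses are made up and are not from any real system.
SAMPLE_LOG = """\
Mar  5 10:15:02 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  5 10:16:10 web01 sshd[2240]: Failed password for bob from 10.0.0.9 port 50211 ssh2
Mar  5 10:16:14 web01 sshd[2240]: Failed password for bob from 10.0.0.9 port 50211 ssh2
Mar  5 10:16:19 web01 sshd[2240]: Failed password for bob from 10.0.0.9 port 50211 ssh2
Mar  5 10:16:25 web01 sshd[2240]: Failed password for bob from 10.0.0.9 port 50211 ssh2
Mar  5 10:16:31 web01 sshd[2240]: Failed password for bob from 10.0.0.9 port 50211 ssh2
Mar  5 10:17:03 db01 sshd[8812]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  5 10:17:05 db01 sshd[8812]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  5 10:18:40 db01 sshd[8830]: Accepted password for root from 203.0.113.7 port 40010 ssh2
Mar  5 10:20:01 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One pattern for both outcomes; the optional "invalid user" prefix keeps the
# real account name in the user field for lines about unknown accounts.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_events(text):
    """Parse sshd authentication lines into dicts; lines from other daemons are ignored."""
    events = []
    for line in text.splitlines():
        match = AUTH_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def review(text, failure_threshold=5):
    """Apply the review rules and return the alerts as strings, in the order raised."""
    alerts = []
    failures_by_key = Counter()  # (host, user, src) -> failed attempts
    failures_by_src = Counter()  # (host, src) -> failed attempts for any user
    for ev in parse_auth_events(text):
        host, user, src = ev["host"], ev["user"], ev["src"]
        if ev["result"] == "Failed":
            failures_by_key[(host, user, src)] += 1
            failures_by_src[(host, src)] += 1
            continue
        # Success after failures from the same source against the same host.
        prior = failures_by_src[(host, src)]
        if prior:
            alerts.append(f"{host}: login as {user} from {src} after {prior} failed attempts")
        # A shared root login cannot be linked to one person (Requirement 10.1).
        if user == "root":
            alerts.append(f"{host}: shared-account login as root from {src} via {ev['method']}")
    for (host, user, src), count in failures_by_key.items():
        if count >= failure_threshold:
            alerts.append(f"{host}: {count} failed logins for {user} from {src}")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT", alert)
```

The point of the rules is not their sophistication but that they run over every line every day, which a person cannot do at gigabytes per day; the output is the short list a reviewer actually reads and signs off on, and that sign-off is what an assessor asks to see for 10.6.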

The final requirement (10.7) deals with another important logging question: log retention. It says: “retain audit trail history for at least one year, with a minimum of three months online availability.” Thus, if you are not able to go back one year and look at the logs, you are in violation.

Next time we will cover other key PCI DSS logging requirements.
