PCI DSS and Regulatory Compliance Blog

Track and monitor all access to network resources and cardholder data

July 31st, 2006 Posted in Audit log, PCI DSS

The PCI DSS requirement to enable audit logging is a difficult item to address when read strictly as is. Many people see the word “All” in there so often in terms of what they should log and feel it is impossible to accomplish. Many UNIX administrators have said, “In order to log ALL access I would need to install a kernel-level keystroke monitor” while DBAs have said, “This means I need to enable auditing on the database which will create an audit log larger than the database itself!” These are not the intended extremes the requirement has been interpreted to mean.

The intent of the requirement is stated in the very first lines where it says, “Establish a process for linking all access to system components … to an individual user.” This requirement is mean to show: Who did What and When, in order to (1) alert on suspicious activity and (2) facilitate a forensic investigation. If you can remember this then the rest of the requirement should be clear and straightforward. (Notice I did not say it would be easy.)

This level of logging usually entails aggregating logs from multiple sources in order to track and alert on user access throughout the enterprise. This means aggregating events from the following locations:

  • Network (i.e. Routers/switches, VPN, IDS, Wireless, etc.)
  • Operating system (i.e. UNIX, WinTel, mid-mainframe, su/su-do logs, etc.)
  • Application (i.e. web server, database server, POS application, or proprietary payment application)
  • Database applications (in some instances when access cannot be tracked through any of the above three methods.)

The most common audit log to not be present is the application log because many in-house or commercial off the shelf (COTS) applications do not support event logging. Sometimes the audit logs on show critical events such as “application failed [*timestamp*]” as if you needed a log to tell you that. In these instances where the application does not log user access many companies will rely on the database log. This does not mean that you need to log every SQL query into the database; instead you should look to track what events were performed when.

Think about database logging logically. The intent is not to track one individual user to a specific credit card number because what will that give you? Many people within the department or throughout the corporation may have access to the same individual account numbers during the period of a day, week, or month. Even with specific event logging how can such granular access link an individual to the single card compromise. The level of logging should provide accountability at a reasonable level to support the two original goals of audit logging. If you can accomplish these two objectives then you are logging to a sufficient degree.

Similarly the requirement for event log review is to meet one of the original two requirements of “alerting on suspicious activity.” If it is not possible to review all audit logs on a daily basis then either delegate responsibility such that no one individual is responsible for reviewing all event logs or review the logs on a less frequent basis but still one that meets the control objective. Also, consider compensating controls that may exist such as departmental log review independent of the enterprise log review or automated alerts generated based on preconfigured critical event flags. Each of these items may alerts on suspicious activity without the requirement for a daily review of audit logs.

Update: Visa has provided a clarification 10.2-10.3 of PCI DSS v1.0:

The intent of these logging requirements is twofold: 1) logs, when properly implemented and reviewed, are a widely accepted control to detect unauthorized access, and 2) adequate logs provide good forensic evidence in the event of a compromise.

Each and every log does not necessarily have to log all the data as specified in the details under 10.2 and 10.3, as long as the specified log items and events can be easily gathered in the event of a compromise from the various logs and/or logging tools in use.

There is an additional clarification specifically for requirement 10.2.1, which states “Log all individual accesses to cardholder data.” The intent of requirement 10.2.1 is that if an individual (person) accesses cardholder data on their own, with their own user ID, and does not go through an application (or stored procedure, etc.) for this access, that should be logged. This requirement is often confused to mean that if an individual accesses cardholder data through an application, then all application access to cardholder data needs to be logged. It is not necessary to log all application access to cardholder data if the following is true (and verified by assessors):

  • Applications that provide access to cardholder data do so only after making sure the users are authorized
  • Such access is authenticated via requirements 7.1 and 7.2, with user IDs set up in accordance with requirement 8, and
  • Application logs exist to provide evidence in the event of a “compromise.”
[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

  1. 12 Responses to “Track and monitor all access to network resources and cardholder data”

  2. By anonymous on Jul 31, 2006

    One open source option for event log management is SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data. Agents are available for Linux, Windows, Solaris, IIS, Lotus Notes, Irix, AIX, ISA/IIS + more

  3. By Jason on May 29, 2007

    Here’s a brief summary of where I lead people to as a starting point for PCI logging:

    http://blog.tevora.com/LoggingMeaningfulOrMeaningless.aspx

    …and for the record, SNARE is a solid solution in my opinion. A bit under-recognized in my opinion.

    Cheers,
    Jason

  4. By cdb on Jun 20, 2007

    So if an application authenticates a user and provides transaction logs it is not necessary to log that information again.

    Well is it a requirement to ‘monitor / review the application transaction logs’ on a daily basis?

    Or should you review the other security logs and simply save the app logs in the case of a forensic investigation

  5. By HJL on Aug 19, 2007

    Where does this visa quote come from?

  6. By Brian on Oct 5, 2007

    Does the auditd system in the RHEL5 qualify in the same way that Snare would?

  7. By dglosser on Jun 30, 2008

    http://usa.visa.com/download/merchants/pci_clarification_assessors.pdf

  8. By Michael Dahn on Jun 30, 2008

    @dglosser thanks for the link. It’s nice to see more clarification documents like this. Eventually people will get the point.

  9. By Cara O'Sullivan on Sep 2, 2008

    Is it appropriate to ask for recommendations in this forum? The current website content management (manages production infromation, etc.) application we use in our Ecommerce web sites does not have an audit log feature that tracks and stores administrator activity. To develop this feature is very costly for the vendor. The vendor has never had a customer ask them about being PCI compliant or asked for this feature–all of the vendor’s customers use mechanisms such as Pay Pal. Is there a web application out there that has this feature that anyone can suggest we look into? Thank you in advance.

  10. By Randy Crum on Oct 8, 2008

    You say:

    “Think about database logging logically. The intent is not to track one individual user to a specific credit card number because what will that give you? Many people within the department or throughout the corporation may have access to the same individual account numbers during the period of a day, week, or month. Even with specific event logging how can such granular access link an individual to the single card compromise.”

    Actually such loggig would give you quite a bit of useful information!

    While within probably all companies there are people who have a legitimate business need to look at credit card numbers, in fact most access attempts for a single individual card number should be very small or nonexistant. For many merchants, credit card transactions come in electronically with no human intervention. The only reason that a human being would need to look at a credit card number for such a transaction is if a refund or exchange is needed.

    In those cases, if a specific card number was compromised, detailed logging might very well reveal that only a single individual had looked at that particular card number. Such information would make a forensic analysis very easy.

  11. By Michael Dahn on Oct 10, 2008

    Yes, in some instances I agree it would be necessary to log such access information. Trying to track an action down to an individual employee is excellent for prosecuting that employee and removing them from the environment. The question is, can you track it back to one user? What is the risk/reward ratio of monitoring such events? It is something each company will have to determine individually.

  1. 2 Trackback(s)

  2. Sep 21, 2006: (IN)SECURE Magazine covers PCI « PCI and Data Security Compliance
  3. Feb 23, 2007: Think Outside the Dodecahedron at PCI and Data Security Compliance

Post a Comment