Thursday, August 23, 2007

Ah, Come On, Use the Spirit, Not the Letter!

Somebody commented on PCI (again!?!) Requirement 10.5.5 which says "Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed."

The comment was: "I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to."

Indeed, req 10.5.5 is phrased oddly, because whatever "change detection software" you deploy will not STOP the changes, it just makes them known. However, the requirement seemingly applies to stored old log files, not the ones currently being appended to. While I saw some folks handle this with per-record MD5 checksums combined with detection of any operation other than append, PCI doesn't seem to mandate it: just make sure your log management solution keeps checksums on archived log files.

Dr Anton Chuvakin
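A minimal form of the "anything other than append" detection mentioned above, as an added example rather than code from the post or any product: it keeps a (size, SHA-256) baseline per log and on each pass tells a legitimate append apart from an edit or truncation of data the baseline already covers. The log lines and the temp-directory path are constructed for the demo.

```python
# Added example (not from the original post): append-only integrity check for a
# log that is still being written. Baseline = (bytes covered, sha256 of them).
# On re-check the covered prefix is rehashed: a mismatch or a shrink means old
# data was altered or truncated; extra bytes are an append and become the new
# baseline. A rotated (archived) file is simply the "unchanged" case every pass.
import hashlib
import os
import tempfile

def take_baseline(path):
    """Return (size, sha256 hex digest) over the file's current content."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()

def check_append_only(path, baseline):
    """Compare the file with a baseline; return (verdict, new_baseline).
    verdict is one of 'unchanged', 'appended', 'truncated', 'modified'."""
    size, digest = baseline
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < size:
        return "truncated", baseline
    if hashlib.sha256(data[:size]).hexdigest() != digest:
        return "modified", baseline  # bytes covered by the baseline were rewritten
    verdict = "unchanged" if len(data) == size else "appended"
    return verdict, (len(data), hashlib.sha256(data).hexdigest())

def demo():
    """Exercise the check on a constructed log: append, in-place edit, truncation."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")  # constructed sample file
    with open(path, "wb") as f:
        f.write(b"Aug 23 10:00:01 host sshd[1]: Accepted publickey for alice\n")
    base = take_baseline(path)
    with open(path, "ab") as f:  # the daemon appends a new record
        f.write(b"Aug 23 10:00:05 host sshd[2]: Failed password for root\n")
    verdict, base = check_append_only(path, base)
    results = [verdict]
    with open(path, "r+b") as f:  # simulated tampering: rewrite an existing record
        f.seek(0)
        f.write(b"Xug")
    results.append(check_append_only(path, base)[0])
    with open(path, "wb") as f:  # simulated truncation of the file
        f.write(b"Aug 23")
    results.append(check_append_only(path, base)[0])
    return results

if __name__ == "__main__":
    print(demo())  # → ['appended', 'modified', 'truncated']
```

The baseline has to be stored where whoever can write the log cannot also rewrite it, and an edit made and undone between two passes is invisible to this scheme, so the check interval matters.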