Wednesday, January 13, 2010

More on PCI DSS and Logging

Despite my older post on this (“MUST-DO Logging for PCI?”), people continue to harass me to create an “authoritative” guide on logging for PCI DSS: what events to log? what details to log? what logs to retain? what logs to review? how to review? etc, etc. BTW, the quotation signs above are there since only your QSA holds an authoritative view on the subject; the rest of us have to settle for a “defensible” view, such as the one from my very self :-)

So, OK, I will [eventually] share my entire defensible guide on logging for PCI DSS, even though it doesn’t sound anywhere near as glam as an authoritative guide would :-). In this guide, I analyze all the PCI DSS logging requirements (in Requirements 1, 5, 10, 12 and all others too) and translate them into a logging policy and more-or-less-actionable tasks and operational procedures, while making a few assumptions here and there about your organization. What is more important, I cover both the logging you need in order to achieve PCI DSS compliance and stay compliant with these requirements, and what you need to [most likely - see the comment about QSAs above] get validated. It goes without saying that such logging will be actually useful, following the traditional "compliance+" model.

Still, no externally-created guide will ever be fully effective in defining logs and logging for your organization, for your applications, for your in-scope PCI environment. Indeed, the only way to get it right is to hire a consultant and have him customize and “operationalize” the document by replacing the assumptions with actual facts about your organization [oh-nos, I started to sound like a consultant already :-)].
The document will be shared later this year (unless I roll it into my upcoming book on log management... oops!.. that was a secret :-)). If you want it sooner, you can hire me to do this for your organization, as some other people just did. Here are some examples of what I built for this F1000 consulting client:


Logging Policy
In light of the above, a PCI-derived logging policy must at least contain the following:
  • Adequate logging, that covers both logged event types and details
  • Central log aggregation
  • Log retention (1 year)
  • Log protection and security
  • Daily log review
[…]
Let’s now focus on log review in depth. PCI DSS states that “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).” It then adds that “Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.”
PCI DSS testing and validation procedures for log review mandate that a QSA should “obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required.” The QSA must also “through observation and interviews, verify that regular log reviews are performed for all system components.”
Below [in the full document, not here – A.C.] we document PCI Application Log Review Procedures and workflows that cover:
  1. Log review practices, patterns and tasks
  2. Exception investigation and analysis
  3. Validation of these procedures and management reporting.
The procedures will be provided for using automated log management tools as well as manually when tools are not available or not compatible with log formats produced by the application.
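To make the policy items above (daily review, exception follow-up, 1-year retention) and the review procedures concrete, here is an added example of a minimal daily log review script. It is not from the original post or its author's guide; it is mine. It assumes syslog-style lines with an ISO timestamp, a small set of exception rules (a repeated-failed-login threshold, a RADIUS shared-secret error, a root shell obtained via sudo, and the audit daemon stopping), and a placeholder reviewer name. The sample log lines, hostnames and addresses are constructed. The script produces the kind of dated review record, with exceptions flagged for follow-up, that a QSA could examine as evidence that the daily review actually happens.

```python
"""Added example (not the post's own code): a minimal daily log review that
records what was reviewed, which exceptions need follow-up, and how long the
reviewed logs must be retained. All rules and sample data are assumptions."""
import json
import re
from collections import Counter
from datetime import date, timedelta

RETENTION_DAYS = 365          # the policy's "1 year" retention item
FAILED_LOGIN_THRESHOLD = 3    # assumed site-specific threshold

# Assumed line layout: "<ISO timestamp> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\s\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

# Single-line exception rules; names and patterns are assumptions for this example.
SINGLE_LINE_RULES = [
    ("radius_shared_secret", re.compile(r"Shared secret is incorrect")),
    ("root_shell_via_sudo", re.compile(r"USER=root ; COMMAND=/bin/(ba)?sh\b")),
    ("audit_daemon_stopped", re.compile(r"Audit daemon is exiting")),
]

# Constructed sample: one day of aggregated auth-server and RADIUS (AAA) logs.
SAMPLE_LOGS = """\
2010-01-12T23:58:01Z auth01 sshd[1023]: Accepted publickey for alice from 10.0.0.5 port 51000
2010-01-13T00:03:12Z auth01 sshd[1044]: Failed password for root from 203.0.113.7 port 40022
2010-01-13T00:03:15Z auth01 sshd[1044]: Failed password for root from 203.0.113.7 port 40022
2010-01-13T00:03:19Z auth01 sshd[1044]: Failed password for root from 203.0.113.7 port 40022
2010-01-13T01:10:00Z radius01 radiusd[220]: Login OK: [bob] (from client pos-switch port 3)
2010-01-13T01:11:40Z radius01 radiusd[220]: Login incorrect (Shared secret is incorrect): [bob] (from client 192.0.2.9 port 0)
2010-01-13T02:00:00Z auth01 sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
2010-01-13T02:30:00Z auth01 auditd[77]: Audit daemon is exiting.
"""
REVIEW_DAY = date(2010, 1, 13)  # the day being reviewed (constructed)


def parse_line(line):
    """Split one log line into its fields; None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_exceptions(lines):
    """Return the exceptions a reviewer must follow up on for the given lines."""
    exceptions = []
    failed = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            # A line the parser cannot read is itself an exception: it was not reviewed.
            exceptions.append({"type": "unparseable_line", "host": None, "evidence": raw})
            continue
        for name, pattern in SINGLE_LINE_RULES:
            if pattern.search(rec["msg"]):
                exceptions.append({"type": name, "host": rec["host"], "evidence": raw})
        m = FAILED_RE.search(rec["msg"])
        if m:
            failed[(m["user"], m["src"], rec["host"])] += 1
    # Aggregate rule: repeated failures for the same account from the same source.
    for (user, src, host), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            exceptions.append({"type": "repeated_failed_login", "host": host,
                               "evidence": f"{n} failed logins for {user} from {src}"})
    return exceptions


def retention_deadline(log_day):
    """Earliest date on which logs from log_day may be purged under 1-year retention."""
    return log_day + timedelta(days=RETENTION_DAYS)


def daily_review_record(lines, reviewer, review_day):
    """Build the evidence record of one daily review: who, when, what, and open exceptions."""
    exceptions = find_exceptions(lines)
    return {
        "review_date": review_day.isoformat(),
        "reviewer": reviewer,
        "lines_reviewed": sum(1 for line in lines if line.strip()),
        "exception_count": len(exceptions),
        "exceptions": exceptions,
        "follow_up_required": bool(exceptions),
        "retain_until": retention_deadline(review_day).isoformat(),
    }


if __name__ == "__main__":
    record = daily_review_record(SAMPLE_LOGS.splitlines(), "reviewer-placeholder", REVIEW_DAY)
    print(json.dumps(record, indent=2))
```

Run as-is, the script flags four exceptions for the sample day (the burst of root login failures, the RADIUS shared-secret error, the sudo root shell, and the audit daemon stopping) and stamps the record with a retain-until date one year out. The review record, not the raw logs, is what you would keep per day to show that review and exception follow-up occurred; the rule set is deliberately small and would be replaced by the patterns relevant to your own in-scope applications.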


Dr Anton Chuvakin