Thursday, August 23, 2007

Ah, Come On, Use the Spirit, Not the Letter!

Somebody commented on PCI (again!?!) Requirement 10.5.5 which says "Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed."

The comment was: "I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to."

Indeed, req 10.5.5 is phrased funny: whatever "change detection software" you deploy will not STOP changes to the logs, it will only make them known. However, the req seemingly applies to stored, rotated log files, not the ones currently being appended to. I have seen some folks go further and keep per-record MD5 checksums combined with detection of any operation other than an append, but PCI doesn't seem to mandate that: just make sure your log management solution keeps checksums on archived log files.
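Here is what that split looks like in code: archived (rotated) files must never change at all, while the live file is allowed to grow by append only, and any in-place edit or truncation of either is flagged. This is an added example, not code from the original post or from any tool it mentions (Tripwire or a log management product); it uses SHA-256 in place of MD5, and the file names and syslog-style lines are constructed for the demo.

```python
"""Log integrity checker: archived logs must be byte-for-byte stable, while the
active log may only grow by append. Added example; file names and log lines
below are constructed for the demo, not taken from a real system."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def snapshot(path):
    """Baseline record: current size plus the hash of the file at that size."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check(path, baseline, active):
    """Compare `path` with its stored baseline.

    Returns (verdict, fresh_snapshot). Verdicts:
      'unchanged' - same size, same hash
      'appended'  - active log grew and the previously hashed prefix is intact
      'modified'  - anything else: edit in place, truncation, or any growth
                    of a file that is supposed to be archived (not active)
    """
    size = os.path.getsize(path)
    if size == baseline["size"]:
        same = hash_prefix(path, size) == baseline["sha256"]
        verdict = "unchanged" if same else "modified"
    elif size < baseline["size"]:
        verdict = "modified"          # truncation always counts as tampering
    else:
        prefix_ok = hash_prefix(path, baseline["size"]) == baseline["sha256"]
        verdict = "appended" if (active and prefix_ok) else "modified"
    return verdict, snapshot(path)


def demo():
    """Run the checker through constructed scenarios; returns {scenario: verdict}."""
    results = {}
    records = [  # constructed sample records
        b"Aug 23 10:00:01 host sshd[100]: Accepted publickey for alice\n",
        b"Aug 23 10:00:05 host sshd[101]: Failed password for root\n",
    ]
    with tempfile.TemporaryDirectory() as d:
        archived = os.path.join(d, "auth.log.1")   # rotated: must never change
        active = os.path.join(d, "auth.log")       # live: append-only
        for p in (archived, active):
            with open(p, "wb") as f:
                f.writelines(records)
        base = {p: snapshot(p) for p in (archived, active)}

        # Archived file untouched -> unchanged
        results["archive_unchanged"], base[archived] = check(archived, base[archived], active=False)

        # Normal append to the live log -> appended (no alert)
        with open(active, "ab") as f:
            f.write(b"Aug 23 10:01:00 host sshd[102]: Accepted publickey for bob\n")
        results["active_append"], base[active] = check(active, base[active], active=True)

        # Same-length edit of an existing record in the live log -> modified
        with open(active, "rb") as f:
            data = f.read()
        with open(active, "wb") as f:
            f.write(data.replace(b"Failed password", b"Accept password"))
        results["active_edit"], base[active] = check(active, base[active], active=True)

        # Truncation of the live log (records removed) -> modified
        with open(active, "wb") as f:
            f.writelines(records[:1])
        results["active_truncate"], base[active] = check(active, base[active], active=True)

        # Growth of a rotated file is not allowed -> modified
        with open(archived, "ab") as f:
            f.write(b"Aug 23 10:02:00 host sshd[103]: unexpected extra line\n")
        results["archive_append"], base[archived] = check(archived, base[archived], active=False)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18s} {verdict}")
```

The demo re-baselines after every check so each scenario starts from a known state; a real monitor would raise an alert on "modified" and keep the old baseline until someone has looked at it. The baseline store itself must live off the monitored host (or at least outside the write permissions of the logging account), otherwise whoever can rewrite the log can rewrite the checksums too, and the check only sees the state at each run, so the run interval bounds how long a change can go unnoticed.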


Mestizo said...

It's the last part of that which causes the confusion for me: (although new data being added should not cause an alert).

In my mind, I interpret that as integrity monitoring SHOULD be done on current log files, but SHOULD NOT generate an alert.

My point is that the spec is vague in many areas and should be rewritten or clarified.

The argument of "Use the spirit, not the letter" is only good until I spend thousands of dollars for a failed PCI audit because the Auditor was not interpreting the Spec in the same "spirit" as I was.

Things of this nature should be specifically spelled out and carefully worded. Leaving them open to interpretation can and will cause problems. This is especially concerning when Govt Agencies (Texas) start adapting this Spec as State Law.

Anton Chuvakin said...

>The argument of "Use the
>spirit, not the letter" is
>only good until I spend
>thousands of dollars for a
>failed PCI audit because the
>Auditor was not interpreting
>the Spec in the same "spirit"
>as I was.

Well, this is indeed very true! Sadly true, in fact. This highlights the places where neither "the letter" nor "the spirit" work... More details OR a good rapport with your auditors are needed...

Dr Anton Chuvakin