Monday, February 11, 2008

MUST-DO Logging for PCI?

Somebody asked me a few days ago: EXACTLY what logging MUST we absolutely do for PCI DSS compliance? Since this is a common question, I am broadcasting it here.

The honest answer to the above question is that there is no list of what EXACTLY you MUST be logging due to PCI or, pretty much, any other recent "compliance thingy" (even though, as we all know, PCI DSS rules are more specific than most others). However, the above does NOT mean that you CAN log nothing.

Is this bizarre or what? Yes, it is :-)

But that is exactly why vendors and consultants tell you what you SHOULD be logging. There is no easy "MUST-log-this" list; it is pretty much up to the individual auditor, consultant, vendor, engineer, etc. to interpret (again, not simply 'read', but interpret!) the PCI DSS guidance (e.g. Requirement 10, which is dedicated to logging) in your own environment.

Our field engineers do interpret it for our log management platform customers; I provided an interpretation in my PCI book, etc. But there is still no MUST list, just the following route:

PCI DSS guidance -> consultant, vendor engineer, etc -> your very own logging recommendations.

A few folks wondered: why not ask the auditor? Well, these critters :-) will tell you whether "yours is OK" or "OMG, no!", but will not write your logging policy for you. With them, the best approach is: define your logging policy, then show it to the auditor; if they are happy, now you know what you MUST do.

As a final word: I still dislike the above compliance-induced daze as much as the next guy. I much prefer that people think about what they want from their logs and how they need to use them, and then log that!

UPDATE: here are some useful pointers on PCI logging as well, which I mentioned on this blog before.

UPDATE2: really insightful follow-up from Martin here.


Dr Anton Chuvakin