Wednesday, August 08, 2007

PCI Shortcomings

Often times I run across security recommendation from security individuals that plainly have no operational experience. While in theory they sound good, they don't really work from an operational standpoint. Much to my dismay, it appears that these same sort of individuals played a large role in composing the PCI DSS 1.1 spec.

There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I am finding this item difficult to truly get my hands around. I am find with using a tool like trip wire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended too. The premise of file integrity tools is to notify of changes to that file, regardless of whether its an addition or subtraction. Continual appending of an active log file, means that the file is constantly changing. If file integrity monitoring is configured not to alert on the new data being added, how can it alert on data be subtracted?

For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?

Short of spending extremely large sums of money on extravagant appliance solutions such as loglogic, how are others addressing this requirement?

5 Comments:

Blogger Rob said...

Hey Mestizo,

My company makes a solution specifically for addressing this issue. It was developed with exactly this in mind. If you'd like to drop me a mail, I'd be happy to set something up.

Rob.

Wednesday, August 08, 2007 2:02:00 PM  
Blogger Rob said...

I won't try to sell you anything you don't need either by the way.

I'm a product manager, not a salesman.

Rob Newby.

Wednesday, August 08, 2007 3:58:00 PM  
Anonymous Anonymous said...

I interpret this requirement not to apply to logfiles currently being generated but old logfiles that should not change for any reason.

If you configure logging to create a new logfile every X hours, generate the checksum, you should be in good shape.

Monday, August 13, 2007 12:03:00 PM  
Anonymous Anonymous said...

howdy.

You only need to generate the checksum of the archived logs, nothing else. I know of at least one open source tool that does that (AFAIK):

http://ossec.net

http://www.ossec.net/wiki/index.php/Know_How:LogSign

-b

Thursday, August 23, 2007 10:36:00 PM  
Anonymous pci compliance said...

I've just came across to your blog.
Helpful blog!
Cheers..:-)

Sunday, June 28, 2009 11:06:00 PM  

Post a Comment

Links to this post:

Create a Link

<< Home