Prevent Unauthorized Modifications

PCI Requirement 10.5.3 asks organizations to promptly back up audit trail files to a centralized log server or media that is difficult to alter. The purpose of PCI Requirement 10.5.3 is to support PCI Requirement 10.5 and prevent unauthorized modifications to audit trail files. The PCI DSS guidance also explains, “Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised.”

PCI Requirement 10.5.3 says that you should promptly back up logs to a central logging server or other media that is difficult to alter. What’s interesting here is what is meant by “promptly.” From an assessment perspective, we’re looking to make sure that you are backing up those logs as close to real time as possible, and that the destination is a central logging server or other media that is difficult to alter. That might mean writing them to tape, to a WORM (write-once, read-many) drive, or to write-once optical media such as a CD. The intent behind all of these is the same: once a log entry exists, a copy of it lives somewhere that the system that generated it (and anyone who compromises that system) cannot modify.

Unauthorized vs. Authorized Modifications

PCI Requirement 10.5.2 requires organizations to protect audit trail files from unauthorized modifications. What would an unauthorized modification look like? Audit trails are the record of what actually happened on critical systems, so malicious individuals will often seek to modify them to hide their actions. What would an authorized modification look like? If an approved individual in an organization finds unencrypted cardholder data or Social Security numbers in a log, they may need to modify the log to redact or otherwise protect that sensitive data, and that change should go through a documented approval process.

During an assessment for PCI Requirement 10.5.2, an assessor may look for situations in which an individual would need to modify an audit trail file, examine the access controls, and review the modification approval process. What the assessor really wants to verify is that those who should not have access to audit trail files actually do not.

However and wherever you store your logs, you need to protect audit trail files from unauthorized modification. There may be situations where you legitimately need to modify logs, such as when you find unencrypted cardholder data or Social Security numbers in them; there is a plethora of scenarios in which sensitive data can land in a log and need to be cleaned up. Even so, PCI Requirement 10.5.2 requires that you protect those logs from unauthorized modification. Your assessor will look at the situations in which you might need to modify logs and at how that approval process takes place, and will check the access controls to make sure that individuals who should not have access to the logs actually do not. We will also make sure that the logs are appropriately backed up and that you are pulling the logs that reside out in the DMZ into your internal environment (the subject of PCI Requirement 10.5.4), so that someone who gets into the DMZ, such as Hacker Joe, cannot modify those logs to hide his tracks. You need to secure the logs as soon as they have been created.

Policy of Least Privileges

Protection of audit trails requires strong access controls; once again, the policy of least privileges comes into play. Audit trails contain sensitive information that only some members of an organization should have access to. This is why PCI Requirement 10.5.1 requires organizations to limit viewing of audit trails to those with a job-related need.

It’s important to note that the PCI DSS doesn’t state that only administrators or those with elevated privileges can view audit trails; any individual who has a business need may be granted access to them, and everyone else must be prevented from viewing them. During an assessment, an assessor will want to see that your organization implements controls to limit viewing of audit trails to those with a job-related need.

This begins with PCI Requirement 10.5.1, and once again comes back to that policy of least privileges: if someone doesn’t need access, they shouldn’t be given access. A lot of sensitive information can reside within log material, so PCI Requirement 10.5.1 says that only individuals with a job-related need should be able to view those logs. Notice that PCI Requirement 10.5.1 does not say that only administrators can view these logs; any individual with a business need may view them, but all other individuals must be prohibited from doing so.

Protecting the Integrity of Audit Trails

Now that you’ve complied with the other PCI Requirement 10 sub-requirements and have established audit trails, that information needs to be secured. Audit trails are the authoritative record of events and incidents, so malicious individuals will often seek to alter them to hide their actions. PCI Requirement 10.5 requires that you secure audit trails so they cannot be altered. Your organization must protect the completeness, accuracy, and integrity of audit trails.

To meet PCI Requirement 10.5, organizations must limit viewing of audit trails to those with a job-related need (10.5.1), protect audit trail files from unauthorized modifications (10.5.2), promptly back up audit trail files to a centralized log server or media that is difficult to alter (10.5.3), write logs for external-facing technologies onto a secure, centralized, internal log server or media device (10.5.4), and use file-integrity monitoring or change-detection software on logs so that existing log data cannot be changed without generating alerts (10.5.5).

Now that we have all of this log material created, it contains all of the information we’ve looked for, and it’s logging all of the correct events, we want to make sure that individuals with malicious intent, or even someone acting by accident, cannot modify these logs in an unauthorized way. There are several requirements that get called out about how we would do that.
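The three ideas the 10.5 sub-requirements lean on (a log that cannot be quietly edited, a copy shipped promptly to somewhere the generating host cannot reach, and change detection that flags unauthorized modification while still allowing an approved redaction) can be shown in a few dozen lines. The following is an added example, not code from the page or from the PCI SSC: a hash-chained, append-only audit trail. Every entry carries the SHA-256 of the previous entry, so altering or deleting any earlier record breaks every link after it, and the latest hash (the chain head) is the small value you would promptly copy to the central log server or WORM media. The record fields, timestamps, usernames and the sample PAN are constructed for this example.

```python
"""Tamper-evident audit trail as a hash chain (added example; not code from
the page or from the PCI SSC).

Each entry stores the SHA-256 of the previous entry, so altering or deleting
any earlier record breaks every link after it.  The latest hash (the chain
head) is what you would promptly ship to a central log server or WORM media:
a verifier holding that copy can detect even a full rewrite of the log on a
compromised host.  All records and field names below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list, record: dict) -> str:
    """Append a record to the (in-memory) log and return the new chain head."""
    prev = json.loads(log[-1])["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    log.append(json.dumps(entry, sort_keys=True))
    return entry["hash"]


def head(log: list) -> str:
    return json.loads(log[-1])["hash"] if log else GENESIS


def verify(log: list, trusted_head=None):
    """Return (ok, index).  index is the first broken entry; it is len(log)
    when the chain is internally consistent but its head no longer matches
    the copy held by the central server (tail truncation or a full rewrite);
    it is None when everything checks out."""
    prev = GENESIS
    for i, line in enumerate(log):
        entry = json.loads(line)
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)
    return True, None


def redact(log: list, index: int, field: str, mask: str = "[REDACTED]") -> str:
    """Authorized modification: mask one field, then re-link every later entry.
    The returned head differs from the one on the central server, so the
    change is visible and must be re-registered through the approval process;
    it cannot be slipped in unnoticed."""
    prev = json.loads(log[index])["prev"]
    for i in range(index, len(log)):
        entry = json.loads(log[i])
        if i == index:
            entry["record"][field] = mask
        entry["prev"] = prev
        entry["hash"] = _digest(prev, entry["record"])
        log[i] = json.dumps(entry, sort_keys=True)
        prev = entry["hash"]
    return prev


def demo():
    log = []
    for rec in (  # constructed sample events
        {"ts": "2024-05-01T10:00:01Z", "user": "jdoe", "event": "login", "result": "success"},
        {"ts": "2024-05-01T10:00:07Z", "user": "jdoe", "event": "query",
         "detail": "card=4111111111111111"},  # unencrypted PAN leaked into the log
        {"ts": "2024-05-01T10:02:44Z", "user": "root", "event": "sudo", "result": "success"},
    ):
        append(log, rec)
    shipped = head(log)  # the copy of the chain head held by the central log server
    results = {"clean": verify(log, shipped)}

    # Hacker Joe edits the middle entry in place and recomputes only its own hash:
    # the next entry's "prev" no longer matches, so verification fails at index 2.
    tampered = list(log)
    e = json.loads(tampered[1])
    e["record"]["user"] = "nobody"
    e["hash"] = _digest(e["prev"], e["record"])
    tampered[1] = json.dumps(e, sort_keys=True)
    results["edited"] = verify(tampered, shipped)

    # He deletes the last entry instead: the file is internally consistent and
    # only the central copy of the head gives him away.
    results["truncated"] = verify(log[:2], shipped)

    # Authorized redaction of the leaked PAN: detectable against the old head,
    # clean against the new head once it has been re-registered centrally.
    new_head = redact(log, 1, "detail")
    results["redacted_vs_old"] = verify(log, shipped)
    results["redacted_vs_new"] = verify(log, new_head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:16} ok={ok} first_bad={idx}")
```

The chain only proves that nothing changed after the head was recorded, which is exactly why 10.5.3 says “promptly”: the head (or the entries themselves) must leave the generating host before an attacker with root on it can rewrite the whole file and recompute every hash. In production the central copy is the log server or WORM media, and the comparison in `verify` is the job of your file-integrity monitoring or change-detection tooling (10.5.5).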

Industry-Accepted Time Sources

To ensure that critical system clocks and time are consistent and correct, PCI Requirement 10.4.3 requires that time settings are received from industry-accepted time sources. This could be something like the U.S. Navy (U.S. Naval Observatory) NTP servers, NASA, Google, or other organizations that derive their time from GPS for time synchronization.

The testing procedures for PCI Requirement 10.4.3 require assessors to examine system configurations to verify that the time servers accept time updates from specific, industry-accepted sources. The PCI DSS guidance also states, “Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).”

PCI Requirement 10.4.3 requires that you use industry-accepted time servers for time management. Examples include the U.S. Navy NTP servers, NASA’s servers, and Google’s public NTP servers, as well as other organizations that use GPS for time synchronization. The requirement doesn’t define exactly which entities qualify, as long as the time servers and time syncs you are using are industry accepted.
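What an assessor examining system configurations for 10.4.3 would want to see, including the optional symmetric-key authentication and IP-based access control list that the guidance describes, looks like the following on an internal time server running the reference ntpd. This is an added example, not configuration from the page or from the PCI SSC; the network ranges, the internal hostname and the key id are placeholders you would replace with your own.

```conf
# /etc/ntp.conf on an internal time server (ntpd syntax). Added example;
# addresses, hostnames and the key id are placeholders, not values from the page.

# Refuse everything by default, then open up only what is needed.
restrict -4 default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1

# Industry-accepted upstream sources (U.S. Naval Observatory). "restrict source"
# grants each configured server just enough access for its replies to be used.
server tick.usno.navy.mil iburst
server tock.usno.navy.mil iburst
restrict source nomodify notrap nopeer noquery

# Access control list: only CDE (10.10.0.0/16) and DMZ (192.0.2.0/24, placeholder)
# hosts may request time, and they may not modify this server, set traps,
# peer with it or query its internal state.
restrict 10.10.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Symmetric key so clients can authenticate this server's responses.
# /etc/ntp.keys holds one line per key, e.g. "1 SHA1 <40 hex characters>",
# and only ids listed in trustedkey are usable.
keys /etc/ntp.keys
trustedkey 1

# Client side (/etc/ntp.conf on a CDE host, same placeholder names): trust only
# the internal server and require its replies to be authenticated with key 1.
#   server ntp1.cde.example iburst key 1
#   keys /etc/ntp.keys
#   trustedkey 1
#   restrict -4 default ignore
#   restrict -6 default ignore
#   restrict source nomodify notrap nopeer noquery
```

Two things to check before calling this done: `ntpq -p` on a client should show the internal server with a reach of 377 and an authentication state of `ok` (`ntpq -c as`), and a query from an address outside the allowed ranges should get no answer at all, which is what `restrict default ignore` buys you over the more common `nomodify noquery` posture that still serves time to anyone.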