What is a System-Level Object?

PCI Requirement 10.2.7 requires that audit trails can reconstruct the creation and deletion of system-level objects. The PCI SSC defines a system-level object as anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components. Malware often creates or replaces system-level objects on the target system in order to control a specific function on that system. The purpose of PCI Requirement 10.2.7 is to make it easier to determine whether such modifications to system-level objects were made and whether they were approved.

During an assessment, an assessor may ask an individual to create or delete a folder, then verify that the event was logged. This ensures that the organization is logging the creation and deletion of system-level objects.

PCI Requirement 10.2.7 requires that anytime a system-level object is created or deleted, that particular event should be logged. A lot of times, what we do as assessors is ask an individual to create a file or folder, delete it, and then look at the logs to see that it’s there. Your assessor might have different ways of assessing PCI Requirement 10.2.7, but at the end of the day, when a system-level object is created or deleted, there needs to be a log of that.

What Does the Initialization, Stopping, or Pausing of Audit Logs Indicate?

Stopping or pausing audit logs prior to performing malicious activities is a common practice for users hoping to avoid detection, and initialization of audit logs could indicate that the log function was disabled by a user. This is why PCI Requirement 10.2.6 requires that audit trails can reconstruct the initialization, stopping, or pausing of audit logs.

To demonstrate compliance with PCI Requirement 10.2.6, an organization will show an assessor evidence of audit logs for the initialization, stopping, or pausing of audit logs.

The next requirement around logging is that anytime the operating system or an application stops the logging or the logs, or the logging mechanism starts, we need to see a log of that. The reason for that can be understood from a hacker’s perspective. If Hacker Joe was in your environment, one of the things that he’s going to try to do is to hide his actions by shutting off the logs. So once again, anytime that the logs are stopped or the logs are starting, we’re going to look to see that the event is logged.

What is PCI Requirement 10.2.5?

PCI Requirement 10.2.5 requires that organizations implement automated audit trails to reconstruct the use of and changes to identification and authentication mechanisms — including but not limited to creation of new accounts and elevation of privileges — and all changes, additions, or deletions to accounts with root or administrative privileges. The guidance on PCI Requirement 10.2.5 explains that without knowing which users were logged on at the time of an incident, it is impossible to identify which accounts may have been used.

To verify compliance with PCI Requirement 10.2.5, an assessor will observe the use of and changes to identification and authentication mechanisms and logs of accounts with root or administrative privileges.

Anytime anybody uses an authentication mechanism or tool, we need to see a log of that. Whether that be an application, VPN, or logging into a local workstation, we need to see a log of that. Anytime anybody attempts to authenticate, whether it’s successful or not, we need to see a log of that event.

Is There a Log of That?

Invalid logical access attempts are often an indication of a malicious user attempting to access something they don’t have permission to. This is why PCI Requirement 10.2.4 requires that organizations implement automated audit trails to reconstruct invalid logical access attempts. Misspell your password? There should be a log of that. Someone tries to view a file that they don’t have permission to? There should be a log of that. A user tries to exercise a permission they do not have? There should be a log of that. Anytime there are invalid logical access attempts, there should be a log of that.

Video Transcript

PCI Requirement 10.2.4 is often misunderstood. What it calls out is that any invalid logical access attempt gets logged. For example, if somebody logs into an operating system and they happen to fat-finger it, we get a log of it. What about when there’s a file sitting out on a repository somewhere and this individual doesn’t have the rights to view that file, and they try to anyway? That should create a log. What about when you have an application that might have specific permissions that are not allocated to a user and that user tries to execute those permissions? In these situations, we look to see that logs are being generated. Once again, when somebody performs this type of activity or when somebody executes or tries to attempt to access something that they don’t have permission to access, that should create a log.

Examine Audit Trails

PCI Requirement 10.2.3 requires that organizations implement automated audit trails to reconstruct access to audit trails. What’s the purpose of this? Guidance for PCI Requirement 10.2.3 states, “Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel.”

From an assessment perspective, an assessor will need to interview responsible personnel and examine audit trails to ensure that access to all audit trails is logged.

Video Transcript

If somebody accesses the audit logs, whether the logs are stored in a native file or reside on some type of central logging server (some type of CLS), that access needs to create a log. Anytime anyone accesses logs, that should create a log. From an assessment perspective, we’re going to ask to see logs from when somebody has accessed these.
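The five requirements above (10.2.3 through 10.2.7) all reduce to the same assessor question: for each class of event, is there a log of that? The script below is an example added here; it is not part of the original post or of any PCI SSC material. It runs a small classifier over constructed log lines (a simplified key=value syslog style invented for the example, not a real auditd or Windows Security format) and reports which requirements have evidence and which have none. The directory prefixes treated as system-level objects and as audit trails, the action names, and the list of authentication sources are all assumptions made for the example; in a real deployment they would be mapped onto the fields of the actual operating system, database and application logs.

```python
"""Classify constructed audit-log lines against PCI DSS 10.2.3 - 10.2.7.

Example code added for illustration; the log format, prefixes and action
names below are assumptions for the example, not a real log schema.
"""
import re

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 audit: service=auditd action=start
2024-03-01T09:05:12Z host1 sshd: user=alice result=failure reason=bad_password src=10.0.0.5
2024-03-01T09:05:20Z host1 sshd: user=alice result=success src=10.0.0.5
2024-03-01T09:07:00Z host1 useradd: user=alice action=create_account target=svc_backup
2024-03-01T09:08:30Z host1 usermod: user=alice action=add_to_group group=wheel target=svc_backup
2024-03-01T09:10:00Z host1 fs: user=svc_backup action=create path=/etc/app/config.yml
2024-03-01T09:11:45Z host1 fs: user=svc_backup action=delete path=/usr/lib/libpayment.so
2024-03-01T09:12:00Z host1 fs: user=bob action=read path=/var/log/audit/audit.log result=denied
2024-03-01T09:13:00Z host1 fs: user=alice action=read path=/var/log/audit/audit.log result=success
2024-03-01T09:20:00Z host1 audit: service=auditd action=stop
"""

# Assumed locations of system-level objects (10.2.7); tune per platform.
SYSTEM_OBJECT_PREFIXES = ("/etc/", "/usr/lib/", "/usr/bin/", "/usr/sbin/", "/lib/", "/opt/app/")
# Assumed location of the audit trails themselves (10.2.3).
AUDIT_TRAIL_PREFIXES = ("/var/log/audit/",)
# Assumed account/privilege change actions (10.2.5).
ACCOUNT_CHANGE_ACTIONS = {"create_account", "delete_account", "add_to_group", "remove_from_group", "elevate"}
# Assumed sources whose records represent use of an authentication mechanism (10.2.5).
AUTH_SOURCES = {"sshd", "login", "vpn", "app_auth"}

REQUIREMENTS = ("10.2.3", "10.2.4", "10.2.5", "10.2.6", "10.2.7")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<fields>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "source": m.group("source")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify(event):
    """Return the set of requirement IDs for which this event is evidence."""
    reqs = set()
    source = event["source"]
    action = event.get("action", "")
    path = event.get("path", "")
    result = event.get("result", "")
    # 10.2.3: any access to the audit trail itself, whether it succeeded or was denied.
    if path.startswith(AUDIT_TRAIL_PREFIXES):
        reqs.add("10.2.3")
    # 10.2.4: invalid logical access attempts (failed logins, denied reads, ...).
    if result in ("failure", "denied"):
        reqs.add("10.2.4")
    # 10.2.5: use of an authentication mechanism (success or not) or a change to accounts/privileges.
    if source in AUTH_SOURCES and result:
        reqs.add("10.2.5")
    if action in ACCOUNT_CHANGE_ACTIONS:
        reqs.add("10.2.5")
    # 10.2.6: the audit service itself starting, stopping or pausing.
    if source == "audit" and action in ("start", "stop", "pause"):
        reqs.add("10.2.6")
    # 10.2.7: creation or deletion of a system-level object; /tmp scratch files do not count.
    if action in ("create", "delete") and path.startswith(SYSTEM_OBJECT_PREFIXES):
        reqs.add("10.2.7")
    return reqs


def evidence_by_requirement(log_text):
    """Map each requirement to the list of events that evidence it, in requirement order."""
    evidence = {req: [] for req in REQUIREMENTS}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for req in classify(event):
            evidence[req].append(event)
    return evidence


def missing_evidence(log_text):
    """Requirements with no event at all in the log: the assessor's 'is there a log of that?'."""
    evidence = evidence_by_requirement(log_text)
    return [req for req in REQUIREMENTS if not evidence[req]]


if __name__ == "__main__":
    for req, events in evidence_by_requirement(SAMPLE_LOG).items():
        print(f"{req}: {len(events)} event(s)")
    print("no evidence for:", missing_evidence(SAMPLE_LOG) or "nothing; all five are covered")
```

The useful output is the missing_evidence list: a log set that shows authentication traffic but never shows the audit service starting or stopping, or never shows a file under a system directory being created or deleted, is exactly the gap an assessor will probe by asking someone to create and delete a folder or to restart the logging service and then looking for the record.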