What Does the Initialization, Stopping, or Pausing of Audit Logs Indicate?
Stopping or pausing audit logs prior to performing malicious activities is a common practice for users hoping to avoid detection, and initialization of audit logs could indicate that the log function was disabled by a user. This is why PCI Requirement 10.2.6 requires that audit trails can reconstruct the initialization, stopping, or pausing of audit logs.
To demonstrate compliance with PCI Requirement 10.2.6, an organization will show an assessor evidence of audit logs for the initialization, stopping, or pausing of audit logs.
The next requirement around logging is that any time the operating system or an application stops the logging or the logs, or the logging mechanism starts, we need to see a log of that event. The reason for that can be understood from a hacker’s perspective. If Hacker Joe was in your environment, one of the things he is going to try to do is hide his actions by shutting off the logs. So once again, any time the logs are stopped or the logs are starting, we’re going to look to see that that particular event is logged.
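As an added example (not part of the original article, and not an assessor's tool), the following Python script shows the kind of check a reviewer or a log-monitoring rule can run to find the events that Requirement 10.2.6 asks for: the audit facility itself starting, stopping, or being cleared or reconfigured. It looks at two record families, Linux auditd daemon records (type=DAEMON_START, DAEMON_END, DAEMON_ABORT, DAEMON_CONFIG, DAEMON_RESUME) and Windows Security event IDs 1100 (event logging service shut down), 1102 (audit log cleared) and 4719 (system audit policy changed). The sample log lines, the single-line Windows format ("Channel=... EventID=...") and the function names are constructed here for illustration; a real deployment would read from the SIEM or log collector instead.

```python
"""Find initialization / stopping / pausing of audit logging in sample logs.

Added example, not code from the page or from any PCI tool. The log lines
below are constructed; the Windows lines use a simplified one-line layout
(assumption) rather than the native EVTX/XML form.
"""
import re
from typing import Dict, List

# Linux auditd daemon record types that mark the lifecycle of the audit service.
AUDITD_LIFECYCLE: Dict[str, str] = {
    "DAEMON_START": "audit log initialized",
    "DAEMON_END": "audit log stopped",
    "DAEMON_ABORT": "audit log stopped abnormally",
    "DAEMON_CONFIG": "audit daemon configuration changed",
    "DAEMON_RESUME": "audit log resumed",
}

# Windows Security log event IDs that mark the audit facility starting,
# stopping, being cleared or being reconfigured.
WINDOWS_LIFECYCLE: Dict[int, str] = {
    1100: "event logging service shut down",
    1102: "audit log cleared",
    4719: "system audit policy changed",
}

# auditd records start with "type=<RECORD> msg=audit(<epoch>.<ms>:<serial>)"
AUDITD_RE = re.compile(r"^type=(?P<rtype>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):\d+\)")
# Constructed Windows layout: "Channel=Security EventID=<id> Computer=<host> User=<user>"
WINDOWS_RE = re.compile(r"Channel=Security\b.*\bEventID=(?P<eid>\d+)")

# Constructed sample input: two auditd lifecycle records, one ordinary
# syscall record, one ordinary logon and two Windows lifecycle events.
SAMPLE_LOGS: List[str] = [
    "type=DAEMON_START msg=audit(1700000000.001:1): op=start ver=3.0 format=enriched "
    "kernel=6.1.0 auid=4294967295 pid=812 uid=0 ses=4294967295 res=success",
    "type=SYSCALL msg=audit(1700000100.123:200): arch=c000003e syscall=59 success=yes "
    "exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 comm=\"ls\" exe=\"/usr/bin/ls\"",
    "type=DAEMON_END msg=audit(1700000200.500:300): op=terminate auid=1000 pid=812 "
    "uid=0 ses=7 res=success",
    "Channel=Security EventID=4624 Computer=WS01 User=joe",
    "Channel=Security EventID=1102 Computer=WS01 User=joe",
    "Channel=Security EventID=1100 Computer=WS01 User=SYSTEM",
]


def detect_audit_lifecycle(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that records the audit facility itself
    starting, stopping, pausing/resuming, being cleared or reconfigured.

    Each finding carries the 1-based line number, the log source, the
    human-readable reason and the raw line for evidence collection.
    """
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        m = AUDITD_RE.match(line)
        if m and m.group("rtype") in AUDITD_LIFECYCLE:
            findings.append({
                "line": number,
                "source": "auditd",
                "timestamp": float(m.group("ts")),
                "reason": AUDITD_LIFECYCLE[m.group("rtype")],
                "raw": line,
            })
            continue
        w = WINDOWS_RE.search(line)
        if w and int(w.group("eid")) in WINDOWS_LIFECYCLE:
            findings.append({
                "line": number,
                "source": "windows-security",
                "timestamp": None,  # the constructed layout carries no timestamp
                "reason": WINDOWS_LIFECYCLE[int(w.group("eid"))],
                "raw": line,
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per reason; a quick view for the evidence package."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["reason"])] = counts.get(str(f["reason"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_audit_lifecycle(SAMPLE_LOGS):
        print(f"line {f['line']:>2} [{f['source']}] {f['reason']}")
    print(summarize(detect_audit_lifecycle(SAMPLE_LOGS)))
```

The point of the check is the pairing the requirement describes: every DAEMON_END / DAEMON_ABORT or Windows 1100 should be followed by a matching DAEMON_START, and a 1102 (log cleared) or 4719 (policy changed) by a ticket or change record that explains it. A stop with no corresponding start, or a clear during a window when no maintenance was scheduled, is exactly the gap an assessor will ask about and the signal a monitoring rule should alert on.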