What is a System-Level Object?
PCI Requirement 10.2.7 requires that audit trails can reconstruct the creation and deletion of system-level objects. The PCI SSC defines a system-level object as anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components. Malware often creates or replaces system-level objects on the target system in order to control a specific function on that system. The purpose of PCI Requirement 10.2.7 is to make it easier to determine whether those modifications have been made and approved to system-level objects.
During an assessment, an assessor may ask an individual to create or delete a folder, then verify if that event was logged. This ensures that the organization is logging the creation and deletion of system-level objects.
PCI Requirement 10.2.7 requires that anytime a system-level object is created or deleted, that particular event should be logged. A lot of times, what we do as assessors, is ask an individual to create a file or folder, delete the folder, and then we look at the logs to see that it’s there. Your assessor might have different ways of assessing the PCI Requirement 10.2.7, but at the end of the day, when a system-level object is created or deleted, there needs to be a log of that.