PCI Requirement 10.5.5 – Use File-Integrity Monitoring or Change-Detection Software on Logs to Ensure that Existing Log Data Cannot be Changed Without Generating Alerts
PCI Requirement 10.5.5 requires organizations to use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). The PCI DSS guidance explains that file-integrity monitoring or change-detection systems check for changes to critical files and provide notification when such changes are noted. Organizations usually monitor files that don’t regularly change, but when they do change, indicate a possible compromise.
You should expect an assessor to spend time examining how your organization logs, where you log, and what your logging methodologies are.
There’s a couple places within the PCI Requirements that calls out the need for using file-integrity monitoring, and PCI Requirement 10.5.5 is one of them. PCI Requirement 10.5.5 says that where you have all of these logs being generated, we need to make sure that we are reviewing these logs with a file-integrity monitoring solution or something that has the ability to determine whether or not these logs have been modified. What we look for from an assessor perspective is that you have a file-integrity monitoring system, or other systems available, and that all logs that are being generated are being monitored. If you have a central logging server, it gets pretty hard to put a file-integrity monitoring solution on the file-integrity monitoring database, but there’s a lot of times that you might have a Linux system and you’re writing your logs out to the VAR log file. The assessor should expect to spend some time with you talking about your logging methodologies, how are you logging, and where they are getting the logging to. Assessors will then spend some time with the individuals that are managing your file-integrity monitoring solution, making sure that those particular logs are being monitored such that if those logs have been modified, somebody gets notified of that event at least weekly.