PCI DSS has had specific requirements for logging, and for the review of those logs, for some time now. The logging requirements (under Requirement 10) have a primary objective of supporting forensics in the event of a breach of cardholder data. I believe it is fair to say that PCI DSS has played a large role in bringing the topic of log management into the limelight, in effect creating an assured market for the several vendors vying for a piece of the PCI business out there.
While most log management vendor solutions are feature-rich and support quick deployments (normally a selling point one hears from most vendors), I believe PCI merchants and service providers should take that with a grain of salt. Granted, most vendor solutions have features for effective log parsing, normalization, reporting, alerting and so on. But as anyone who has worked on PCI DSS (or, for that matter, on any log management or SIEM deployment) would attest, an effective deployment requires deliberate planning and groundwork. In my view the most critical step for an effective log management solution (and most certainly one focused on PCI DSS compliance) is the very first step, log generation (see NIST SP 800-92, Guide to Computer Security Log Management, for the log management process as a whole). After all, you can only manage and analyze logs once you have generated them and, more importantly from a PCI DSS standpoint, generated all the right logs. On Windows that is not the default state: the object access events in particular are only written when the relevant audit subcategory is enabled and the folder or registry key carries a SACL that names the access to audit.
To illustrate the point, below is a partial suggested list of events you might want to log on Windows and Active Directory. One really cannot overemphasize the need for the various system administrators to work closely with the PCI readiness team to make this happen. I have also included sample mappings to PCI DSS requirements, which you can use to demonstrate due diligence to your QSA. Event IDs marked with a question mark are not yet confirmed.
I hope you find this information useful, and I welcome your comments!
| # | Event description | Windows event ID (Vista / Windows Server 2008) | PCI DSS v1.2.1 requirements |
|---|---|---|---|
| | Logon events | | |
| 1 | Successful logon, privileged users only | 4624 | 6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2 |
| 2 | Logoff, privileged users only | 4634 | 6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2 |
| 3 | Failed logon attempts, all users | 4625 | 6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2 |
| 4 | Account lockouts, all users | 4740 | 8.5.13, 10.2.4 |
| 5 | Account lockout release, all users | 4767 | 8.5.13, 10.2.2, 10.2.4 |
| 6 | Privilege escalation through "Run as" | ? | 10.1, 10.2.1, 10.2.2 |
| | Object access events | | |
| 7 | All access to folders containing cardholder data | 4656, 4663 | 10.2.1 |
| 8 | Changes to access privileges on folders containing cardholder data | 4670 | 10.2.1, 10.2.2 |
| 9 | Changes to ownership of folders containing cardholder data ("Take Ownership") | 4670 | 10.2.1, 10.2.2 |
| 10 | All access to files containing cardholder data | 4663, ? | 10.2.1 |
| 11 | Changes to access privileges on files containing cardholder data | 4670 | 10.2.1 |
| 12 | Changes to ownership of files containing cardholder data ("Take Ownership") | 4670 | 10.2.1, 10.2.2 |
| 13 | Creation or deletion of files in folders containing cardholder data | 4660, 4663 (Delete) | 10.2.1 |
| 14 | Access to (read, modify or delete) Security event logs by anyone other than the Windows system or the account used for log collection by the log management solution | ? | 10.2.2, 10.2.3, 10.2.6, 10.2.7, 10.5 |
| 15 | Changes to %SYSTEMROOT%\SYSTEM32 folder contents (system-level object) | 4663, 4660 | 10.2.7 |
| 16 | A registry value was modified (system-level object) | 4657 | 10.2.7 |
| | Account management | | |
| 17 | User account created | 4720 | 7.1.4, 8.1, 8.5.1, 10.2.2 |
| 18 | User account enabled | 4722 | 7.1.4, 8.1, 8.5.1, 8.5.6, 10.2.2 |
| 19 | Password change/reset attempted | 4723 (change), 4724 (reset) | 8.5.3, 8.5.9 |
| 20 | Account password set | 4738 (?) | 8.5.3, 8.5.9 |
| 21 | User account disabled | 4725 | 6.3.3, 7.1.4, 8.1, 8.5.1, 8.5.4, 8.5.5, 10.2.2 |
| 22 | User account deleted | 4726 | 6.3.3, 7.1.4, 8.1, 8.5.1, 8.5.4, 8.5.5, 10.2.2 |
| 23 | User account changed | 4738 | 6.3.3, 7.1.4, 8.1, 8.5.1, 10.2.2 |
| 24 | Security group created | 4727 (global group), 4731 (local group) | 6.3.3, 7.1.1, 7.1.4, 10.2.2 |
| 25 | Security group member added | 4728 (global group), 4732 (local group) | 6.3.3, 7.1.2, 10.2.2 |
| 26 | Security group member removed | 4729 (global group), 4733 (local group) | 6.3.3, 7.1.4, 8.1, 8.5.1, 8.5.4, 8.5.5, 10.2.2 |
| 27 | Security group deleted | 4730 (global group), 4734 (local group) | 6.3.3, 7.1.4, 8.1, 8.5.1, 8.5.4, 8.5.5, 10.2.2 |
| | Directory service access events | | |
| 28 | Creation of new group policies | ? | 10.2.2, 10.2.7 |
| 29 | Changes to group (Active Directory) or server policies | ? | 10.2.2, 10.2.7 |
| 30 | Application of group policies to a container | 6144 (?) | 10.2.2, 10.2.7 |
| | Privilege use events (failure only) for the following user groups | | |
| 31 | Server or domain administrators | 4674 (?) | 10.2.2 |
| 32 | Account Operators | 4674 (?) | 10.2.2 |
| 33 | Accounts (user, service or process) with access to cardholder data | 4674 (?) | 10.2.2 |
| | System events | | |
| 34 | Windows starting up | 4608 | 10.2.2 |
| 35 | Windows shutting down | 4609 | 10.2.2 |
| 36 | An authentication package was loaded by the Local Security Authority | 4610 | 10.2.5 |
| 37 | A trusted logon process has registered with the Local Security Authority | 4611 | 10.2.5 |
| 38 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages | 4612 | 10.2.3, 10.2.6, 10.2.7, 10.5 |
| 39 | A notification package was loaded by the Security Accounts Manager | 4614 | 10.2.5 |
| 40 | Server time out of synchronization with domain controller | 4616 (?) | 10.4 |
| | Windows updates | | |
| 41 | Windows Software Update Services, successes and failures | ? | 6.1 |
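The table says what to log; the part that usually goes wrong is making Windows actually emit those IDs and then proving that it did. The following PowerShell script is an added worked example (editor's code, not part of the original post) that enables the advanced audit policy subcategories behind the IDs in the table, puts an audit SACL on a folder assumed to hold cardholder data, and then reports which of the mapped IDs reached the Security log in the review window. The folder path D:\CHD, the 24-hour window and the one-line requirement labels are assumptions taken from the table above; run it from an elevated PowerShell on Windows Server 2008 R2 or later.

```powershell
# Added example, not code from the original post. Run elevated.
# Assumptions: D:\CHD holds cardholder data; the review window is the last 24 hours.
$ErrorActionPreference = 'Stop'
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell: auditpol and SACL changes need SeSecurityPrivilege.' }

# --- 1. Log generation: advanced audit subcategories that emit the IDs in the table ----
# The nine legacy categories in Local Security Policy are too coarse; auditpol.exe sets
# the subcategory level. Privilege use is failure-only (rows 31-33), the rest is both.
$auditPolicy = @(
    @{ Sub = 'Logon';                       S = 'enable';  F = 'enable'; Ids = '4624, 4625, 4634, 4648 (explicit credentials, e.g. runas)' }
    @{ Sub = 'User Account Management';     S = 'enable';  F = 'enable'; Ids = '4720-4726, 4738, 4740, 4767' }
    @{ Sub = 'Security Group Management';   S = 'enable';  F = 'enable'; Ids = '4727-4734' }
    @{ Sub = 'File System';                 S = 'enable';  F = 'enable'; Ids = '4656, 4660, 4663 (only where a SACL exists, step 2)' }
    @{ Sub = 'Registry';                    S = 'enable';  F = 'enable'; Ids = '4657 (only where the key carries a SACL)' }
    @{ Sub = 'Authorization Policy Change'; S = 'enable';  F = 'enable'; Ids = '4670 (also documented under File System)' }
    @{ Sub = 'Audit Policy Change';         S = 'enable';  F = 'enable'; Ids = '4719 (the audit policy itself was changed)' }
    @{ Sub = 'Sensitive Privilege Use';     S = 'disable'; F = 'enable'; Ids = '4673, 4674' }
    @{ Sub = 'Security State Change';       S = 'enable';  F = 'enable'; Ids = '4608, 4616 (also 4609, 4612)' }
    @{ Sub = 'Security System Extension';   S = 'enable';  F = 'enable'; Ids = '4610, 4611, 4614' }
)
foreach ($p in $auditPolicy) {
    & auditpol.exe /set /subcategory:"$($p.Sub)" /success:$($p.S) /failure:$($p.F) | Out-Null
    Write-Host ('{0,-28} -> {1}' -f $p.Sub, $p.Ids)
}

# --- 2. Object access is only logged where a SACL asks for it ---------------------------
# Enabling the File System subcategory alone yields nothing. Audit Everyone for the
# accesses in rows 7-13 (read, write, delete, permission and ownership changes) and let
# the ACE inherit to subfolders and files.
$chdFolder = 'D:\CHD'   # assumption
if (-not (Test-Path -Path $chdFolder)) { New-Item -ItemType Directory -Path $chdFolder | Out-Null }
$rights  = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit,
               [System.Security.AccessControl.PropagationFlags]::None, $flags)
$acl = Get-Acl -Path $chdFolder -Audit
$acl.SetAuditRule($rule)   # SetAuditRule replaces any existing Everyone audit ACE, so re-runs are idempotent
Set-Acl -Path $chdFolder -AclObject $acl

# --- 3. Did the right logs get generated? -----------------------------------------------
# Table IDs mapped to the requirement they evidence (labels are this example's shorthand).
# Get-WinEvent turns the Id list into an XPath query; keep it to about twenty IDs per
# call or chunk it, because long lists are rejected as too complex.
$pciMap = @{
    4624 = '10.2.2 privileged logon (filter by group membership or pair with 4672)'
    4625 = '10.2.4 failed logon'; 4740 = '8.5.13/10.2.4 lockout'; 4767 = '10.2.4 unlock'
    4663 = '10.2.1 CHD access'; 4660 = '10.2.1/10.2.7 delete'; 4670 = '10.2.1/10.2.2 ACL or owner change'
    4657 = '10.2.7 registry value modified'
    4720 = '8.5.1 account created'; 4725 = '8.5.4 account disabled'; 4726 = '8.5.4 account deleted'
    4723 = '8.5.9 password change'; 4724 = '8.5.3 password reset'
    4728 = '7.1.2 global group member added'; 4732 = '7.1.2 local group member added'
    4674 = '10.2.2 privileged operation failed'; 4616 = '10.4 system time changed'
}
$since  = (Get-Date).AddHours(-24)   # assumption: daily review window
$ids    = [int[]]@($pciMap.Keys)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue)
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'Id'; e = { [int]$_.Name } }, Count, @{ n = 'PCI DSS'; e = { $pciMap[[int]$_.Name] } } |
    Format-Table -AutoSize

# Mapped IDs that never appeared are the ones to chase: the subcategory or SACL above is
# not effective on this host, or the log was cleared. Security event 1102 ("The audit log
# was cleared") is the tamper signal behind row 14 and requirement 10.5.
$seen = $events | ForEach-Object { $_.Id } | Sort-Object -Unique
$pciMap.Keys | Where-Object { $seen -notcontains $_ } | Sort-Object |
    ForEach-Object { Write-Warning ('No event {0} in window ({1})' -f $_, $pciMap[$_]) }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning ('Security log was cleared at {0}' -f $_.TimeCreated) }
```

Two things to watch when you adapt this. The "privileged users only" rows cannot be expressed in the audit policy itself, since the Security log does not know which accounts are privileged; filter 4624/4634 at the collector by group membership, or use 4672 (special privileges assigned to a new logon), which Windows writes alongside an administrator's 4624. And the SACL is what makes rows 7 through 13 real: auditing Everyone for full access on a busy share can flood the log, so scope the ACE to the rights you actually need evidence for and size the Security log (or forward it) before you enable it.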