Logging for PCI DSS Compliance

PCI DSS has had specific requirements for logging and review of those logs for sometime now. The logging requirements (under Requirement 10 ) have a primary objective of supporting forensics in the event of a breach of cardholder data. I believe it is fair to say that PCI DSS has played a large role in bringing into limelight the topic of Log Management, in effect creating an assured market for several vendors who are vying for a piece of the PCI business out there.

While most Log Management vendor solutions are featured enough and support quick deployments (normally a selling point one hears from most vendors), I believe it is important for PCI merchants and service providers to take that with a grain of salt. Granted that most vendor solutions have features for effective log parsing, normalization, reporting, alerting etc… As I am sure anyone that has worked on PCI DSS (or for that matter any Log Management or SIEM deployments) would attest, an effective deployment requires deliberate planning and ground work. And in my view, the most critical step for an effective Log Management solution (and most certainly those focused on PCI DSS Compliance) is the very first step, which is Log Generation (see NIST 800-92 Guide to Computer Security Log Management to learn more about Log Management processes). After all, you can get to managing and analyzing logs only if you generate them and more importantly from a PCI DSS standpoint, generate all the right logs!

To illustrate the point, below is a partial suggested list of events you might want to log on Windows and Active Directory. One really can’t overemphasize the need for various system administrators to work closely with the PCI readiness teams to make this happen. I have also included sample mappings to PCI DSS requirements, the likes of which you can use to demonstrate due diligence to your QSA.

Hope you find this information useful and I welcome your comments!

 

#

Event Description

Windows Event Id#

 

– Vista or Windows Server 2008

PCI DSS (version 1.2.1) Requirements

Logon events  

1

Successful Logon – Privileged users only

4624

6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2

2

Logoffs – Privileged users only

4634

6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2

3

Failed Logon attempts – All users

4625

6.3.3, 8.1, 8.5.1, 8.5.4, 8.5.6, 10.2.2

4

Account Lockouts – All users

4740

8.5.13, 10.2.4

5

Account Lockout Release – All users  

4767

8.5.13, 10.2.2, 10.2.4 

6

Privilege escalation through “Run as”

?

10.1, 10.2.1, 10.2.2

 

Object access events  

7

All access to folders containing Cardholder Data

5143

10.2.1

8

Changes to access privileges on folders containing Cardholder Data

4670

10.2.1,10.2.2

9

Changes to ownership on folders containing Cardholder Data (“Take Ownership”)

4670

10.2.1,10.2.2

10

All access to files containing Cardholder Data

4663,?

10.2.1

11

Changes to access privileges on files containing Cardholder Data

4670

10.2.1

12

Changes to ownership on files containing Cardholder Data (“Take Ownership”)

4670

10.2.1,10.2.2

13

Creation or deletion of files in folders containing Cardholder Data

4660, 4663  (Delete)

 

10.2.1

14

Access to (Read, Modify or Delete)  Security Event Logs by anyone other than the Windows system or the account used for log collection by the Log Management Solution

?

10.2.2, 10.2.3, 10.2.6, 10.2.7, 10.5

15

Changes to %SYSTEMROOT%\SYSTEM32  folder contents (System Level Object)

5143

10.2.7

16

A registry value was modified (System Level Object)

4657

10.2.7

 

 Account Management 

17

User Account Created

4720

7.1.4, 8.1, 8.5.1,10.2.2

18

 User Account Enabled

4722

7.1.4, 8.1, 8.5.1, 8.5.6,10.2.2

19

Password Change/Reset Attempted

47239(Change), 4724(Reset)

8.5.3, 8.5.9

20

Account Password Set

4738(?)

8.5.3, 8.5.9

21

User Account Disabled

4725

6.3.3, 7.1.4, 8.1, 8.5.1,8.5.4, 8.5.5,10.2.2

22

User Account Deleted

4726

6.3.3, 7.1.4, 8.1, 8.5.1,8.5.4, 8.5.5,10.2.2

23

User Account Changed

4738

6.3.3, 7.1.4, 8.1, 8.5.1,10.2.2

24

Security Group Created

4727 (Global Group)

4731 (Local Group)

6.3.3, 7.1.1, 7.1.4,10.2.2

25

Security Group Member Added

4728(Global Group)

4732(Local Group)

6.3.3, 7.1.2,10.2.2

26

Security Group Member Removed 

4729(Global Group)

4733(Local Group)

6.3.3, 7.1.4, 8.1, 8.5.1,8.5.4, 8.5.5,10.2.2

27

Security Group Deleted

4730(Global Group)

4734(Local Group)

6.3.3, 7.1.4, 8.1, 8.5.1,8.5.4, 8.5.5,10.2.2

 

Directory Service access events  

28

Creation of new group policies

?

10.2.2, 10.2.7

29

Changes to group (Active directory) or server policies

?

10.2.2, 10.2.7

30

Application of group policies to a container

6144(?)

10.2.2, 10.2.7

 

Privilege use events 

 

Privilege use (Failure only) for the following user groups:

 

31

Server or Domain Administrators

4674(?)

10.2.2

32

Account Operators

4674(?)

10.2.2

33

Accounts (User, service or process) with access to Cardholder Data

4674(?)

10.2.2

 

System events  

34

Windows – Starting up

4608

10.2.2

35

Windows – Shutting down

4609

10.2.2

36

An authentication package was loaded by the Local Security Authority.

4610

10.2.5

37

A trusted logon process has registered with the Local Security Authority.

4611

10.2.5

38

Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.

4612

10.2.3, 10.2.6, 10.2.7, 10.5

39

A notification package was loaded by the Security Accounts Manager

4614

10.2.5

40

Server time out of synchronization with Domain Controller

4616(?)

10.4

 

Windows updates 

41

Windows Software Update Services – Successes and Failures

?

6.1

Follow and like us!

4 thoughts on “Logging for PCI DSS Compliance

    • Kamal Govindaswamy Post authorReply

      Anton,

      Great suggestion… Thanks! I updated the post to include event numbers to the extent that I have readily available. I have question marks against some that I’m not sure about yet.

      I’ll need to work with a Windows Admin to come up with the rest. I’ll be looking to make updates as I have them available. As always, I would encourage our readers to fill in the gaps.

  1. Michael Mather Reply

    Thanks for this extensive list.

    It would also be nice if you said how to implement this in Windows. For those of us who are not experts in the subject.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.