09-12-2012, 03:54 PM
| | Re: does pcidss compliance require UNIX auditing?
dkoleary <firstname.lastname@example.org> writes:
>>>Most likely, this will be of the form of Jim in A/R ran the batch queue t=
>o post charges against this set of credit-cards. Your audit requirements ar=
>e that you log that Jim's account accessed this card # at this timestamp.=
>That's the part that I'm unclear on. Outside of full blown auditing, from =
>the OS level, does anyone know how that can be done? =20
Well, credit card data doesn't really live in the OS, it typically
lives in a database, and you have applications that access that database.
That is where you need to be logging access, in the application level.
For instance, in the system I need to maintain (albiet not on unix),
each user has their login into the billing application. The
application logs every major action they do. Ie. Jim expired these services.
Jim ran this credit card batch. The batch comprised of these customers.
At any given time, and admin can login to the application and pull an
audit log on Jim's actions for the day, or a audit log of what credit
card data was accessed.
While I do have a Unix application interface to this secure system, it
can't even access credit-card data due to security levels on the DB
server, but it does require unique user logins. If it could access
secure data, it would have to be recoded in such a way to have audit
logs of the actions of each of those users, and what actions they did
as well. Those logs would have to be secure and unalterable in a
Also, PCI/DSS requires credit-card data to be stored encrypted, even
within a database, so you'll need some sort of column encryption.
>It also doesn't help that I'm not all that clear on the application that my=
> client's using. If the only people that require a login access to the uni=
>x system are the admins, then this suddenly gets a lot easier - it's the ap=
>plication that has to ensure that it logs Jim accessed this card # at this =
Yes, application logging should be the main thrust.
As another wrench, PCI/DSS also requires machine functions to be
dedicated to the main task. Ie. a DB server should be only a DB
server. A web front end should only be a web front end, not a file
server, mail server, etc. etc.
So, theoritically, only the admins should have access to any DB server
that holds credit-card data, and there should be no user logins there
And in the end, we see time and time again that all of these items are
not followed even in the biggest sites.