Tackling the log management requirements in section 10 of the PCI DSS can be greatly simplified by using Intersect Alliance’s SNARE software (an acronym for System iNtrusion Analysis and Reporting Environment). SNARE is a comprehensive Event Log Management toolkit, designed to collect and report on activities from within a monitored system.
Its ability to collect from a wide variety of computing devices and operating systems makes it a powerful tool for auditing and reporting. There are 12 main requirements in the PCI DSS, and although SNARE is designed specifically for Requirement 10 (Track and monitor all access to network resources and cardholder data), it can be a complementary tool to support compliance with several of the other requirements, including the need to enforce regular password changes, the use of authentication mechanisms, tracking access to sensitive information, and much more.
Two versions of the SNARE solution are available to the end user: the open source version (GPL licensing) and the commercial version. The commercial agents can transmit data over TCP with local caching, so if the host cannot reach the server, or there is a network outage, events are queued and then transmitted when the connection is re-established.
PCI DSS Requirement 10 can be quite challenging, due to the amount of log data that is required to be collected and proactively monitored.
The specific log-related requirements in this section are as follows:
10.1. Establish a process for linking all access to system components (especially access done with administrative privilege such as root) to each individual user
10.2. Implement automated audit trails for all system components to reconstruct the following events:
- All individual access to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of identification and authentication mechanisms (dependent on how SNARE is set up)
- Creation and deletion of system level objects
10.3. Record the following audit trail entries for all system components for each event:
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource
10.4. Synchronize all critical system clocks and times.
10.5. Secure audit trails so they cannot be altered
- Limit viewing of audit trails to those with a job-related need
- Protect audit trail from unauthorized modifications
- Promptly back up audit trail files to a centralized log server or media that is difficult to alter
- Copy logs for wireless networks onto a log server on the internal LAN
- Use of file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts
10.6. Review logs for all system components at least daily.
10.7. Retain audit trail history for at least one year, with a minimum of three months available online.
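Two of the requirements above are easy to check mechanically once the logs reach a central server: 10.3 (does every entry carry the six required fields?) and 10.5 (has an existing entry been altered or removed?). The following Python script is an added illustration, not part of this post and not SNARE's own code. It uses a constructed key=value, tab-separated entry layout that is an assumption for the example only (SNARE's real output format is not shown on this page), checks each entry for the 10.3 fields, and builds a SHA-256 hash chain over the lines so that any later edit or truncation is detected when the chain is recomputed. The sample log lines are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional

# The six audit trail fields PCI DSS 10.3 requires for every event.
# Field names here are assumptions for this example's constructed format.
REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "target")

# Constructed sample entries (not real SNARE output). The last entry
# deliberately omits the success/failure indication.
SAMPLE_LOG = """\
user=alice\tevent=login\ttime=2011-03-01T08:00:00Z\tresult=success\torigin=10.0.0.5\ttarget=db01
user=bob\tevent=sudo\ttime=2011-03-01T08:05:12Z\tresult=success\torigin=10.0.0.9\ttarget=db01:/etc/shadow
user=mallory\tevent=login\ttime=2011-03-01T08:07:40Z\tresult=failure\torigin=203.0.113.7\ttarget=db01
user=carol\tevent=file_read\ttime=2011-03-01T08:09:01Z\torigin=10.0.0.12\ttarget=db01:/var/log/audit/audit.log
"""


def parse_entry(line: str) -> Dict[str, str]:
    """Split one 'key=value<TAB>key=value' line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.rstrip("\n").split("\t"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def audit_entries(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of the log text."""
    return [parse_entry(l) for l in log_text.splitlines() if l.strip()]


def missing_fields(entry: Dict[str, str]) -> List[str]:
    """Return the 10.3 fields the entry lacks; an empty list means complete."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def chain_digests(lines: List[str], seed: str = "") -> List[str]:
    """Hash each line together with the previous digest (10.5 tamper evidence).

    Digest i covers lines 0..i, so changing or removing any earlier line
    changes every digest from that point on. The digests would be stored
    somewhere the log writer cannot modify (e.g. the central log server).
    """
    digests: List[str] = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered(lines: List[str], stored: List[str], seed: str = "") -> Optional[int]:
    """Recompute the chain over the current lines and compare with the stored digests.

    Returns the index of the first entry that no longer matches, the index at
    which the log was truncated or extended, or None if the log is intact.
    """
    recomputed = chain_digests(lines, seed)
    for i, (now, then) in enumerate(zip(recomputed, stored)):
        if now != then:
            return i
    if len(recomputed) != len(stored):
        return min(len(recomputed), len(stored))
    return None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for i, entry in enumerate(audit_entries(SAMPLE_LOG)):
        gaps = missing_fields(entry)
        print(f"entry {i}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")

    stored = chain_digests(lines)
    print("intact:", first_tampered(lines, stored) is None)

    # Simulate an attacker rewriting a failed login as a success.
    edited = list(lines)
    edited[2] = edited[2].replace("result=failure", "result=success")
    print("first tampered entry:", first_tampered(edited, stored))
```

The hash chain only makes changes detectable; it does not prevent them. In practice the digests (or the log copies themselves) must live on the centralized log server from 10.5, and a mismatch should raise an alert that feeds the daily review in 10.6.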
For further details on Intersect Alliance’s SNARE system visit their main site:
http://www.intersectalliance.com/
Watch for further details about SNARE as we go through actual deployments and sample configurations
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCEE, CCSE, MCSE, MCITP, RSASE
Senior Consultant, Security Solutions Services
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.