Exactly which settings need to be enabled for the audit (logging) policy on Windows systems in order to meet the intent of PCI DSS requirements 10.2.x? Trying to understand all the individual events IDs associated with each Windows audit policy is your first step in trying to determine the answer to this question! But after a bit of digging (thank goodness for Google) I found the answer. Both articles provide great information on the details of each event ID and how you can align this with PCI requirements for auditing:
Windows 2003 – http://technet.microsoft.com/en-us/library/cc163121.aspx#EKH
If reading these articles doesn’t quite excite you…Well, here is the quick answer to what audit policies to enable:
- Account Logon – Success and Failure
- Account Management – Success and Failure
- Logon Events – Success and Failure
- Object Access – No Auditing
- Policy Change – Success and Failure
- Privilege Use – No Auditing
- Process Tracking – No Auditing
- System Events – Success and Failure
Account Management provides a wealth of information – including password changes, creation of a new user account and changes to group membership (i.e. Additions to the Domain Admin group).
Object Access auditing is just that – logging when a user accesses an object such as a file, directory or registry key. However, enabling this policy alone will not generate events. A SACL (System Access Control List) has to be specified on the object in addition to enabling this audit policy to generate alerts. In my opinion, a File Integrity Monitoring (FIM) solution is better suited to log and track “object access”.
Don’t be deceived by “Privilege Use” auditing, as it provides minimal value add and enabling this policy quickly fills up the audit logs.
Process Tracking is typically used for debugging purposes and logging of this type of activity is not required for day to day business purposes.
But don’t forget requirement 10.5.3 – sending audit logs to a centralized log server.
Shelina Samji, PCI QSA
Senior Consultant, PCI Compliance Services
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.