Audit4j and PCI-DSS compliance -> add trace audit4j started and ended
22 views
Skip to first unread message
Franck Benault
Jan 14, 2018, 5:29:59 AM1/14/18
to Audit4j
For my understanding, Audit4j is not yet fully compliant with PCI-DSS compliance
if we look at the PCI documentation (PCI DSS Quick Reference Guide version 3.2)
topic 10.2
Implement automated audit trails for all system components for reconstructing these events:
all individual user accesses to cardholder data; all actions taken by any individual with root
or administrative privileges; access to all audit trails; invalid logical access attempts; use of
and changes to identification and authentication mechanisms (including creation of new
accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or
administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion
of system-level objects
"initialization, stopping or pausing of the audit logs"
We should add a trace when Audit4j is started and is stopped.
What do you think ?
Regards Franck
if we look at the PCI documentation (PCI DSS Quick Reference Guide version 3.2)
topic 10.2
Implement automated audit trails for all system components for reconstructing these events:
all individual user accesses to cardholder data; all actions taken by any individual with root
or administrative privileges; access to all audit trails; invalid logical access attempts; use of
and changes to identification and authentication mechanisms (including creation of new
accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or
administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion
of system-level objects
"initialization, stopping or pausing of the audit logs"
We should add a trace when Audit4j is started and is stopped.
What do you think ?
Regards Franck
Janith Bandara
Jan 17, 2018, 11:19:51 AM1/17/18
to Audit4j
Hi Franck,
Do you aware about PCI-PA-DSS complience? Is there any additional features to be implemented to comply with PCI-PA-DSS?
Thanks for mentioning this. Yes, It is better to have audit logs related to initialization and stopping and pausing.
I have gone through the compliance document and other features are implemented except this feature.
Do you aware about PCI-PA-DSS complience? Is there any additional features to be implemented to comply with PCI-PA-DSS?
This can be easily implemented in audit4j core.
Regards,
Regards,
Janith
Franck Benault
Jan 17, 2018, 12:33:04 PM1/17/18
to Audit4j
Hello,
one main additionnal point about PCI-DSS is
10.3.4 Success or failure indication
Verify success or failure indication is included in log entries.
So we are back to the issue
https://github.com/audit4j/audit4j-core/issues/64 (Success Call or Failure Call)
Regards Franck
Janith Bandara
Jan 26, 2018, 11:07:59 PM1/26/18
to Audit4j
Hi Franck,
I was busy last few days,
Shall we include these two features in 2.7.0 release?
Regards,
Janith
Franck Benault
Jan 27, 2018, 2:17:35 PM1/27/18
to Audit4j
Hi
I am also quite busy
so I really understand that you cannot take this point now
If I have time I will prepare a fix in a fork.
Regards Franck
I am also quite busy
so I really understand that you cannot take this point now
If I have time I will prepare a fix in a fork.
Regards Franck
Reply all
Reply to author
Forward
0 new messages