10.3.2 Audit log files are protected to prevent modifications by individuals.
Defined Approach Requirements
10.3.2 Audit log files are protected to prevent modifications by individuals.
Customized Approach Objective
Stored activity records cannot be modified by personnel.
Defined Approach Testing Procedures
10.3.2 Examine system configurations and privileges and interview system administrators to verify that current audit log files are protected from modifications by individuals via access control mechanisms, physical segregation, and/or network segregation.
Purpose
Often a malicious individual who has entered the network will try to edit the audit logs to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. Therefore, audit logs should be protected on the originating systems as well as anywhere else they are stored.
Good Practice
Entities should attempt to prevent logs from being exposed in publicly accessible locations.
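As an added example (not part of the PCI DSS text and not an official assessor tool), a POSIX shell check that an administrator or assessor can run against a log file to verify the access-control part of the testing procedure: the file is owned by the expected account, is not group- or world-writable, and, on Linux filesystems that support it, carries the append-only attribute. The function name `check_log_protection`, the sample path `/var/log/audit/audit.log`, and the default owner `root` are assumptions.

```shell
# Verify that an audit log file cannot be modified by ordinary users:
# owned by the expected account (default root, an assumption), not
# group- or world-writable, and, where the filesystem supports it,
# append-only (chattr +a). Exit status 0 means the owner/mode checks pass.
# Usage: check_log_protection /var/log/audit/audit.log [expected_owner]
check_log_protection() {
  f="$1"
  want_owner="${2:-root}"
  if [ ! -f "$f" ]; then
    echo "FAIL $f: not a regular file"
    return 1
  fi
  rc=0
  # ls -ld prints e.g. "-rw-r----- 1 root adm 4096 Jan 1 00:00 audit.log"
  line=$(ls -ld "$f")
  perm=$(printf '%s\n' "$line" | cut -c1-10)
  owner=$(printf '%s\n' "$line" | awk '{print $3}')
  if [ "$owner" != "$want_owner" ]; then
    echo "FAIL $f: owner is $owner, expected $want_owner"; rc=1
  fi
  # Characters 6 and 9 of the mode string are the group and world write bits.
  if [ "$(printf '%s' "$perm" | cut -c6)" = "w" ]; then
    echo "FAIL $f: group-writable ($perm)"; rc=1
  fi
  if [ "$(printf '%s' "$perm" | cut -c9)" = "w" ]; then
    echo "FAIL $f: world-writable ($perm)"; rc=1
  fi
  # The append-only attribute blocks in-place edits even by the owner
  # until root clears it; reported as advisory because not every
  # filesystem (or platform) supports it.
  if command -v lsattr >/dev/null 2>&1; then
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 || true)
    case "$attrs" in
      *a*) echo "OK   $f: append-only attribute set" ;;
      *)   echo "WARN $f: no append-only attribute (consider chattr +a)" ;;
    esac
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK   $f: owner and mode protected ($owner $perm)"
  fi
  return "$rc"
}
```

Run it over every file under the log directory (for example with `find /var/log -type f`) and forward the FAIL lines to the evidence collected for the assessment; a WARN only indicates that the stronger immutability control is not in use.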
Purpose
Synchronize system clocks for accurate log timestamps.
Compliance Strategies
- NTP server configuration
- Time sync monitoring
Typical Policies
- Time Synchronization Policy
Common Pitfalls
- Unsynced clocks
- Drifted timestamps
Type
Technical Control
Difficulty
Low
Key Risks
- Logs unusable for investigation
Recommendations
- Use redundant, secure NTP sources
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER