Sub-Requirements 10.2.3, 10.2.6, 10.5 and 10.6

10.2 Implement automated audit trails for all system components to reconstruct the following events:

  • 10.2.3 Access to all audit trails
  • 10.2.6 Initialization of the audit logs

10.5 Secure audit trails so they cannot be altered, including the following:

  • 10.5.1 Limit viewing of audit trails to those with a job-related need
  • 10.5.2 Protect audit trail files from unauthorized modifications
  • 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter
  • 10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

Note: Log collection, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.

Illustrative Controls and the TIBCO LogLogic Solution

A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. To realize this benefit, administrators must ensure that security tools and applications are tested and monitored proactively. These controls should be reaccredited periodically to ensure the approved security level is maintained.

Access to the logging information must be in line with business requirements in terms of access rights and retention requirements, and security administrators must monitor and log security activity, and identify security violations to report to senior management. To satisfy this requirement, administrators must review the user access logs on a daily basis for any access violations or unusual activity. In addition, administrators must ensure that all relevant log sources are logging properly to a centralized log management system.

TIBCO LogLogic’s solution is developed from the ground up to be a regulatory compliance solution. All log messages, once received by the Appliances, are transferred via TCP to ensure reliable delivery. Every log file stored on the ST, LX and MX Appliances has its own MD5 signature, kept separately from the file itself, so that any tampering with stored log data can be detected.
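The two properties described above, a per-file digest stored apart from the log (this section) and change detection that alerts on modification or truncation of existing log data but not on normal appends (10.5.5), can be checked with a short baseline-and-verify routine. The following is an added illustration, not code from the page or from the TIBCO LogLogic product: the log lines, file names and the `baseline`/`check_log` functions are constructed for the example, and it digests with SHA-256 rather than the MD5 the Appliances record.

```python
import hashlib
import os
import tempfile

# Hash algorithm chosen for this example; the product described on the page stores MD5.
HASH_ALGO = "sha256"


def file_digest(path, length=None, algo=HASH_ALGO):
    """Digest the first `length` bytes of `path` (the whole file when length is None)."""
    h = hashlib.new(algo)
    remaining = length
    with open(path, "rb") as f:
        while True:
            chunk_size = 65536 if remaining is None else min(65536, remaining)
            if chunk_size == 0:
                break
            chunk = f.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Record size and digest of a log file. In practice this record is kept on a
    separate host or write-once media (10.5.3), never beside the log it protects."""
    size = os.path.getsize(path)
    return {"size": size, "digest": file_digest(path, size)}


def check_log(path, base):
    """Compare a log file against its stored baseline.

    Returns (status, new_baseline) where status is one of
    'unchanged', 'appended', 'modified', 'truncated'. Only 'modified' and
    'truncated' should raise an alert; 'appended' is normal log growth and
    advances the baseline to cover the new bytes.
    """
    size = os.path.getsize(path)
    if size < base["size"]:
        return "truncated", base
    # Hash only the prefix the baseline already covers: if it still matches,
    # existing entries are intact and any extra bytes are a plain append.
    if file_digest(path, base["size"]) != base["digest"]:
        return "modified", base
    if size == base["size"]:
        return "unchanged", base
    return "appended", baseline(path)


def demo():
    """Walk one log file through append, in-place edit and truncation."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")  # constructed sample log
        with open(path, "wb") as f:
            f.write(b"2024-01-01T00:00:00Z sshd: accepted publickey for alice\n")
        base = baseline(path)

        results.append(check_log(path, base)[0])          # unchanged

        with open(path, "ab") as f:                       # normal append
            f.write(b"2024-01-01T00:05:00Z sudo: alice : COMMAND=/bin/ls\n")
        status, base = check_log(path, base)
        results.append(status)                            # appended, baseline advanced

        with open(path, "rb") as f:                       # rewrite an existing entry
            data = f.read().replace(b"alice", b"mallory")
        with open(path, "wb") as f:
            f.write(data)
        results.append(check_log(path, base)[0])          # modified -> alert

        with open(path, "wb") as f:                       # wipe the file
            f.write(b"")
        results.append(check_log(path, base)[0])          # truncated -> alert
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing only the baselined prefix is what lets the check distinguish an append from an edit; a whole-file digest alone would flag every new log line as a change. The baseline record must live somewhere the log host cannot rewrite, otherwise an attacker who edits the log can simply recompute the stored digest.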

Reports and Alerts

  • Use the following link/reference to see the 10.2.3 reports and alerts: 10.2.3 on page 136.
  • Use the following link/reference to see the 10.2.6 reports and alerts: 10.2.6 on page 137.
  • Use the following link/reference to see the 10.5 reports and alerts: 10.5 on page 142.
  • Use the following link/reference to see the 10.6 reports and alerts: 10.6 on page 142.