Session recording

Bill McGonigle bill at bfccomputing.com
Thu Apr 3 12:10:05 EDT 2008


On Apr 2, 2008, at 12:15, Kenny Lussier wrote:

> We are
> dealing with PCI (Payment Card Industry) compliance.

Just one of the reasons this is such a braindead standard - there's a  
requirement for tamper-proof logs (at least in the last version I did  
an audit for).

I attempted to get the auditor to tell me what a 'tamper-proof' log  
was, attacking each suggestion with a tamper.  We wound up with a  
pair of line printers on isolated networks as fulfilling the  
requirement.  These would generate 600 pounds of snort logs a day.   
We then decided that was ridiculous and made up some bullshit to get  
through the audit.

If your auditor is less 'flexible' then you might run into trouble on  
that one with your solution.  I don't think there's a Linux way to do  
tamper-proof logs that meets the letter of the standard.  But it's  
similar to how we were going to have to fall back from MD5 passwords  
to crypt passwords because PCI required specifically encrypted  
passwords.  We refused, so the auditor declared that hashing was  
encryption.  I swear the standard was written by a college intern.    
Anyway, I ranted some more about the whole business here:

   http://blog.bfccomputing.com/articles/2008/03/18/eliminating-credit-card-fraud

so I'll stop. :)

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
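Editor's added example, not part of Bill's message and not a claim about what any PCI auditor would accept: the closest thing Linux-side tooling gets to the "tamper-proof log" requirement discussed above is a tamper-evident log. Each line is tagged with an HMAC over the previous tag and the line, and the key is ratcheted forward after every entry so that a host compromised at time t cannot forge or silently rewrite entries written before t. The initial key and a periodic checkpoint (entry count plus last tag) must be kept off the logging host, which is the role the isolated line printers played. The key, log lines and host names below are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample log lines for the demonstration; not from any real system.
SAMPLE_LINES = [
    "Apr  3 12:00:01 host1 sshd[1001]: Accepted publickey for alice from 10.0.0.5",
    "Apr  3 12:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart snort",
    "Apr  3 12:00:09 host1 snort[220]: [1:1000:1] constructed alert, priority 1",
    "Apr  3 12:01:30 host1 sshd[1001]: Disconnected from user alice 10.0.0.5",
]

# Hypothetical initial key: generated once, copied to the verifier, never left
# resident on the logging host once the first entry has been written.
INITIAL_KEY = b"constructed-initial-key-held-off-the-logging-host"

GENESIS_TAG = b"\x00" * 32  # fixed "previous tag" for the first entry


def _ratchet(key: bytes) -> bytes:
    """Derive the key for the next entry; the old key is discarded (forward security)."""
    return hashlib.sha256(b"log-ratchet:" + key).digest()


def chain_log(lines, key=INITIAL_KEY):
    """Return [(line, tag_hex)] where tag_i = HMAC(key_i, tag_{i-1} || line_i)."""
    records = []
    prev_tag = GENESIS_TAG
    for line in lines:
        tag = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev_tag = tag
        key = _ratchet(key)  # the logger keeps only the ratcheted key from here on
    return records


def verify_chain(records, key=INITIAL_KEY):
    """Recompute the chain from the initial key; return the index of the first
    record whose tag does not match, or -1 if every record verifies."""
    prev_tag = GENESIS_TAG
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev_tag = expected
        key = _ratchet(key)
    return -1


def checkpoint(records):
    """(entry count, last tag) to be shipped off-host; detects truncation,
    which a valid-looking prefix of the chain would otherwise hide."""
    return (len(records), records[-1][1]) if records else (0, "")


def verify_checkpoint(records, saved_checkpoint):
    """True if the records still end where the off-host checkpoint says they do."""
    return checkpoint(records) == saved_checkpoint


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LINES)
    cp = checkpoint(recs)
    print("intact chain verifies:", verify_chain(recs) == -1)

    # Rewrite one line after the fact: the chain breaks at that index.
    tampered = list(recs)
    tampered[1] = (tampered[1][0].replace("alice", "mallory"), tampered[1][1])
    print("first bad record after edit:", verify_chain(tampered))

    # Drop the last line: the prefix still verifies, only the checkpoint catches it.
    truncated = recs[:-1]
    print("truncated prefix verifies:", verify_chain(truncated) == -1)
    print("truncation caught by checkpoint:", not verify_checkpoint(truncated, cp))
```

Two things a practitioner should note about the design. Detection is only as good as where the initial key and checkpoints live: if both sit on the logging host, an attacker with root simply rewrites the log and recomputes the chain. And the ratchet buys forward security, not protection of future entries; once the host is compromised, everything written afterwards is under the attacker's control, so the checkpoint interval bounds how much an intruder can erase unnoticed.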