Session recording
Bill McGonigle
bill at bfccomputing.com
Thu Apr 3 12:10:05 EDT 2008
On Apr 2, 2008, at 12:15, Kenny Lussier wrote:
> We are
> dealing with PCI (Payment Card Industry) compliance.
Just one of the reasons this is such a braindead standard - there's a
requirement for tamper-proof logs (at least in the last version I did
an audit for).
I attempted to get the auditor to tell me what a 'tamper-proof' log
was, attacking each suggestion with a tamper. We wound up with a
pair of line printers on isolated networks as fulfilling the
requirement. These would generate 600 pounds of snort logs a day.
We then decided that was ridiculous and made up some bullshit to get
through the audit.
If your auditor is less 'flexible' then you might run into trouble on
that one with your solution. I don't think there's a Linux way to do
tamper-proof logs that meets the letter of the standard. But it's
similar to how we were going to have to fall back from md5 passwords
to crypt passwords because PCI required specifically encrypted
passwords. We refused so the auditor declared that hashing was
encryption. I swear the standard was written by a college intern.
Anyway, I ranted some more about the whole business here:
http://blog.bfccomputing.com/articles/2008/03/18/eliminating-credit-card-fraud
so I'll stop. :)
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
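The thread above leaves "tamper-proof logs" undefined. What a Linux host can realistically offer is tamper-evidence: each log record carries an HMAC that also covers the previous record's MAC, so any edit, deletion, insertion or reordering breaks the chain, and truncation is caught by comparing the final MAC against a copy held off the logging host. The example below is added here and is not Bill's code or anything from the original post; the key, the log lines and the function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key (and the chain head)
# live on a separate verifier host, not on the machine producing the logs:
# anyone who holds the key can rewrite the chain consistently.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # link value for the first record


def chain_entry(prev_mac: str, seq: int, message: str, key: bytes = DEMO_KEY) -> dict:
    """One log record whose MAC binds the previous MAC, the sequence number and the text."""
    payload = f"{prev_mac}\n{seq}\n{message}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"seq": seq, "msg": message, "prev": prev_mac, "mac": mac}


def build_chain(messages, key: bytes = DEMO_KEY) -> list:
    """Chain a list of log lines in order, starting from GENESIS."""
    records, prev = [], GENESIS
    for seq, msg in enumerate(messages, start=1):
        rec = chain_entry(prev, seq, msg, key)
        records.append(rec)
        prev = rec["mac"]
    return records


def verify_chain(records, key: bytes = DEMO_KEY, expected_head: str = None):
    """Return (ok, reason).

    Edits, deletions, insertions and reordering all break a link or a MAC.
    Dropping records from the END is only visible when the verifier holds
    the expected chain head (the last MAC) somewhere the log host cannot reach.
    """
    prev = GENESIS
    for position, rec in enumerate(records, start=1):
        if rec["seq"] != position:
            return False, f"sequence gap at position {position} (found seq {rec['seq']})"
        if rec["prev"] != prev:
            return False, f"broken link at seq {position}"
        payload = f"{prev}\n{rec['seq']}\n{rec['msg']}".encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"MAC mismatch at seq {position}"
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "chain head differs from the externally stored head (truncation?)"
    return True, "ok"


def demo():
    """Exercise the chain against a clean copy, an edited copy and a truncated copy."""
    # Constructed sample log lines, not output from any real system.
    lines = [
        "sshd: accepted publickey for alice",
        "sudo: alice ran /bin/ls",
        "sshd: session closed for alice",
    ]
    chain = build_chain(lines)
    head = chain[-1]["mac"]          # what the verifier would store off-host

    intact = verify_chain(chain, expected_head=head)

    edited = [dict(r) for r in chain]
    edited[1]["msg"] = "sudo: alice ran /bin/true"   # quietly rewrite one line
    edit_result = verify_chain(edited, expected_head=head)

    # Dropping the last record is invisible without the stored head...
    truncated_no_head = verify_chain(chain[:-1])
    # ...and caught as soon as the head is compared.
    truncated_with_head = verify_chain(chain[:-1], expected_head=head)

    return intact, edit_result, truncated_no_head, truncated_with_head


if __name__ == "__main__":
    for name, result in zip(("intact", "edited", "truncated/no head", "truncated/head"), demo()):
        print(f"{name:18} -> {result}")
```

The design point worth taking from this is the split of roles: the log host can append but cannot rewrite history without the key, and the verifier holds both the key and the latest head. That is the part an auditor can actually check, and it is what "tamper-proof" collapses to once you ask what tampering is being defended against.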