logging-log4j-user mailing list archives

From Matt Sicker <boa...@gmail.com>
Subject Re: Logging requirement for PCI (payment card industry)
Date Mon, 08 Sep 2014 23:41:10 GMT
How secure does it need to be? Because there are usually ways around Java
security (hence all the security patches). Oftentimes, a misconfigured
policy file is enough to let the house of cards come tumbling down!


On 8 September 2014 18:36, Ralph Goers <ralph.goers@dslextreme.com> wrote:

> Christian,
>
> I started work on Log4j 2 primarily for use by my employer at the time,
> who performs internet banking activities. As such, losing audit events is
> not acceptable in that environment.
>
> I am not really clear on what you are asking. If you don’t specify a
> monitorInterval on your configuration then you will not be able to
> reconfigure logging during execution, which sounds like what you are
> wanting. If you want a start and stop message one way to do that is to
> specify a start and stop message in the header and footer elements of the
> PatternLayout.  If you are running in a servlet container you can also use
> a ServletContextListener to do that.
>
> Ralph
>
> On Sep 8, 2014, at 8:22 AM, Christian Müller <christian.mueller@gmail.com>
> wrote:
>
> > Hello list!
> >
> > For PCI requirement 10.2.6 (Initialization, stopping, or pausing of the
> > audit logs) [1], I'm wondering what the best solution would be from your
> > point of view?
> >
> > The PCI requirement is detailed further in the spec:
> > Verify the following are logged:
> > - Initialization of audit logs
> > - Stopping or pausing of audit logs
> >
> > Turning the audit logs off (or pausing them) prior to performing illicit
> > activities is a common practice for malicious users wishing to avoid
> > detection. Initialization of audit logs could indicate that the log
> > function was disabled by a user to hide their actions.
> >
> > The PCI auditor told us, "it's enough" if the application logs when it's
> > started and when it's stopped.
> >
> > [1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
> >
> > Thanks in advance,
> > Christian
> > -----------------
> >
> > Software Integration Specialist
> >
> > Apache Member
> > V.P. Apache Camel | Apache Camel PMC Member | Apache Camel committer
> > Apache Incubator PMC Member
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscribe@logging.apache.org
> For additional commands, e-mail: log4j-user-help@logging.apache.org
>
>


-- 
Matt Sicker <boards@gmail.com>

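The configuration Ralph describes, as an added example that is not part of the thread and not Log4j's own sample: a Log4j 2 file appender whose PatternLayout writes a start line when the audit file is opened and a stop line when the appender is closed, with no monitorInterval attribute so the configuration cannot be reloaded while the JVM runs. Header and footer are processed as patterns, so %d expands to a timestamp. The file path, appender name and the "audit" logger name are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own configuration.
     No monitorInterval attribute: the configuration is read once at startup
     and Log4j 2 will not pick up edits to this file while the process runs. -->
<Configuration status="warn">
  <Appenders>
    <!-- Assumed path; append="true" so restarts do not truncate earlier evidence. -->
    <File name="AuditFile" fileName="logs/audit.log" append="true">
      <PatternLayout
          header="%d{ISO8601} AUDIT-LOG-START%n"
          footer="%d{ISO8601} AUDIT-LOG-STOP%n"
          pattern="%d{ISO8601} %-5level [%t] %logger - %msg%n"/>
    </File>
  </Appenders>
  <Loggers>
    <!-- Assumed logger name for audit events; additivity="false" keeps them
         out of the root logger's appenders. -->
    <Logger name="audit" level="info" additivity="false">
      <AppenderRef ref="AuditFile"/>
    </Logger>
    <Root level="warn">
      <AppenderRef ref="AuditFile"/>
    </Root>
  </Loggers>
</Configuration>
```

The header is written each time the appender opens the file, and the footer only when the appender is stopped cleanly, that is, through the JVM shutdown hook Log4j 2 installs by default or, in a web application, through the Log4jServletContextListener. A process that is killed with SIGKILL or loses power writes no footer, so a START line that is not preceded by a STOP line is itself the gap a reviewer should look for.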