Figure 9.1: Server logs available for viewing through crafted Google queries.

or Forced Browsing. Figure 9.1 is a screen capture of a crafted Google search query yielding several results for Web server logs.
9.3 Security Compliance and Web Application Logging
Logs and audit trails feature prominently in every regulatory or security compliance requirement. HIPAA, SOX, and PCI, among several others, mandate the maintenance of audit logs for all system components in the scoped environment. However, most of these rules do not specify any particular requirement for audit logging; the PCI Standards are the exception. HIPAA, for its part, is generally read as requiring that audit trails be retained for 6 years. Let us explore some of the specific logging requirements of the PCI Standards with respect to logging and log management:
Requirement 10.1 mandates the enabling of automated audit trails for all system components in the scoped environment. System components include servers, workstations, network devices, and applications that come in contact with cardholder information and are present in the cardholder environment.
Requirement 10.2 delves into the type of information that has to be captured as part of the audit trail. The audit trails must capture information relating to the following: individual access to cardholder information, access to audit trails, invalid access attempts, all administrative actions and root privilege actions, initialization of audit logs, and use of identification and authentication mechanisms. The standard thus covers most of the requirements that were discussed in Section 9.2.1.
Requirement 10.3 of the standard specifies the kind of information that each log entry should capture, including username/IP address, system affected, time and date, success or failure indication, origination of event, and name of the affected resource or system component.
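The following Python example is added here to make Requirements 10.2 and 10.3 concrete; it is not code from the book. It writes one JSON audit line per event carrying each field the text lists for Requirement 10.3, and it includes a reviewer function that reads an existing audit log and reports entries that fall short, so a team can check a web application's log output before an assessment. The field names, the event-category labels and the constructed sample log are assumptions of this example, not identifiers from the PCI Standard.

```python
import json
from datetime import datetime, timezone

# Per-entry fields the text lists for Requirement 10.3 (key names are this example's own choice).
REQUIRED_FIELDS = ("user", "source_ip", "system", "timestamp", "outcome", "origin", "resource")

# Event categories the text lists for Requirement 10.2 (labels are this example's own choice).
AUDITED_EVENTS = {
    "cardholder_data_access",
    "audit_trail_access",
    "invalid_access_attempt",
    "admin_action",
    "audit_log_init",
    "authentication",
}


def audit_event(event_type, user, source_ip, system, outcome, origin, resource, when=None):
    """Build one audit-trail entry carrying every Requirement 10.3 field, as a JSON line."""
    if event_type not in AUDITED_EVENTS:
        raise ValueError(f"unknown audit event type: {event_type}")
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    entry = {
        "event": event_type,
        "user": user,
        "source_ip": source_ip,
        "system": system,          # system affected
        "timestamp": stamp,        # time and date, UTC with offset so entries can be correlated
        "outcome": outcome,        # success or failure indication
        "origin": origin,          # origination of the event, e.g. the request path or console
        "resource": resource,      # name of the affected resource or component
    }
    return json.dumps(entry, sort_keys=True)


def check_entry(entry):
    """Return a list of problems with one parsed entry; an empty list means it passes."""
    problems = []
    if entry.get("event") not in AUDITED_EVENTS:
        problems.append(f"unrecognised event type {entry.get('event')!r}")
    for field in REQUIRED_FIELDS:
        if not entry.get(field):
            problems.append(f"missing {field}")
    if entry.get("outcome") not in ("success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def review_log(lines):
    """Parse JSON-lines audit output; return (count of compliant entries, {line_no: problems})."""
    ok = 0
    findings = {}
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings[line_no] = ["not valid JSON"]
            continue
        problems = check_entry(entry)
        if problems:
            findings[line_no] = problems
        else:
            ok += 1
    return ok, findings


# Constructed sample log: two entries produced by audit_event plus one hand-written legacy
# line that omits the success/failure indication and should be flagged by the review.
SAMPLE_LOG = [
    audit_event("authentication", "alice", "10.0.0.5", "webapp-01", "failure",
                "/login", "login-form",
                when=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)),
    audit_event("cardholder_data_access", "bob", "10.0.0.9", "webapp-01", "success",
                "/accounts/view", "card_table",
                when=datetime(2024, 1, 2, 3, 5, 0, tzinfo=timezone.utc)),
    '{"event": "admin_action", "user": "root", "source_ip": "10.0.0.2", "system": "webapp-01", '
    '"timestamp": "2024-01-02T03:06:00+00:00", "origin": "console", "resource": "config"}',
]

if __name__ == "__main__":
    ok, findings = review_log(SAMPLE_LOG)
    print(f"{ok} compliant entries")
    for line_no, problems in findings.items():
        print(f"line {line_no}: {', '.join(problems)}")
```

Running the block reports two compliant entries and flags the third line for its missing outcome. The same review function can be pointed at a real application's audit file, one JSON object per line, to list which entries would not satisfy the per-entry fields before an assessor does.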