Audit trails for all system components
Description
All access to system components and cardholder data must be logged.
⚠️ Risk Impact
Without audit trails, forensic investigation after a breach is impossible.
🔧 Remediation
Enable comprehensive logging across all systems. EchelonGraph monitors audit log configurations.
💀 Real-World Attack Scenario
A payment processor's CDE had logging enabled on application servers but not on the database layer. An attacker who gained database access directly (bypassing the application) accessed cardholder data without triggering any application-level alerts. The breach was detected 9 months later during a PCI DSS audit.
💰 Cost of Non-Compliance
PCI DSS Req 10.1 requires logging on ALL system components. Missing logs in the CDE mean immediate non-compliance. Breach investigation without logs costs 3x more and takes 2x longer.
📋 Audit Questions
1. Which system components in the CDE have logging enabled?
2. What events are logged?
3. How are logs protected from tampering?
4. What is the log retention period? (PCI DSS requires 1 year, with 3 months immediately available)
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Application-level logging without database-level query logging
- ⛔ Missing logging on network devices within the CDE
- ⛔ Log tampering by privileged users with admin access to log systems
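As an added example (not EchelonGraph's code; the inventory field names and the per-layer required-event mapping are assumptions), a small inventory check that flags the gaps the audit questions and pitfalls above describe: components with no logging, database hosts that log logins but not queries, retention below the 1 year / 3 months online figures, and logs that privileged users can edit.

```python
"""Inventory-driven check of PCI DSS Req 10.1 audit-trail coverage for a CDE.

Constructed sample inventory; field names are assumptions, not EchelonGraph's schema.
"""
from dataclasses import dataclass, field

# Retention figures as stated on this page: 1 year kept, 3 months immediately available
MIN_RETENTION_DAYS = 365
MIN_ONLINE_DAYS = 90

@dataclass
class Component:
    name: str
    layer: str                                  # "application", "database" or "network"
    logging_enabled: bool
    events: set = field(default_factory=set)    # event classes recorded, e.g. {"auth", "query"}
    retention_days: int = 0
    online_days: int = 0
    logs_immutable: bool = False                # write-once/central store admins cannot edit

# Minimum event classes each layer must record (assumed mapping, not a PCI DSS list)
REQUIRED_EVENTS = {
    "application": {"auth", "data_access"},
    "database": {"auth", "query"},      # catches app-only logging that misses direct DB access
    "network": {"auth", "config_change"},
}

def audit_cde_logging(inventory):
    """Return a list of (component, finding) tuples; an empty list means no gaps found."""
    findings = []
    for c in inventory:
        if not c.logging_enabled:
            findings.append((c.name, "no audit logging (Req 10.1)"))
            continue  # the remaining checks are meaningless without any logs
        missing = REQUIRED_EVENTS.get(c.layer, set()) - c.events
        if missing:
            findings.append((c.name, f"missing event types: {sorted(missing)}"))
        if c.retention_days < MIN_RETENTION_DAYS or c.online_days < MIN_ONLINE_DAYS:
            findings.append((c.name, "retention below 1 year / 3 months online"))
        if not c.logs_immutable:
            findings.append((c.name, "logs editable by privileged users"))
    return findings

# Constructed inventory mirroring the scenario above: app servers logged, database layer not
CDE_INVENTORY = [
    Component("app-01", "application", True, {"auth", "data_access"}, 400, 90, True),
    Component("db-01", "database", True, {"auth"}, 400, 90, True),   # logins only, no query log
    Component("fw-edge", "network", False),                            # silent firewall
]

if __name__ == "__main__":
    for name, finding in audit_cde_logging(CDE_INVENTORY):
        print(f"{name}: {finding}")
```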
📈 Business Value
Comprehensive CDE logging enables rapid breach detection and forensic investigation. It reduces PCI DSS audit scope issues and demonstrates security maturity to card brands.
⏱️ Effort Estimate
8-16 hours to configure logging across all CDE components
EchelonGraph monitors audit log configurations across all cloud accounts
🔗 Cross-Framework References
Automate PCI DSS 10.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.