In the Cisco White Paper titled 'Meeting CISP Requirements: Cisco Recommendations', it references that MARS can address Requirement 10.5. Requirement 10 asks the vendor to track and monitor all access to cardholder data. More specifically, 10.5 states that the vendor must secure audit trails so that they cannot be altered.
Cisco states that this can be accomplished through a combination of MARS and CSA in sub-requirement 10.5.5. 10.5.5 says the vendor must use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts. Could someone explain how this works to satisfy the requirement, since I believe MARS changes the format of some logs?
Not familiar with the PCI requirements... but I would assume they're talking about the integrity of the logs on the actual host where CSA resides. In this context the CSMARS is the monitoring piece only; CSA on the host protects the log files from unauthorized modification.
Thank you for not making promises on the current capabilities of either CSA or MARS. It helps us all when the limitations as well as the accomplishments of CSA and MARS are discussed in these forums.
It is my understanding that MARS keeps a set of original raw logs. The output of queries, reports and incidents modifies the log format. As far as integrity of the MARS logs, I am not sure. The raw logs are available to read, but I am not sure if or how logs could be modified. I am guessing there is some sort of root access to the appliance, something the general user does not have access to. I have no idea if there is a checksum done on the logs.
Another way to ensure your log integrity is to configure CSA to monitor those log files, protect them against unauthorized access and send alerts when tampering is suspected.
The MARS logs do not have their own file integrity checking that I know of, but MARS can export the logs to an NFS share at periodic times. You could then use CSA on the NFS server to ensure the log file integrity.
Our Auditor found this to be an acceptable use of the products together. CSA could be used to monitor any log files on any server that CSA is running on.
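As an added illustration of what 10.5.5's "existing log data cannot be changed without generating alerts" means for logs exported to a share like the one described above, here is a small append-only integrity check in Python. It is not from this thread and not Cisco code; the directory, the file name mars-export.log and the log lines are constructed, and the check is a polling script rather than the file-access rules CSA applies on the host.

```python
import hashlib
import os
import tempfile

def hash_prefix(path, length):
    # SHA-256 over the first `length` bytes: exactly the data that was on record.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()

def build_baseline(log_dir):
    # Record size and hash of every exported log file as it stands now.
    baseline = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            size = os.path.getsize(path)
            baseline[name] = (size, hash_prefix(path, size))
    return baseline

def check_logs(log_dir, baseline):
    # Logs are append-only: growth is fine, but edits to recorded bytes, shrinking
    # or removal of a file each produce an alert, which is the 10.5.5 behaviour.
    alerts = []
    for name, (size, digest) in baseline.items():
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            alerts.append((name, "missing"))
        elif os.path.getsize(path) < size:
            alerts.append((name, "truncated"))
        elif hash_prefix(path, size) != digest:
            alerts.append((name, "modified"))
    return alerts

def demo():
    # Constructed scenario: one exported log file, then an append, an edit, a truncation.
    log_dir = tempfile.mkdtemp()
    path = os.path.join(log_dir, "mars-export.log")
    with open(path, "w") as f:
        f.write("Jan 01 10:00:00 host1 audit: user alice read cardholder file\n")
    baseline = build_baseline(log_dir)
    results = {}
    with open(path, "a") as f:
        f.write("Jan 01 10:00:05 host1 audit: user alice closed cardholder file\n")
    results["append"] = check_logs(log_dir, baseline)   # growth only: no alert
    with open(path, "r+b") as f:
        f.write(b"Feb")  # overwrite the start of an existing record in place
    results["edit"] = check_logs(log_dir, baseline)     # modified
    os.truncate(path, 10)
    results["truncate"] = check_logs(log_dir, baseline) # truncated
    return results
```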
The idea that CSMARS "raw logs" could be used for this purpose is laughable to me. The syslog messages are okay, if you don't mind them being truncated. The non-syslog raw messages are just horrible.
The CSMARS appliance is a Linux variant (from Protego) that contains OpenSSH and Apache. It seems like the device itself is not secure due to the nature of the device not being able to patch itself like a normal Linux device to keep current with the latest security threats. The long and short of it is that the device is extremely vulnerable to standard Linux process vulnerabilities. We used our tools to lock the device down via very scrutinized ACLs to the MARS and that was about all we could do. Service updates do not update services on these devices that would be susceptible to attack at this time (i.e. OpenSSH).
NFS backed by CSA is your best bet for offloading log security. I would send notifications to administrators via email with file access rules garnering that file system (using file sets, user sets, etc.). You can even probably get away with Object Change NT Event Logs if that's your flavor. The auditors were more than happy with this policy.
I'm going to throw in some input here as we're dealing with PCI compliance right now and have to answer the same requirement. 10.5.5 requires that you monitor any files which hold cardholder data and maintain a log which states who accessed the data and if it's been changed. The requirement does not speak to the actual integrity of the log, but rather the integrity of the file and ensuring access to the file(s) is logged.
CSA with MARS can accomplish this. Through CSA, you can set a "Monitor" policy on the PCI sensitive data. This will watch the files for any read/write attempts and log them to the CSAMC when this occurs. Now MARS is definitely not required, but can augment the logging by sending it to a central console (the MARS appliance). You could write a report on MARS that would look for any hits against the monitor rule you have set above (each rule in CSA has a rule number that identifies the rule to MARS). It certainly is a lot to take in. CSA is helping fill the gaps we currently have with respect to PCI compliance. It can be a hurdle, but feel free to ask if you have questions.