Slashdot Mirror


DSS/HIPAA/SOX Unalterable Audit Logs?

analogrithems writes "Recently I was asked by one of the suits in my company to come up with a method to comply with the new PCI DSS policy that requires companies to have write once, read many logs. In short, the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed. So far I've only been able to find commercial and hardware-based solutions. I would prefer to use an open source solution. I know this policy is already part of HIPAA and soon to be part of SOX. It seems like there ought to be a way to do this with cryptography and checksums to ensure authenticity. Has anyone seen or developed such a solution? Or how have you achieved compliance?"
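The "cryptography and checksums" idea in the question is usually implemented as a hash chain: every record carries a MAC over its own sequence number, its text, and the MAC of the record before it, so changing, removing or reordering an interior record breaks every link after it. The example below is added here to show that technique concretely; it is not code from the post or from any product the thread mentions. The key, the record layout and the syslog-style lines are all constructed for the demonstration. Two caveats the code makes explicit: the sealing key must not live on the host whose logs are being protected (anyone holding it can re-seal a forged chain, so ship records to a separate collector, or use a forward-evolving key), and a chain alone cannot detect that its newest records were silently dropped, which is why the verifier also accepts an externally stored "anchor" MAC.

```python
"""Hash-chained, HMAC-sealed audit log: an added example, not code from the
Slashdot post or any product mentioned in it.  All names, the key and the
sample log lines below are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # placeholder "previous MAC" for the first record

# Assumption: the sealing key lives on the collector, not on the host that
# produced the logs; whoever holds it can forge a valid chain.
KEY = b"demo-only-key-keep-the-real-one-off-the-audited-host"

# Constructed sample lines (syslog-style), not real captured logs.
SAMPLE_LINES = [
    "Mar  1 10:00:01 db01 sshd[4411]: Accepted publickey for alice from 10.0.0.5",
    "Mar  1 10:00:07 db01 sudo: alice : COMMAND=/bin/cat /var/lib/pgsql/pg_hba.conf",
    "Mar  1 10:02:13 db01 sshd[4411]: Disconnected from user alice 10.0.0.5",
    "Mar  1 10:05:40 db01 cron[4420]: (root) CMD (/usr/local/bin/backup.sh)",
]


def seal(key: bytes, seq: int, prev: str, message: str) -> str:
    """MAC over (seq, prev, message).  JSON framing avoids ambiguity if a
    message happens to contain whatever separator we would otherwise use."""
    data = json.dumps([seq, prev, message], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, message: str) -> dict:
    """Append one record whose MAC covers its own fields and the previous MAC."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": seq, "prev": prev, "msg": message,
              "mac": seal(key, seq, prev, message)}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes, anchor: Optional[str] = None):
    """Return (True, len(chain)) if intact, else (False, index_of_first_bad).

    Detects edits, deletions and reordering of interior records.  Silently
    dropping the *tail* is only caught if the caller supplies ``anchor``,
    the most recent MAC stored somewhere the attacker cannot reach."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        expected = seal(key, i, prev, rec["msg"])
        if not hmac.compare_digest(rec["mac"], expected):
            return False, i
        prev = rec["mac"]
    if anchor is not None and prev != anchor:
        return False, len(chain)  # tail was truncated or the anchor is stale
    return True, len(chain)


def build_chain(lines=SAMPLE_LINES, key=KEY) -> list:
    chain: list = []
    for line in lines:
        append_entry(chain, key, line)
    return chain


def demo() -> dict:
    """Run the tamper scenarios a reviewer would ask about and return results."""
    chain = build_chain()
    anchor = chain[-1]["mac"]                    # would be shipped off-box in practice
    results = {"clean": verify_chain(chain, KEY, anchor)}

    edited = json.loads(json.dumps(chain))       # deep copy via JSON round-trip
    edited[1]["msg"] = edited[1]["msg"].replace("alice", "bob")
    results["edited"] = verify_chain(edited, KEY, anchor)

    deleted = json.loads(json.dumps(chain))
    del deleted[2]                               # remove an interior record
    results["deleted"] = verify_chain(deleted, KEY, anchor)

    truncated = chain[:-1]                       # drop the newest record
    results["truncated_no_anchor"] = verify_chain(truncated, KEY)
    results["truncated_with_anchor"] = verify_chain(truncated, KEY, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:22} intact={ok} first_bad_or_len={idx}")
```

Running it shows the clean chain verifying, the edited and deleted cases failing at the first broken link, and the truncated chain passing without an anchor but failing once the last known MAC is supplied. That last case is the one to remember when an auditor asks what "cannot be deleted" means: the chain proves nothing about records that never reached the verifier, so the newest MAC has to be copied somewhere the log host cannot write.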


  1. USB Card punch by www.sorehands.com · · Score: 2, Funny

    And you thought there was no use for a USB card punch.

    Hard to change punched cards. Just don't trip with your box of cards.

    1. Re:USB Card punch by Anonymous Coward · · Score: 1, Funny

      I once saw a car pass me on a highway bend, get unstable, turn over, and card boxes drop onto the tarmac out of the open doors. The man was in a hurry, but I had no urge to collect the cards in the middle of highway traffic. There's more to security than data being overwritten.

  2. Tattoos by Anonymous Coward · · Score: 2, Funny

    Start tattooing everyone in the office with data. Encode it in some nice optical way (a la barcodes) for easy reading later.

    On top of the obvious benefits, it provides a good deal of job security: if they get fired, they take away some important data. Your employees will be thrilled with their newfound sense of security.

  3. Re:Sometimes, the old ideas are the best by Anonymous Coward · · Score: 1, Funny

    Paper is easy to delete. They sell the tools at every drug store I've ever seen. It's called a lighter.

  4. Re:Go with commercial hardware solution by feepness · · Score: 5, Funny

    unless you want to spend the next 6 months explaining to your auditors how your homegrown solution works and then the next 6 months building something new that your auditors do understand (or worse, losing your job). I dunno, I can lose my job WAY faster than 6 months.
  5. Re:Write them to a DVD jukebox by //rhi · · Score: 4, Funny

    I always thought that WORM stood for "Write Once, Read Maybe"
    //rhi - Enjoy the American Dream - You have to be asleep to believe it.

    --
    //rhi /.15411./
  6. How come nobody mentioned this ? by Anonymous Coward · · Score: 1, Funny

    Of all the solutions, I have the one that would work, and I can't believe the /. crowd has not mentioned it yet. Email your logs to Gmail. Have Gmail automatically forward your logs to Hotmail. Have Hotmail automatically forward your logs to Yahoo. If you want to put more stuff into the mix, ensure your chain of emailing includes anonymous forwarding or whatever other features you want. Every account has a password. If any email is disputed, I can log you into another account to prove its correctness. You get them time stamped. What else do you want? G

  7. Re:Question... What's to stop by More_Cowbell · · Score: 3, Funny

    /kill people who saw this form (difficult) or reverse a cryptographic hash (even more difficult).

    So you find it easier to kill people than to run computer programs... Remind me not to get on your shit list. :p

    --
    Experience teaches only the teachable. -AH
  8. Re:Syslog by kars · · Score: 4, Funny

    That's easy; feed the paper coming out of the printer through some sort of OCR machine.

    --
    Take life easy: one bit at a time.
  9. Re:Write them to a DVD jukebox by Anonymous Coward · · Score: 1, Funny

    I think the Flintstones got it right by hiring monkeys to chisel out logs in stone.

  10. Re:use a line printer by amiga500 · · Score: 2, Funny

    The NASD has a requirement that a firm must keep a copy of all email sent and received for three years. We figured the NASD must have the same requirement, so a simple solution would be to forward copies of all our email to the NASD and let them worry about retaining it. I was proposing solutions for another bank on how they could meet the PCI DSS requirements, and the business users decided it would just be easier if we didn't log anything at all. That way we didn't have to worry about the logs getting tampered with or falling into the wrong hands.