citrusdb

Log all user access and activity

Registered by Paul Yasi on 2009-11-02

log activity to help meet PCI requirements. As far as I have found citrusdb falls under the "back-office" customer service application according to their regulations and is not required to be certified by PA-DSS itself. However, the merchant does need to certify themselves as PCI compliant, which means citrus still should work with what is needed for the merchant to meet that compliance.
10.2.1: accesses to cardholder data (in citrus this is views and edits of customer record, billing record, or card exports)
10.2.2: actions take by root or admin (I think this is on the server and outside the scope of citrus logging)
10.2.4 invalid logical access attempts (already does this using the login failures table)
10.2.5: verify use of id and authentication (I think this means to log successful logins too)
10.2.6: initialize the audit log (since http is stateless, this isn't really possible from citrus)
10.2.7: what is a system level object (citrusdb cannot log system devices, eg: use of printers, disk drives etc)
10.3.1: user identification (show user logins)
10.3.2: type of event included in log entries (show type of event)
10.3.3: date and time in log entries (show date and time)
10.3.4: success or failure of event in log entries (show success or failure)
10.3.5: origination of event (um, like IP address of user?)
10.3.6 identity of data affected (probably will use the account number/billing id)

Blueprint information

Status:: Complete

Approver:: None

Priority:: High

Drafter:: None

Direction:: Needs approval

Assignee:: None

Definition:: Approved

Series goal:: None

Implementation:: Implemented

Milestone target:: 2.0-beta1

Started by: Paul Yasi on 2009-11-14

Completed by: Paul Yasi on 2010-01-28

Related branches

Related bugs

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.