Log all user access and activity

Registered by Paul Yasi on 2009-11-02

log activity to help meet PCI requirements. As far as I have found citrusdb falls under the "back-office" customer service application according to their regulations and is not required to be certified by PA-DSS itself. However, the merchant does need to certify themselves as PCI compliant, which means citrus still should work with what is needed for the merchant to meet that compliance.
10.2.1: accesses to cardholder data (in citrus this is views and edits of customer record, billing record, or card exports)
10.2.2: actions take by root or admin (I think this is on the server and outside the scope of citrus logging)
10.2.4 invalid logical access attempts (already does this using the login failures table)
10.2.5: verify use of id and authentication (I think this means to log successful logins too)
10.2.6: initialize the audit log (since http is stateless, this isn't really possible from citrus)
10.2.7: what is a system level object (citrusdb cannot log system devices, eg: use of printers, disk drives etc)
10.3.1: user identification (show user logins)
10.3.2: type of event included in log entries (show type of event)
10.3.3: date and time in log entries (show date and time)
10.3.4: success or failure of event in log entries (show success or failure)
10.3.5: origination of event (um, like IP address of user?)
10.3.6 identity of data affected (probably will use the account number/billing id)

Blueprint information

Status:
Complete
Approver:
None
Priority:
High
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
milestone icon 2.0-beta1
Started by
Paul Yasi on 2009-11-14
Completed by
Paul Yasi on 2010-01-28

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.