PCI DSS 10.3.4: File Integrity Monitoring on Audit Logs
Audit logs are only valuable if they remain trustworthy. PCI DSS 10.3.4 requires file integrity monitoring to detect when unauthorized parties attempt to tamper with or delete audit log data. Without these safeguards, attackers can cover their tracks by modifying logs after a breach.
What this means
File integrity monitoring (FIM) uses cryptographic hashing and change-detection mechanisms to identify any unauthorized modifications, deletions, or additions to audit log files. When audit logs are altered—intentionally or accidentally—FIM immediately alerts your security team. This control ensures the authenticity and completeness of your audit trail, which is critical for breach investigations, forensic analysis, and compliance audits.
How to comply
- 1.Deploy file integrity monitoring software that uses cryptographic hashing (MD5, SHA-256, or stronger) to establish baseline signatures of audit log files
- 2.Configure FIM to monitor all audit log storage locations, including on-premise servers and cloud repositories
- 3.Set monitoring to detect changes in real-time or at defined intervals (hourly or more frequent)
- 4.Generate alerts when unauthorized modifications are detected and route them to security personnel
- 5.Establish and document a response procedure for when FIM detects unauthorized changes to logs
- 6.Test FIM systems regularly to ensure they function correctly and capture all log modifications
- 7.Maintain audit trails of FIM activities and alerts for historical review
Evidence auditors look for
- File integrity monitoring tool configuration reports showing enabled monitoring for audit log directories
- Alert logs demonstrating FIM detection of file modifications with timestamps and change details
- Baseline hash values and change-detection mechanism documentation
- Incident response records showing actions taken when unauthorized log modifications were detected
- FIM system test results validating detection capabilities
- Centralized logging of all FIM alerts routed to SIEM or monitoring dashboard
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically configures and monitors file integrity monitoring rules for your audit logs, generates timestamped change alerts, and maintains compliance evidence—eliminating manual FIM setup and validation.
See how GRCWatch handles this control automatically
Start free trial