Question

Is verbose ClickOnce logging considered compliant with PCI DSS 2.0 Requirement 10.2.7, at least as far as its content (Requirement 10.3) goes?

(10.2) Implement automated audit trails for all system components to reconstruct the following events: (10.2.7) Creation and deletion of system-level objects

An analyzed sample of such logging would be especially helpful.


Solution

It is not.

After consulting a QSA company, we came to the view that the key reason why verbose ClickOnce logging cannot serve to fulfill this requirement is that it does not list all changed assemblies, but only the main executable.

Even if we wanted to interpret the whole ClickOnce application as the system-level object being updated during a ClickOnce deployment, there are other missing bits of information as well.

A sample verbose log here.

Licensed under: CC-BY-SA with attribution