PCI DSS 10.2.1.5: Logging Changes to System-Level Objects
System-level object changes represent a critical attack vector and must be captured in audit logs to detect unauthorized modifications. PCI DSS 10.2.1.5 requires comprehensive logging of all additions, deletions, and changes to system-level objects. Failing to maintain these logs leaves your organization blind to privilege escalation and persistence mechanisms attackers commonly exploit.
What this means
This control mandates that your organization maintain detailed audit logs capturing every change made to system-level objects—including files, configurations, registry entries, and permissions. You must log not only modifications but also the addition of new objects and deletion of existing ones. These logs serve as the forensic foundation for detecting unauthorized access, configuration drift, and malicious activity at the operating system level.
How to comply
- 1.Enable operating system audit logging on all systems that store, process, or transmit cardholder data
- 2.Configure audit policies to capture all modifications, additions, and deletions of system-level objects
- 3.Ensure audit logs include the user ID, timestamp, nature of change, and affected object identifier
- 4.Implement centralized log collection to prevent tampering and ensure audit trail integrity
- 5.Retain system-level object change logs for at least one year, with at least three months available online
- 6.Regularly review audit logs to identify and investigate suspicious object modifications
- 7.Test your logging configuration to confirm system-level changes are being captured accurately
Evidence auditors look for
- Windows Event Viewer logs (Event ID 4657 for registry modifications, 4720+ for user account changes)
- Linux/Unix audit daemon (auditd) logs tracking inode changes and permission modifications
- File integrity monitoring reports showing system-level object additions and deletions
- Centralized syslog or SIEM records demonstrating continuous capture of system changes
- Change management records correlated with audit log entries for validation
- Log retention documentation proving 12-month retention with 3-month online availability
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically aggregates audit logs from Windows, Linux, and cloud systems into a unified compliance dashboard, flagging unauthorized system-level object changes and maintaining PCI DSS-compliant log retention without manual log management.
See how GRCWatch handles this control automatically
Start free trial