GRCWatch
Sign inStart free trial

PCI DSS 10.2.1.7: Logging System Object Creation and Deletion

System-level object creation and deletion represent critical security events that must be captured in audit logs to maintain accountability and detect unauthorized changes. PCI DSS 10.2.1.7 requires comprehensive logging of these activities across all systems in your cardholder data environment. Without proper logging controls, you cannot detect privilege escalation, malware installation, or unauthorized system modifications.

What this means

This control mandates that your organization captures detailed audit log entries whenever system-level objects (files, directories, accounts, configurations, or other OS-level resources) are created or deleted. These logs must record sufficient detail to identify what object was affected, who performed the action, when it occurred, and from where. The objective is to maintain a complete audit trail that enables forensic investigation and detection of unauthorized or suspicious administrative activities.

How to comply

  1. 1.Enable audit logging at the OS level on all systems handling cardholder data (Windows Event Logging, syslog, auditd, etc.)
  2. 2.Configure logging rules to capture all file and directory creation/deletion events in critical system directories
  3. 3.Log all user and service account creation, modification, and deletion events
  4. 4.Ensure logs capture the source user, timestamp, affected object name, action type, and result status
  5. 5.Centralize logs to a secure, tamper-protected logging system for retention and analysis
  6. 6.Set log retention periods to match PCI DSS requirements (minimum 1 year, 3 months readily available)
  7. 7.Test audit logging configurations regularly to verify events are captured as expected
  8. 8.Review and monitor logs for suspicious patterns of object creation/deletion

Evidence auditors look for

  • Windows Event Viewer logs showing Event ID 4720 (user account created), 4726 (user account deleted), 4742 (computer account changed)
  • Linux auditd logs with rules capturing syscalls like unlink(), rmdir(), and creat() in monitored directories
  • Centralized logging system (Splunk, ELK, syslog server) with indexed object creation/deletion events
  • Log retention policy documentation showing minimum 1-year retention for object lifecycle events
  • Audit log testing reports demonstrating successful capture of test object creation and deletion events
  • Change management records correlating system object changes with approved requests
  • Monthly log review reports highlighting any suspicious or unauthorized object modifications

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the collection and analysis of system object creation and deletion events across your entire infrastructure, eliminating manual log review while generating audit-ready compliance evidence for PCI DSS 10.2.1.7.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 10.2.1 - Audit Log StandardsPCI DSS 10.2.5.3 - Logging of User ActivityPCI DSS 10.3 - Log Protection and RetentionPCI DSS 10.7 - Log Review Procedures