GRCWatch
Sign inStart free trial

PCI DSS 10.3.4: File Integrity Monitoring on Audit Logs

Audit logs are only valuable if they remain trustworthy. PCI DSS 10.3.4 requires file integrity monitoring to detect when unauthorized parties attempt to tamper with or delete audit log data. Without these safeguards, attackers can cover their tracks by modifying logs after a breach.

What this means

File integrity monitoring (FIM) uses cryptographic hashing and change-detection mechanisms to identify any unauthorized modifications, deletions, or additions to audit log files. When audit logs are altered—intentionally or accidentally—FIM immediately alerts your security team. This control ensures the authenticity and completeness of your audit trail, which is critical for breach investigations, forensic analysis, and compliance audits.

How to comply

  1. 1.Deploy file integrity monitoring software that uses cryptographic hashing (MD5, SHA-256, or stronger) to establish baseline signatures of audit log files
  2. 2.Configure FIM to monitor all audit log storage locations, including on-premise servers and cloud repositories
  3. 3.Set monitoring to detect changes in real-time or at defined intervals (hourly or more frequent)
  4. 4.Generate alerts when unauthorized modifications are detected and route them to security personnel
  5. 5.Establish and document a response procedure for when FIM detects unauthorized changes to logs
  6. 6.Test FIM systems regularly to ensure they function correctly and capture all log modifications
  7. 7.Maintain audit trails of FIM activities and alerts for historical review

Evidence auditors look for

  • File integrity monitoring tool configuration reports showing enabled monitoring for audit log directories
  • Alert logs demonstrating FIM detection of file modifications with timestamps and change details
  • Baseline hash values and change-detection mechanism documentation
  • Incident response records showing actions taken when unauthorized log modifications were detected
  • FIM system test results validating detection capabilities
  • Centralized logging of all FIM alerts routed to SIEM or monitoring dashboard

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically configures and monitors file integrity monitoring rules for your audit logs, generates timestamped change alerts, and maintains compliance evidence—eliminating manual FIM setup and validation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

10.3.1 - Restrict direct access to audit logs10.3.2 - Promptly protect audit log files from unauthorized modifications10.3.3 - Promptly back up audit log files to a centralized, secure location10.3.5 - Restrict access to audit log management tools10.4.1 - Implement automated audit trail for access to audit trails