Re: PCI "Read Access" + MIMIX question

Rob and Steve,

Thanks for your input. Speaking of *CHANGE access, most of my client's
objects (most = 172,000+) are already set for *CHANGE. We are cranking it
to *ALL for the critical PCI-related files so we can track read accesses.
Even though I'm a proponent of "Log everything if you can get away with it"
on most days, in this case I believe it to be excessive. I guess we can
continue to let it all get sent over to the log consolidator and let them
worry about it. they asked for logs; they're getting logs.

A side-bar related to the object auditing is that when I suggested that we
reduce the non-critical objects to *USRPRF OBJAUD (thus, only the profiles
being audited will write audit journal entries when those objects are
accessed), I was told that MIMIX required *CHANGE in order to send changes
to the target system. In my other current client's shop, there are 6 boxes
running MIMIX (3 production MIMIX pairs) and the most "PCI in-scope" box of
the bunch currently has a mere 24 objects with any kind of OBJAUD value set.
Their MIMIX implementation works just fine that way, as they do tons of
reporting from the back-end boxes all the time.

Does MIMIX absolutely require *CHANGE on everything that needs to be part of
the HA environment? If so, then I wonder how my client B's MIMIX
implementation is working. Perhaps I need to go to a class. Doh!

Best regards,

Steven W. Martinson, CISA, CISM, CISSP
Security Consultant
Cypress, Texas

Smart-Consultant@xxxxxxxxxxxxx
Mobile: 713.277.5845
Fax: 281.758.2429