Is verbose ClickOnce logging considered compliant with PCI DSS 2.0 Requirement 10.2.7, at least as far as its content (Requirement 10.3) goes?
(10.2) Implement automated audit trails for all system components to reconstruct the following events: (10.2.7) Creation and deletion of system-level objects
An analyzed sample of such logging would be especially helpful.
It is not.
After consulting a QSA company, we came to a view that the key reason why verbose ClickOnce logging cannot serve to fulfill this requirement, is that it does not list all changed assemblies, but only the main executable.
Even if we wanted to interpret the whole ClickOnce application as the system-level object being updated during a ClickOnce deployment, there are other missing bits of information as well.
A sample verbose log here.