PCI requirement 10.5.5

trharter1027
Engager

Hello, I am trying to cover PCI requirement 10.5.5:

Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I assume fschange can help, but how? The log files constantly change. Thanks!

1 Solution

gkanapathy
Splunk Employee

This is inherent to the way Splunk works. The original log files are forwarded and stored in the Splunk indexes. Once the log data has been written to the Splunk index, it cannot be changed. The only exception is use of the delete command. This is logged in the Splunk audit logs, and its use should be extremely rare. (Note that by default no users, not even admins, have privileges to execute this command.) I would set up an alert on the Splunk internal logs for any use of the delete command (e.g., alert on "|*delete" on searches.log).

Other than that, mass deletion of an index and index files by a system admin is possible, but that probably falls under system integrity rather than file integrity, and should be logged by the regular system-level activity monitoring (i.e., recording actions of administrators on systems containing compliance data) rather than specifically watching those files for changes.
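One way to implement the alerting described in this answer, as an added example that is not code from the thread or from Splunk: a Python scan over constructed audit.log-style lines that flags searches which invoke the delete command through a pipe, so a search for the literal word "delete" does not trip it the way a plain "*delete*" match would. The field layout of the audit lines (timestamp, user, action, info, search=...) is an assumption modelled on Splunk's audit log and should be checked against your own deployment.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the general shape of Splunk's audit.log.
# The exact field layout is an assumption; verify against a real deployment.
SAMPLE_AUDIT_LOG = """\
05-10-2024 10:00:01.000, info, Audit:[timestamp=05-10-2024 10:00:01.000, user=analyst, action=search, info=granted , search_id='1715342401.1', search='search index=pci sourcetype=access_combined status=500'][n/a]
05-10-2024 10:02:14.000, info, Audit:[timestamp=05-10-2024 10:02:14.000, user=analyst, action=search, info=granted , search_id='1715342534.2', search='search index=pci "delete" | stats count by user'][n/a]
05-10-2024 10:05:42.000, info, Audit:[timestamp=05-10-2024 10:05:42.000, user=admin, action=search, info=granted , search_id='1715342742.3', search='search index=pci host=web01 |delete'][n/a]
05-10-2024 10:06:00.000, info, Audit:[timestamp=05-10-2024 10:06:00.000, user=admin, action=search, info=denied , search_id='1715342760.4', search='search index=pci | DELETE'][n/a]
"""

# Pull the fields we need out of one audit line. Note the stray space before
# the comma after info=granted/denied, which Splunk's audit.log does emit.
AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>\w+)\s*,.*?search='(?P<search>[^']*)'"
)

# A delete *command* is always introduced by a pipe; SPL command names are
# case-insensitive. A quoted string containing the word "delete" will not match.
DELETE_CMD_RE = re.compile(r"\|\s*delete\b", re.IGNORECASE)


@dataclass
class DeleteAlert:
    timestamp: str
    user: str
    info: str      # "granted" (data was removed) or "denied" (attempt only)
    search: str

    @property
    def severity(self) -> str:
        # A granted delete changed indexed log data, which PCI 10.5.5 wants alerted on;
        # a denied attempt is still worth a lower-severity alert for review.
        return "high" if self.info == "granted" else "medium"


def parse_audit_line(line: str):
    """Return the audit fields of a line as a dict, or None if it is not a search audit event."""
    m = AUDIT_RE.search(line)
    if not m or m.group("action") != "search":
        return None
    return m.groupdict()


def find_delete_commands(lines):
    """Return a DeleteAlert for every audited search that pipes into the delete command."""
    alerts = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields and DELETE_CMD_RE.search(fields["search"]):
            alerts.append(DeleteAlert(fields["ts"], fields["user"], fields["info"], fields["search"]))
    return alerts
```

Running `find_delete_commands(SAMPLE_AUDIT_LOG.splitlines())` over the constructed sample yields two alerts (the granted `|delete` and the denied `| DELETE`), while the analyst's search for the literal string "delete" is ignored.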

interhost
New Member

What if the audit.log file is altered or deleted?

southeringtonp
Motivator

It's also worth noting that Splunk has an option to sign indexed data at the block level. Arguably you would need to enable signing to achieve compliance. Whether it's truly needed I'll leave to the auditors to haggle over, but you may wish to read this page: http://www.splunk.com/base/Documentation/4.1.4/Admin/ITDataSigning

BunnyHop
Contributor

Here's the manual for setting up fschange:

http://www.splunk.com/base/Documentation/4.1.2/AppManagement/ConfigurationMonitoring

I understand that there's a PCI compliance module in the ESS Suite, which is not free.
