PCI requirement 10.5.5

trharter1027
Engager

Hello, I am trying to cover PCI requirement 10.5.5:

Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I assume fschange can help, but how? The log files constantly change. Thanks!
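The check the requirement describes, as an added example that is not part of the original post and is not Splunk's fschange: a baseline records the file's size and a hash of everything written so far, and each later check re-hashes only that trusted prefix, so appended lines pass silently while an in-place edit or a truncation is reported. The temp file and its contents are constructed for the demo; `hash_prefix`, `baseline`, `check` and `demo` are names chosen here.

```python
"""Append-only integrity check for a growing log file.

Added illustration of the control PCI DSS 10.5.5 asks for; it is not
Splunk's fschange and not code from this thread. A baseline records the
file's size and the SHA-256 of every byte written so far. Each check
re-hashes only the bytes that existed at baseline time: if that prefix
hash still matches, newly appended data is accepted and the baseline
advances; a changed prefix or a shrunken file is reported for alerting.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read size used while hashing


def hash_prefix(path, length):
    """SHA-256 hex digest of the first `length` bytes of `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:  # file shorter than expected; caller compares sizes
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Trusted state: current size and hash of the whole file."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check(path, state):
    """Compare `path` against `state`; return (status, new_state).

    "ok"        unchanged
    "appended"  only new bytes after the trusted prefix (baseline advances)
    "truncated" file shorter than the trusted size      -> alert
    "modified"  bytes inside the trusted prefix changed -> alert
    On an alert the old state is returned so the tampering stays visible.
    """
    size = os.path.getsize(path)
    if size < state["size"]:
        return "truncated", state
    if hash_prefix(path, state["size"]) != state["sha256"]:
        return "modified", state
    if size == state["size"]:
        return "ok", state
    return "appended", {"size": size, "sha256": hash_prefix(path, size)}


def demo():
    """Constructed scenario: growth passes; in-place edit and truncation alert."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"line1 ok\nline2 ok\n")
        state = baseline(path)

        with open(path, "ab") as f:           # normal log growth
            f.write(b"line3 ok\n")
        appended, state = check(path, state)
        unchanged, state = check(path, state)

        with open(path, "r+b") as f:          # rewrite bytes inside the trusted prefix
            f.seek(0)
            f.write(b"LINE1")
        modified, state = check(path, state)

        with open(path, "wb") as f:           # truncate the file
            f.truncate(0)
        truncated, _ = check(path, state)
        return appended, unchanged, modified, truncated
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # ('appended', 'ok', 'modified', 'truncated')
```

The baseline state has to live somewhere the log writer cannot reach (a separate host or a read-only store), otherwise whoever edits the log can re-baseline it; log rotation should be treated as a deliberate, recorded event that resets the baseline rather than as a truncation alert.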

1 Solution

gkanapathy
Splunk Employee

This is inherent to the way Splunk works. The original log files are forwarded and stored in the Splunk indexes. Once the log data has been written to the Splunk index, it cannot be changed. The only exception is use of the delete command. This is logged in the Splunk audit logs, and its use should be extremely rare. (Note that by default no users, not even admins, have privileges to execute this command.) I would set up an alert on the Splunk internal logs for any use of the delete commands (e.g., alert on "|*delete" on searches.log).

Other than that, mass deletion of an index and index files by a system admin is possible, but that probably falls under system integrity rather than file integrity, and should be logged by the regular system-level activity monitoring (i.e., recording actions of administrators on systems containing compliance data) rather than specifically watching those files for changes.

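The alert recommended above, run offline over sample lines as an added example (not code from the thread or from Splunk): rather than a bare substring match on "delete", it splits the recorded search into pipeline stages on unquoted pipes, so a search that only mentions "| delete" inside a quoted string is not reported while `... | delete` in any case is, and denied attempts are reported alongside granted ones. The sample lines are constructed in the general shape of Splunk's audit.log; their exact field layout is an assumption, and a production alert would be a scheduled search over the audit index rather than this script.

```python
"""Detect use of the Splunk `delete` command in audit log lines.

Added example, not code from this thread. It applies the idea of alerting
on delete-command usage to audit-style lines offline. Instead of a
substring match it splits the recorded search into pipeline stages on
unquoted pipes, so text "| delete" inside a quoted string is not reported
while `... | delete` (any case) is. The sample lines are constructed in
the shape of Splunk's audit.log; the exact field layout is an assumption.
"""
import re

SEARCH_RE = re.compile(r"search='((?:[^'\\]|\\.)*)'")  # the search='...' field
USER_RE = re.compile(r"\buser=([^,\]]+)")
INFO_RE = re.compile(r"\binfo=(\w+)")

# Constructed sample audit lines (not real data).
SAMPLE_AUDIT = [
    "Audit:[timestamp=03-01-2025 09:15:02.118, user=analyst, action=search, info=granted , "
    "search_id='1740820502.1', search='search index=web | head 5']",
    "Audit:[timestamp=03-01-2025 09:16:40.502, user=analyst, action=search, info=granted , "
    "search_id='1740820600.2', search='search index=web \"| delete\" | stats count']",
    "Audit:[timestamp=03-01-2025 09:20:11.007, user=admin, action=search, info=granted , "
    "search_id='1740820811.3', search='search index=web status=500 | delete']",
    "Audit:[timestamp=03-01-2025 09:21:30.331, user=intern, action=search, info=denied , "
    "search_id='1740820890.4', search='search index=pci | DELETE']",
    "Audit:[timestamp=03-01-2025 09:22:00.000, user=admin, action=login attempt, info=succeeded ]",
]


def pipeline_commands(spl):
    """Return the command name of each pipeline stage of an SPL string.

    Pipes inside double-quoted strings (backslash escapes honoured) do not
    start a new stage; the first token of each stage is its command.
    """
    stages, buf, in_quote, escaped = [], [], False, False
    for ch in spl:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    return [s.split(None, 1)[0].lower() for s in (st.strip() for st in stages) if s]


def uses_delete(spl):
    """True when `delete` is a pipeline command, not merely text in the search."""
    return "delete" in pipeline_commands(spl)


def audit_delete_events(lines):
    """Return (user, info, search) for each search audit line that invokes delete.

    Denied attempts are reported too: a user trying to delete indexed data
    is as interesting to a reviewer as one who succeeded.
    """
    hits = []
    for line in lines:
        if "action=search" not in line:
            continue
        m = SEARCH_RE.search(line)
        if not m:
            continue
        spl = m.group(1)
        if uses_delete(spl):
            user = USER_RE.search(line)
            info = INFO_RE.search(line)
            hits.append((user.group(1) if user else "?",
                         info.group(1) if info else "?",
                         spl))
    return hits


if __name__ == "__main__":
    for user, info, spl in audit_delete_events(SAMPLE_AUDIT):
        print(f"ALERT delete command: user={user} info={info} search={spl!r}")
```

On the constructed sample this reports the admin's granted delete and the intern's denied one, and stays quiet on the search that only quotes the text "| delete".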

interhost
New Member

What if the audit.log file is altered or deleted?

southeringtonp
Motivator

It's also worth noting that Splunk has an option to sign indexed data at the block level. Arguably you would need to enable signing to achieve compliance. Whether it's truly needed I'll leave to the auditors to haggle over, but you may wish to read this page: http://www.splunk.com/base/Documentation/4.1.4/Admin/ITDataSigning

BunnyHop
Contributor

Here's the manual for setting up fschange:

http://www.splunk.com/base/Documentation/4.1.2/AppManagement/ConfigurationMonitoring

I understand that there's a PCI compliance module in the ESS Suite, which is not free.
