PCI requirement 10.5.5

trharter1027
Engager

Hello, I am trying to cover PCI requirement 10.5.5:

Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I assume fschange can help, but how? The log files constantly change. Thanks!
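
As an added example (not fschange's or Splunk's own code, and not from any post in this thread), here is the append-tolerant check the requirement's parenthetical calls for: hash the bytes already seen and alert only when those bytes change or disappear, while growth past the recorded offset is accepted and the baseline rolled forward. The file name, log lines and state layout are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not fschange or Splunk code. State is a constructed dict
# {"offset": bytes covered, "sha256": hash of those bytes}: an append-only
# log may grow, but the bytes already covered must never change.

def _hash_prefix(path, length):
    # SHA-256 of the first `length` bytes; also returns how many were read.
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0 and (chunk := f.read(min(65536, remaining))):
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest(), length - remaining

def baseline(path):
    """Record the current size and the hash of everything now in the file."""
    size = Path(path).stat().st_size
    return {"offset": size, "sha256": _hash_prefix(path, size)[0]}

def check(path, state):
    """Return (verdict, state): 'ok', 'appended', 'truncated' or 'modified'."""
    size = Path(path).stat().st_size
    if size < state["offset"]:
        return "truncated", state           # shrank: existing data lost
    digest, read = _hash_prefix(path, state["offset"])
    if read != state["offset"] or digest != state["sha256"]:
        return "modified", state            # covered bytes changed in place
    if size == state["offset"]:
        return "ok", state
    return "appended", baseline(path)       # new data only: roll baseline forward

def demo():
    """Constructed scenario: append (no alert), same-size edit, truncation."""
    path = Path(tempfile.mkdtemp()) / "audit.log"
    path.write_bytes(b"2011-01-01 user=admin action=login\n")
    state = baseline(path)
    verdicts = [check(path, state)[0]]
    with path.open("ab") as f:
        f.write(b"2011-01-01 user=admin action=search\n")
    verdict, state = check(path, state)
    verdicts.append(verdict)
    path.write_bytes(path.read_bytes().replace(b"login", b"lgoin"))  # same size
    verdicts.append(check(path, state)[0])
    path.write_bytes(b"")                   # log wiped or rotated in place
    verdicts.append(check(path, state)[0])
    return verdicts
```

Log rotation also shows up as "truncated", so a real monitor must track the inode and start a fresh baseline for a rotated file instead of alerting on it.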

1 Solution

gkanapathy
Splunk Employee

This is inherent to the way Splunk works. The original log files are forwarded and stored in the Splunk indexes. Once the log data has been written to the Splunk index, it cannot be changed. The only exception is use of the delete command. This is logged in the Splunk audit logs, and its use should be extremely rare. (Note that by default no users, not even admins, have privileges to execute this command.) I would set up an alert on the Splunk internal logs for any use of the delete commands (e.g., alert on "|*delete" on searches.log).

Other than that, mass deletion of an index and index files by a system admin is possible, but that probably falls under system integrity rather than file integrity, and should be logged by the regular system-level activity monitoring (i.e., recording actions of administrators on systems containing compliance data) rather than specifically watching those files for changes.

interhost
New Member

What if the audit.log file is altered or deleted?

0 Karma

southeringtonp
Motivator

It's also worth noting that Splunk has an option to sign indexed data at the block level. Arguably you would need to enable signing to achieve compliance. Whether it's truly needed I'll leave to the auditors to haggle over, but you may wish to read this page: http://www.splunk.com/base/Documentation/4.1.4/Admin/ITDataSigning

0 Karma

BunnyHop
Contributor

Here's the manual for setting up fschange:

http://www.splunk.com/base/Documentation/4.1.2/AppManagement/ConfigurationMonitoring

I understand that there's a PCI compliance module in the ESS Suite, which is not free.
