Deployment Architecture

PCI requirement 10.5.5

trharter1027
Engager

Hello, I am trying to cover PCI requirement 10.5.5:

Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I assume fschange can help, but how? The log files constantly change. Thanks!

gkanapathy
Splunk Employee

This is inherent to the way Splunk works. The original log files are forwarded and stored in the Splunk indexes. Once the log data has been written to the Splunk index, it can not be changed. The only exception is use of the delete command. This is logged in the Splunk audit logs, and its use should be extremely rare. (Note that by default no users, not even admins, have privileges to execute this command.) I would set up an alert on the Splunk internal logs for any use of the delete commands (e.g., alert on "|*delete" on searches.log).

Other than that, mass deletion of an index and index files by a system admin is possible, but that probably falls under system integrity rather than file integrity, and should be logged by the regular system-level activity monitoring (i.e., recording actions of administrators on systems containing compliance data) rather than specifically watching those files for changes.

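One way to implement the alert this answer recommends, as an added example that is not part of the original thread or of Splunk's own tooling: a small Python checker that scans constructed audit-style search events (the line layout, field names and sample values are assumptions, not Splunk's exact audit.log format) and flags only searches whose pipeline actually contains the `delete` command, so field names such as `deleted` that a bare `*delete` wildcard would also match do not raise an alert.

```python
import re

# Constructed sample lines, loosely modelled on Splunk "action=search" audit
# events (assumed layout; not real log data).
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=01-15-2023 10:00:01.000, user=admin, action=search, "
    "info=granted, search='search index=pci sourcetype=syslog | delete']",
    "Audit:[timestamp=01-15-2023 10:02:13.000, user=analyst, action=search, "
    "info=granted, search='search index=pci deleted=true | stats count']",
    "Audit:[timestamp=01-15-2023 10:03:40.000, user=analyst, action=search, "
    "info=granted, search='search index=pci | rename deleted AS removed']",
    "Audit:[timestamp=01-15-2023 10:05:09.000, user=ops, action=search, "
    "info=granted, search='search index=pci host=pos-01 |   DELETE  ']",
]

# Pulls the acting user and the SPL string out of one audit line (assumed fields).
AUDIT_RE = re.compile(r"user=(?P<user>[^,\]]+).*?search='(?P<search>[^']*)'")


def pipeline_commands(search):
    """Lower-cased command name of each '|'-separated stage of an SPL string.

    Subsearch brackets are stripped from the token. A '|' inside a quoted
    SPL literal also splits a stage, which can only add a spurious stage
    (a false positive), never hide a real delete.
    """
    commands = []
    for stage in search.split("|"):
        tokens = stage.split()
        if tokens:
            commands.append(tokens[0].strip("[]").lower())
    return commands


def uses_delete(search):
    """True when 'delete' is an actual pipeline command, not just a word."""
    return "delete" in pipeline_commands(search)


def find_delete_events(lines):
    """Return (user, search) for every audit line that ran the delete command."""
    hits = []
    for line in lines:
        match = AUDIT_RE.search(line)
        if match and uses_delete(match.group("search")):
            hits.append((match.group("user"), match.group("search")))
    return hits


if __name__ == "__main__":
    for user, search in find_delete_events(SAMPLE_AUDIT_LINES):
        print(f"ALERT: user={user} ran the delete command: {search}")
```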
interhost
New Member

What if the audit.log file is altered or deleted?

southeringtonp
Motivator

It's also worth noting that Splunk has an option to sign indexed data at the block level. Arguably you would need to enable signing to achieve compliance. Whether it's truly needed I'll leave to the auditors to haggle over, but you may wish to read this page: http://www.splunk.com/base/Documentation/4.1.4/Admin/ITDataSigning

BunnyHop
Contributor

Here's the manual for setting up fschange:

http://www.splunk.com/base/Documentation/4.1.2/AppManagement/ConfigurationMonitoring

I understand that there's a PCI compliance module in the ESS Suite, which is not free.
