Hi All, has anyone using Splunk as a file integrity monitoring system for PCIDSS? We currently use a fantastic product called Tripwire however the cost is exorbitant and I'm looking to find an alternative.
Hi servebase - Hopefully someone who actually uses it in this capacity will answer. In the meantime, I'll point out generally that we have lots of customers using our Universal Forwarder, which includes an FSChange monitor, to meet PCI requirement 11.5 (and possibly 10.5.5 depending on your environment). Our PCI Compliance solution (http://www.splunk.com/view/pci-compliance/SP-CAAACPS) includes built-in reports to use this information or consume data from Tripwire or other FIM solutions.
If you want more information on FSChange, check this out:
Dear servebase - my company is actually the very first Splunk reseller - something we are very proud of and are very familiar with PCI-DSS 2.0 We have a comprehensive FIM function as part of our Reliant Security Splunk app that leverages a scheduled SSH stream that can be direected and configured centrally to monitor any file ot folder path. or more information please contact me directly at firstname.lastname@example.org
From consulting people I hear about Tripwire providing FIM and sending it to Splunk. Don't see Splunk used as the FIM provider - Splunk is better at other things, not FIM.
The point is though that it CAN do FIM, which often can be enough to make people happy.
The FIM functionality is now sadly being deprecated though, so it's hard to keep on recommending people to consider using Splunk for FIM.
This is an old thread but in case somebody stumples across this.
You don't want to use fschange and there are good reasons splunk discourages the use of fschange now.
Either use Tripwire or other FIM solutions or try to figure out how to do it with se-linux 😉