Apps:Splunk for PCI Compliance
From Splunk
The Splunk PCI application offers a set of reports, saved searches, and dashboards, as well as corresponding alerts that you can use to satisfy PCI requirements such as secure remote access, file integrity monitoring, secure log collection, daily log review, audit trail retention, and PCI control reporting. Watch the Splunk for PCI Compliance video.
Contents
- 57 reports
- more than 91 saved searches
- dashboard and corresponding control objective monitors (alerts)
Screenshots
The Splunk PCI dashboard shows your current PCI compliance posture. Control objective monitors are used to monitor the environment and alert on each violation. The Overview dashboard then summarizes all the violations. Each of the requirement areas also has its own dashboard where the violations of that requirement are summarized. This makes it easy to quickly assess the impact of the violations.
Splunk can easily show unsuccessful logins to cardholder systems to address PCI Requirement 10. This graph shows the top failed logins by username, with failed root logins occurring most frequently. The high number of failed root logins is alarming: it indicates either a misconfiguration or an attack in progress, and it needs immediate investigation.
Splunk's ability to correlate events by time provides powerful and concise views of activity on cardholder systems. This graph shows failed logins over time, again for PCI Requirement 10. There are clear spikes in failed root logins, which warrant investigation. The user names are also worrisome: several of the account names should never appear on these systems, which points to attack behavior.
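As an added example (not code from the Splunk PCI app), the Requirement 10 failed-login analysis described above worked over a few constructed sshd log lines: top failed users, per-hour root failure spikes, and account names that should not appear at all. The hostname, addresses and user names are made up.

```python
"""Added example (not code from the Splunk PCI app): the Requirement 10
failed-login analysis above, worked over constructed sshd log lines."""
import re
from collections import Counter

# Constructed auth log sample (hostname and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar 10 02:01:11 pos-db01 sshd[412]: Failed password for root from 10.0.9.4 port 51022 ssh2
Mar 10 02:01:13 pos-db01 sshd[412]: Failed password for root from 10.0.9.4 port 51023 ssh2
Mar 10 02:01:15 pos-db01 sshd[412]: Failed password for root from 10.0.9.4 port 51024 ssh2
Mar 10 02:01:19 pos-db01 sshd[412]: Failed password for invalid user oracle from 10.0.9.4 port 51025 ssh2
Mar 10 09:15:40 pos-db01 sshd[777]: Failed password for jsmith from 10.0.3.12 port 40311 ssh2
Mar 10 09:16:02 pos-db01 sshd[779]: Accepted password for jsmith from 10.0.3.12 port 40312 ssh2
Mar 10 14:22:09 pos-db01 sshd[901]: Failed password for root from 10.0.3.20 port 60010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failed_logins(log_text):
    """One (hour_bucket, user, src) tuple per failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # successful logins and other daemons are skipped
            events.append((f"{m['mon']} {m['day']} {m['hh']}:00", m["user"], m["src"]))
    return events

def top_failed_users(events):
    """The 'top failed logins by username' chart as a sorted list."""
    return Counter(user for _, user, _ in events).most_common()

def root_failure_spikes(events, threshold=3):
    """Hour buckets where failed root logins reach the threshold: the spikes
    in the failed-logins-over-time chart that warrant investigation."""
    per_hour = Counter(bucket for bucket, user, _ in events if user == "root")
    return {hour: n for hour, n in per_hour.items() if n >= threshold}

def unexpected_accounts(events, allowed):
    """Usernames failing that should not appear on a cardholder host at all."""
    return sorted({user for _, user, _ in events} - set(allowed))
```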
Splunk fully addresses requirements for file integrity monitoring (PCI Requirement 11.5) through continuous monitoring of critical system files and re-indexing of files on every change. This graph reveals updates, additions or deletions to files on systems containing cardholder data, providing an audit trail of file access activity. The bar chart shows when file system changes were detected and breaks the changes down by host. Each file change should be mapped to a change request; if no change request exists, the file change should be regarded as suspicious.
The Splunk PCI dashboard shows your current PCI compliance posture. Control objective monitors are used to monitor the environment and alert on each violation. This is another Overview dashboard that summarizes all the violations.
Installation
Install the application
To install the Splunk PCI application, unpack the tarball inside $SPLUNK_HOME/etc/apps.
To feed data into the PCI application, make sure you also install some of the other applications that supply it with data, such as Splunk for UNIX, Splunk for PIX, etc.
Configure the application
There are four issues you must consider when you configure this application: data sources, host tags, event types, and alerts.
Note: The PCI application may require additional services to be customized for your environment.
There are two types of searches included:
- Regular searches that are owned by admin.
- Summary indexing searches (ones that start with "PCI-SI") are not scheduled by default. You need to manually enable all the searches that you need for your environment.
The dashboard included in the application splits searches into a group of active and a group of inactive searches. That way you can easily partition all of the searches into ones that you are interested in (and you have data for) and ones that you do not care about. To turn a search into an inactive one, change its name to start with "PCI - " instead of "PCI-".
Apply host tags
You must apply host tags that correspond to a host's duties where they intersect with the PCI standard. To apply these tags, do the following:
- Determine which of your hosts are subject to PCI compliance, and which work with cardholder data.
- For those hosts that are subject to PCI compliance, add the host tag pci.
- For those hosts that deal with cardholder information, add the host tag cardholder, cardholder-dest, and cardholder-src.
The full list of host tags this application uses is as follows:
| Tag | Description |
|---|---|
| cardholder | All systems that store or process cardholder data. |
| cardholder-dest | Systems that are destinations for cardholder data. |
| cardholder-src | Systems that are sources for cardholder data. |
| dns_server | DNS servers. |
| domain-controller | Domain controllers. |
| internal | All machines on the internal network. |
| mail_server | Mail servers. |
| pci | All systems subject to PCI compliance. |
| network | Layer 2 or layer 3 network appliances such as firewalls and switches. |
| server | All servers. |
| web_server | Web servers. |
Adjust event types
You may have to adjust some event types to ensure that they properly match your data. To edit these, open the application's eventtypes.conf file. Be sure to read the comments in the file that explain each group of stanzas and edit where needed to make the event types meet your own needs.
Set up alerts
Some of the saved searches in this application have alerts associated with them. All of the alerts are disabled by default; you need to enable the ones you need. By default these alerts send an email to an administrator at admin@example.com. Change this address to the address of your system administrator(s). The easiest way to do this is to take the savedsearches.conf_local file shipped with the application, place it at $SPLUNK_HOME/etc/apps/local/savedsearches.conf, and edit it as follows:
- On lines starting with action_email, change admin@example.com to the email address of the administrator who should receive the respective alerts.
- Change enableSched=0 to enableSched=1 for the searches that you want to enable.
- Update the schedule lines of the searches that you want to schedule and configure the schedule that you need.
Adjust search owners
All the searches are owned by the user with ID 1, which is the admin user. To change the owner, edit the savedsearches.conf file that you copied into your local directory (see "Set up alerts") and change the userid lines to the ID of the user that should own the searches.
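As an added example (not part of the Splunk PCI app), a small audit of a copied savedsearches.conf that checks the items described under "Set up alerts" together with the "PCI-" / "PCI - " active/inactive naming convention from "Configure the application": which active or summary-indexing searches still mail admin@example.com, which are not scheduled, and which searches were renamed inactive but left scheduled. The stanza names and search strings are constructed placeholders.

```python
# Added example, not part of the Splunk PCI app: audit a copied savedsearches.conf
# against the 'Set up alerts' steps and the 'PCI-' / 'PCI - ' naming convention.
import configparser

# Constructed sample of a local savedsearches.conf; searches are placeholders.
SAMPLE = """\
[PCI-Failed root logins]
search = eventtype=pci_failed_login user=root | stats count by host
enableSched = 1
action_email = admin@example.com

[PCI-SI-Daily failed logins by user]
search = eventtype=pci_failed_login | stats count by user
enableSched = 0
action_email = soc@example.com

[PCI - Wireless access points]
search = eventtype=pci_wireless_ap
enableSched = 1
action_email = admin@example.com
"""

def classify(name):
    """'PCI - ' is inactive, 'PCI-SI' summary-indexing, other 'PCI-' active."""
    if name.startswith("PCI - "):
        return "inactive"
    return "summary" if name.startswith("PCI-SI") else "active"

def audit(conf_text, default_addr="admin@example.com"):
    """Stanzas that still need the edits described under Set up alerts."""
    # INI-like file: disable '%' interpolation (searches may contain it) and
    # keep key case so enableSched is looked up as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    findings = {"default_recipient": [], "not_scheduled": [], "inactive_but_scheduled": []}
    for name in cp.sections():
        kind, sec = classify(name), cp[name]
        scheduled = sec.get("enableSched", "0") == "1"
        if kind == "inactive":
            if scheduled:  # renamed inactive but still firing
                findings["inactive_but_scheduled"].append(name)
            continue
        if sec.get("action_email") == default_addr:  # still mails the sample address
            findings["default_recipient"].append(name)
        if not scheduled:  # will never run or alert
            findings["not_scheduled"].append(name)
    return findings
```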