Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Anomalous System Uptime

This report provides a list of servers that have not had been rebooted in 30 days or more. Use this report to identify systems that might be vulnerable to attack.

Systems often need to be rebooted after patches are applied. Systems that have not been rebooted might still be vulnerable to compromise. PCI DSS requires that high and/or critical patches be applied within 30 days.

Relevant data sources

Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts.

How to configure this report

  1. Index uptime information captured through scripts from relevant hosts.
  2. Map the uptime data to the following Common Information Model fields: dest, uptime. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the uptime data with "uptime", "performance", and "os".
  4. Set the should_timesync column to true for assets in the asset table that should synchronize their clocks.

Report description

The Anomalous System Update report is populated by the Performance data model and the asset table.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that uptime data is available in Splunk platform. tag=uptime tag=os tag=performance Returns uptime data.
Verify that fields are normalized and available as expected. tag=uptime tag=os tag=performance | fields dest, uptime
or `uptime`
Returns uptime data fields.
Last modified on 25 October, 2016
System Update Status   PCI Command History

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters