Configure Interesting Services list
For PCI DSS, some services are required to be running within the PCI environment. This might include a patch service (for example, Windows Update service) or other services that should be on the systems within the environment.
To view the "Interesting Services" list and see the current list of required services, do the following:
1. Go to Configure > General > Lists and Lookups.
2. Click the Interesting Services list. The Interesting Services lookup file (interesting_services.csv) appears in the Lookup editor.

```
app,dest,dest_pci_domain,is_required,is_prohibited,is_secure,note
portmap,*,*,false,true,,Unix RPC portmapper service is prohibited.
xinetd,*,*,false,true,,Unix xinetd services are prohibited.
Fax,*,*,false,true,,Windows Fax service is prohibited.
RemoteRegistry,*,*,false,true,,Windows remote registry service is prohibited.
SNMPTRAP,*,*,false,true,,Windows SNMP trap service is prohibited.
ssh,*,*,false,false,true,Unix Secure shell is permitted.
W32Time,*,*,true,false,,Windows time service is required.
wuauserv,*,*,true,false,,Windows automatic update service is required.
yum-updatesd,*,*,true,false,,Unix automatic update service is required.
```
The first line in the file describes the fields in the file.
Field | Description | Example |
---|---|---|
app | The application that is the source of the activity. | W32Time |
dest | The host that is the destination of the activity. | * to match all hosts, or the host name (for example "ACME_host_001") |
dest_pci_domain | The source domain of the activity. | cardholder |
is_required | Should the given service be required to be running? | for example, true or false |
is_prohibited | Is the service/traffic/port prohibited? | for example, true or false |
is_secure | Is the traffic for the given service encrypted? | for example, true or false |
note | This can be whatever the user wants. | |
Add to or modify this list using the editor. Click Save when you are done.
There is no file checking or verification for this editor, so any typo might break the lookup file.
Configure secure and insecure services
Many services are considered insecure (for example, Telnet) and should never be run within a cardholder data environment. Splunk software populates a list of insecure services by default, but a solution administrator or compliance manager might need to modify this list.
To modify the "Interesting Services" list, do the following:
1. Go to Configure > Lists and Lookups.
2. Click Interesting Services. The Interesting Services lookup file (interesting_services.csv) appears in the editor.
Add to or modify this list to identify secure and insecure services. Click Save when you are done.
There is no file checking or verification for this editor, so any typo might break the lookup file.
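Because the editor does no checking, the CSV can be validated before it is pasted in and saved. The following Python check is an added example, not part of the Splunk documentation or the app; the function name, the lowercase true/false requirement, and the two consistency rules marked in the comments are assumptions.

```python
import csv
import io

# Field names copied from the first line of the lookup file shown on this page.
HEADER = ["app", "dest", "dest_pci_domain", "is_required",
          "is_prohibited", "is_secure", "note"]
BOOL_FIELDS = ("is_required", "is_prohibited", "is_secure")
# Assumption: lowercase true/false, or blank as in the default rows.
ALLOWED = {"true", "false", ""}

def validate_lookup(text):
    """Return (line_number, message) tuples for each problem in the CSV text."""
    reader = csv.reader(io.StringIO(text))
    if next(reader, None) != HEADER:
        return [(1, "header does not match the expected field list")]
    problems, seen = [], {}
    for row in reader:
        line = reader.line_num
        if len(row) != len(HEADER):
            problems.append((line, f"expected {len(HEADER)} fields, got {len(row)}"))
            continue
        rec = dict(zip(HEADER, row))
        for field in BOOL_FIELDS:
            if rec[field] not in ALLOWED:
                problems.append((line, f"{field}: {rec[field]!r} is not true/false"))
        # Assumed consistency rule: a service cannot be both required and prohibited.
        if rec["is_required"] == "true" and rec["is_prohibited"] == "true":
            problems.append((line, "service is both required and prohibited"))
        # Assumed rule: one row per (app, dest, dest_pci_domain) combination.
        key = (rec["app"], rec["dest"], rec["dest_pci_domain"])
        if key in seen:
            problems.append((line, f"duplicate of line {seen[key]}"))
        seen.setdefault(key, line)
    return problems

# Constructed sample: two rows from the page, then three deliberately broken ones.
SAMPLE = """\
app,dest,dest_pci_domain,is_required,is_prohibited,is_secure,note
wuauserv,*,*,true,false,,Windows automatic update service is required.
ssh,*,*,false,false,true,Unix Secure shell is permitted.
Fax,*,*,false,ture,,Windows Fax service is prohibited.
portmap,*,*,false,true,Unix RPC portmapper service is prohibited.
W32Time,*,*,true,true,,Windows time service is required.
"""

if __name__ == "__main__":
    for line, message in validate_lookup(SAMPLE):
        print(f"line {line}: {message}")
```

An empty result means the rows are well-formed under these assumptions; it does not confirm that the listed services match your PCI policy.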
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1