PCI Command History
This report provides visibility into the commands that are run on PCI assets. Monitor this report on a daily basis to ensure that no excessively privileged commands are being run. You should investigate unexpected commands further.
When configuring privileged IDs on systems, make sure you assign individuals only the least privileges needed for the task at hand. Assigning least privileges helps prevent users without sufficient training from incorrectly or accidentally changing operational configuration or altering security settings. Least privilege can also help to minimize the amount of damage from unauthorized access to a privileged ID.
Relevant data sources
Populated from the bash history data collected by the Splunk_TA_nix add-on. The *nix add-on includes the props/transforms and inputs needed to collect and parse this data.
How to configure this report
1. Index bash history data in Splunk Enterprise.
2. Populate the fields bash_command, bash_user, and bash_user_root.
The data in the 'PCI Command History' report is populated by an ad-hoc search against the bash_history sourcetype. This report uses the default source types that ship with the Splunk_TA_nix add-on.
Verify that data is present and that the fields are normalized and available:
sourcetype=bash_history | table bash_user bash_user_root bash_command
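The report itself only lists commands; the daily review it calls for is easier if privileged activity is surfaced first. The following search is an added example, not the app's own report search, and it uses only the three fields named above. The list of commands treated as privileged is illustrative, and the test bash_user_root="root" assumes that field carries the effective user the history was collected for; adjust both to your environment.

```spl
sourcetype=bash_history
| eval privileged=if(match(bash_command, "(^|[;&|]\s*)(sudo|su|useradd|usermod|visudo|passwd|chmod|chown|iptables|systemctl)\b"), "yes", "no")
| where privileged="yes" OR bash_user_root="root"
| stats count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(bash_command) AS commands BY host, bash_user, bash_user_root
| convert ctime(first_seen), ctime(last_seen)
| sort - count
```

The regular expression matches the command at the start of the line or after a shell separator, so a chained command such as cd /tmp; sudo visudo is still flagged. Save the search as a daily scheduled alert over the previous 24 hours and compare the resulting user and command pairs against the approved change activity for the PCI environment; any pair that has no matching change record should be investigated as described above.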
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1