Splunk® App for PCI Compliance

Installation and Configuration Manual


This documentation does not apply to the most recent version of PCI. Click here for the latest version.

PCI Command History

This report provides visibility into the commands that are run on PCI assets. Monitor this report on a daily basis to ensure that no excessively privileged commands are being run. You should investigate unexpected commands further.

When configuring privileged IDs on systems, make sure you assign individuals only the least privileges needed for the task at hand. Assigning least privileges helps prevent users without sufficient training from incorrectly or accidentally changing operational configuration or altering security settings. Least privilege can also help to minimize the amount of damage from unauthorized access to a privileged ID.

Relevant data sources

This report is populated from the bash history file data collected by Splunk_TA_nix. The *nix app includes the props/transforms and inputs that facilitate this.

How to configure this report

1. Index bash history data in Splunk Enterprise.

2. Populate the fields bash_command, bash_user, and bash_user_root.

Report description

The data in the 'PCI Command History' report is populated by an ad-hoc search against the bash_history sourcetype: sourcetype=bash_history.

Additional information

This report uses the default source types that ship with the Splunk_TA_nix deployment package.

Verify that data is present: sourcetype=bash_history

Verify that fields are normalized and available: sourcetype=bash_history | table bash_user bash_user_root bash_command
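
A search for the daily review described above, as an added example that is not part of the Splunk documentation or the app's own report search. It assumes the three fields are populated as in the configuration steps. The command patterns, the review_category field name, and the 24-hour window are illustrative assumptions to adapt to your environment.

```spl
sourcetype=bash_history earliest=-24h
| fillnull value="unknown" bash_user bash_user_root
| eval review_category=case(
    match(bash_command, "^\s*(sudo|su)(\s|$)"), "privilege change",
    match(bash_command, "^\s*(useradd|usermod|userdel|passwd|visudo|chage)(\s|$)"), "account management",
    match(bash_command, "^\s*(iptables|firewall-cmd|setenforce|auditctl)(\s|$)"), "security setting",
    match(bash_command, "^\s*(systemctl|service)\s+.*\b(stop|disable)\b"), "service stop or disable")
| where isnotnull(review_category)
| stats count earliest(_time) as first_seen latest(_time) as last_seen values(bash_command) as commands by host bash_user bash_user_root review_category
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Commands that match no pattern are dropped, so treat the pattern list as a starting watchlist rather than complete coverage. Bash records timestamps only when HISTTIMEFORMAT is set, so the event time may not be the time the command ran.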

Last modified on 26 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
