Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

PCI Command History

This report provides visibility into the commands that are run on PCI assets. Monitor this report on a daily basis to ensure that no excessively privileged commands are being run. You should investigate unexpected commands further.

When configuring privileged IDs on systems, make sure you assign individuals only the least privileges needed for the task at hand. Assigning least privileges helps prevent users without sufficient training from incorrectly or accidentally changing operational configuration or altering security settings. Least privilege can also help to minimize the amount of damage from unauthorized access to a privileged ID.

Relevant data sources

Bash history collected by the Splunk Add-on for Unix and Linux.

How to configure this report

  1. Index bash history data in Splunk platform.
  2. Populate the fields: bash_command, bash_user, and bash_user_root.

Report description

The data in the PCI Command History report is populated by a search against the bash_history sourcetype, sourcetype=bash_history.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that data is present. sourcetype=bash_history Data is present.
Verify that fields are normalized and available. table bash_user bash_user_root bash_command Fields are available and match the data model.

Additional information

This report uses default source types that ship with the Splunk Add-on for Unix and Linux.

Last modified on 25 October, 2016
Anomalous System Uptime   PCI Resource Access

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters