System Misconfigurations
This report provides a view of all identified system misconfigurations on PCI-relevant assets in your cardholder data environment. Use this report to compare the identified misconfigurations against your defined hardening policy and determine the level of risk to each asset.
Malicious individuals often use vendor default configuration settings (default accounts, passwords, enabled services and sample content) to compromise systems and applications. These settings are well known in attacker communities and leave systems highly vulnerable to attack. Use this report to verify that your organization's system configuration standards and related processes specifically address security settings and parameters that have known security implications.
Relevant data sources
Relevant data for this report includes data from configuration assessment tools that identify a misconfigured setting on an endpoint.
How to configure this report
- Index misconfiguration data in the Splunk platform.
- Map the data to the following Common Information Model fields: `host`, `ids_type`, `category`, `signature`, `severity`, `src`, `dest`, `vendor_product`. CIM-compliant add-ons for these data sources perform this step for you.
- Tag misconfiguration events with "misconfiguration".
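The three steps above, worked through for a configuration assessment source that has no CIM-compliant add-on. This is an added example, not configuration shipped with the Splunk App for PCI Compliance or any real add-on: the sourcetype `acme:hardening:json`, the vendor field names (`hostname`, `scanner_ip`, `check_title`, `check_family`, `risk`, `status`) and the app directory are all assumptions standing in for whatever your scanner actually emits. The `misconfiguration` tag is the one this page requires; the `ids` and `attack` tags are added because the CIM Intrusion Detection data model, which the `ids_attack` macro searches, selects events by those tags.

```ini
# Example only; not part of the app. Place these in
# $SPLUNK_HOME/etc/apps/TA-acme-hardening/local/ on the search head
# (and props.conf on the indexers or heavy forwarders that parse the data).

# --- props.conf ---
[acme:hardening:json]
# Assumed: each event is one JSON object describing one failed or passed check.
KV_MODE = json
# Map the scanner's own field names onto the CIM fields the report expects.
FIELDALIAS-acme_host      = hostname AS host
FIELDALIAS-acme_dest      = hostname AS dest
FIELDALIAS-acme_src       = scanner_ip AS src
FIELDALIAS-acme_signature = check_title AS signature
FIELDALIAS-acme_category  = check_family AS category
# Fields the scanner does not provide are derived at search time.
EVAL-ids_type       = "host"
EVAL-severity       = case(risk=="critical","critical", risk=="high","high", risk=="medium","medium", true(),"low")
EVAL-vendor_product = "Acme Hardening Scanner"

# --- eventtypes.conf ---
# Only failed checks are misconfigurations; passing checks must not be tagged,
# or the report inflates the asset's risk.
[acme_misconfiguration]
search = sourcetype=acme:hardening:json status=FAIL

# --- tags.conf ---
[eventtype=acme_misconfiguration]
misconfiguration = enabled
ids = enabled
attack = enabled
```

After restarting or reloading the search head, the troubleshooting search in the table below should return the tagged events with every listed field populated; a column that comes back empty points at a wrong source field name in the `FIELDALIAS` lines, and zero results usually means the eventtype's `search` does not match (check the `status` value your scanner really uses).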
Report description
The data in the system misconfiguration report is populated from the IDS Attack and Vulnerabilities CIM data models.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that data is present. | | Returns system misconfiguration data. |
Verify that fields are normalized and available. | `` `ids_attack` \| search tag=misconfiguration \| tags outputfield=tag \| table _time,host,sourcetype,dvc,ids_type,category,signature,severity,src,dest,tag,vendor_product `` | Returns a table of system misconfiguration fields. |
Additional information
This report uses default source types from the Splunk Add-on for Unix and Linux and the Splunk Add-on for Microsoft Windows.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2