Anomalous System Uptime
This report provides a list of servers that have not had been rebooted in 30 days or more. Use this report to identify systems that might be vulnerable to attack.
Systems often need to be rebooted after patches are applied. Systems that have not been rebooted might still be vulnerable to compromise. PCI DSS requires that high and/or critical patches be applied within 30 days.
Relevant data sources
Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts.
How to configure this report
- Index uptime information captured through scripts from relevant hosts.
- Map the uptime data to the following Common Information Model fields:
dest, uptime
. CIM-compliant add-ons for these data sources perform this step for you. - Tag the uptime data with "uptime", "performance", and "os".
- Set the
should_timesync
column to true for assets in the asset table that should synchronize their clocks.
Report description
The Anomalous System Update report is populated by the Performance data model and the asset table.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that uptime data is available in Splunk platform. | tag=uptime tag=os tag=performance | Returns uptime data. |
Verify that fields are normalized and available as expected. | tag=uptime tag=os tag=performance | fields dest, uptime or `uptime` |
Returns uptime data fields. |
System Update Status | PCI Command History |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!