PCI Command History
This report provides visibility into the commands that are run on PCI assets. Monitor this report on a daily basis to ensure that no excessively privileged commands are being run. You should investigate unexpected commands further.
When configuring privileged IDs on systems, make sure you assign individuals only the least privileges needed for the task at hand. Assigning least privileges helps prevent users without sufficient training from incorrectly or accidentally changing operational configuration or altering security settings. Least privilege can also help to minimize the amount of damage from unauthorized access to a privileged ID.
Relevant data sources
Bash history collected by the Splunk Add-on for Unix and Linux.
How to configure this report
- Index bash history data in Splunk platform.
- Populate the fields: bash_command, bash_user, and bash_user_root.
Report description
The data in the PCI Command History report is populated by a search against the bash_history sourcetype, sourcetype=bash_history.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that data is present. | sourcetype=bash_history | Data is present. |
Verify that fields are normalized and available. | table bash_user bash_user_root bash_command | Fields are available and match the data model. |
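The two checks this page asks for, confirming that bash_user, bash_user_root and bash_command are populated and then reviewing the day's commands for excessive privilege, can be expressed as a small triage routine. The following is an added example, not code from the Splunk App for PCI Compliance or the Splunk Add-on for Unix and Linux. It runs over constructed events shaped like normalized bash_history records; the reading of bash_user_root as the effective user a command ran under, and the list of commands treated as privileged, are assumptions made for the example and should be adjusted to your own baseline.

```python
"""Triage constructed bash-history events the way a daily review of the
PCI Command History report would: first confirm the three normalized fields
(bash_user, bash_user_root, bash_command) are populated, then single out
commands that look privileged so a reviewer can investigate them.

Example code added to this page; it is not part of the Splunk App for PCI
Compliance or the Splunk Add-on for Unix and Linux. The meaning given to
bash_user_root here (the effective user the command ran as) and the
privileged-command list are assumptions made for the example.
"""
import re
from collections import Counter

# Assumption: bash_user_root holds the effective user; "root" means escalated.
ROOT_USER = "root"

# Assumption: command shapes a reviewer would treat as privileged on a PCI host.
PRIVILEGED_PATTERNS = [
    re.compile(r"^\s*sudo\b"),
    re.compile(r"^\s*su\b"),
    re.compile(r"^\s*(useradd|usermod|userdel|passwd)\b"),
    re.compile(r"^\s*(iptables|nft|firewall-cmd)\b"),
    re.compile(r"^\s*(chmod|chown)\b.*\s/etc/"),
    re.compile(r"^\s*(systemctl|service)\s+(stop|disable|mask)\b"),
]

REQUIRED_FIELDS = ("bash_user", "bash_user_root", "bash_command")

# Constructed sample events shaped like normalized sourcetype=bash_history records.
SAMPLE_EVENTS = [
    {"bash_user": "alice", "bash_user_root": "alice", "bash_command": "ls -la /var/log"},
    {"bash_user": "alice", "bash_user_root": "root", "bash_command": "sudo iptables -F"},
    {"bash_user": "bob", "bash_user_root": "bob", "bash_command": "passwd"},
    {"bash_user": "bob", "bash_user_root": "bob", "bash_command": "cat /etc/hosts"},
    {"bash_user": "carol", "bash_user_root": "root", "bash_command": "systemctl stop auditd"},
    {"bash_user": "dave", "bash_user_root": "", "bash_command": "whoami"},  # field not populated
    {"bash_user": "erin", "bash_command": "id"},                             # field missing
]


def find_unnormalized(events):
    """Return indexes of events that are missing, or leave empty, a required field.
    This is the programmatic form of the 'fields are normalized and available' check."""
    bad = []
    for i, ev in enumerate(events):
        if any(not ev.get(f) for f in REQUIRED_FIELDS):
            bad.append(i)
    return bad


def is_privileged(event):
    """True when the command ran as root or matches a privileged pattern."""
    if event.get("bash_user_root") == ROOT_USER:
        return True
    cmd = event.get("bash_command", "")
    return any(p.search(cmd) for p in PRIVILEGED_PATTERNS)


def triage(events):
    """Return (flagged_events, per_user_privileged_counts).
    Events that fail the field check are skipped here so they are surfaced
    separately by find_unnormalized rather than silently scored as benign."""
    skip = set(find_unnormalized(events))
    flagged = [ev for i, ev in enumerate(events) if i not in skip and is_privileged(ev)]
    counts = Counter(ev["bash_user"] for ev in flagged)
    return flagged, counts


if __name__ == "__main__":
    print("events failing field check:", find_unnormalized(SAMPLE_EVENTS))
    flagged, counts = triage(SAMPLE_EVENTS)
    for ev in flagged:
        print(f"REVIEW {ev['bash_user']:>6} as {ev['bash_user_root']:<6}: {ev['bash_command']}")
    print("privileged commands per user:", dict(counts))
```

Events that fail the field check are reported before any scoring is done, because an empty bash_user_root would otherwise make an escalated command look unprivileged; that ordering mirrors the troubleshooting table, where field normalization is verified before the report's output is trusted.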
Additional information
This report uses default source types that ship with the Splunk Add-on for Unix and Linux.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2