Configure Interesting Services list
For PCI DSS, some services are required to be running within the PCI environment. This might include a patch service like Windows Update service or other services that should be on the systems within the environment.
View the "Interesting Services" list and view the current list of required services.
- Select Configure > Content > Content Management.
- Click the Interesting Services lookup. The Interesting Services lookup file (
interesting_services.csv
) appears in the lookup editor.
app,dest,dest_pci_domain,is_required,is_prohibited,is_secure,note portmap,*,*,false,true,,Unix RPC portmapper service is prohibited. xinetd,*,*,false,true,,Unix xinetd services are prohibited. Fax,*,*,false,true,,Windows Fax service is prohibited. RemoteRegistry,*,*,false,true,,Windows remote registry service is prohibited. SNMPTRAP,*,*,false,true,,Windows SNMP trap service is prohibited. ssh,*,*,false,false,true,Unix Secure shell is permitted. W32Time,*,*,true,false,,Windows time service is required. wuauserv,*,*,true,false,,Windows automatic update service is required. yum-updatesd,*,*,true,false,,Unix automatic update service is required.
The first line in the file describes the fields in the file.
Field | Description | Example |
---|---|---|
app | The application that is the source of the activity. | Win32Time |
dest | The host that is the destination of the activity. Use a wildcard * to match all hosts.
|
ACME_host_* |
dest_pci_domain | The source domain of of the activity. | cardholder |
is_required | Should the given service be required to be running? | true false |
is_prohibited | Is the service prohibited? | true false |
is_secure | Is the traffic for the given service encrypted? | true false |
note | A description about the app or service. | Windows time service is required. |
Add to or modify this list using the editor. Click Save when you are done.
There is no file checking or verification for this editor, so any typo might break the lookup file.
Configure secure and insecure services
Many services are considered insecure and should never be run within a cardholder data environment. The Splunk App for PCI Compliance populates a list of insecure services by default, but a solution administrator or compliance manager might need to modify this list.
Modify the "Interesting Services" list.
- Select Configure > Content > Content Management.
- Click Interesting Services. The Interesting Services lookup file (
interesting_services.csv
) opens in the editor. - Modify this list to identify secure and insecure services.
- Click Save when you are done.
There is no file checking or verification for this editor, so any typo might break the lookup file.
Configure Prohibited Traffic list | Configure Interesting Processes list |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
Feedback submitted, thanks!