Splunk® App for PCI Compliance

Installation and Configuration Manual

System Misconfigurations

This report provides a view of all identified system misconfigurations on PCI-relevant assets in your cardholder environment. Use this report to compare the identified misconfigurations with the defined hardening policy to determine the level of risk to the asset.

Malicious individuals often use vendor default configuration settings to compromise systems and applications. These settings are well known in hacker communities and leave systems highly vulnerable to attack. This report ensures your organization's system configuration standards and related processes specifically address security settings and parameters that have known security implications.

Relevant data sources

Relevant data for this report includes data from configuration assessment tools that identify a misconfigured setting on an endpoint.

How to configure this report

  1. Index misconfiguration data in Splunk platform.
  2. Map the data to the following Common Information Model fields. host, ids_type, category, signature, severity, src, dest, vendor_product. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag misconfiguration events with "misconfiguration".

Report description

The data in the system misconfiguration report is populated by the IDS Attack and Vulnerabilities CIM data models

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that data is present.

`ids_attack` | search tag=misconfiguration

Returns system misconfiguration data.
Verify that fields are normalized and available.
`ids_attack` | search tag=misconfiguration | tags outputfield=tag | table _time,host,sourcetype,dvc,ids_type,category,signature,severity,src,dest,tag,vendor_product
Returns a table of system misconfiguration fields.

Additional information

This report uses default source types from the Splunk Add-on for Unix and Linux and the Splunk Add-on for Microsoft Windows.

Last modified on 14 February, 2022
Prohibited Services   Weak Encrypted Communication

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters