11:46 a.m.
Hi,
Redhat is providing audit rules sample for PCI DSS.
For the requirement 10.2.7 it is written :
## 10.2.7 Creation and deletion of system-level objects
## This requirement seems to be database table related and not audit
However the PCI glossary defines system level objects as :
System-level object:
Anything on a system component that is required for its operation, including but not
limited to database tables, stored procedures, application executables and configuration
files, system configuration files, static and shared libraries and DLLs, system
executables, device drivers and device configuration files,and third-party components.
It seems It should be covered by the FIM solution and not by audit.
However loading and unloading kernel modules should probably be covered by auditd.
Could you tell me which events are generated in that case ?
Are there any others events that should consider for this requirement
Regards
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group
through its holding company.
This e-mail and the documents attached are confidential and intended solely for the
addressee. If you receive this e-mail in error, you are not authorized to copy, disclose,
use or retain it. Please notify the sender immediately and delete this email from your
systems. As emails may be intercepted, amended or lost, they are not secure.
EquensWorldline and the Worldline Group therefore can accept no liability for any errors
or their content. Although equensWorldline and the Worldline Group endeavours to maintain
a virus-free network, we do not warrant that this transmission is virus-free and can
accept no liability for any damages resulting from any virus transmitted. The risks are
deemed to be accepted by everyone who communicates with equensWorldline and the Worldline
Group by email
12:42 p.m.
I have used audit logs instead of a FIM solution for PCI compliance at the
system/OS level. IMO most FIM-only products do not provide a significant
value or reduction in threats.
Farhan
On Mon, Jan 13, 2020 at 12:46 PM MAUPERTUIS, PHILIPPE <
philippe.maupertuis(a)equensworldline.com> wrote:
Hi,
Redhat is providing audit rules sample for PCI DSS.
For the requirement 10.2.7 it is written :
## 10.2.7 Creation and deletion of system-level objects
## This requirement seems to be database table related and not audit
However the PCI glossary defines system level objects as :
System-level object:
Anything on a system component that is required for its operation,
including but not limited to database tables, stored procedures,
application executables and configuration files, system configuration
files, static and shared libraries and DLLs, system executables, device
drivers and device configuration files,and third-party components.
It seems It should be covered by the FIM solution and not by audit.
However loading and unloading kernel modules should probably be covered
by auditd.
Could you tell me which events are generated in that case ?
Are there any others events that should consider for this requirement
Regards
Philippe
equensWorldline is a registered trade mark and trading name owned by the
Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended
solely for the addressee. If you receive this e-mail in error, you are not
authorized to copy, disclose, use or retain it. Please notify the sender
immediately and delete this email from your systems. As emails may be
intercepted, amended or lost, they are not secure. EquensWorldline and the
Worldline Group therefore can accept no liability for any errors or their
content. Although equensWorldline and the Worldline Group endeavours to
maintain a virus-free network, we do not warrant that this transmission is
virus-free and can accept no liability for any damages resulting from any
virus transmitted. The risks are deemed to be accepted by everyone who
communicates with equensWorldline and the Worldline Group by email
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
4:05 p.m.
On Monday, January 13, 2020 12:46:15 PM EST MAUPERTUIS, PHILIPPE wrote:
Redhat is providing audit rules sample for PCI DSS.
For the requirement 10.2.7 it is written :
## 10.2.7 Creation and deletion of system-level objects
## This requirement seems to be database table related and not audit
However the PCI glossary defines system level objects as :
System-level object:
Anything on a system component that is required for its operation,
including but not limited to database tables, stored procedures,
application executables and configuration files, system configuration
files, static and shared libraries and DLLs, system executables, device
drivers and device configuration files,and third-party components.
This seems a lot like overkill.
It seems It should be covered by the FIM solution and not by audit.
There is the aide program which can certainly tell you what's changed. But I
wouldn't exactly call it an audit because it doesn't tell you when something
changed or who did it.
If you had to meet this, then you might want to use:
30-ospp-v42-1-create-success.rules
30-ospp-v42-4-delete-success.rules
That should limit things to creation and deletion but not access or
modification which don't seem to be called out. Expect a dnf update to flood
the system with audit events.
However loading and unloading kernel modules should probably be
covered by
auditd. Could you tell me which events are generated in that case ?
The rules are in 43-module-load.rules and they create a syscall event with a
KERN_MODULE record.
Are there any others events that should consider for this requirement
It depends on your definition of system level objects. Some define it to also
include sockets, shared memory, disk partitions (mounts), IPC, USB devices,
etc. I think a more narrow interpretation is better.
-Steve
1850
days inactive
1850
days old
linux-audit@lists.linux-audit.osci.io
2 comments
3 participants
participants (3)
-
F Rafi -
MAUPERTUIS, PHILIPPE -
Steve Grubb