File Integrity Monitoring for Linux CentOS - what are you monitoring for regulatory obligations?

PCI "10.5.5 Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities" and "11.5 verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: System executables, Application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files."

These requirements are causing us some grief because everyone has a different opinion as to what should be monitored and how.

The files are on Linux with CentOS.

Can you please tell me how you are satisfying this requirement? Are you using any special software, custom scripts, etc? Which directories and/or files are you monitoring?

Any recommendations or suggestions you can offer would be greatly appreciated.

Thanks again Experts!

Steph M
Rich Rumble (Security Samurai) commented:
OSSEC is what we use, for win32 and *nix. It has most of the default file locations and logs covered, but you would have to tailor the config to suit specific or non-standard install locations. Tripwire and others are available; even Splunk can do FIM and naturally log monitoring, but they cost more than OSSEC, which is free, although there are paid versions of the OSSEC product available from Trend Micro.
-rich
upanwar commented:
Since we are in the financial domain, we are more concerned about that, and we are using etrust in our environment. But it is paid.
dead_philosopher commented:
Ultimately this is a question of requirements and cost. I have used Splunk, AIDE, CFengine2, and OSSEC to pass multiple PCI assessments with different customers. If you have the budget I would recommend Splunk; if budget is tight I would recommend OSSEC. If you have no budget and no time then AIDE is probably a good starting point. The other tools I mention are also capable of passing a PCI assessment provided you have the correct configuration.

Samhain:
HIDS and file integrity tool.
http://www.la-samhna.de/samhain/

AIDE:
Excellent tool check out Hal Pomeranz's scripts, etc. for additional usage and ideas.
http://aide.sourceforge.net/

CFengine2
Excellent tool that is capable of much more than file monitoring.
http://www.cfengine.org

OSSEC:
HIDS solution that is multi-platform
http://www.ossec.net

Splunk:
Exhaustive and expensive tool, has the ability to mask PCI data in logs and alert on its presence. Very complete solution when deployed using LWF agents.
http://www.splunk.com
Steph_M (Author) commented:
OSSEC was chosen.

Thank you.
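For readers landing on this thread with the same "which directories?" question, here is the PCI 11.5 file list quoted in the question mapped onto the OSSEC syscheck module that the thread settled on. This is an added example, not configuration posted by anyone in the thread or shipped by the OSSEC project; the paths under /opt/cardapp and /var/log/archive and the two-hour scan interval are assumptions for a stock CentOS host and need adjusting to where your applications actually install.

```xml
<!-- Added example ossec.conf fragment (not from the thread). check_all="yes"
     records hash, size, permissions and owner of every file under the path. -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 2 hours (assumed interval) and once at daemon start -->
    <frequency>7200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- PCI 11.5 "system executables" on a stock CentOS layout -->
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/lib,/lib64</directories>

    <!-- "application executables": assumed install prefix for the card-handling app -->
    <directories check_all="yes">/opt/cardapp/bin</directories>

    <!-- "configuration and parameter files": report_changes keeps a copy so the
         alert can show what actually changed, not just that a hash differs -->
    <directories check_all="yes" report_changes="yes">/etc,/opt/cardapp/conf</directories>

    <!-- "historical or archived log and audit files": rotated logs must stay
         static, so a hash change here is a real finding (assumed archive path) -->
    <directories check_all="yes">/var/log/archive</directories>

    <!-- Files that legitimately change constantly, excluded to cut alert noise -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.swp$|.tmp$</ignore>

    <!-- Alert when a file appears in a monitored tree, and never stop alerting
         on a file just because it has changed several times -->
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>

  <!-- Live logs are not hashed above because they change every second; OSSEC
       reads them line by line instead, which is the log monitoring Rich mentions -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
```

Keep the scan results and alerts somewhere the assessor can review them, since both quoted requirements ask for the "results from monitoring activities" and not just the configuration.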