File Integrity Monitoring for Linux CentOS - what are you monitoring for regulatory obligations?

PCI "10.5.5 Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities" and "11.5 verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: System executables, Application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files."

These requirements are causing us some grief because everyone has a different opinion as to what should be monitored and how.

The files are on Linux with CentOS.

Can you please tell me how you are satisfying this requirement? Are you using any special software, custom scripts, etc? Which directories and/or files are you monitoring?

Any recommendations or suggestions you can offer would be greatly appreciated.

Thanks again Experts!

Steph M

Asked by Steph_M
Rich Rumble (Security Samurai) commented:
OSSEC is what we use, for win32 and *nix. It has most of the default file locations and logs covered, but you would have to tailor the config to suit specific or non-standard install locations. Tripwire and others are available; even Splunk can do FIM and, naturally, log monitoring, but they cost more than OSSEC, which is free. However, there are paid versions of the OSSEC product available from Trend Micro.
-rich
0
upanwar commented:
Since we are in the financial domain, we are more concerned about that, and we are using eTrust in our environment. But it is paid.
0
dead_philosopher commented:
Ultimately this is a question of requirements and cost. I have used Splunk, AIDE, CFengine2, and OSSEC to pass multiple PCI assessments with different customers. If you have the budget I would recommend Splunk, if budget is tight I would recommend OSSEC. If you have no budget and no time then AIDE is probably a good starting point. The other tools I mention are also capable of passing PCI assessment provided you have the correct configuration.

Samhain:
HIDS and file integrity tool.
http://www.la-samhna.de/samhain/

AIDE:
Excellent tool; check out Hal Pomeranz's scripts, etc. for additional usage and ideas.
http://aide.sourceforge.net/

CFengine2:
Excellent tool that is capable of much more than file monitoring.
http://www.cfengine.org

OSSEC:
HIDS solution that is multi-platform.
http://www.ossec.net

Splunk:
Exhaustive and expensive tool; has the ability to mask PCI data in logs and alert on its presence. Very complete solution when deployed using LWF agents.
http://www.splunk.com
0
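Added example, not code from this thread or from any of the tools named in it: a minimal baseline-and-compare checker in Python that does, in the small, what AIDE or OSSEC's syscheck do for the file classes PCI 11.5 lists (system and application executables, configuration files, log and audit files). It records a SHA-256 digest plus mode, owner, group and size, then reports added, removed and modified files. The practical caveat it handles is the one that trips up log monitoring under 10.5.5: a whole-file hash of an active log changes on every write, so log paths are treated as "growing" and only truncation or rewriting of already-recorded content is flagged. The directory tree, file names and contents in `demo()` are constructed for the example.

```python
"""Baseline-and-compare file integrity check (added example, not AIDE/OSSEC code)."""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

Record = Dict[str, object]


def _sha256(path: str, limit: Optional[int] = None) -> str:
    """SHA-256 of a file, or of its first `limit` bytes (used for growing logs)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while True:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
                if remaining == 0:
                    break
    return h.hexdigest()


def record_file(path: str, growing: bool = False) -> Record:
    """Metadata an assessor expects to see checked, plus a digest for regular files."""
    st = os.lstat(path)
    rec: Record = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                   "gid": st.st_gid, "size": st.st_size, "growing": growing}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = _sha256(path)
    return rec


def build_baseline(roots: Iterable[str], growing: Iterable[str] = (),
                   ignore: Iterable[str] = ()) -> Dict[str, Record]:
    """Walk the monitored roots; `growing` and `ignore` are path prefixes."""
    growing, ignore = tuple(growing), tuple(ignore)
    baseline: Dict[str, Record] = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if ignore and path.startswith(ignore):
                    continue
                baseline[path] = record_file(path, bool(growing) and path.startswith(growing))
    return baseline


def check(baseline: Dict[str, Record], roots: Iterable[str], growing: Iterable[str] = (),
          ignore: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Re-scan and return (kind, path, detail) findings against the baseline."""
    current = build_baseline(roots, growing, ignore)
    findings: List[Tuple[str, str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if new is None:
            findings.append(("removed", path, ""))
            continue
        if old is None:
            findings.append(("added", path, ""))
            continue
        for attr in ("mode", "uid", "gid"):
            if old[attr] != new[attr]:
                findings.append(("changed", path, f"{attr} {old[attr]:o} -> {new[attr]:o}"))
        if "sha256" not in old or "sha256" not in new:
            continue  # symlinks, devices: metadata only
        if old["growing"]:
            # Appends are expected; shrinking or altering the recorded prefix is not.
            if new["size"] < old["size"] or _sha256(path, int(old["size"])) != old["sha256"]:
                findings.append(("changed", path, "log truncated or rewritten"))
        elif old["sha256"] != new["sha256"]:
            findings.append(("changed", path, "content"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed CentOS-like tree in a temp dir; returns sorted (kind, relative path)."""
    tmp = tempfile.mkdtemp()
    try:
        def write(rel: str, data: bytes, mode: int = 0o644) -> str:
            p = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
            return p

        app = write("usr/bin/app", b"#!/bin/sh\necho ok\n", 0o755)   # system executable
        conf = write("etc/app.conf", b"listen=127.0.0.1\n")          # configuration file
        applog = write("var/log/app.log", b"start\n")                # growing log
        audit = write("var/log/audit.log", b"login ok\n")            # growing audit log
        roots = [os.path.join(tmp, d) for d in ("usr/bin", "etc", "var/log")]
        growing = (os.path.join(tmp, "var/log"),)
        baseline = build_baseline(roots, growing=growing)

        with open(applog, "ab") as f:
            f.write(b"request\n")                     # normal append: no finding
        with open(conf, "wb") as f:
            f.write(b"listen=0.0.0.0\n")              # config edited: finding
        os.chmod(app, 0o777)                          # permission change: finding
        with open(audit, "wb") as f:
            f.write(b"\n")                            # audit log rewritten: finding
        write("usr/bin/newtool", b"#!/bin/sh\n", 0o755)  # new executable: finding
        return sorted((k, os.path.relpath(p, tmp)) for k, p, _ in check(baseline, roots, growing=growing))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

In production the baseline would be written to a location the monitored host cannot alter (the same reason the tools above ship it off-box or sign it), and the `ignore` prefixes would cover volatile paths such as `/etc/mtab`; the example keeps both as plain function arguments so the comparison logic stays visible.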

Steph_M (Author) commented:
OSSEC was chosen.

Thank you.
0