Re: PCI System level object

From: F Rafi <farhanible@gmail.com>
To: "MAUPERTUIS, PHILIPPE" <philippe.maupertuis@equensworldline.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: PCI System level object
Date: Mon, 13 Jan 2020 13:42:40 -0500	[thread overview]
Message-ID: <CABXp1csAJ5HFPU-Xz+TrMGE5XTjUganT+8VFr8p7o-xxzvnmCw@mail.gmail.com> (raw)
In-Reply-To: <5F4EE10832231F4F921A255C1D954298261DA3@DEERLM99EX7MSX.ww931.my-it-solutions.net>

[-- Attachment #1.1: Type: text/plain, Size: 2424 bytes --]

I have used audit logs instead of a FIM solution for PCI compliance at the
system/OS level. IMO most FIM-only products do not provide a significant
value or reduction in threats.

Farhan

On Mon, Jan 13, 2020 at 12:46 PM MAUPERTUIS, PHILIPPE <
philippe.maupertuis@equensworldline.com> wrote:

> Hi,
>
> Redhat is providing audit rules sample for PCI DSS.
>
> For the requirement 10.2.7 it is written :
>
> ## 10.2.7 Creation and deletion of system-level objects
>
> ## This requirement seems to be database table related and not audit
>
>
>
> However the PCI glossary defines system level objects as :
>
> System-level object:
>
> Anything on a system component that is required for its operation,
> including but not limited to database tables, stored procedures,
> application executables and configuration files, system configuration
> files, static and shared libraries and DLLs, system executables, device
> drivers and device configuration files,and third-party components.
>
> It seems It should be covered by the FIM solution and not by audit.
>
> However loading and unloading kernel modules  should probably be covered
> by auditd.
>
> Could you tell me which events are generated in that case ?
>
> Are there any others events that should consider for this requirement
>
>
>
> Regards
>
> Philippe
>
> equensWorldline is a registered trade mark and trading name owned by the
> Worldline Group through its holding company.
> This e-mail and the documents attached are confidential and intended
> solely for the addressee. If you receive this e-mail in error, you are not
> authorized to copy, disclose, use or retain it. Please notify the sender
> immediately and delete this email from your systems. As emails may be
> intercepted, amended or lost, they are not secure. EquensWorldline and the
> Worldline Group therefore can accept no liability for any errors or their
> content. Although equensWorldline and the Worldline Group endeavours to
> maintain a virus-free network, we do not warrant that this transmission is
> virus-free and can accept no liability for any damages resulting from any
> virus transmitted. The risks are deemed to be accepted by everyone who
> communicates with equensWorldline and the Worldline Group by email
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

[-- Attachment #1.2: Type: text/html, Size: 3987 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]