
I am involved in a project which deals with PCI-DSS compliance. Particularly, there is a requirement to implement FIM (File Integrity Monitoring) for critical devices.

Within these devices, there are unix-based firewall and routers, with specific vendors that are specifically NOT recommending installation of 3rd party agents. Their position is understandable, since 3rd party software shouldn't be supported by them and could be prone to vulnerabilities and/or bugs.

I am, however, tasked with finding out if it's possible to implement such functionality within these devices, with 2 possibilities. I am using Wazuh as a reference for this exercise:

  1. Using an "agentless" solution, which connects via SSH to a specific device and checks periodically if a file was modified (not created or deleted, only modified; the solution apparently only allows that).

  2. Using Syslog, and particularly syslog-ng, in order to send logs to the device and, using a specific ruleset, create alerts for specific events. Regarding this, I am unaware if it's possible to implement it in some way, since logs are only regarding traffic and network events.

I'd like your input or advice on how to implement this feature on these kinds of devices, which are "restricted" by the various vendors, possibly limiting impact on functionality and performance.

schroeder
Alessandro
  • I'm a little confused about what your question is. You have described two general agentless approaches that meet your requirements. What would you like to know? Syslog manages logs, you first need something to create the logs you want. – schroeder Sep 23 '20 at 08:57
  • I have never encountered an auditor that asked for evidence of FIM monitoring on networking devices. That is covered by change management. I always place FIM on Windows/Linux systems I fully control, for which Wazuh is perfect. Which PCI requirement number are you specifically referring to? But if you really want to, you can always connect to the machine via SSH, download the relevant files via SSH/TFTP and check that their SHA hash matches. Can be automated by Python or any other scripting language. – zyked Sep 23 '20 at 09:01
  • Hello Schroeder, Zyked. Thanks for your inputs. Regarding Syslog, I don't really know how to implement such a functionality, since network devices are not designed to perform that check and generate a log. I welcome Zyked's input based on experience, because this is completely new to me. Requirement specification would be 10.5.5. I guess the agentless system is the way to go in this case. – Alessandro Sep 23 '20 at 09:33
  • I think you're talking about 11.5 there @Alessandro. It is also very permissive in letting you decide which critical files should be monitored. 10.5.5 is about detecting an attacker covering his tracks by deleting logs. See https://wazuh.com/resources/Wazuh_PCI_DSS_Guide.pdf for 10.5.5. – zyked Sep 23 '20 at 12:19
  • Thanks Zyked. I noticed by your file that the requirement might also be 1.2.2 and 1.1.1, which pertain directly to firewall and network devices. – Alessandro Sep 24 '20 at 06:57
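The agentless approach from the question and from zyked's comment (pull a fixed list of files off the device, hash them, compare against a stored baseline) written out as an added example; this is not code from the original thread, from Wazuh, or from any vendor. The transport is abstracted as a fetch callable: in practice it would be an SSH/TFTP pull, here it is a constructed in-memory snapshot so the block runs offline. The watched paths are assumptions, not real vendor file locations. Unlike a modification-only check, the diff reports all three change types that 11.5 names (modifications, additions, deletions), and renders each alert as a single line so a syslog-ng ruleset could match it.

```python
"""Agentless change detection for device configuration files.

Added example, not code from the original post, from Wazuh or from a vendor.
Flow: fetch each watched file -> hash locally -> diff against the baseline
-> emit one alert per modified/added/deleted file.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Assumed paths for illustration only; a real deployment would use the
# vendor's documented config locations.
WATCHED_FILES = [
    "/config/running.cfg",
    "/config/users.cfg",
    "/etc/ssh/sshd_config",
]

# A fetcher returns the file bytes, or None when the file does not exist on
# the device. In production this would wrap `ssh host cat <path>` or a TFTP
# get; here it is backed by an in-memory dict (see make_fetcher).
Fetcher = Callable[[str], Optional[bytes]]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the pulled content (hashed on the collector, not on the device)."""
    return hashlib.sha256(data).hexdigest()


def snapshot(fetch: Fetcher, paths: List[str]) -> Dict[str, str]:
    """Map each watched path that exists to its hash; absent files are omitted,
    which is what lets the diff detect additions and deletions later."""
    result: Dict[str, str] = {}
    for path in paths:
        data = fetch(path)
        if data is not None:
            result[path] = sha256_hex(data)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Return one alert record per changed file, in path order."""
    alerts: List[dict] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            alerts.append({"path": path, "event": "added", "sha256": new})
        elif new is None:
            alerts.append({"path": path, "event": "deleted", "sha256": old})
        elif old != new:
            alerts.append({"path": path, "event": "modified",
                           "old_sha256": old, "new_sha256": new})
    return alerts


def to_syslog_lines(device: str, alerts: List[dict]) -> List[str]:
    """One key=value line per alert, easy to match with a syslog-ng/Wazuh rule."""
    return [f"fim device={device} path={a['path']} event={a['event']}" for a in alerts]


def dump_baseline(snap: Dict[str, str]) -> str:
    """Serialise the baseline so it can be stored off-device between runs."""
    return json.dumps(snap, sort_keys=True)


def load_baseline(text: str) -> Dict[str, str]:
    return json.loads(text)


def make_fetcher(files: Dict[str, bytes]) -> Fetcher:
    """Constructed stand-in for the SSH/TFTP pull."""
    return lambda path: files.get(path)


# Constructed device contents for two successive runs.
DAY1 = {
    "/config/running.cfg": b"interface eth0\n ip address 10.0.0.1/24\n",
    "/config/users.cfg": b"user admin role=admin\n",
}
DAY2 = {
    # running.cfg is gone, users.cfg gained an account, sshd_config appeared
    "/config/users.cfg": b"user admin role=admin\nuser backdoor role=admin\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
}


def run_check(baseline_json: str, fetch: Fetcher) -> List[str]:
    """Compare the stored baseline against a fresh pull and return alert lines."""
    baseline = load_baseline(baseline_json)
    current = snapshot(fetch, WATCHED_FILES)
    return to_syslog_lines("fw01", diff_snapshots(baseline, current))


if __name__ == "__main__":
    stored = dump_baseline(snapshot(make_fetcher(DAY1), WATCHED_FILES))
    for line in run_check(stored, make_fetcher(DAY2)):
        print(line)
```

The collector keeps the baseline, pulls the files on a schedule (at least weekly for 11.5, though daily is cheap for a handful of config files), and hashes them itself, so nothing has to be installed on the device; the only device-side requirement is an SSH or TFTP account scoped to read those files.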

1 Answer

PCI DSS requirement 11.5 requires a change detection mechanism (i.e. it doesn't have to be FIM) for modification of files, not devices.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

The intent is that critical files are monitored for unauthorised changes. This is one of the rare detective controls in PCI DSS.

As the comments above indicate, this requirement is generally not intended to apply to network devices where the 'operating system' of the device is generally read-only, but to general purpose computers where critical files could be modified by an attacker.

The change control (i.e. a protective control) for firewall/router configuration files is covered in requirement 1.1.1, and requirement 1.2.2 requires that such files are secured. I'd also expect that change control would cover something like a firmware update to a network device. The standard's demands for change control are detailed in requirement 6.4.

Generally when someone says "PCI DSS requires X" - always ask "which PCI DSS requirement" and then check that is indeed what the standard says. It is not uncommon for people - accidentally and sometimes deliberately - to misrepresent what a requirement says and so validating what the standard says (and reading the Guidance column) can be really helpful. The standard is freely available and can be downloaded from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

withoutfire
  • Thanks withoutfire, your input is well-received. Especially the advice on asking which PCI-DSS requirement should cover each request. It might be trivial, but it can surely be beneficial. I will go ahead and continue with this project, bearing this in mind. – Alessandro Sep 30 '20 at 18:58