• State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 22 subscribers
  • Views 483 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

PCI DSS & LEM

byrona

I just finished reviewing the PCI DSS control objectives and as best I can tell LEM will address the following objectives: 10.2, 10.3, 10.5, 10.6, and 10.7.  The document locate HERE indicates that it will address 10.4 through I am not sure how?

I would like to get confirmation that this all sounds correct and know if I have missed anything, thanks!

  • 0

    Are we the only ones using LEM (or at least looking at using LEM) for PCI?

  • 0 in reply to byrona

    Nope.  We use LEM and Tripwire for FIM.

  • FormerMember
    0 FormerMember

    10.4 is synchronizing changes to clock, which we can help detect changes to if it's reported by the system. Windows, for example, will log when the clock times are adjusted or changed to a non-synchronized source. You can also do something like build a filter for detection times reported in the past, or see in real-time as data's being misreported.

    Not an actual solution to help synchronize clocks, but one that can alert to changes being made unexpectedly that might affect that.

  • 0 in reply to FormerMember

    Thanks for that Nicole!  Two follow-up questions...

    Would you agree with LEM being able to satisfy the other PCI control objectives that I referenced above?

    What specifically do I need to watch for to identify clock changes?

  • FormerMember
    0 FormerMember in reply to byrona

    I am not sure how I missed some of these responses, must be buried. Yes, I agree about 10.2, 10.3, 10.5, and 10.7 (also listed in the blog).

    On Windows, the clock sync fail events come from w32time (EventID w32time 11, 14, 17, 18, 22, 24, 25, 26, 27, 29, 31, 36, 38, 45, 46, 47, 48, 49, 51, 54, 63, 129, 131, 132, 133, 134, 135 all show problems with clock synchronization, though some might be the NTP server and not the NTP client, it's hard to tell). The out of the box rule template specifically looks for "unable to synchronize time" which is w32time 38.

    For non-Windows, it probably depends on whether the device/OS/service logs it. I know some systems will, especially where time matters. You could also build filters or rules for excessive DetectionTimes older than a certain date, though it's not a relative date so it'd need to be someone whose clock was wayyyyy off. That might also be significant load for the rules engine, since it has to check every event's timestamp again to compare to your rule, but I can't say I've tried it. You could also build a filter for DetectionTime > InsertionTime to detect when an event timestamp in the log is newer than the system timestamp, but on Windows you'd expect both to be wrong if the clock is off.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.