I saw some history of this in chats, but nothing s...
# generald
Daniel Cross
10/27/2022, 4:26 AMI saw some history of this in chats, but nothing super recent so will bring it up again:
Anyone successfully using OSQuery as part of meeting PCI lvl1 requirements?
Our environment is entirely linux, and largely ephemeral, so I figure FIM + tables such as listening_sockets, users, processes_snapshot, and a few others, being sent to SIEM + automated alerting should meet 11.5
Change detection solutions, such as file integrity monitoring (FIM) tools, control changes, additions, and deletions of critical files and notify authorized personnel when these changes are detected.s
seph
10/27/2022, 1:14 PM
Kolide has customers doing SOC2, but that’s not quite the same.
seph
10/27/2022, 1:15 PM
Some of this should be a conversation with your auditor. You mention ephemeral (and I assume VMs) and in that context I’d try to see if FIM can simply be excluded.
seph
10/27/2022, 1:17 PM
But generally speaking, I think osquery can help meet a lot of the endpoint things, but compliance is going to require a solid SIEM, and audit trails. What are you using there?
seph
10/27/2022, 1:20 PM
Generally I imagine people would help brainstorm specific requirements, but it’s a bit hard to speak for the whole standard.
d
Daniel Cross
10/28/2022, 3:59 AMThanks @seph. yeah, so it’s looking like a path of integrate threat intel + asset info + ‘normal/expected’ into SIEM and correlate.
We utilise logstash + opensearch as the core components of our SIEM. OSQ logs out to journald, which gets to opensearch. Alerting upon FIM and various searches upon results from tables as a start.
Daniel Cross
10/28/2022, 4:00 AMTotally agree too - convo with auditor + specific requirements. I’m coming more from a position of the guy running the osq project while two teams over and one rung up people are conversing with auditors. Trying to get ahead of things a bit.
3 Views