Daniel Cross

10/27/2022, 4:26 AM
I saw some history of this in chats, but nothing super recent so will bring it up again: Anyone successfully using OSQuery as part of meeting PCI lvl1 requirements? Our environment is entirely linux, and largely ephemeral, so I figure FIM + tables such as listening_sockets, users, processes_snapshot, and a few others, being sent to SIEM + automated alerting should meet 11.5
Change detection solutions, such as file integrity monitoring (FIM) tools, control changes, additions, and deletions of critical files and notify authorized personnel when these changes are detected.
Not so sure about 11.4, might need some work on our network level to meet that one 🤔 Keen to hear peoples experience (no sales pitches at this stage pls)


10/27/2022, 1:14 PM
Kolide has customers doing SOC2, but that’s not quite the same.
1:15 PM
Some of this should be a conversation with your auditor. You mention ephemeral (and I assume VMs) and in that context I’d try to see if FIM can simply be excluded.
1:17 PM
But generally speaking, I think osquery can help meet a lot of the endpoint things, but compliance is going to require a solid SIEM, and audit trails. What are you using there?
1:20 PM
Generally I imagine people would help brainstorm specific requirements, but it’s a bit hard to speak for the whole standard.

Daniel Cross

10/28/2022, 3:59 AM
Thanks @seph. yeah, so it’s looking like a path of integrate threat intel + asset info + ‘normal/expected’ into SIEM and correlate. We utilise logstash + opensearch as the core components of our SIEM. OSQ logs out to journald, which gets to opensearch. Alerting upon FIM and various searches upon results from tables as a start.
4:00 AM
Totally agree too - convo with auditor + specific requirements. I’m coming more from a position of the guy running the osq project while two teams over and one rung up people are conversing with auditors. Trying to get ahead of things a bit.