PCI File-Integrity Monitoring of Log Data
I'm asking the community since RSA Support wasn't very helpful with this issue. To satisfy PCI Requirement 10.5.5, you need to be alerted if someone attempts to modify log data on the enVision appliance. RSA says they have a solution and it's being marketed on the RSA website as the following:
"RSA enVision is capable of creating alerts which ensure supervisors and others are aware if any changes to the logs take place."
However, support seemed unaware of this "Marketing" feature and just pointed me to the Windows Device guide to enable File/Folder auditing. This is not very straightforward since the enVision is a Domain Controller and you have to modify the Default Domain Controller Security policy to enable this option. There aren't very specific steps to configure this for the enVision server itself.
Has anyone been able to get this function to work? Thanks.
Support may have already provided you the answer to this question by now. For the benefit of other community members -
The default correlation rule called CRL-00161 monitors for IPDB integrity. When this rule is enabled, any modification or deletion of data in the IPDB will fire this alert. This is accomplished with built-in file integrity monitoring by enVision. Simply put, the log is hashed to indicate order and integrity. Any error with the log file missing or modified will fire an event that triggers this alert.
If you do not see CRL-00161 in your list of alerts, download and install the latest cumulative event source update.
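To illustrate what "hashed to indicate order and integrity" means in practice, here is an added example of a keyed hash chain over log records that flags modification, deletion, reordering and tail truncation. It is illustrative code written for this thread, not enVision's IPDB format or the logic behind CRL-00161; the records, key and seed are constructed.

```python
import hashlib
import hmac

# Constructed sample records; the key is a demo value, not a real secret.
SAMPLE_RECORDS = [
    "2012-03-01T10:00:01 host1 sshd: Accepted password for admin",
    "2012-03-01T10:00:07 host1 sudo: admin : COMMAND=/bin/cat /etc/shadow",
    "2012-03-01T10:00:09 host1 sshd: session closed for user admin",
]
DEMO_KEY = b"constructed-demo-key"


def _link(key, prev, seq, rec):
    """Keyed digest binding this record to its sequence number and predecessor."""
    msg = f"{prev}|{seq}|{rec}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_records(records, key, seed=b"genesis"):
    """Return [(seq, record, digest)] where each digest chains to the previous one."""
    sealed, prev = [], hashlib.sha256(seed).hexdigest()
    for seq, rec in enumerate(records, 1):
        digest = _link(key, prev, seq, rec)
        sealed.append((seq, rec, digest))
        prev = digest
    return sealed


def verify_records(sealed, key, seed=b"genesis", expected_tail=None):
    """Return (ok, findings). expected_tail is the last digest anchored elsewhere
    (e.g. forwarded off-box), which is what catches silent tail truncation."""
    findings, prev, expected_seq = [], hashlib.sha256(seed).hexdigest(), 1
    for seq, rec, digest in sealed:
        if seq != expected_seq:  # deleted or reordered records show up as gaps
            findings.append(f"sequence gap: expected {expected_seq}, found {seq}")
        if not hmac.compare_digest(_link(key, prev, seq, rec), digest):
            findings.append(f"record {seq} modified or chain broken")
        prev, expected_seq = digest, seq + 1  # resume from the stored digest
    if expected_tail is not None:
        tail = sealed[-1][2] if sealed else None
        if tail != expected_tail:
            findings.append("log truncated or tail altered")
    return (not findings, findings)


if __name__ == "__main__":
    chain = seal_records(SAMPLE_RECORDS, DEMO_KEY)
    print(verify_records(chain, DEMO_KEY, expected_tail=chain[-1][2]))
```

Whatever the product does internally, the defender's check is the same: the verifier must hold the key and the tail anchor somewhere an attacker who can edit the log cannot also edit.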
In addition, our Sales engineer informed me that you still have to enable File Object Access monitoring on the E:\LSNODE\sitename directory folder.