System Misconfigurations

This report provides a view of all identified system misconfigurations on PCI-relevant assets in your cardholder environment. Use this report to compare the identified misconfigurations with the defined hardening policy to determine the level of risk to the asset.

Malicious individuals often use vendor default configuration settings to compromise systems and applications. These settings are well known in hacker communities and leave systems highly vulnerable to attack. This report helps you verify that your organization's system configuration standards and related processes specifically address security settings and parameters that have known security implications.

Relevant data sources

Relevant data for this report includes events from configuration assessment tools that identify misconfigured settings on endpoints.

How to configure this report

  1. Index misconfiguration data in the Splunk platform.
  2. Map the data to the following Common Information Model fields: host, ids_type, category, signature, severity, src, dest, vendor_product. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag misconfiguration events with "misconfiguration".

Report description

The data in the system misconfiguration report is populated from the IDS Attack and Vulnerabilities CIM data models.

Useful searches for troubleshooting

Troubleshooting task: Verify that data is present.
Expected result: Returns system misconfiguration data.

Troubleshooting task: Verify that fields are normalized and available.
Search/Action: `ids_attack` | search tag=misconfiguration | tags outputfield=tag | table _time,host,sourcetype,dvc,ids_type,category,signature,severity,src,dest,tag,vendor_product
Expected result: Returns a table of system misconfiguration fields.
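The following is an added example, not configuration shipped with the Splunk App for PCI Compliance or any add-on, showing what steps 2 and 3 of "How to configure this report" look like when no CIM-compliant add-on exists for a tool, and how the troubleshooting search above can be extended into a per-field coverage check. The sourcetype examplevendor:config_assessment, the raw field names (hostname, scanner_ip, check_name, risk, result) and the saved-search name are hypothetical placeholders; the CIM field names and the ids/attack tags required by the IDS Attack data model are real.

```ini
# eventtypes.conf: define an event type for the assessment tool's "fail" results.
# The sourcetype and the result field are hypothetical placeholders for your tool.
[examplevendor_misconfiguration]
search = sourcetype="examplevendor:config_assessment" result="fail"

# tags.conf (step 3): tag the event type "misconfiguration". The IDS Attack
# data model also requires the ids and attack tags before it accelerates events.
[eventtype=examplevendor_misconfiguration]
misconfiguration = enabled
ids = enabled
attack = enabled

# props.conf (step 2): map the tool's raw field names (hypothetical) onto the
# CIM fields the report expects. FIELDALIAS keeps the raw field and adds the
# CIM name; EVAL derives values the raw event does not carry. host is set at
# index time and needs no mapping here.
[examplevendor:config_assessment]
FIELDALIAS-examplevendor_dest = hostname AS dest
FIELDALIAS-examplevendor_src = scanner_ip AS src
FIELDALIAS-examplevendor_signature = check_name AS signature
EVAL-ids_type = "host"
EVAL-category = "misconfiguration"
EVAL-vendor_product = "ExampleVendor Configuration Assessor"
EVAL-severity = case(lower(risk)=="high", "high", lower(risk)=="medium", "medium", true(), "low")

# savedsearches.conf: a coverage check built on the troubleshooting search.
# Output is one row per required CIM field with the percentage of tagged
# events that populate it; anything below 100 points at a mapping gap.
[PCI - Misconfiguration CIM field coverage]
search = `ids_attack` | search tag=misconfiguration \
  | stats count AS events count(host) AS host count(ids_type) AS ids_type \
      count(category) AS category count(signature) AS signature \
      count(severity) AS severity count(src) AS src count(dest) AS dest \
      count(vendor_product) AS vendor_product \
  | foreach host ids_type category signature severity src dest vendor_product \
      [eval <<FIELD>>=round(100*'<<FIELD>>'/events, 1)] \
  | fields - events \
  | transpose 0 column_name=cim_field \
  | rename "row 1" AS pct_populated
```

Deploy the stanzas in an app on the search head (the props.conf stanza must also reach any indexer or heavy forwarder that parses the data if you add index-time settings later; the FIELDALIAS and EVAL settings above are search-time and only need the search head). To run the coverage search interactively, paste it into the search bar without the trailing backslashes; a field that reports less than 100 percent is the one to fix before relying on the report for a PCI assessment.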