[PCI DSS 1.x] 11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of cr

11.5 Verify the use of file integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities

Man… Tripwire had a field day with PCI DSS v1.0. Their name was removed in PCI DSS v1.1, but they made a lot of money with their inclusion.
Needless to say, this control can be approached ‘for free’ using Microsoft’s own integrity checker (good tool, but unsupported) or you can write your own using MD5/SHA APIs. The problems kick in when you’ve a few hundred servers in scope. Best look at something enterprise level, e.g. Tripwire, if you need to do this. Bear in mind that logging tools for section 10 often include a log collection agent on which you may already find a FIM tool. Certain host-based IPS tools also support FIM.
Point is, look at IPS and event logging controls when you look at this one - combine all three and away you go.
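Where the post above says you can write your own with the MD5/SHA APIs, the following is an added Python example (not code from this thread or from any tool it mentions): take a SHA-256 baseline of a tree, seal that baseline with an HMAC so tampering with the baseline itself is caught, then diff a later scan into added, removed and modified files. The directory contents and the key are constructed sample data.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root (symlinks skipped)."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def seal_baseline(baseline: dict, key: bytes):
    """Serialise the baseline and attach an HMAC so tampering with the baseline itself is detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()

def open_baseline(body: bytes, tag: str, key: bytes) -> dict:
    """Refuse to trust a stored baseline whose HMAC does not verify."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return json.loads(body)

def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the baseline."""
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in baseline.keys() & current.keys()
                               if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed sample tree: take a baseline, change the tree, rescan and diff."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "app.conf").write_text("port=443\n")
        (root / "app" / "payment.exe").write_bytes(b"MZ original build")
        body, tag = seal_baseline(build_baseline(root), key)
        (root / "app" / "app.conf").write_text("port=8080\n")      # modified
        (root / "app" / "payment.exe").unlink()                     # removed
        (root / "app" / "dropped.dll").write_bytes(b"MZ unknown")   # added
        return compare(open_baseline(body, tag, key), build_baseline(root))
```

For a few hundred servers the same three pieces (baseline, protected store, scheduled compare that raises an alert) are what a commercial FIM or an IPS/log agent does for you, with the baseline held centrally rather than on the monitored host.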

File Integrity Checker

For smaller installations have a look at this free tool that we use that is hosted on SourceForge: https://sourceforge.net/projects/lightweightfile/

Thank you so much for the post. It’s really useful. :up:


This application looks really useful, and I would like to implement it myself, but am running into some issues. I have tried this on several XP Pro machines now (with the latest updates), and I keep getting the same error for both cleandb and build:

System.InvalidOperationException: ExecuteNonQuery requires an open and available Connection. The connection's current state is closed.
at System.Data.SqlClient.SqlConnection.GetOpenConnection(String method)
at System.Data.SqlClient.SqlConnection.ValidateConnectionForExecute(String method, SqlCommand command)
at System.Data.SqlClient.SqlCommand.ValidateCommand(String method, Boolean async)
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at _422572.DatabaseCreator.CreateDatabase(Configuration config)

Building hash file database...
System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005 , this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at _422572.databaseTableAdapters.FileHashesTableAdapter.DeleteQuery()
at _422572.CleanProcess.process(Configuration config)
at _422572.Program.Main(String[] args)

Any idea what I am doing wrong? Thanks!

Hi,

Is there a list of what constitutes a critical system or content file, for say SCO Unix or even XP?

Sorry I didn’t see your post until now.

Do you have SQL Express installed? We will, no matter what, release a new version within a month.

McAfee “Application Control” for file integrity check

Hi,
Has anyone explored the McAfee tool named “Application Control” for deploying file integrity checks? I guess if we can remove the default behaviour of write-protecting the file and set it to ‘notify only’, it may prove a useful tool.

Does PCI DSS require that file integrity be checked in real time?

thanks in advance,

regards
rakesh

FIM and Desktops

Does anyone think that this section refers to the desktop also? Or does it apply to the payment system or environment? If you have bespoke applications on the desktop that are used to take the payment details and pass them to the payment gateway for processing, does this mean the desktop is in scope for 11.5 and FIM should be deployed to these desktops?

Surely if you have appropriate compensating controls that lock down the desktop so the user is unable to make core changes such as installing software (endpoint lockdown, AV, yada yada yada), it negates the need.

Anyone’s view on this would be appreciated.