If change-detection mechanisms are not implemented properly, a malicious individual could take advantage and could add, remove, or alter configuration file contents, operating system programs, or application executables. This is why PCI Requirement 11.5 says, “Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
During an assessment, an assessor will examine your change-detection mechanism and review the results from monitoring activities. The PCI DSS gives us a good idea of what types of files should be monitored, like system executables, application executables, configuration and parameter files, log and audit files, and any other critical files.
There are two places within the PCI DSS that talk about change control. There is PCI Requirement 10.5.5 that talks about file integrity monitoring of logging, and PCI Requirement 11.5 is the second place that we talk about that. PCI Requirement 11.5 requires that you have a file integrity monitoring system that monitors all your critical files and all of the applications files within your environment.
From an assessment perspective, your assessor is going to be pulling all the configurations from your file integrity monitoring systems and looking at what files are going to be monitored. One of the areas that we find most organizations struggle with PCI Requirement 11.5 is that they install Tripwire or OSSEC or another type of file integrity monitoring system and, by default, they will watch the operating system files. They’re pretty good about the system files; however, these applications do not have the cognitive ability to know what applications have been installed. One of the biggest areas that we see clients often struggle with PCI Requirement 11.5 is that they have not gone in and customized that file integrity monitoring solution to monitor those specific files for that specific server.