6 Replies Latest reply on May 1, 2014 9:20 AM by Jeff Campbell

    PCI FIM File List

    Jeff Campbell

      For PCI FIM on the Windows OS critical files, does anyone have a file list they are using to meet this requirement?

        • 1. Re: PCI FIM File List
          Neil Karani

          Anything under Windows and Windows/system32 are critical files to monitor. Detecting critical binaries changes, critical file permission modifications and presence of new files in specific directories are the key objectives.


          • 2. Re: PCI FIM File List
            Christopher Blanks



            I think that you are probably correct in many respects, but I would think that there are many files in the %WINDIR% and %WINDIR%\system32 that would change as a normal operation (log files, registries, etc) or could come and go (cache files).  I, too, would be interested in at least a base file list (or method like "recursively search %WINDIR%\system32 for all .exe, .dll, .ocx, and .sys files excluding directories named LogFiles") but have been unable to find one.  I realize that this will differ from situation to situation, but I have to believe that there is a solidly defined starting point out there somewhere.  On the other hand, I have been wrong many times before...



            • 3. Re: PCI FIM File List
              Bill Robinson

              the fim templates that are in the contrib list have a basic list of directory parts w/ the includes and excludes i think.


              does PCI provide a list ?

              • 4. Re: PCI FIM File List
                Christopher Blanks

                Thanks for the response, Bill.


                In reviewing the PCI Security Standards Document v3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf), they state this:




                Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.




                For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).



                Based on this, I looked to BMC's BSA to be "pre-configured with critical files for the related operating system".  I haven't been able to find this though...


                Sorry if I hi-jacked your question, Cambel.  ;0$

                • 5. Re: PCI FIM File List
                  Sean Berry

                  There's sample templates in the 8.1 Contrib Content: 8.1 Contrib Content


                  I believe for Windows, for example, we were looking at including things in %WINDIR% like *.exe, *.inf, *.dll etc.

                  • 6. Re: PCI FIM File List
                    Jeff Campbell

                    Has anyone looked at Microsoft's Windows Resource Protection or tried to use it in a manner of meeting this requirement?  It is available starting with Windows Server 2008.  I wonder if there is a way to determine what files this process monitors and leverage that to meet the requirement?