Posted: 19-Jun-2015 | Category: Technology | Uploaded by: cfengine
PCI Solution
Product, Process, Consulting
INTERNAL ONLY - CONFIDENTIAL
PCI High Level Overview
- Payment Application Data Security Standard (PA-DSS)
- PIN Transaction Security (PTS)
- Data Security Standard (PCI DSS)
Using CFEngine to maintain PCI compliant IT infrastructure
[Diagram: a Build -> Deploy -> Manage -> Audit loop around a central PCI policy, with four stages: Provision PCI compliant infrastructure; Hardened operating systems; Maintain compliance in real time; Monitoring, reporting and audit]
Approaches to PCI-DSS compliance
● Reactive (traditional)
  ● Manual changes, scripts, inconsistencies
  ● Scanners/detection-scripts (band-aid)
● Proactive (CFEngine)
  ● Desired-state
  ● Automation, consistency
  ● Always maintained and provable
CFEngine examples
• Extended history setting in shell (/etc/profile)
• NTP configuration (/etc/ntp.conf)
• File integrity check
• SSH configuration (/etc/ssh/sshd_config)
• Useradd settings (/etc/default/useradd)
• Password definitions (/etc/login.defs)
• Password expiration on personal users
• User interaction timeout (/etc/profile)
• Sudo configuration (/etc/sudoers)
• Syslog configuration (/etc/syslog.conf)
• Management of services (whitelist & blacklist)
• Locking of inactive users
PCI DSS (Requirement 2.2) requires system configuration standards consistent with industry-accepted hardening guides, and a way to keep every system at that standard over time, not just at build time.
CFEngine keeps systems converged on the desired state continuously and produces the reports that prove it to an assessor.
File integrity (manage)
{
  "activated": true,
  "params": {
    "watch": [
      "/etc",
      "/boot",
      "/bin",
      "/usr/sbin",
      "/sbin",
      "/lib"
    ],
    "hash_algorithm": "sha256",
    "ifelapsed": "1440"
  },
  "tags": [
    "pcidss",
    "pcidss_v2",
    "pcidss_v2_sec_11_5"
  ]
}
Sketch: Security::file_integrity
Params: pcidss_v2.json
Knowledge is kept with configuration
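The sketch above watches a list of directories and rechecks them every 1440 minutes. What follows is an added, stand-alone illustration of that mechanism in Python; it is not CFEngine code and not from the original deck. It hashes every regular file under the watched roots with SHA-256, keeps a baseline, and reports added, removed and modified files on later runs. The sample tree, the baseline path and the tampering in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(roots):
    """Return {path: sha256} for every regular file under the watched roots.

    Symlinks are recorded by their target string instead of being followed,
    so a link re-pointed at another file shows up as 'modified' rather than
    silently hashing the new target.
    """
    digests = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic order makes reports diffable
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    digests[path] = "symlink:" + os.readlink(path)
                elif os.path.isfile(path):
                    digests[path] = sha256_file(path)
    return digests


def compare(baseline, current):
    """Diff two {path: digest} maps into sorted added/removed/modified lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def check(roots, baseline_file, accept=False):
    """One scheduled run: create the baseline if missing, else diff against it.

    The baseline is left untouched unless accept=True, so an unexplained
    change keeps being reported on every run until an operator has reviewed
    it and re-baselined; silently accepting would let a tampered file become
    the reference after a single report.
    """
    current = hash_tree(roots)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
        return {"added": [], "removed": [], "modified": []}, True
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    report = compare(baseline, current)
    if accept:
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
    return report, False


def demo():
    """Constructed sample tree standing in for /etc, then tampered with."""
    work = tempfile.mkdtemp()
    etc = os.path.join(work, "etc")
    os.makedirs(os.path.join(etc, "ssh"))
    with open(os.path.join(etc, "ssh", "sshd_config"), "w") as fh:
        fh.write("Protocol 2\nPermitEmptyPasswords no\n")
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    baseline = os.path.join(work, "fim_baseline.json")  # outside the watch
    _, first = check([etc], baseline)  # run 1 establishes the baseline

    # Tamper: weaken sshd_config, drop a rogue cron entry, delete a file.
    with open(os.path.join(etc, "ssh", "sshd_config"), "w") as fh:
        fh.write("Protocol 1\nPermitEmptyPasswords yes\n")
    with open(os.path.join(etc, "cron.d_backdoor"), "w") as fh:
        fh.write("* * * * * root /tmp/x\n")
    os.remove(os.path.join(etc, "passwd"))

    report, _ = check([etc], baseline)  # run 2 reports all three changes
    again, _ = check([etc], baseline)   # run 3: still reported, not accepted

    def strip(r):  # drop the temp prefix so the report is location-independent
        return {k: [p[len(work):] for p in v] for k, v in r.items()}
    return strip(report), strip(again), first


if __name__ == "__main__":
    report, again, first = demo()
    print("baseline created on first run:", first)
    print(json.dumps(report, indent=2))
    print("same result on the next run:", report == again)
```

The accept flag is the point to think about for PCI DSS 11.5: the requirement is that changes to critical files are alerted and reviewed, so a checker that quietly re-baselines after reporting gives an attacker a one-report window after which the modified file is the new normal. Run it from the agent schedule (the sketch's 1440 minutes is once a day), keep the baseline outside the watched trees and readable only by the agent, and ship the report centrally rather than leaving it on the host being checked.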
File integrity (audit)
SSH Configuration (manage)
{
  "activated": true,
  "params": {
    "Protocol": "2",
    "PermitEmptyPasswords": "no",
    "ClientAliveInterval": "900",
    "ClientAliveCountMax": "0"
  },
  "tags": [
    "pcidss",
    "pcidss_v2",
    "pcidss_v2_sec_2_1",
    "pcidss_v2_sec_2_2_3",
    "pcidss_v2_sec_8_5_15"
  ]
}
Sketch: Security::SSH
Params: pcidssv2.json
Which sections was this for?
SSH Report (audit)
Host          | Failing promise  | Time
comp1.ex.com  | sshd_set_config  | Sept 21, 2012
log1.ex.com   | sshd_restart     | Sept 21, 2012
log1.ex.com   | sshd_set_config  | Sept 19, 2012
app1.ex.com   | sshd_copy_config | Sept 20, 2012
app2.ex.com   | sshd_restart     | Sept 18, 2012
● Available through web interface, PDF, CSV and REST API
● Scheduling, emailing and archiving possible
● SQL-based, extremely flexible
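The SSH sketch two slides back declares four desired sshd_config values, and the report above lists hosts whose sshd_set_config promise failed. As an added example (stand-alone Python, not CFEngine policy and not the deck's code), here is what a correct desired-state check and repair for sshd_config has to get right, plus a function that emits report rows in the shape of the table. The sample config, the host name and the date are constructed; the four desired values are the sketch's own. The parser models sshd's actual semantics: first occurrence of a keyword wins, keywords are case-insensitive, a commented-out line sets nothing, and anything after the first Match line is conditional.

```python
import re

DESIRED = {  # the four parameters from the SSH sketch
    "Protocol": "2",
    "PermitEmptyPasswords": "no",
    "ClientAliveInterval": "900",
    "ClientAliveCountMax": "0",
}

# keyword, then '=' or whitespace, then the value (sshd accepts both forms)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*[=\s]\s*(.*?)\s*$")

# Constructed sample, not from any real host. It holds the traps a naive
# checker falls into: a weak comma list, a commented-out line that sets
# nothing, a duplicate where the FIRST line wins, and a Match block.
SAMPLE = """\
Port 22
Protocol 2,1
#PermitEmptyPasswords no
ClientAliveInterval 0
ClientAliveInterval 900
Match User backup
    ClientAliveInterval 3600
    PasswordAuthentication no
"""


def parse_global(text):
    """{keyword.lower(): effective value} for the global section only.

    First occurrence wins; parsing stops at the first Match line because
    everything after it applies only to matching connections.
    """
    effective = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text, desired=DESIRED):
    """(keyword, expected, actual) for each setting not at its desired value.

    An absent keyword is reported with actual=None: for PCI evidence it is
    safer to state every value explicitly than to rely on sshd's defaults.
    """
    effective = parse_global(text)
    return [(k, want, effective.get(k.lower()))
            for k, want in desired.items() if effective.get(k.lower()) != want]


def enforce(text, desired=DESIRED):
    """Converge the global section on the desired values; idempotent.

    The first active line for a keyword (the one sshd honours) is rewritten
    in place, later duplicates are commented out so a reorder cannot revive
    them, and missing keywords are inserted before the first Match block.
    """
    lines = text.splitlines()
    wanted = {k.lower(): (k, v) for k, v in desired.items()}
    seen, match_at = set(), None
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            match_at = i
            break
        if key in wanted:
            name, value = wanted[key]
            if key in seen:
                lines[i] = f"# {line}  # duplicate disabled by pci policy"
            else:
                seen.add(key)
                lines[i] = f"{name} {value}"
    missing = [f"{n} {v}" for key, (n, v) in wanted.items() if key not in seen]
    at = len(lines) if match_at is None else match_at
    lines[at:at] = missing
    return "\n".join(lines) + "\n"


def naive_append(text, desired=DESIRED):
    """The tempting shortcut, kept to show why it fails the audit: appended
    lines lose to earlier occurrences and land inside the Match block."""
    return text + "".join(f"{k} {v}\n" for k, v in desired.items())


def report_rows(host, text, when, desired=DESIRED):
    """One row per failing promise, in the shape of the audit report above."""
    return [{"host": host, "failing_promise": "sshd_set_config", "keyword": k,
             "expected": want, "actual": got, "time": when}
            for k, want, got in audit(text, desired)]


if __name__ == "__main__":
    for row in report_rows("app1.ex.com", SAMPLE, "Sept 20, 2012"):
        print(row)
    print("naive append still failing:", len(audit(naive_append(SAMPLE))))
    print("after enforce:", audit(enforce(SAMPLE)))
```

Two practitioner caveats on the values themselves. ClientAliveInterval 900 with ClientAliveCountMax 0 was the common 15-minute idle-timeout recipe when this deck was written, but OpenSSH 8.2 changed the meaning of ClientAliveCountMax 0 to "never terminate", so on current servers this pair disables the timeout rather than enforcing it; the client-alive mechanism also only detects unresponsive clients, not idle users, which is why the deck separately lists a shell timeout in /etc/profile. Any repair of sshd_config should be followed by a syntax check (sshd -t) before the restart promise fires, otherwise a bad edit locks everyone out of the host.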
Conclusions – what you get
● CFE software to maintain PCI-DSS compliance
  ● 9 out of the 10 largest banks do it
● Content to do it out-of-the-box (on-going effort)
  ● Design Center sketches
● Report and audit with CFE 3 Enterprise
Links
● CFEngine 3 Enterprise (manage, report and audit)
  ● http://cfengine.com/enterprise
● Design Center (content)
  ● https://github.com/cfengine/design-center
  ● Work-in-progress
● Learning CFEngine 3
  ● https://cfengine.com/getting-started