Hi Team,
I have applied the PCI-DSS profile to my CentOS 7 system and there seems to be a false positive with the check "Disable Prelinking". I have checked the remediation steps and they have been applied, but the check still marks as a fail. Secondly, with this PCI profile, how come rules like enabling or checking SELinux are marked as notselected? Are these notselected rules not part of PCI-DSS requirements, or is this due to some other reason?
Benchmark URL: ssg-centos7-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
Colin Madigan | UNIX Engineer | T 02 9344 2705 | 30 Ross St, Glebe NSW 2037 | Colin.Madigan@tpgtelecom.com.au
TPG Telecom (ASX: TPM)
This email and any attachments are confidential and may be subject to copyright, legal or some other professional privilege. They are intended solely for the attention and use of the named addressee(s). They may only be copied, distributed or disclosed with the consent of the copyright owner. If you have received this email by mistake or by breach of the confidentiality clause, please notify the sender immediately by return email and delete or destroy all copies of the email. Any confidentiality, privilege or copyright is not waived or lost because this email has been sent to you by mistake.
Hi Colin,
My reading of PCI-DSS indicates that it is supposed to be stacked on top of an additional known standard. So, for full compliance, you'll need to scan against PCI-DSS here and then pick which of the other baseline standards you want to follow and run that one as well.
You should be able to put together a custom SCAP scenario to do all of the appropriate scans at once but keeping them separate is generally easier so that you don't have to munge with anything upstream.
Thanks,
Trevor
On Tue, Jun 27, 2017 at 11:23 PM, Colin Madigan <Colin.Madigan@tpgtelecom.com.au> wrote:
Hi Team,
I have applied the PCI-DSS profile to my CentOS 7 system and there seems to be a false positive with the check "Disable Prelinking". I have checked the remediation steps and they have been applied, but the check still marks as a fail. Secondly, with this PCI profile, how come rules like enabling or checking SELinux are marked as notselected? Are these notselected rules not part of PCI-DSS requirements, or is this due to some other reason?
Benchmark URL: ssg-centos7-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
On 6/28/17 9:48 AM, Trevor Vaughan wrote:
My reading of PCI-DSS indicates that it is supposed to be stacked on top of an additional known standard. So, for full compliance, you'll need to scan against PCI-DSS here and then pick which of the other baseline standards you want to follow and run that one as well.
You should be able to put together a custom SCAP scenario to do all of the appropriate scans at once but keeping them separate is generally easier so that you don't have to munge with anything upstream.
Do you have a pointer for the need for additional standards? The PCI-DSS docs call out specific controls they want to see (e.g. PCI-DSS 8.2.3 - 7 char alpha numeric passwords)... haven't come across the layering concept before.
(I have very little experience with PCI-DSS and can learn from the pointer)
From PCI-DSS 3.2 https://www.pcisecuritystandards.org/document_library?category=pcidss&do... :
Section 2.2
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited to:
* Center for Internet Security (CIS)
* International Organization for Standardization (ISO)
* SysAdmin Audit Network Security (SANS) Institute
* National Institute of Standards Technology (NIST)
Trevor
On Wed, Jun 28, 2017 at 6:51 PM, Shawn Wells <shawn@redhat.com> wrote:
On 6/28/17 9:48 AM, Trevor Vaughan wrote:
My reading of PCI-DSS indicates that it is supposed to be stacked on top of an additional known standard. So, for full compliance, you'll need to scan against PCI-DSS here and then pick which of the other baseline standards you want to follow and run that one as well.
You should be able to put together a custom SCAP scenario to do all of the appropriate scans at once but keeping them separate is generally easier so that you don't have to munge with anything upstream.
Do you have a pointer for the need for additional standards? The PCI-DSS docs call out specific controls they want to see (e.g. PCI-DSS 8.2.3 - 7 char alpha numeric passwords)... haven't come across the layering concept before.
(I have very little experience with PCI-DSS and can learn from the pointer)
On 6/27/17 11:23 PM, Colin Madigan wrote:
Hi Team,
I have applied the PCI-DSS profile to my CentOS 7 system and there seems to be a false positive with the check "Disable Prelinking". I have checked the remediation steps and they have been applied, but the check still marks as a fail.
What version of the content?
If downstream in CentOS: $ rpm -qv scap-security-guide
If upstream/GitHub, are you using the latest or a prior release?
Secondly, with this PCI profile, how come rules like enabling or checking SELinux are marked as notselected? Are these notselected rules not part of PCI-DSS requirements, or is this due to some other reason?
Red Hat hired a PCI auditing company (called Neohapsis, now part of Cisco) to consult on broad PCI-DSS compliance efforts. They identified controls needed in a "RHEL for PCI" baseline. IIRC, PCI compliance requires exceptionally few security controls at the infrastructure level. Most were targeted at data management.
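An added example, not from the thread or from scap-security-guide, for checking both questions above against the actual scan output: a POSIX shell helper that reads the XCCDF results file oscap writes and lists rules by result, so a rule that genuinely evaluated to "fail" (such as "Disable Prelinking") is told apart from one the profile never selected ("notselected", as with the SELinux rules). The oscap invocation in the comment, the rule ids and the sample XML are assumptions constructed for the example.

```shell
# Added example, not from the thread or scap-security-guide: parse the XCCDF
# results file that `oscap xccdf eval --profile <profile-id> --results results.xml
# ssg-centos7-ds.xml` writes (assumed invocation) and list rules by result.

# Print "<rule-id> <result>" for each <rule-result>; plain awk so it runs on a
# minimal CentOS box without python or xmllint.
rule_results() {
    awk '
        /<rule-result[ >]/ {
            match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>/ && id != "" {
            match($0, /<result>[^<]*<\/result>/)
            print id, substr($0, RSTART + 8, RLENGTH - 17); id = ""
        }' "$1"
}

# Result of one rule id (e.g. the "Disable Prelinking" rule).
result_of() { rule_results "$1" | awk -v want="$2" '$1 == want { print $2 }'; }

# Rule ids that ended with a given result: fail, notselected, pass, ...
rules_with() { rule_results "$1" | awk -v want="$2" '$2 == want { print $1 }'; }

# Constructed sample in the shape oscap writes; the rule ids are assumptions.
write_sample() {
    cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
  <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high" weight="1.000000">
    <result>notselected</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high" weight="1.000000">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF
}

sample=$(mktemp); write_sample "$sample"
echo "failed:";       rules_with "$sample" fail
echo "not selected:"; rules_with "$sample" notselected
rm -f "$sample"
```

Point the functions at a real results.xml from the pci-dss profile to see which rules actually failed versus which the profile simply does not select.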
Hi Shawn,
Thanks for the quick reply. I am using CentOS 7 and the version is scap-security-guide-0.1.30-5.el7.centos.noarch. I must admit I have not read the PCI standards in detail recently, so I will take the experts' word. It's great that there is a PCI profile available now, because several years ago they were hard to come by and I had to dig around the NVD for profiles that matched Red Hat 5 but were not labelled as PCI.
On 6/28/17 7:44 PM, colin.madigan@tpgtelecom.com.au wrote:
Thanks for the quick reply. I am using CentOS 7 and the version is scap-security-guide-0.1.30-5.el7.centos.noarch. I must admit I have not read the PCI standards in detail recently, so I will take the experts' word. It's great that there is a PCI profile available now, because several years ago they were hard to come by and I had to dig around the NVD for profiles that matched Red Hat 5 but were not labelled as PCI.
We could upload the PCI profile to NIST NCP if useful.
On 6/28/17 8:16 PM, Shawn Wells wrote:
On 6/28/17 7:44 PM, colin.madigan@tpgtelecom.com.au wrote:
Thanks for the quick reply. I am using CentOS 7 and the version is scap-security-guide-0.1.30-5.el7.centos.noarch. I must admit I have not read the PCI standards in detail recently, so I will take the experts' word. It's great that there is a PCI profile available now, because several years ago they were hard to come by and I had to dig around the NVD for profiles that matched Red Hat 5 but were not labelled as PCI.
We could upload the PCI profile to NIST NCP if useful.
aka something like this: