WHITE PAPER
CONFIDENCE: SECURED
ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE
PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS
TRIPWIRE ENTERPRISE · TRIPWIRE LOG CENTER · TRIPWIRE IP360 · TRIPWIRE PURECLOUD
A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE PAPER
2 PCI DSS 3.2 Compliance with Tripwire Solutions - A UL/Tripwire White Paper
CONTENTS
Trademark Acknowledgements ..... 3
Copyright ..... 3
PCI DSS version ..... 3
Intended audience ..... 4
Authors ..... 4
About Tripwire ..... 4
Disclaimer ..... 4
Introduction ..... 5
PCI DSS Assessment Process ..... 6
PCI DSS Compliance with Tripwire Enterprise ..... 7
Tripwire Enterprise File Integrity Manager ..... 9
Tripwire Enterprise Policy Manager ..... 11
PCI DSS Compliance with Tripwire Log Center ..... 18
PCI DSS Compliance with Tripwire IP360 ..... 23
PCI DSS Compliance with Tripwire PureCloud ..... 28
Technical Information About Tripwire Products to Comply with PCI DSS ..... 32
TRADEMARK ACKNOWLEDGEMENTS
The following are trademarks or registered trademarks of Tripwire, Inc.:
• Tripwire
• Log Center
• IP360
PCI Security Standards Council, LLC (the Council) is the owner of the copyright of the material known as PCI Data Security Standards (PCI DSS). PCI DSS is the exclusive property of the Council.
COPYRIGHT
© 2017 UL Transaction Security Pty Ltd and Tripwire, Inc.
This document may be copied in its entirety and distributed in any medium subject to the following: all copyright notices, including this notice, are preserved; the document may only be copied in its entirety; and the document must not be made available for download from any website in any format. This document may be made available through a hyperlink to UL Transaction Security Pty Ltd’s or Tripwire’s websites.
Except as set out above, no part of this document may be reproduced, altered, adapted, translated, published, rebranded or otherwise without the prior written permission of UL Transaction Security Pty Ltd or Tripwire, Inc.
PCI DSS VERSION
This white paper has been based on PCI DSS Requirements and Security Assessment Procedures, Version 3.2, and Template for Report on Compliance for use with PCI DSS v3.2. These documents can be obtained from the PCI SSC website at
https://www.pcisecuritystandards.org/security_standards/documents.php
The PCI SSC website contains a number of other documents that may be helpful in interpreting the PCI DSS specification. These supporting documents can be downloaded from the same location.
INTENDED AUDIENCE
This white paper is a guide for security personnel who want to find out how Tripwire® Enterprise, Tripwire Log Center®, Tripwire IP360™ and Tripwire PureCloud can assist in meeting PCI DSS requirements. Qualified Security Assessors (QSAs) may also find this document useful, as it highlights the areas of the PCI DSS requirements that can be verified and met by the Tripwire products reviewed in this paper. Prior knowledge of Tripwire Enterprise, Tripwire Log Center, Tripwire IP360, Tripwire PureCloud and PCI DSS is recommended.
AUTHORS
This white paper has been prepared by UL’s Transaction Security Division in conjunction with Tripwire.
UL’s Transaction Security division guides companies within the mobile, payments and transit domains through the complex world of electronic transactions. UL is the global leader in ensuring security, compliance and global interoperability, offering advice, test and certification services, security evaluations and test tools during the full life cycle of your product development process or the implementation of new technologies. UL’s people proactively collaborate with industry players to define robust standards and policies, serving you locally whilst acting globally. UL is recognized by leading industry bodies including Visa, MasterCard, Discover, JCB, American Express, EMVCo, PCI, GCF, ETSI, GSMA, GlobalPlatform, NFC Forum and many others.
For more information, go to UL-TS.com
ABOUT TRIPWIRE
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at www.tripwire.com. Get security news, trends and insights at tripwire.com/blog.
DISCLAIMER
This document should be treated as a guide only. It does not guarantee that an organization will be compliant by following the recommendations herein. Professional advice should be sought to determine the organization’s specific situation and exactly what needs to be done for it to achieve PCI DSS compliance. The organization’s PCI DSS compliance status will ultimately be determined by its QSA.
INTRODUCTION
Any entity that processes, transmits or stores account data [1], or can impact the security of the cardholder data environment (CDE) [2], is required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). In PCI DSS, all system components [3], processes and people that are included in or connected to the CDE, or can impact the security of the CDE, are considered in scope. PCI DSS comprises 12 high-level requirements. Each high-level requirement includes a number of low-level requirements, and each low-level requirement consists of one or more testing procedures. PCI DSS version 3.2 includes 270+ low-level requirements and 460+ testing procedures. The low-level requirements will be referred to as the “requirements” from this point onward.
During a PCI DSS assessment, testing procedures are followed by qualified security assessors (QSAs) to validate whether in-scope system components, processes and people meet the intent of the requirements. This white paper examines the functionalities provided by Tripwire Enterprise, Tripwire Log Center, Tripwire IP360 and Tripwire PureCloud that can be used to assist entities in meeting a number of PCI DSS requirements.

Table 1: Summary of the total number of PCI DSS requirements covered by Tripwire products
Tripwire Enterprise: 32
Tripwire Log Center: 18
Tripwire IP360: 9
Tripwire PureCloud: 4

This report has been organized as follows: a brief description of the PCI DSS assessment process is provided in the next section. The following four sections cover overviews of Tripwire Enterprise, Tripwire Log Center, Tripwire IP360 and Tripwire PureCloud, and how these products can be used to meet PCI DSS requirements.
While Tripwire products can assist entities in complying with certain PCI DSS requirements, these products might be considered to have a security impact on the CDE and would therefore be required to comply with applicable PCI DSS requirements themselves. The last section includes technical information about these products that is useful for understanding how they meet some key PCI DSS requirements, e.g. default usernames and passwords.

[1] Account data consists of the following components:
• Cardholder data (CHD), consisting of primary account number (PAN), cardholder name, expiration date and service code
• Sensitive authentication data (SAD), consisting of full magnetic stripe data or the equivalent on a chip, CAV2/CVC2/CVV2/CID, or PINs/PIN blocks
[2] Cardholder data environment (CDE) refers to the system components (e.g. servers, applications, firewalls etc.), people and processes that store, process or transmit cardholder data or sensitive authentication data. A system component that has not been segmented from the system components within the CDE is considered part of the CDE.
[3] System components refer to servers, applications and network devices that are included in or connected to the CDE, or can impact the security of the CDE.
PCI DSS ASSESSMENT PROCESS
At the beginning of the assessment process a QSA typically defines the scope of the assessment. During this stage the QSA is required to identify all system components, processes and people that are included in or connected to the CDE, or can impact the security of the CDE. Once the scope is determined, the QSA would typically select a representative sample of the identified system components, processes and people. Then the sampled system components, processes and people would be assessed against applicable PCI DSS requirements and testing procedures. The findings of the assessment would be documented in a template called Template for Report on Compliance (ROC) for use with PCI DSS. PCI has published this template, which outlines the type of evidence, information and level of detail a QSA is expected to provide when responding to each testing procedure in the ROC.
Figure 1: Extract from Template for Report on Compliance (ROC) for use with PCI DSS V3.2
An extract from the template has been provided in Figure 1. The Reporting Instruction column (i.e. the 2nd column in Figure 1) contains the instructions for QSAs to follow when writing up the findings for a particular requirement and testing procedure. The template for the ROC is available on the PCI SSC website, and it is recommended that entities use this document to understand what type of evidence and information a QSA is likely to look for during an assessment.
PCI DSS COMPLIANCE WITH TRIPWIRE ENTERPRISE
Tripwire Enterprise provides two product components:
• File integrity monitoring (FIM), known as Tripwire Enterprise File Integrity Manager
• Compliance monitoring, known as Tripwire Enterprise Policy Manager
A FIM or similar technology is required for three requirements. Tripwire Enterprise File Integrity Manager can be used as a FIM to meet these requirements.
Tripwire Enterprise Policy Manager can be used to monitor configuration settings for operating systems and network devices, and alert system/network administrators if any monitored settings change. This feature can be useful to demonstrate to QSAs that monitored system components have been configured as per documented standards.
Figure 2: Tripwire Enterprise architecture
Tripwire Enterprise can be installed in either of the following modes:
1. A single-system installation, where the Tripwire Enterprise Console software and the Tripwire Enterprise database [4] are both installed on the same system (the Tripwire Enterprise Server)
2. A distributed installation, where the Tripwire Enterprise Console software is installed on the Tripwire Enterprise Server, and the Tripwire Enterprise database on another system
In a distributed installation, the Tripwire Enterprise database is also referred to as a remote database. A remote database server is the system on which a remote database is installed.
For some types of systems (e.g. Windows, Solaris, Oracle database) Tripwire Enterprise requires a Tripwire agent to run on the target system to collect information (e.g. system settings, hashes of files) and send the information back to the Tripwire Enterprise Server for analysis. For other systems (e.g. network devices, custom applications, HP NonStop) Tripwire Enterprise needs to be used in agentless mode. In this mode the Tripwire Enterprise Server connects to the target system using a username and password with appropriate privilege, which allows it to run commands/scripts to retrieve the information to be analyzed within the Tripwire Enterprise Server.
[4] A Tripwire Enterprise database stores all data generated by the Tripwire Enterprise Console.
TRIPWIRE ENTERPRISE FILE INTEGRITY MANAGER
The capabilities of the Tripwire Enterprise File Integrity Manager were reviewed in relation to the applicable PCI DSS requirements. Findings have been summarized in the next table under the Remarks column. The areas of the PCI DSS requirements that can be verified by implementing the Tripwire Enterprise File Integrity Manager have been highlighted in bold in the ROC Reporting Instruction column. To comply with a requirement, the items that have not been bolded also need to be met as per the ROC Reporting Details column, e.g. through interviews, documentation review etc.
Columns: PCI DSS Requirements / Testing Procedures / ROC Reporting Instruction / Remarks

Requirement 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Testing procedure 11.5.a: Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored:
• System executables
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log and audit files
• Additional critical files determined by entity (i.e., through risk assessment or other means)
ROC reporting instruction: Describe the change-detection mechanism deployed. Identify the results from monitored files reviewed to verify the use of a change-detection mechanism. Describe how the following verified the use of a change-detection mechanism:
• System settings
• Monitored files
Remarks: Tripwire Enterprise File Integrity Manager could be used to demonstrate to a QSA that a file-integrity monitoring solution is used to monitor changes to critical system files, configuration files, or content files. Tripwire Enterprise File Integrity Manager can be configured to check changes (e.g. modification, deletion) to files on a scheduled or real-time basis and send alerts if changes are detected.
Testing procedure 11.5.b: Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions and deletions) of critical files, and to perform critical file comparisons at least weekly.
ROC reporting instruction: Describe how system settings verified that the change-detection mechanism is configured to:
• Alert personnel to unauthorized modification (including changes, additions and deletions) of critical files.
• Perform critical file comparisons at least weekly.

Requirement 12.10.3: Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Testing procedure 12.10.3: Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.
ROC reporting instruction: Identify the responsible personnel interviewed who confirm 24/7 incident response and monitoring coverage for:
• Any evidence of unauthorized activity.
• Detection of unauthorized wireless access points.
• Critical IDS alerts.
• Reports of unauthorized critical system or content file changes.
Describe how it was observed that designated personnel are available for 24/7 incident response and monitoring coverage for:
• Any evidence of unauthorized activity.
• Detection of unauthorized wireless access points.
• Critical IDS alerts.
• Reports of unauthorized critical system or content file changes.
Remarks: This requirement is related to responding to alerts received from various sources, e.g. file integrity monitoring, intrusion detection or prevention. A QSA would want to see that a documented process exists to monitor and respond to alerts. The QSA would also check that the documented process is being followed. Alerts from Tripwire Enterprise File Integrity Manager can be used as evidence to detect unauthorized changes to critical system or content files.
Requirement 12.10.5: Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
Testing procedure 12.10.5: Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the Incident Response Plan.
ROC reporting instruction: Describe how processes were reviewed to verify that monitoring alerts from security monitoring systems is covered in the Incident Response Plan. Describe how processes were reviewed to verify that responding to alerts from security monitoring systems is covered in the Incident Response Plan.
Remarks: Alerts from Tripwire Enterprise File Integrity Manager can be used as one of the inputs for the incident response plan.
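To make concrete what the 11.5 testing procedures look for, the following Python is an added example written for this paper's reader; it is not Tripwire Enterprise code. It records a SHA-256 baseline of a directory, classifies a later snapshot's differences as additions, modifications or deletions, and flags a comparison cadence that has slipped past the weekly maximum. The directory layout, file contents, timestamps and the `host` label are constructed for the demonstration.

```python
"""Minimal change-detection (FIM) check modelled on PCI DSS 11.5 (added example, not
Tripwire code): record a SHA-256 baseline, classify a later snapshot's differences as
additions, modifications or deletions, and flag a comparison cadence slower than weekly."""
import hashlib
import os
import tempfile

WEEK_SECONDS = 7 * 24 * 60 * 60

def sha256_file(path):
    """Digest a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map each regular file under `root` (relative POSIX path) to its digest.
    Symlinks are skipped: hashing through a link would report a retargeted link
    as an ordinary modification of whatever it happened to point at."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Classify differences the way 11.5 enumerates them: changes, additions, deletions."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def comparison_overdue(last_check_epoch, now_epoch, max_interval=WEEK_SECONDS):
    """11.5 requires critical-file comparisons at least weekly; True once that slipped."""
    return now_epoch - last_check_epoch > max_interval

def alert_lines(diff, host):
    """One alert per changed file: the input that 12.10.3/12.10.5 responders act on."""
    return [f"FIM ALERT host={host} change={kind} path={path}"
            for kind in ("added", "modified", "deleted") for path in diff[kind]]

def demo():
    """Constructed scenario: baseline three files, then modify, add and delete one each."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"etc/app.conf": b"debug=false\n",
                "bin/app": b"\x7fELF constructed binary",
                "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in seed.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root)

        # What happens between two scheduled comparisons.
        with open(os.path.join(root, "etc", "app.conf"), "wb") as handle:
            handle.write(b"debug=true\n")                    # modification
        with open(os.path.join(root, "bin", "helper"), "wb") as handle:
            handle.write(b"undocumented new executable")    # addition
        os.remove(os.path.join(root, "etc", "hosts"))         # deletion

        diff = compare(baseline, build_baseline(root))
        alerts = alert_lines(diff, host="constructed-host")
        # Constructed timestamps: the last comparison ran 8 days before "now".
        now = 1_700_000_000
        overdue = comparison_overdue(now - 8 * 24 * 60 * 60, now)
        return diff, alerts, overdue

if __name__ == "__main__":
    diff, alerts, overdue = demo()
    print("\n".join(alerts))
    print("weekly comparison overdue:", overdue)
```

A QSA reviewing 11.5.b wants to see both halves: the alert output and the scheduling evidence that the comparison actually runs at least weekly.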
TRIPWIRE ENTERPRISE POLICY MANAGER
The Tripwire Enterprise Policy Manager contains a set of policies that can be used to monitor various configuration settings. It starts by performing a scan of the configuration settings of the monitored system components (e.g. servers, databases and network devices) to produce a baseline configuration state, the known state. Then it compares the baseline configuration settings against the settings specified in a selected Tripwire compliance policy. Tripwire Enterprise Policy Manager then generates a scorecard that shows how configurations measure up against policy. It also allows drill-down from the scorecard to specific failures, and provides remediation guidance with step-by-step instructions to get failed configurations into a compliant state.
The features of the Tripwire Enterprise Policy Manager were reviewed in relation to the applicable PCI DSS requirements. Findings have been summarized in the next table under the Remarks column. The areas of the PCI DSS requirements that can be verified by implementing the Tripwire Enterprise Policy Manager have been highlighted in bold in the ROC Reporting Instruction column. To comply with a requirement, the items that have not been bolded also need to be met as per the ROC Reporting Details column, e.g. through interviews, documentation review etc.
Columns: PCI DSS Requirements / Testing Procedures / ROC Reporting Instruction / Remarks

Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Testing procedure 2.1.b: For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.
ROC reporting instruction: For each item in the sample of system components indicated at 2.1.a, describe how all unnecessary default accounts were verified to be either:
• Removed
• Disabled
Remarks: Tripwire Enterprise Policy Manager can be configured to check if default accounts have been removed, renamed or disabled. A QSA would also check whether any default password or SNMP string is used. A QSA would typically perform this test by observing over the shoulder of an administrator whether login attempts with default passwords fail.

Requirement 2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Testing procedure 2.2.2.a: Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.
ROC reporting instruction: Identify the sample of system components selected. For each item in the sample, describe how the enabled system services, daemons, and protocols verified that only necessary services or protocols are enabled.
Remarks: Tripwire Enterprise Policy Manager can be used to take a snapshot of all the services and processes running, and ports that are in LISTEN mode. This snapshot can be used to monitor if the list has changed. As Tripwire Enterprise Policy Manager would be checking against a snapshot, alerts will be generated as soon as the list changes, e.g. if a process ends and restarts with a new process ID.
Testing procedure 2.2.2.b: Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.
ROC reporting instruction: For each item in the sample of system components from 2.2.2.a, indicate whether any insecure services, daemons, or protocols are enabled. (yes/no) If “no,” mark the remainder of 2.2.2.b and 2.2.3 as “Not Applicable.” If “yes,” identify the responsible personnel interviewed who confirm that a documented business justification was present for each insecure service, daemon, or protocol.

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Testing procedure 2.2.3.a: Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.
ROC reporting instruction: Describe how configuration settings verified that security features for all insecure services, daemons, or protocols are:
• Documented
• Implemented
Remarks (2.2.2.b and 2.2.3.a): A list of insecure services, processes and ports can be listed in a rule. If a system component is found to be running a service or process, or listening on a port, that has been listed in this rule, this would be detected by the Tripwire Enterprise Policy Manager so that appropriate action can be taken to resolve this issue. Documented business justifications must exist for all insecure services, processes and ports. Security features must be implemented to ensure insecure services, processes and ports cannot be used to compromise cardholder data or system components that store, process or transmit account data.
Requirement 2.2.4: Configure system security parameters to prevent misuse.
Testing procedure 2.2.4.c: Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how the common security parameters verified that they are set appropriately and in accordance with the configuration standards.
Remarks: Common security parameters which are documented can be specified in rules so that Tripwire Enterprise Policy Manager can be used to automatically monitor the compliance status of operating systems, databases and network devices. If a QSA can verify that Tripwire Enterprise Policy Manager has been configured to monitor common security parameters for all in-scope system components, then the QSA could use the compliance status report as evidence for this testing procedure.

Requirement 2.2.5: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Testing procedure 2.2.5.a: Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how configurations verified that all unnecessary functionality is removed.
Remarks: Rules can be created to check the functionalities enabled (e.g. web server, DNS) in an operating system against a baseline. The baseline needs to be documented.
Testing procedure 2.2.5.b: Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration.
ROC reporting instruction: Describe how the security parameters and relevant documentation verified that enabled functions are:
• Documented
• Support secure configuration
Testing procedure 2.2.5.c: Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.
ROC reporting instruction: Identify documentation examined for this testing procedure. Describe how the security parameters verified that only documented functionality is present on the sampled system components from 2.2.5.a.

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Testing procedure 2.3.a: Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.
ROC reporting instruction: Describe how the administrator log on to each system verified that a strong encryption method is invoked before the administrator’s password is requested. Describe how system configurations for each system verified that a strong encryption method is invoked before the administrator’s password is requested. Identify the strong encryption method used for non-console administrative access.
Remarks: Tripwire Enterprise Policy Manager can be used to monitor if a secure login protocol (e.g. SSH) is supported by operating systems or network devices. If SSH or Terminal Services is used, it might be possible to create rules to monitor the security settings associated with these protocols. A QSA might want to observe that passwords are entered only when a secure login protocol is used.
Testing procedure 2.3.b: Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.
ROC reporting instruction: Describe how services and parameter files on systems verified that Telnet and other insecure remote-login commands are not available for non-console access.
Remarks: Tripwire Enterprise Policy Manager can be configured to check if any insecure service (e.g. Telnet) is enabled on an operating system or network device.
Testing procedure 2.3.c: Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
ROC reporting instruction: Describe how the administrator log on to each system verified that administrator access to any web-based management interfaces was encrypted with strong cryptography. Identify the strong encryption method used for any web-based management interfaces.
Remarks: Tripwire Enterprise Policy Manager can be configured to check if a web service is running and the security settings (e.g. version, enabled cipher suites) associated with the web service.

Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.
Testing procedure 4.1.a: Identify all locations where cardholder data is transmitted or received over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.
ROC reporting instruction: Identify all locations where cardholder data is transmitted or received over open, public networks. Identify the documented standards examined. Describe how the documented standards and system configurations both verified the use of:
• Security protocols for all locations
• Strong cryptography for all locations
Remarks: A QSA needs to identify all possible methods/URLs used for transmitting account data over open, public networks. For each of the methods, Tripwire Enterprise Policy Manager can be configured to check that secure configurations are used and that insecure versions (e.g. only TLS versions without known vulnerabilities are enabled) or configurations (e.g. weak cipher suites) are not enabled.
Testing procedure 4.1.e: Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.
ROC reporting instruction: For all instances where cardholder data is transmitted or received over open, public networks, describe how system configurations verified that the protocol:
• Is implemented to use only secure configurations.
• Does not support insecure versions or configurations.
Remarks: Tripwire Enterprise Policy Manager can be configured to check if strong cipher suites, a secure version of the protocol and appropriate ciphers/key lengths have been enabled. A QSA would examine vendor recommendations/best practices for the encryption strength to be used for each transmission method.
Testing procedure 4.1.f: Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
ROC reporting instruction: For each encryption methodology in use, identify vendor recommendations/best practices for encryption strength. Identify the encryption strength observed to be implemented.
Testing procedure 4.1.g: For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.
ROC reporting instruction: Indicate whether TLS is implemented to encrypt cardholder data over open, public networks. (yes/no) If “no,” mark the remainder of 4.1.g as “not applicable.” If “yes,” for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations verified that TLS is enabled whenever cardholder data is transmitted or received.

Requirement 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Testing procedure 5.1: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
ROC reporting instruction: Identify the sample of system components (including all operating system types commonly affected by malicious software) selected for this testing procedure. For each item in the sample, describe how anti-virus software was observed to be deployed.
Remarks: A QSA would identify all operating systems (e.g. Windows) commonly affected by malicious software. Tripwire Enterprise Policy Manager can be configured to check the list of services/processes running to ensure an anti-virus service/process exists.
Requirement 7.2.1: Coverage of all system components.
Testing procedure 7.2.1: Confirm that access control systems are in place on all system components.
ROC reporting instruction: Identify vendor documentation examined. Describe how system settings and the vendor documentation verified that access control systems are in place on all system components.
Remarks: Tripwire Enterprise Policy Manager can be used to check if:
• A centralized access control system has been deployed on operating systems and network devices.
• The centralized access control system has been configured as per the policy specified in Tripwire Enterprise Compliance Policy Manager.
7.2.2Assignmentofprivilegestoindividualsbasedonjobclassificationandfunction.
7.2.2Confirmthataccesscontrolsystemsareconfiguredtoenforceprivilegesassignedtoindividualsbasedonjobclassificationandfunction.
Describehowsystemsettingsandthevendordocumentationat7.2.1verifiedthataccesscontrolsystemsareconfiguredtoenforceprivilegesassignedtoindividualsbasedonjobclassificationandfunction.
7.2.3Default“deny-all”setting.
7.2.3Confirmthattheaccesscontrolsystemshaveadefault“deny-all”setting.
Describehowsystemsettingsandthevendordocumentationat7.2.1verifiedthataccesscontrolsystemshaveadefault“deny-all”setting.
8.1.4Remove/disableinactiveuseraccountswithin90days.
8.1.4Observeuseraccountstoverifythatanyinactiveaccountsover90daysoldareeitherremovedordisabled.
Describehowuseraccountswereobservedtoverifythatanyinactiveaccountsover90daysoldareeitherremovedordisabled.
TripwireEnterprisePolicyManagercanbeconfiguredtomonitoraccountexpiry/lockoutsettingsonsupportedsystemcomponentstoensureuseraccountsinactiveformorethan90daysaredisabled/removed/locked.
8.1.6LimitrepeatedaccessattemptsbylockingouttheuserIDafternotmorethansixattempts.
8.1.6.aForasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatauthenticationparametersaresettorequirethatuseraccountsbelockedoutafternotmorethansixinvalidlogonattempts.
Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatauthenticationparametersaresettorequirethatuseraccountsbelockedafternotmorethansixinvalidlogonattempts.
TripwireEnterprisePolicyManagercanbeconfiguredtocheckaccountlockoutthresholdanddurationsettingsonsupportedsystems.
8.1.6.bAdditionalprocedureforserviceproviderassessmentsonly:Reviewinternalprocessesandcustomer/userdocumentation,andobserveimplementedprocessestoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.
Additionalprocedureforserviceproviderassessmentsonly,identifythedocumentedinternalprocessesandcustomer/userdocumentationreviewedtoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.Describehowimplementedprocesseswereobservedtoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.
Requirement 8.1.7: Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Testing procedure 8.1.7: For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Requirement 8.1.8: If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
Testing procedure 8.1.8: For a sample of system components, inspect system configuration settings to verify that system/session idle timeout features have been set to 15 minutes or less.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that system/session idle timeout features have been set to 15 minutes or less.
Remarks: Tripwire Enterprise Policy Manager can be configured to check the session idle time-out setting on supported systems. The settings related to screen lockout with password protection can also be checked with Tripwire Enterprise Policy Manager on supported operating systems (e.g. Windows).
Requirement 8.2.1: Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Testing procedure 8.2.1.a: Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage.
ROC reporting instruction: Identify the vendor documentation examined to verify that passwords are protected with strong cryptography during transmission and storage. Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that passwords are protected with strong cryptography during transmission. For each item in the sample, describe how system configuration settings verified that passwords are protected with strong cryptography during storage.
Remarks: Tripwire Enterprise Policy Manager can be configured to monitor settings for login methods (e.g. SSH, Terminal Service) and password storage (e.g. Do Not Store LAN Manager Password Hash for Windows) in operating systems and network devices.
Requirement 8.2.3.a: Passwords/passphrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Testing procedure 8.2.3.a: For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that user password/passphrase parameters are set to require at least the following strength/complexity:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
Remarks: Tripwire Enterprise Policy Manager can be configured to check password length and complexity settings on supported systems.
Testing procedure 8.2.3.b: Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
ROC reporting instruction: Additional procedure for service provider assessments only: Identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
• A minimum length of at least seven characters.
• Non-consumer customer passwords/passphrases are required to contain both numeric and alphabetic characters.
Describe how internal processes were observed to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
• A minimum length of at least seven characters.
• Non-consumer customer passwords/passphrases are required to contain both numeric and alphabetic characters.
Requirement 8.2.4: Change user passwords/passphrases at least once every 90 days.
Testing procedure 8.2.4.a: For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords/passphrases at least once every 90 days.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that user password/passphrase parameters are set to require users to change passwords/passphrases at least once every 90 days.
Remarks: Tripwire Enterprise Policy Manager can be configured to monitor the password expiry setting on supported systems.
Testing procedure 8.2.4.b: Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that:
• Non-consumer customer user passwords/passphrases are required to change periodically; and
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
ROC reporting instruction: Additional procedure for service provider assessments only: identify the documented internal processes and customer/user documentation reviewed to verify that:
• Non-consumer customer user passwords/passphrases are required to change periodically; and
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
Describe how internal processes were observed to verify that:
• Non-consumer customer user passwords/passphrases are required to change periodically; and
• Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
Requirement 8.2.5: Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
Testing procedure 8.2.5.a: For a sample of system components, obtain and inspect system configuration settings to verify that password/passphrase parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
ROC reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how system configuration settings verified that password/passphrase parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
Remarks: Tripwire Enterprise Policy Manager can be configured to check the password history setting on supported systems.
Testing procedure 8.2.5.b: Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases.
ROC reporting instruction: Additional procedure for service provider assessments only: identify the documented internal processes and customer/user documentation reviewed to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases. Describe how internal processes were observed to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases.
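The settings that requirements 8.1.6, 8.1.7, 8.2.3, 8.2.4 and 8.2.5 ask the assessor to inspect can be evaluated mechanically, which is what a policy check in a tool like the one in the Remarks does. The following is an added example, not Tripwire code: it parses the output of the Windows `net accounts` command (the sample text is constructed, and the reading of "Never" as "locked until an administrator unlocks" is an assumption about that output) and reports which requirements the observed values fail.

```python
# Added example (not Tripwire code): evaluate the account-policy settings that requirements
# 8.1.6, 8.1.7, 8.2.3 (length), 8.2.4 and 8.2.5 ask an assessor to inspect, using the output
# of the Windows "net accounts" command as the collected evidence. The text below is a
# constructed sample, not captured from a real host; it deliberately fails two checks.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          180
Minimum password length:                              7
Length of password history maintained:                4
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""


def parse_net_accounts(text):
    """Turn 'Label:   value' lines into a dict; numeric values become int, words stay str."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        settings[label.strip()] = int(value) if value.isdigit() else value
    return settings


def _num(value):
    """Return the value if it is an int, else None ('Never', 'Unlimited', 'missing')."""
    return value if isinstance(value, int) else None


# (requirement, net accounts label, predicate on the observed value, what PCI DSS expects)
CHECKS = [
    ("8.1.6", "Lockout threshold",
     lambda v: _num(v) is not None and 1 <= v <= 6,
     "lock out the user ID after not more than six invalid attempts"),
    # Assumption: a duration shown as "Never" means the account stays locked until an
    # administrator unlocks it, which 8.1.7 also accepts.
    ("8.1.7", "Lockout duration (minutes)",
     lambda v: v == "Never" or (_num(v) is not None and v >= 30),
     "remain locked for at least 30 minutes or until an administrator resets it"),
    ("8.2.3", "Minimum password length",
     lambda v: _num(v) is not None and v >= 7,
     "require a minimum length of at least seven characters"),
    ("8.2.4", "Maximum password age (days)",
     lambda v: _num(v) is not None and 1 <= v <= 90,
     "force a change at least once every 90 days ('Unlimited' fails)"),
    ("8.2.5", "Length of password history maintained",
     lambda v: _num(v) is not None and v >= 4,
     "reject any of the last four passwords"),
]


def evaluate(settings):
    """Return one (requirement, label, observed value, passed) tuple per check."""
    results = []
    for req, label, passes, _expect in CHECKS:
        observed = settings.get(label, "missing")
        results.append((req, label, observed, passes(observed)))
    return results


def failing_requirements(text):
    """Requirement numbers whose setting does not meet PCI DSS 3.2, in CHECKS order."""
    return [req for req, _label, _obs, passed in evaluate(parse_net_accounts(text))
            if not passed]


if __name__ == "__main__":
    for req, label, observed, passed in evaluate(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"{'PASS' if passed else 'FAIL'} {req:6} {label}: {observed}")
```

Note that `net accounts` does not show the numeric-plus-alphabetic complexity rule of 8.2.3 or the idle timeout of 8.1.8; those come from the password-filter and screen-saver settings and need separate checks.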
Requirement 10.2.2: All actions taken by any individual with root or administrative privileges.
Testing procedure 10.2.2: Verify all actions taken by any individual with root or administrative privileges are logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified all actions taken by any individual with root or administrative privileges are logged.
Remarks: Log settings on supported systems can be monitored with Tripwire Enterprise Policy Manager to ensure the following events are captured:
• Actions taken with privileged access, e.g. changing security settings, adding/modifying user accounts, installing applications, changing log settings, etc.
• Failed login attempts.
Requirement 10.2.4: Invalid logical access attempts.
Testing procedure 10.2.4: Verify invalid logical access attempts are logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that invalid logical access attempts are logged.
Requirement 10.2.5: Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.
Testing procedure 10.2.5.a: Verify use of identification and authentication mechanisms is logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that use of identification and authentication mechanisms is logged.
Testing procedure 10.2.5.b: Verify all elevation of privileges is logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that all elevation of privileges is logged.
Testing procedure 10.2.5.c: Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that all changes, additions, or deletions to any account with root or administrative privileges are logged.
Requirement 10.2.6: Initialization, stopping, or pausing of the audit logs.
Testing procedure 10.2.6: Verify the following are logged:
• Initialization of audit logs.
• Stopping or pausing of audit logs.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that initialization of audit logs is logged. For all items in the sample at 10.2, describe how configuration settings verified that stopping and pausing of audit logs is logged.
Requirement 10.2.7: Creation and deletion of system-level objects.
Testing procedure 10.2.7: Verify creation and deletion of system level objects are logged.
ROC reporting instruction: For all items in the sample at 10.2, describe how configuration settings verified that creation and deletion of system level objects are logged.
Requirement 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).
Testing procedure 10.4: Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
ROC reporting instruction: Identify the time synchronization technologies in use (if NTP, include version). Identify the documented time-synchronization configuration standards examined to verify that time synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2. Describe how processes were examined to verify that time synchronization technologies are:
• Implemented.
• Kept current, per the documented process.
Remarks: Tripwire Enterprise Policy Manager can be used to check the list of services/processes running to check if the time synchronization service is running and, where possible, get the version info as well. A QSA would also ask for:
• Documents that define processes to keep the time synchronization technology patched as per requirements 6.1 and 6.2, and current.
• Evidence that the documented processes are followed.
Requirement 10.4.1: Critical systems have the correct and consistent time.
Testing procedure 10.4.1.b: Observe the time-related system-parameter settings for a sample of system components to verify:
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
• Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.
• Systems receive time only from designated central time server(s).
ROC reporting instruction: Identify the sample of system components selected for 10.4.1.b-10.4.2.b. For all items in the sample, describe how the time-related system-parameter settings verified:
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
• Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.
• Systems receive time only from designated central time server(s).
Remarks: Time configuration settings can be monitored by Tripwire Enterprise Policy Manager to ensure:
• Only designated external time sources are used by internal time servers.
• Each internal system receives time only from designated internal time servers.
Requirement 10.4.2: Time data is protected.
Testing procedure 10.4.2.a: Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.
ROC reporting instruction: For all items in the sample from 10.4.1, describe how configuration settings verified that access to time data is restricted to only personnel with a business need to access time data.
Remarks: Access rights assigned to groups/users of the host system can be monitored by Tripwire Enterprise Policy Manager to ensure only authorized groups/users can make changes to time settings.
Testing procedure 10.4.2.b: Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.
ROC reporting instruction: For all items in the sample from 10.4.1, describe how configuration settings and time synchronization settings verified that any changes to time settings on critical systems are logged. For all items in the sample from 10.4.1, describe how the examined logs verified that any changes to time settings on critical systems are logged. Describe how time synchronization processes were examined to verify changes to time settings on critical systems are:
• Logged
• Monitored
• Reviewed
Remarks: Log settings of the host system can be monitored by Tripwire Enterprise Policy Manager to ensure modifications to time settings are logged.
Requirement 10.4.3: Time settings are received from industry-accepted time sources.
Testing procedure 10.4.3: Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).
ROC reporting instruction: Identify the sample of time servers selected for this testing procedure. For all items in the sample, describe how configuration settings verified either of the following:
• That the time servers receive time updates from specific, industry-accepted external sources. OR
• That time updates are encrypted with a symmetric key, and access control lists specify the IP addresses of client machines.
Remarks: Time configuration settings can be monitored by Tripwire Enterprise Policy Manager to ensure only designated external time sources are used by internal time servers.
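The conditions in 10.4.1.b and 10.4.3 (designated external sources only, peering among designated internal servers, symmetric-key authentication, and restrictions on who may query or modify the server) can be checked against an ntpd configuration file. The following is an added example, not Tripwire code; the ntp.conf text and the designated-server lists are constructed, and `trustedkey` ranges are not expanded.

```python
# Added example (not Tripwire code): a check of an ntpd configuration against the conditions
# in 10.4.1.b and 10.4.3. The configuration and the designated-server lists below are
# constructed for this example; the addresses are documentation ranges, not real servers.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp.keys
trustedkey 1
# designated external sources chosen by the organisation
server 203.0.113.10 iburst key 1
server 203.0.113.11 iburst key 1
# the other designated internal time server
peer 10.0.0.6 key 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.255.0.0 nomodify notrap
"""

DESIGNATED_EXTERNAL = {"203.0.113.10", "203.0.113.11"}
DESIGNATED_INTERNAL = {"10.0.0.5", "10.0.0.6"}


def _key_id(args):
    """Key id named by a 'key N' option, or None when the source is unauthenticated."""
    if "key" in args and args.index("key") + 1 < len(args):
        return args[args.index("key") + 1]
    return None


def check_ntp_conf(text, external=DESIGNATED_EXTERNAL, internal=DESIGNATED_INTERNAL):
    """Return a list of findings; an empty list means every checked condition holds."""
    findings = []
    keyed_sources = []          # key ids referenced by server/peer lines
    trusted_keys = set()
    has_keys_file = False
    default_restrict = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        target = args[0] if args else "?"
        if keyword in ("server", "pool"):
            if target not in external:
                findings.append(f"{keyword} {target}: not a designated external time source")
            if _key_id(args):
                keyed_sources.append(_key_id(args))
        elif keyword == "peer":
            if target not in internal:
                findings.append(f"peer {target}: not a designated internal time server")
            if _key_id(args):
                keyed_sources.append(_key_id(args))
        elif keyword == "keys":
            has_keys_file = True
        elif keyword == "trustedkey":
            trusted_keys.update(args)            # simplification: key ranges are not expanded
        elif keyword == "restrict" and target == "default":
            default_restrict = set(args[1:])
    # Access control: clients may sync but not query status, modify the server or peer with it.
    if default_restrict is None:
        findings.append("no 'restrict default' line: any host may query or modify the server")
    else:
        for flag in ("nomodify", "noquery", "nopeer"):
            if flag not in default_restrict:
                findings.append(f"'restrict default' lacks {flag}")
    # Symmetric-key authentication: every referenced key must exist and be trusted.
    if keyed_sources and not has_keys_file:
        findings.append("sources reference a key id but no 'keys' file is configured")
    for key_id in keyed_sources:
        if key_id not in trusted_keys:
            findings.append(f"key {key_id} is used by a source but not listed in 'trustedkey'")
    return findings


if __name__ == "__main__":
    for finding in check_ntp_conf(SAMPLE_NTP_CONF) or ["no findings"]:
        print(finding)
```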
PCI DSS COMPLIANCE WITH TRIPWIRE LOG CENTER
Tripwire Log Center consists of two product components:
1. Tripwire Log Center Manager (TLC Manager) is the core software for the Tripwire Log Center environment. TLC Manager collects and processes log messages from a wide variety of systems and devices.
2. Tripwire Log Center Console (TLC Console) is the software for the Tripwire Log Center graphical user interface (GUI). This can be used to configure Tripwire Log Center and to view logs and alerts.
Tripwire Log Center can be used as a central repository for storing logs from various system components within the network. It can store logs encrypted using AES-256. Logs from supported operating systems are pushed by Tripwire agents into Tripwire Log Center. Logs from agentless devices (e.g. network devices) are collected by Tripwire Log Center. Tripwire Log Center provides a user interface that can be used for management purposes (e.g. configuration, log review). Tripwire Log Center can be configured to generate alerts on events of interest. These alerts can be sent to responsible personnel via various methods such as email and syslog.
Eighteen requirements are related to storing logs in a remote or centralized location, protecting the logs from unauthorized modifications and reviewing logs at least daily to identify malicious activities. Tripwire Log Center can be configured to assist companies in meeting these requirements.
The capabilities of Tripwire Log Center were reviewed in relation to the applicable PCI DSS requirements. Findings have been summarized in the next table under the Remarks column. The areas of the PCI DSS requirements that can be verified using Tripwire Log Center have been highlighted in bold in the ROC Reporting Instruction column. To meet a requirement, the entity assessed would be expected to demonstrate to a QSA how other items in the ROC Reporting Details column for the particular requirement comply with PCI DSS.
PCI DSS Requirements | Testing Procedures | ROC Reporting Instruction | Remarks
Requirement 10.1: Implement audit trails to link all access to system components to each individual user.
Testing procedure 10.1: Verify, through observation and interviewing the system administrator, that:
• Audit trails are enabled and active for system components.
• Access to system components is linked to individual users.
ROC reporting instruction: Identify the system administrator(s) interviewed who confirm that:
• Audit trails are enabled and active for system components.
• Access to system components is linked to individual users.
Describe how audit trails were observed to verify the following:
• Audit trails are enabled and active for system components.
• Access to system components is linked to individual users.
Remarks: If audit logs are sent to Tripwire Log Center, the following requirements could be verified by the QSA during a PCI DSS assessment:
• Audit trails are enabled and active for system components.
• Access to system components is linked to individual users.
• All the events listed in requirements 10.2 and 10.4.2 are logged.
• Each log event includes the information listed in requirements 10.3.1-10.3.6.
Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:
• All individual access to cardholder data.
• All actions taken by any individual with root or administrative privileges.
• Access to all audit trails.
• Invalid logical access attempts.
• Use of and changes to identification and authentication mechanisms, including:
  o All elevation of privileges.
  o All changes, additions, or deletions to any account with root or administrative privileges.
• Initialization of audit logs.
• Stopping or pausing of audit logs.
• Creation and deletion of system level objects.
Testing procedure 10.2: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:
• All individual access to cardholder data.
• All actions taken by any individual with root or administrative privileges.
• Access to all audit trails.
• Invalid logical access attempts.
• Use of and changes to identification and authentication mechanisms, including:
  o All elevation of privileges.
  o All changes, additions, or deletions to any account with root or administrative privileges.
• Initialization of audit logs.
• Stopping or pausing of audit logs.
• Creation and deletion of system level objects.
ROC reporting instruction: Identify the responsible personnel interviewed who confirm the following from 10.2.1-10.2.7 are logged:
• All individual access to cardholder data.
• All actions taken by any individual with root or administrative privileges.
• Access to all audit trails.
• Invalid logical access attempts.
• Use of and changes to identification and authentication mechanisms, including:
  o All elevation of privileges.
  o All changes, additions, or deletions to any account with root or administrative privileges.
• Initialization of audit logs.
• Stopping or pausing of audit logs.
• Creation and deletion of system level objects.
Identify the sample of audit logs selected for 10.2.1-10.2.7.
Requirement 10.3: Record at least the following audit trail entries for all system components for each event:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
Testing procedure 10.3: Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
ROC reporting instruction: Identify the responsible personnel interviewed who confirm that for each auditable event from 10.2.1-10.2.7, the following are included in log entries:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
Identify the sample of audit logs from 10.2.1-10.2.7 observed to verify the following are included in log entries:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
Requirement 10.3.1: User identification.
Testing procedure 10.3.1: Verify user identification is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified that user identification is included in log entries.
Requirement 10.3.2: Type of event.
Testing procedure 10.3.2: Verify type of event is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified that type of event is included in log entries.
Requirement 10.3.3: Date and time.
Testing procedure 10.3.3: Verify date and time stamp is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified that date and time stamp is included in log entries.
Requirement 10.3.4: Success or failure indication.
Testing procedure 10.3.4: Verify success or failure indication is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified success or failure indication is included in log entries.
Requirement 10.3.5: Origination of event.
Testing procedure 10.3.5: Verify origination of event is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified origination of event is included in log entries.
Requirement 10.3.6: Identity or name of affected data, system component, or resource.
Testing procedure 10.3.6: Verify identity or name of affected data, system component, or resources is included in log entries.
ROC reporting instruction: For all logs in the sample at 10.3, describe how the audit logs verified the identity or name of affected data, system component, or resource is included in log entries.
Requirement 10.4.2: Time data is protected.
Testing procedure 10.4.2.b: Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.
ROC reporting instruction: For all items in the sample from 10.4.1, describe how configuration settings and time synchronization settings verified that any changes to time settings on critical systems are logged. For all items in the sample from 10.4.1, describe how the examined logs verified that any changes to time settings on critical systems are logged. Describe how time synchronization processes were examined to verify changes to time settings on critical systems are:
• Logged
• Monitored
• Reviewed
Requirement 10.5.1: Limit viewing of audit trails to those with a job-related need.
Testing procedure 10.5.1: Only individuals who have a job-related need can view audit trail files.
ROC reporting instruction: For each item in the sample at 10.5, describe how system configurations and permissions verified that only individuals who have a job-related need can view audit trail files.
Remarks: Each Tripwire Log Center user can be assigned different roles and privileges to ensure only individuals who have a documented job-related need have privileged access to the product to perform administrative tasks. Roles and privileges assigned to sampled users in Tripwire Log Center will be examined by a QSA during an assessment.
Requirement 10.5.2: Protect audit trail files from unauthorized modifications.
Testing procedure 10.5.2: Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
ROC reporting instruction: For each item in the sample at 10.5, describe how system configurations and permissions verified that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
Remarks: If Tripwire Log Center is used to store audit trails centrally from connected system components (e.g. operating systems, network devices), then the user list in Tripwire Log Center can be used to show that personnel who have access to connected systems do not have access to Tripwire Log Center. This could be used to demonstrate that audit trails are protected from unauthorized modifications via access control mechanisms. As Tripwire Log Center would usually be on a separate physical system, a QSA would be able to validate that audit trail files are protected from unauthorized modifications via physical segregation.
Requirement 10.5.3: Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
Testing procedure 10.5.3: Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
ROC reporting instruction: For each item in the sample at 10.5, describe how system configurations and permissions verified that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Remarks: Tripwire Log Center can be used to promptly back up audit trails from connected system components (e.g. operating systems, network devices). This can be demonstrated by logging into one of the connected system components and simultaneously showing in Tripwire Log Center that this event has been captured by Tripwire Log Center in real time. User access control settings implemented in Tripwire Log Center and permissions of folders (e.g. the “Data” folder) where raw audit trails are stored can be used to demonstrate that it is difficult to alter audit trails stored in Tripwire Log Center.
Requirement 10.5.4: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
Testing procedure 10.5.4: Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.
ROC reporting instruction: For each item in the sample at 10.5, describe how system configurations and permissions verified that logs for external-facing technologies are written onto a secure, centralized, internal log server or media.
Requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Testing procedure 10.5.5: Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.
ROC reporting instruction: For each item in the sample at 10.5, describe how the following verified the use of file-integrity monitoring or change-detection software on logs:
• System settings
• Monitored files
• Results from monitoring activities
Identify the file-integrity monitoring (FIM) or change-detection software verified to be in use.
Remarks: When Tripwire Log Center receives a log message from a log collector, it first places the message in an internal cache. When the log messages in the cache exceed specified time and size thresholds, Tripwire Log Center flushes the cache contents into a compressed file and calculates a SHA-256 hash of the file. Tripwire Log Center can be configured to alert when a compressed log file checksum is altered.
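The flush-then-hash mechanism in the remark above is what lets 10.5.5 be met without alerting on new data: each flushed chunk is immutable once written, so its checksum is a stable baseline, while chunks written later simply have no baseline yet. The following is an added example, not Tripwire code, modelling that mechanism with a size threshold only; class and file names are the example's own, and the log lines are constructed.

```python
import gzip
import hashlib
import os
import tempfile

# Added example (not Tripwire code): a minimal model of the 10.5.5 mechanism. Incoming log
# messages are buffered, flushed to a compressed file once the buffer is full, and each file's
# SHA-256 is recorded in a manifest that a later integrity check compares against disk.
# LogStore, verify and the chunk file names are this example's own, not product identifiers.


def sha256_of(path):
    """SHA-256 of a file, read in blocks so large log chunks do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


class LogStore:
    def __init__(self, directory, max_buffer=2):
        self.directory = directory
        self.max_buffer = max_buffer   # size threshold; a time threshold is omitted for brevity
        self.buffer = []
        self.seq = 0
        self.manifest = {}             # file name -> SHA-256 recorded at flush time

    def receive(self, message):
        self.buffer.append(message)
        if len(self.buffer) >= self.max_buffer:
            self.flush()

    def flush(self):
        """Write buffered messages to a new gzip file and record its checksum."""
        if not self.buffer:
            return None
        name = f"chunk-{self.seq:06d}.log.gz"
        path = os.path.join(self.directory, name)
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(self.buffer) + "\n")
        self.manifest[name] = sha256_of(path)
        self.buffer, self.seq = [], self.seq + 1
        return name


def verify(directory, manifest):
    """Compare the directory against a baseline manifest.

    Returns (altered, missing, new): files whose checksum changed, files that disappeared,
    and files present on disk but not in the baseline. Only the first two are alert-worthy;
    new chunks are expected as log data keeps arriving (the parenthetical in 10.5.5)."""
    altered, missing = [], []
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            missing.append(name)
        elif sha256_of(path) != expected:
            altered.append(name)
    on_disk = {n for n in os.listdir(directory) if n.endswith(".log.gz")}
    return sorted(altered), sorted(missing), sorted(on_disk - set(manifest))


def demo():
    """Constructed scenario: two chunks flushed, chunk 0 tampered with, a third chunk added later."""
    with tempfile.TemporaryDirectory() as directory:
        store = LogStore(directory)
        for msg in ("host1 sshd: Accepted password for alice",
                    "host1 sudo: alice : COMMAND=/usr/bin/passwd root",
                    "host2 sshd: Failed password for root",
                    "host2 sshd: Failed password for root"):
            store.receive(msg)                       # flushes chunk-000000 and chunk-000001
        baseline = dict(store.manifest)
        clean = verify(directory, baseline)          # nothing altered, missing or new yet
        # Simulated tampering: chunk 0 is rewritten with the privilege-change line removed.
        with gzip.open(os.path.join(directory, "chunk-000000.log.gz"), "wt", encoding="utf-8") as fh:
            fh.write("host1 sshd: Accepted password for alice\n")
        # Legitimate new data arrives after the baseline was taken.
        store.receive("host3 cron: session opened for root")
        store.flush()
        return clean, verify(directory, baseline)


if __name__ == "__main__":
    print(demo())
```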
Requirement 10.6.1: Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Testing procedure 10.6.1.a: Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
ROC reporting instruction: Identify the documented security policies and procedures examined to verify that procedures define reviewing the following at least daily, either manually or via log tools:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions.
Describe the manual or log tools used for daily review of logs.
Remarks: Tripwire Log Center might be capturing audit logs from tens or hundreds of system components (e.g. operating systems, network devices). Manually going through these logs daily might be inefficient and impractical. Unusual/abnormal activities need to be reviewed on a daily basis. To assist with this process, rules can be created in Tripwire Log Center to filter out logs containing abnormal activities, e.g. a privileged user logging into a system component outside normal business hours.
Testing procedure 10.6.1.b: Observe processes and interview personnel to verify that the following are reviewed at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
ROC reporting instruction: Identify the responsible personnel interviewed who confirm that the following are reviewed at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions.
Describe how processes were observed to verify that the following are reviewed at least daily:
• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions.
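The remark for 10.6.1 gives one rule that makes a daily review tractable: surface successful logins by privileged accounts outside normal business hours. The following is an added example, not Tripwire code, of that rule run over constructed log lines; the line format (ISO timestamp, host, OpenSSH-style message), the business-hours window and the privileged-user list are all assumptions of the example.

```python
import re
from datetime import datetime, time

# Added example (not Tripwire code): one "abnormal activity" rule of the kind the remark for
# 10.6.1 describes, run over constructed log lines. The line format and the privileged-user
# list are assumptions for this example, not Tripwire Log Center output or configuration.
SAMPLE_LOGS = """\
2024-03-04T09:15:02 host1 sshd[1201]: Accepted publickey for alice from 10.0.1.5 port 51022
2024-03-04T23:41:17 host1 sshd[1340]: Accepted password for root from 10.0.9.9 port 40110
2024-03-05T03:02:44 host2 sshd[2210]: Accepted publickey for dbadmin from 10.0.1.7 port 51100
2024-03-05T10:20:00 host2 sshd[2290]: Accepted publickey for dbadmin from 10.0.1.7 port 51101
2024-03-05T22:10:31 host3 sshd[3015]: Failed password for root from 10.0.9.9 port 40200
2024-03-09T11:00:05 host1 sshd[4100]: Accepted publickey for dbadmin from 10.0.1.7 port 51200
"""

# Only successful logins match; "Failed password" lines belong to a different rule (10.2.4).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)

PRIVILEGED_USERS = {"root", "dbadmin"}          # maintained by the organisation (assumption)
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # Monday to Friday, local time (assumption)


def outside_business_hours(when):
    """True on weekends or outside the 08:00-18:00 window."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.time() < end)


def privileged_logins_after_hours(log_text, privileged=PRIVILEGED_USERS):
    """Return the successful logins by privileged users that fall outside business hours."""
    hits = []
    for line in log_text.splitlines():
        match = LOGIN_RE.match(line)
        if not match or match["user"] not in privileged:
            continue                                # not a successful login, or not privileged
        when = datetime.fromisoformat(match["ts"])
        if outside_business_hours(when):
            hits.append({"time": match["ts"], "host": match["host"],
                         "user": match["user"], "src": match["src"]})
    return hits


if __name__ == "__main__":
    for hit in privileged_logins_after_hours(SAMPLE_LOGS):
        print(f"REVIEW: {hit['user']} logged into {hit['host']} from {hit['src']} at {hit['time']}")
```

With the constructed lines the rule surfaces three events for review (a late-night root login, an early-morning and a Saturday dbadmin login) and ignores the in-hours logins and the failed attempt.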
Requirement 10.6.2: Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
Testing procedure 10.6.2.a: Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically (either manually or via log tools) based on the organization’s policies and risk management strategy.
ROC reporting instruction: Identify the documented security policies and procedures examined to verify that procedures define reviewing logs of all other system components periodically (either manually or via log tools) based on the organization’s policies and risk management strategy. Describe the manual or log tools defined for periodic review of logs of all other system components.
Remarks: This requirement applies to lower-risk system components that are in scope but do not require daily log reviews as per requirement 10.6.1, e.g. workstations which do not handle CHD but can impact the security of the CDE. Logs from these types of system components can also be sent to Tripwire Log Center and reviewed and monitored through Tripwire Log Center as per the organization’s policies and risk management strategy.
Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Testing procedure 10.7.b: Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.
ROC reporting instruction: Identify the responsible personnel interviewed who confirm that audit logs are retained for at least one year. Describe how the audit logs verified that audit logs are retained for at least one year.
Remarks: Tripwire Log Center stores raw logs in flat files. The usual name of the folder is “Data.” Date and time stamps of the flat files can be used to demonstrate how long the audit trail logs are stored. The Tripwire Log Center GUI can be used to show logs from flat files in a readable format. This feature can be used to query and show logs from the last three months.
Testing procedure 10.7.c: Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.
ROC reporting instruction: Identify the responsible personnel interviewed who confirm that at least the last three months’ logs are immediately available for analysis. Describe how processes were observed to verify that at least the last three months’ logs are immediately available for analysis.
PCI DSS COMPLIANCE WITH TRIPWIRE IP360
Tripwire IP360 is a vulnerability management system which can be used by organizations to scan various operating systems, network devices and web applications and to assign a risk ranking to each identified vulnerability.
The solution consists of the following two key product components:
1. VnE Manager: VnE Manager is a hardened appliance that serves as the central data repository and management platform, and can be physical hardware or virtualized.
2. Device Profiler (DP): DP is a hardened, diskless appliance that scans operating systems, network devices and web applications and reports its findings to the VnE Manager.
The Tripwire Vulnerability and Exposure Research Team (Tripwire VERT) is dedicated to researching this area and is responsible for providing timely and up-to-date vulnerability discovery signatures to the Tripwire IP360 solution. VnE Manager can be configured to connect to Tripwire over the Internet to receive the latest signatures automatically. If VnE Manager is not connected to the Internet, then the latest signatures need to be downloaded from the Tripwire website using a customer account as a file referred to as the ASPL (Advanced Security Profiling Language) update.
Tripwire IP360 was reviewed in relation to the applicable PCI DSS requirements. Findings have been summarized in the next table under the Remarks column. The areas of the PCI DSS requirements that can be verified using Tripwire IP360 have been highlighted in bold in the ROC Reporting Instruction column. To meet a requirement, the entity assessed would be expected to demonstrate to a QSA how other items in the ROC Reporting Details column for the particular requirement comply with PCI DSS.
24 PCI DSS 3.2 Compliance with Tripwire Solutions - A UL/Tripwire White Paper
Columns of the original table: PCI DSS Requirements | Testing Procedures | ROC Reporting Details | Remarks.

Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Testing procedure 2.1.b: For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.
ROC reporting details: For each item in the sample of system components indicated at 2.1.a, describe how all unnecessary default accounts were verified to be either:
• Removed
• Disabled
Remarks: Tripwire IP360 can be used to scan supported platforms to identify whether vendor-supplied default usernames and passwords are still in use.

Requirement 2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Testing procedure 2.2.2.a: Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.
ROC reporting details: Identify the sample of system components selected. For each item in the sample, describe how the enabled system services, daemons, and protocols verified that only necessary services or protocols are enabled.
Remarks: As part of normal scanning, Tripwire IP360 identifies all services listening on ports. This information can be used for the following purposes:
• Compare with the list of documented services/protocols to ensure only necessary services/protocols are enabled
• Identify insecure services/protocols (e.g. FTP, Telnet)
• Identify whether SSL and early TLS are used
Testing procedure 2.2.2.b: Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.
ROC reporting details: For each item in the sample of system components from 2.2.2.a, indicate whether any insecure services, daemons, or protocols are enabled. (yes/no) If "no," mark the remainder of 2.2.2.b and 2.2.3 as "Not Applicable." If "yes," identify the responsible personnel interviewed who confirm that a documented business justification was present for each insecure service, daemon, or protocol.

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Testing procedure 2.2.3.b: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS.
ROC reporting details: Indicate whether SSL/early TLS is used. (yes/no) If "no," mark the remainder of 2.2.3.b as "not applicable." If "yes," provide the name of the assessor who attests that the testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS were performed.

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Testing procedure 2.3.b: Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.
ROC reporting details: Describe how services and parameter files on systems verified that Telnet and other insecure remote-login commands are not available for non-console access.
Testing procedure 2.3.c: Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
ROC reporting details: Describe how the administrator logon to each system verified that administrator access to any web-based management interfaces was encrypted with strong cryptography. Identify the strong encryption method used for any web-based management interfaces.

Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.
Testing procedure 4.1.a: Identify all locations where cardholder data is transmitted or received over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.
ROC reporting details: Identify all locations where cardholder data is transmitted or received over open, public networks. Identify the documented standards examined. Describe how the documented standards and system configurations both verified the use of:
• Security protocols for all locations
• Strong cryptography for all locations
Testing procedure 4.1.e: Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.
ROC reporting details: For all instances where cardholder data is transmitted or received over open, public networks, describe how system configurations verified that the protocol:
• Is implemented to use only secure configurations.
• Does not support insecure versions or configurations.
Testing procedure 4.1.g: For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.
ROC reporting details: Indicate whether TLS is implemented to encrypt cardholder data over open, public networks. (yes/no) If "no," mark the remainder of 4.1.g as "not applicable." If "yes," for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations verified that TLS is enabled whenever cardholder data is transmitted or received.
Requirement 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
Testing procedure 6.1.b: Interview responsible personnel and observe processes to verify that:
• New security vulnerabilities are identified.
• A risk ranking is assigned to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities.
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
ROC reporting details: Identify the responsible personnel interviewed who confirm that:
• New security vulnerabilities are identified.
• A risk ranking is assigned to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities.
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Describe the processes observed to verify that:
• New security vulnerabilities are identified.
• A risk ranking is assigned to vulnerabilities to include identification of all "high" risk and "critical" vulnerabilities.
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Identify the outside sources used.
Remarks: Tripwire IP360 can be used to identify vulnerabilities within the internal network. Information on how Tripwire IP360 scores vulnerabilities can be found at http://www.tripwire.com/register/tripwire-vulnerability-scoring-system/. The entity undergoing PCI DSS assessment can use the score provided by Tripwire IP360 as one of the inputs for evaluating and assigning a risk rating (e.g. "Critical", "High", "Medium", "Low") to a new vulnerability as it is published. Note: to fully meet the intent of this requirement, entities need to subscribe to reputable outside sources (e.g. US-CERT) so that security vulnerabilities are identified in a timely manner for all types of in-scope systems.
Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Testing procedure 6.6: For public-facing web applications, ensure that either one of the following methods is in place as follows:
• Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed, using either manual or automated vulnerability security assessment tools or methods, as follows:
o At least annually.
o After any changes.
o By an organization that specializes in application security.
o That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
o That all vulnerabilities are corrected.
o That the application is re-evaluated after the corrections.
• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:
o Is situated in front of public-facing web applications to detect and prevent web-based attacks.
o Is actively running and up-to-date as applicable.
o Is generating audit logs.
o Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
ROC reporting details: For each public-facing web application, identify which of the two methods are implemented:
• Web application vulnerability security assessments, AND/OR
• Automated technical solution that detects and prevents web-based attacks, such as web application firewalls.
If application vulnerability security assessments are indicated above: Describe the tools and/or methods used (manual or automated, or a combination of both). Identify the documented processes that were examined to verify that public-facing web applications are reviewed using the tools and/or methods indicated above, as follows:
• At least annually.
• After any changes.
• By an organization that specializes in application security.
• That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
• That all vulnerabilities are corrected.
• That the application is re-evaluated after the corrections.
Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed as listed above (the same six points). Identify the records of application vulnerability security assessments examined for this testing procedure. Describe how those records verified that public-facing web applications are reviewed as listed above (the same six points).
Remarks: Tripwire IP360 includes options to scan web applications. This feature can be used to demonstrate that an automated web application vulnerability security assessment tool is used to identify vulnerabilities in public-facing web applications. Tripwire PureCloud, based on Tripwire IP360, provides coverage for nine of the OWASP Top 10 categories at the time of this paper.

Requirement 11.2.1: Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high-risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
Testing procedure 11.2.1.a: Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.
ROC reporting details: Identify the internal vulnerability scan reports and supporting documentation reviewed. Provide the name of the assessor who attests that four quarterly internal scans were verified to have occurred in the most recent 12-month period.
Remarks: Tripwire IP360 can be used to identify vulnerabilities of supported operating systems, network devices and web applications in the internal network. It provides CVSS scores, and prioritizes and ranks vulnerabilities. These results can be used to identify "high-risk" vulnerabilities and to rescan until passing results are obtained.
Testing procedure 11.2.1.b: Review the scan reports and verify that all "high-risk" vulnerabilities are addressed and the scan process includes rescans to verify that the "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
ROC reporting details: Identify the documented process for quarterly internal scanning to verify the process defines performing rescans as part of the quarterly internal scan process. For each of the four internal quarterly scans indicated at 11.2.1.a, indicate whether a rescan was required. (yes/no) If "yes," describe how rescans were verified to be performed until all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
Requirement 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
Testing procedure 11.2.3.b: Review scan reports and verify that the scan process includes rescans until:
• For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
• For internal scans, all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
ROC reporting details: For all scans reviewed in 11.2.3.a, indicate whether a rescan was required. (yes/no) If "yes," for external scans, describe how rescans were performed until no vulnerabilities with a CVSS score greater than 4.0 exist. If "yes," for internal scans, describe how rescans were performed until either passing results were obtained or all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 were resolved.
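The remarks for 2.2.2, 2.2.3, 2.3 and 4.1 in the table above all reduce to one check: take the scanner's inventory of listening services and compare it with the entity's documented configuration standard, flagging anything undocumented (2.2.2.a), any insecure service such as Telnet or FTP (2.2.2.b, 2.3.b) and any SSL/early TLS offering (4.1.e, Appendix A2). The script below is an added example, not Tripwire IP360 code or output: the CSV layout (host, port, service, detail) stands in for whatever export the scanner produces, and the hosts, ports, banners and the documented standard are constructed for the example.

```python
"""Added example (not Tripwire code): triage a listening-services inventory
against a documented configuration standard, as the 2.2.2, 2.2.3, 2.3 and
4.1 remarks describe. The CSV layout (host,port,service,detail) is an
assumption standing in for the scanner's export; the hosts, ports,
banners and the documented standard below are constructed.
"""
import csv
import io

# Services PCI DSS treats as insecure for remote login or data transfer,
# keyed by the scanner's service name, with the testing procedure they hit.
INSECURE_SERVICES = {"telnet": "2.3.b", "rsh": "2.3.b", "rlogin": "2.3.b",
                     "ftp": "2.2.2.b", "tftp": "2.2.2.b"}

# Protocol versions that count as SSL/early TLS (Appendix A2, 4.1.e).
EARLY_TLS = ("sslv2", "sslv3", "tlsv1.0", "tlsv1.1")

# Constructed scan export.
SAMPLE_SCAN = """host,port,service,detail
10.1.5.20,22,ssh,OpenSSH 7.4
10.1.5.20,443,https,TLSv1.2
10.1.5.20,23,telnet,
10.1.5.21,443,https,TLSv1.0 SSLv3
10.1.5.21,21,ftp,vsftpd 3.0.2
10.1.5.22,3389,rdp,TLSv1.2
"""

# Constructed documented standard: ports each in-scope host may expose.
DOCUMENTED = {
    "10.1.5.20": {22, 443},
    "10.1.5.21": {443},
    "10.1.5.22": {3389},
}


def triage(scan_csv, documented):
    """Return (host, port, requirement, finding) tuples for every listener
    that is undocumented, insecure, or offers SSL/early TLS."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        host, port = row["host"], int(row["port"])
        service = row["service"].lower()
        detail = row["detail"].lower()
        if port not in documented.get(host, set()):
            findings.append((host, port, "2.2.2.a",
                             "service %s not in documented standard" % service))
        if service in INSECURE_SERVICES:
            findings.append((host, port, INSECURE_SERVICES[service],
                             "insecure service %s enabled" % service))
        weak = [v for v in EARLY_TLS if v in detail]
        if weak:
            findings.append((host, port, "4.1.e / A2",
                             "SSL/early TLS offered: " + ", ".join(weak)))
    return findings


def summarize(findings):
    """Count findings per requirement, the figure a QSA asks for first."""
    counts = {}
    for _host, _port, requirement, _text in findings:
        counts[requirement] = counts.get(requirement, 0) + 1
    return counts


if __name__ == "__main__":
    for host, port, requirement, text in triage(SAMPLE_SCAN, DOCUMENTED):
        print("%-10s %5d  %-11s %s" % (host, port, requirement, text))
    print(summarize(triage(SAMPLE_SCAN, DOCUMENTED)))
```

A listener can produce more than one finding (the Telnet daemon on 10.1.5.20 is both undocumented and insecure), which is deliberate: 2.2.2.a and 2.3.b are answered separately in the ROC, and removing the service closes both. A host that is missing from the documented standard altogether has every listener flagged, which is the correct failure mode for an inventory gap.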
PCI DSS COMPLIANCE WITH TRIPWIRE PURECLOUD

Tripwire PureCloud is Tripwire's hosted vulnerability management solution, based on Tripwire's IP360 vulnerability management product.

Tripwire PureCloud for PCI (ASV: Approved Scanning Vendor) uses the same software as Tripwire IP360, running in Tripwire's hosted environment, to implement this solution. Each customer is given unique credentials to log in to the Tripwire PureCloud web portal, from which they can perform the following types of vulnerability scans:

1. Perimeter: an agentless vulnerability scan of Internet-facing systems, including web-based applications.
2. Internal: customers download the Tripwire PureCloud Enterprise software for use as their internal scanning tool and run it from an internal host to scan internal systems. This would typically run on a physical or virtualized Windows server.
3. Tripwire PureCloud for PCI: this service is similar to the perimeter scan. As part of this service customers are able to download scan reports in the PCI DSS and PCI ASV formats and take advantage of automatic quarterly submissions, as the PCI DSS standard requires, to their verifying institution. Tripwire PureCloud and PureCloud for PCI use Tripwire IP360 as the underlying software, which is listed on the PCI SSC website as an ASV.

The perimeter scan and PCI ASV services of Tripwire PureCloud were reviewed in relation to the applicable PCI DSS requirements. The areas of each requirement that can be verified using these services were highlighted in bold in the ROC Reporting Instruction column of the original paper (bold is not reproduced here). To meet a requirement, the assessed entity would be expected to demonstrate to a QSA how the other items in the ROC Reporting Details column for that requirement comply with PCI DSS.
Columns of the original table: PCI DSS Requirements | Testing Procedures | ROC Reporting Details | Remarks.

Requirement 4.1 and testing procedures 4.1.a, 4.1.e and 4.1.g, with their ROC reporting details, are the same as in the Tripwire IP360 table above and are not repeated here.
Remarks: Tripwire PureCloud uses the Tripwire IP360 scanning and assessment solution to check external IP addresses for PCI DSS compliance purposes. The scan can be used to identify whether any insecure service or protocol (e.g. Telnet, SSL v3.0) is in use on the externally facing interfaces.
Requirement 6.6, its testing procedure and the ROC reporting details are the same as in the Tripwire IP360 table above and are not repeated here.
Remarks: "Web Application Scan" under "Scan Settings" of the Tripwire PureCloud perimeter scan service includes options to scan web applications. This feature can be used to demonstrate that an automated web application vulnerability security assessment tool is used to identify vulnerabilities in public-facing web applications. Tripwire PureCloud, based on Tripwire IP360, provides coverage for nine of the OWASP Top 10 categories at the time of this paper.
Requirement 11.2.2: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Testing procedure 11.2.2.a: Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
ROC reporting details: Identify the external network vulnerability scan reports and supporting documentation reviewed. Provide the name of the assessor who attests that four quarterly external vulnerability scans were verified to have occurred in the most recent 12-month period.
Remarks: Tripwire PureCloud uses the Tripwire IP360 scan solution to scan external IP addresses for PCI DSS compliance purposes. It generates the following reports as per the PCI SSC ASV Program Guide:
• ASV Scan Report Attestation of Scan Compliance
• ASV Scan Report Executive Summary
• ASV Scan Report Vulnerability Details
These reports can be used during the PCI DSS assessment to demonstrate compliance with this requirement.
Testing procedure 11.2.2.b: Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, no automatic failures).
ROC reporting details: Provide the name of the assessor who attests that the results of each quarterly scan were reviewed and verified that the ASV Program Guide requirements for a passing scan have been met. For each of the four external quarterly scans indicated at 11.2.2.a, indicate whether a rescan was necessary. (yes/no) If "yes," describe how the results of the rescan verified that the ASV Program Guide requirements for a passing scan have been met.
Testing procedure 11.2.2.c: Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).
ROC reporting details: Provide the name of the assessor who attests that the external scan reports were reviewed and verified to have been completed by a PCI SSC-Approved Scanning Vendor (ASV).

Requirement 11.2.3 and testing procedure 11.2.3.b, with their ROC reporting details, are the same as in the Tripwire IP360 table above; no PureCloud-specific remarks are given.
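Requirement 6.1 (IP360 table) leaves the risk ranking to the entity, with the scanner's CVSS score as one input, and 11.2.1, 11.2.2 and 11.2.3 then define two different stopping conditions for rescans: internally, no unresolved vulnerability the entity ranks "high" or "critical"; externally, the ASV Program Guide rule of no unresolved vulnerability with a CVSS score of 4.0 or higher and no automatic failure (the ASV rule is applied as "4.0 or higher", the wording of the testing procedures, rather than the "greater than 4.0" that appears in one ROC reporting line above). The script below is an added example, not Tripwire code or Tripwire's scoring system: the ranking policy (CVSS v3 qualitative bands, raised one level for assets in the CDE or with a public exploit) is an illustrative policy an entity would have to define and document for itself, and the findings are constructed.

```python
"""Added example (not Tripwire code): an entity-defined risk ranking that
takes a scanner's CVSS base score as one input (Requirement 6.1), and the
pass criteria that rescans under 11.2.1 / 11.2.2 / 11.2.3 are repeated
against. The ranking policy is illustrative, not Tripwire's scoring
system; the findings below are constructed.
"""

LEVELS = ["low", "medium", "high", "critical"]


def cvss_band(base_score):
    """CVSS v3 qualitative severity bands."""
    if base_score >= 9.0:
        return "critical"
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    return "low"


def rank(finding):
    """Entity ranking for 6.1 (assumed policy): start from the CVSS band and
    raise it one level when the asset is in the CDE or a public exploit
    exists, so a medium on a CDE host is tracked as a high."""
    level = LEVELS.index(cvss_band(finding["cvss"]))
    if finding.get("in_cde") or finding.get("exploit_public"):
        level = min(level + 1, len(LEVELS) - 1)
    return LEVELS[level]


def evaluate(findings, scope):
    """scope is 'internal' or 'external'. Returns the entity ranking of
    each finding, the unresolved findings that block a passing result, and
    the verdict the rescan loop stops on.

    internal: blocked by anything the entity ranks high or critical
              (11.2.1.b, 11.2.3.b).
    external: blocked by any CVSS >= 4.0 or ASV automatic failure,
              regardless of the entity's own ranking (11.2.2.b, 11.2.3.b).
    """
    if scope not in ("internal", "external"):
        raise ValueError("scope must be 'internal' or 'external'")
    ranking = {f["id"]: rank(f) for f in findings}
    blockers = []
    for f in findings:
        if f.get("resolved"):
            continue
        if scope == "internal":
            blocks = ranking[f["id"]] in ("high", "critical")
        else:
            blocks = f["cvss"] >= 4.0 or bool(f.get("automatic_failure"))
        if blocks:
            blockers.append(f["id"])
    return {"ranking": ranking, "blockers": blockers, "passes": not blockers}


# Constructed findings for one internal and one external scan.
INTERNAL_FINDINGS = [
    {"id": "vuln-1", "host": "10.1.5.20", "cvss": 5.3, "in_cde": True},
    {"id": "vuln-2", "host": "10.1.5.22", "cvss": 5.3},
    {"id": "vuln-3", "host": "10.1.5.21", "cvss": 9.8, "resolved": True},
    {"id": "vuln-4", "host": "10.1.5.21", "cvss": 3.1, "exploit_public": True},
]
EXTERNAL_FINDINGS = [
    {"id": "ext-1", "host": "203.0.113.10", "cvss": 4.3},
    {"id": "ext-2", "host": "203.0.113.10", "cvss": 2.6, "automatic_failure": True},
    {"id": "ext-3", "host": "203.0.113.11", "cvss": 7.5, "resolved": True},
]

if __name__ == "__main__":
    for scope, findings in (("internal", INTERNAL_FINDINGS),
                            ("external", EXTERNAL_FINDINGS)):
        result = evaluate(findings, scope)
        print(scope, "passes" if result["passes"] else "FAILS",
              "blockers:", result["blockers"], "ranking:", result["ranking"])
```

Two points the sample makes: vuln-1 is a CVSS 5.3 "medium" by the scanner's number but blocks the internal scan because the entity's policy promotes findings on CDE hosts, and ext-2 blocks the external scan at CVSS 2.6 because the ASV automatic-failure rule does not consult the entity's ranking at all. Keeping the two rule sets in separate branches rather than a single threshold is what keeps the report honest when the same host appears in both scans.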
TECHNICAL INFORMATION ABOUT TRIPWIRE PRODUCTS TO COMPLY WITH PCI DSS

While a Tripwire product can assist an entity in meeting certain PCI DSS requirements (discussed in the previous sections), the product itself may be subject to a number of PCI DSS requirements. This is the case if the Tripwire product is found to be able to affect the security of systems in the CDE. For example, a malicious individual who compromised the Tripwire Enterprise Policy Manager could run privileged commands through it on the target systems in the CDE to gain unauthorized access.

The following table provides technical information about Tripwire Enterprise, Tripwire Log Center and Tripwire IP360 against some PCI DSS requirements, as a guide to how these products can comply with them. During a PCI DSS assessment, the requirements that apply to a Tripwire product are determined by the assessor (e.g. QSA), depending on how the product has been implemented and to what extent it can affect the security of systems in the CDE.
Columns of the original table: PCI DSS Requirements | Tripwire Enterprise (TE) | Tripwire Log Center (TLC) | Tripwire IP360.

Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.

Tripwire Enterprise (TE)
GUI
• A default password is provided with the system, and is required to be changed upon first login.
• The default username cannot be removed or locked, but can be changed.
CLI
• Username and password are the same as for the GUI.
• CLI access is available once the user has logged in to the operating system where Tripwire Enterprise is installed.
• CLI access cannot be used to make configuration changes in Tripwire Enterprise the way the GUI can.

Tripwire Log Center (TLC)
GUI
• A default username is provided with the system, and it is recommended that it be changed upon installation.
• There is no default password: a password must be specified at the time of install. The default username can be changed or disabled.
CLI
• No CLI access is available.

Tripwire IP360
GUI for VnE Manager
• A default password is provided with the system, and it is recommended that it be changed upon installation.
• The default username can be changed or disabled.
CLI for VnE Manager
• Username and password are different from the GUI.
• A default password is provided with the system, and it is recommended that it be changed upon installation.
• The default username cannot be changed or disabled.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• Same as CLI for VnE Manager.

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.

Tripwire Enterprise (TE)
GUI
• Tripwire Enterprise uses a customized Apache Tomcat server.
• The "server.properties" file under "<te_root>/server/data/config/" needs to be modified to support only strong ciphers.
CLI
• As interactive access to the CLI is obtained by logging in to the host operating system, the host operating system would need to comply with this requirement.

Tripwire Log Center (TLC)
GUI
• TLS v1.2 is used for communications between the TLC Manager and the TLC Console. Tripwire Log Center does not specify which ciphers are used in these communications; it relies on the .NET framework, which in turn follows the Windows policies.
CLI
• No CLI access is available.

Tripwire IP360
GUI for VnE Manager
• Can be configured to FIPS 140-2 mode to support only TLS on the server side.
CLI for VnE Manager
• SSH access is enabled, but is disabled by Tripwire personnel as part of the installation. Once this is done, the user needs to be physically present at the device to log in via the device console.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• CLI access is required for the initial install and to deploy the authentication key (a shared key between the VnE Manager and the DP) used to communicate with the VnE Manager.
• SSH access: same as CLI for VnE Manager.
Requirement 7.2: Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following:
7.2.1 Coverage of all system components.
7.2.2 Assignment of privileges to individuals based on job classification and function.
7.2.3 Default "deny-all" setting.

Tripwire Enterprise (TE)
GUI
• Users (except the local administrator account) can be authenticated against a centralized authentication server, e.g. Microsoft Active Directory.
• Users need to be assigned groups, which are maintained within Tripwire Enterprise.
CLI
• Same as GUI.

Tripwire Log Center (TLC)
GUI
• Users (except the local administrator account) can be authenticated against a centralized authentication server, e.g. Microsoft Active Directory.
• Users need to be assigned groups, which are maintained within Tripwire Log Center.
CLI
• No CLI access is available.

Tripwire IP360
GUI for VnE Manager
• Users (except the local administrator account) can be authenticated against a centralized authentication server, e.g. Microsoft Active Directory.
• Users need to be assigned groups, which are maintained within Tripwire IP360.
CLI for VnE Manager
• SSH access is enabled, but is disabled by Tripwire personnel as part of the installation. Once this is done, the user needs to be physically present at the device to log in via the device console.
• CLI access cannot be used to run scans or change scan profile settings.
• CLI access cannot be integrated with a centralized authentication server, e.g. Microsoft Active Directory.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• Same as CLI for VnE Manager.

Requirement 8.1.1: Assign all users a unique ID before allowing them to access system components or cardholder data.

Tripwire Enterprise (TE)
GUI
• Tripwire Enterprise requires unique user IDs to be assigned if multiple user accounts are used to access the product.
CLI
• Same as GUI.

Tripwire Log Center (TLC)
GUI
• Tripwire Log Center requires unique user IDs to be assigned if multiple user accounts are used to access the product.
CLI
• No CLI access is available.

Tripwire IP360
GUI for VnE Manager
• Tripwire IP360 requires unique user IDs to be assigned if multiple user accounts are used to access the VnE Manager.
CLI for VnE Manager
• Additional user accounts cannot be created.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• Same as CLI for VnE Manager.
Requirement 8.2.1: Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

Tripwire Enterprise (TE)
GUI
• Storage: passwords for TE Console local accounts are hashed using PBKDF2 with HMAC-SHA256. A random salt is generated each time a password is hashed and stored.
• Transmission: refer to the comments under requirement 2.3.
CLI
• Same as GUI.
Credentials to access monitored systems
• A valid username and password with privileged access may be needed to access system components where Tripwire agents cannot be installed.
• The password is stored encrypted within Tripwire Enterprise using 256-bit AES.

Tripwire Log Center (TLC)
GUI
• Storage: a 256-bit AES key is used to store passwords for TLC Console local accounts.
• Transmission: refer to the comments under requirement 2.3.
CLI
• No CLI access is available.
Credentials used by the TLC File Collector to access systems
• A valid username and password with privileged access may be needed by the TLC File Collector to access system components which cannot forward logs or where Tripwire Log Center agents cannot be installed.
• The password is stored within Tripwire Log Center using a 256-bit AES key.
• The File Collector can collect log files from the remote system components via SMB (file copy), FTP or SFTP.
• To comply with PCI DSS, the following methods must not be used:
o FTP
o SMB if the password is sent in the clear

Tripwire IP360
GUI for VnE Manager
• A 128-bit AES key is used to store passwords for the local accounts used to access the VnE Manager.
CLI for VnE Manager
• No command is available to view the password file.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• Same as CLI for VnE Manager.
Credentials used by the DP to perform authenticated scans
• Tripwire IP360 requires a username and password to perform authenticated scans on system components. These are entered through the "Credential Management" section of the VnE Manager GUI. The password is stored within the VnE Manager local database using a 128-bit AES key.

Requirement 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
• Generic user IDs are disabled or removed.
• Shared user IDs do not exist for system administration and other critical functions.
• Shared and generic user IDs are not used to administer any system components.

Tripwire Enterprise (TE)
GUI
• If the password for the local administrator account is known to more than one person, then compensating controls need to be documented and implemented as per PCI DSS Appendix C to ensure activities performed using this account can be traced to an individual.
CLI
• Same as GUI.
Credentials to access monitored systems
• A valid username and password with privileged access may be needed by Tripwire Enterprise to access system components where Tripwire agents cannot be installed.
• Compensating controls may need to be documented and implemented as per PCI DSS Appendix C for this user account to ensure activities performed using this account by an individual can be traced to that individual.

Tripwire Log Center (TLC)
GUI
• If the password for the local administrator account is known to more than one person, then compensating controls need to be documented and implemented as per PCI DSS Appendix C to ensure activities performed using this account can be traced to an individual.
CLI
• No CLI access is available.
Credentials used by the TLC File Collector to access systems
• A valid username and password with privileged access may be needed by the TLC File Collector to access system components which cannot forward logs or where Tripwire agents cannot be installed.
• Compensating controls may need to be documented and implemented as per PCI DSS Appendix C for this user account to ensure activities performed using this account by an individual can be traced to that individual.

Tripwire IP360
GUI for VnE Manager
• If the local administrator account is enabled and the password for the account is known to more than one person, then compensating controls need to be documented and implemented as per PCI DSS Appendix C to ensure activities performed using this account can be traced to an individual.
CLI for VnE Manager
• If the password for the local admin account is known to more than one person, then compensating controls need to be documented and implemented as per PCI DSS Appendix C to ensure activities performed using this account can be traced to an individual.
GUI for DP (Device Profiler)
• No GUI access is available.
CLI for DP (Device Profiler)
• Same as CLI for VnE Manager.
Credentials used by the DP to perform authenticated scans
• Tripwire IP360 requires a username and password to perform authenticated scans on system components. These are entered through the "Credential Management" section of the VnE Manager GUI.
• Compensating controls may need to be documented and implemented per PCI DSS Appendix C for this user account to ensure activities performed using this account by an individual can be traced to that individual.
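The 8.2.1 row describes two different ways of making stored credentials unreadable. Tripwire Enterprise hashes local-account passwords with PBKDF2-HMAC-SHA256 under a fresh random salt, which is one-way: the product can verify a login but cannot recover the password. The AES-encrypted storage the row reports for TLC and IP360 local accounts, and for the scan and collection credentials all three products must present to other systems, is reversible by design, so whoever holds the key recovers the passwords; reversible storage is unavoidable for credentials that must be replayed, but for local logins a one-way hash is the stronger design, and in either case key custody and access to the database matter as much as the algorithm. The block below is an added example of the hashing scheme the row names, written against the Python standard library; it is not Tripwire code, and the iteration count and the record layout "pbkdf2_sha256$iterations$salt$digest" are assumptions, since the paper does not say how Tripwire Enterprise encodes its stored hashes.

```python
"""Added example (not Tripwire code): the password-hashing scheme the 8.2.1
row attributes to Tripwire Enterprise local accounts, PBKDF2-HMAC-SHA256
with a random per-password salt, using only the Python standard library.

Assumptions: the iteration count and the record layout
"pbkdf2_sha256$iterations$salt_hex$digest_hex" are chosen for this
example; the paper does not state how Tripwire Enterprise stores hashes.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed; tune to your hardware and revisit yearly
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, iterations, salt, digest.
    A new random salt is drawn every time, so hashing the same password
    twice yields two different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time. A malformed, truncated or
    foreign-algorithm record never verifies."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


def records_collide(password):
    """Whether two records for the same password are identical. They are
    not, because of the random salt: two accounts sharing a password, or a
    leaked record, reveal nothing about each other. Reversible (AES)
    storage of the same password under one key lacks this property."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    print(records_collide("correct horse battery staple"))          # False
```

Verification reads the iteration count back out of the record rather than from the constant, which is what lets a deployment raise ITERATIONS later and re-hash each account at its next successful login without invalidating the existing records.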
Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire's portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com.
©2017 Tripwire, Inc. Tripwire, Log Center, LogCenter and IP360 are trademarks or registered trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPULPCI32a 201702