[BESAdmin-Announcements] IBM BigFix Compliance PCI Add-on: Updated Content: PCI DSS Checklists for RHEL 5, RHEL 6, RHEL 7, and AIX 7 published 2016-07-20

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Wed Jul 20 08:38:28 PDT 2016


Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for 
RHEL 5, RHEL 6, RHEL 7, and AIX 7 to comply with PCI DSS v3.2

Category:
Updated SCM checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the 
Payment Card Industry Data Security Standard (PCI DSS) checklists for RHEL 
5, RHEL 6, RHEL 7, and AIX 7 to comply with PCI DSS v3.2, as well as to 
include other enhancements. Details are as follows.
For AIX 7:
·       PCI DSS Requirements and Security Assessment Procedures v3.2 is 
supported in the checklists. Existing checks are updated to align with the 
new standard, and new checks are added to cover the new requirements. 
·       The following PCI DSS v3.2-specific checks are added to the 
checklists:
o       “PCI DSS v3.2: Verify that changes in the "ipfilters" 
configurations are logged” (pcidss-10.2.2_2.1)
o       “PCI DSS v3.2: Verify that changes in the password policy are 
logged” (pcidss-10.2.2_2.2)
o       “PCI DSS v3.2: Verify that logging is enabled for the “ipfilters” 
service status changes” (pcidss-10.2.2_2.3)
·       The measured values for each AIX 7 check, which can be viewed in 
the BigFix console, analyses, and SCA reports are formatted for enhanced 
readability. The results now clearly present the desired system 
configuration setting, as specified by a check, against the actual setting 
on the endpoint.
·       The description for the globalfind feature is updated for improved 
usability.
·       Some titles and descriptions of the checks are updated with the 
standardized format and extensions.
·       The checks named “Verify that the SSH protocol is set to the 
version 2 for the client side” (2.2.2.a_5.1) and “Verify that the SSH 
protocol is set to the version 2 for the server side” (2.2.2.a_5.2) are 
updated with appropriate default desired values.

For RHEL 5 and RHEL 6:
·       PCI DSS Requirements and Security Assessment Procedures v3.2 is 
supported in the checklists. Existing checks are updated to align with the 
new standard, and new checks are added to cover the new requirements. 
·       The following PCI DSS v3.2-specific checks are added to the 
checklists:
o       “PCI DSS v3.2: Verify that events that modify iptables 
configuration are logged” (pcidss-10.8_b.1.9)
o       “PCI DSS v3.2: Verify that events that modify password policies 
are logged” (pcidss-10.8_b.2.9)
·       The check named “Verify that default ports are not using SSL and 
early TLS” (pcidss-4.1.d.9.31) is added to the checklists.
·       The checks named “Verify that inactive user accounts are disabled 
within '90 days or less'” (pcidss-8.1.4.8) and “Verify that inactive user 
accounts are disabled within '90 days or less'” (pcidss-8.1.4.9), which 
are from the PCI DSS Checklist for RHEL 6 and PCI DSS Checklist for RHEL 5 
sites, respectively, are updated with the correct parameterization range.

For RHEL 7:
·       PCI DSS Requirements and Security Assessment Procedures v3.2 is 
supported in the checklist. Existing checks are updated to align with the 
new standard, and new checks are added to cover the new requirements. 
·       The following PCI DSS v3.2-specific checks are added to the 
checklist:
o       “PCI DSS v3.2: Verify that events that modify iptables 
configuration are logged” (pcidss-10.8_b.1.6)
o       “PCI DSS v3.2: Verify that events that modify firewalld 
configuration are logged” (pcidss-10.8_b.3.6)
o       “PCI DSS v3.2: Verify that events that modify password policies 
are logged” (pcidss-10.8_b.2.6)
·       The check named “Verify that default ports are not using SSL and 
early TLS” (pcidss-4.1.d.9.31) is added to the checklist.
·       The check named “Verify that inactive user accounts are disabled 
within '90 days or less'” (pcidss-8.1.4.6) is updated with the correct 
parameterization range.
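
As an added illustration of what the RHEL 5/6 and RHEL 7 items above 
verify, the following shell script is not BigFix's own check logic; it is a 
stand-alone example written for this announcement. It implements two 
checks in the spirit of the new content: whether auditd holds a 
write/attribute watch rule for the iptables, firewalld and password-policy 
configuration files (PCI DSS 10.2.2: changes to configuration are logged), 
and whether every unlocked account in a shadow file carries an inactivity 
limit of 90 days or less (PCI DSS 8.1.4). The sample rules file, shadow 
entries, rule keys and account names are constructed for the demo and are 
assumptions, not data from any endpoint.

```shell
#!/bin/sh
# Added example, not BigFix's own check logic: two small shell checks in the
# spirit of the PCI DSS v3.2 items above, run against constructed sample files.
#   audit_watch_present RULES_FILE PATH  - is PATH watched by auditd for
#                                          writes and attribute changes?
#   inactive_accounts_ok SHADOW_FILE MAX - does every unlocked account carry a
#                                          shadow "inactive" value <= MAX days?
# File names, rule keys and account names below are assumptions for the demo.

# Return 0 if RULES_FILE holds an uncommented "-w PATH -p <perms>" rule whose
# perms include both w (write) and a (attribute change). A read-only watch
# (-p r) or a commented-out rule does not count as change logging.
audit_watch_present() {
    grep -v '^[[:space:]]*#' "$1" | awk -v p="$2" '
        $1 == "-w" && $2 == p {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i+1) ~ /w/ && $(i+1) ~ /a/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if every account with a real password hash (field 2 not empty and
# not starting with "!" or "*") has shadow field 7 (days of inactivity after
# password expiry before the account is disabled) set and <= MAX.
# Offending accounts are printed so the operator knows which ones to fix.
inactive_accounts_ok() {
    awk -F: -v max="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $7 == "" || $7 + 0 > max + 0 {
            printf "FAIL %s: inactive=%s (limit %s)\n", $1, ($7 == "" ? "unset" : $7), max
            bad = 1
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Write constructed sample files (not captured from a real host) into DIR.
write_samples() {
    cat > "$1/audit.rules" <<'EOF'
# constructed sample, styled after an /etc/audit/rules.d/*.rules file
-w /etc/sysconfig/iptables -p wa -k pci-iptables
-w /etc/firewalld/ -p wa -k pci-firewalld
-w /etc/login.defs -p wa -k pci-passwd-policy
-w /etc/sysconfig/ip6tables -p r -k read-only-watch
# -w /etc/security/pwquality.conf -p wa -k pci-passwd-policy
EOF
    cat > "$1/shadow.good" <<'EOF'
root:$6$constructed$hash:17000:0:99999:7:30::
daemon:*:17000:0:99999:7:::
alice:$6$constructed$hash:17000:0:90:7:30::
carol:!!:17000:0:99999:7:::
EOF
    cat > "$1/shadow.bad" <<'EOF'
root:$6$constructed$hash:17000:0:99999:7:30::
alice:$6$constructed$hash:17000:0:90:7:::
bob:$6$constructed$hash:17000:0:90:7:120::
EOF
}

# Demo run against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for watched in /etc/sysconfig/iptables /etc/firewalld/ /etc/login.defs \
               /etc/sysconfig/ip6tables /etc/security/pwquality.conf; do
    if audit_watch_present "$demo_dir/audit.rules" "$watched"; then
        echo "PASS write/attribute audit watch on $watched"
    else
        echo "FAIL no write/attribute audit watch on $watched"
    fi
done
for shadow in shadow.good shadow.bad; do
    if inactive_accounts_ok "$demo_dir/$shadow" 90; then
        echo "PASS $shadow: all unlocked accounts disable within 90 days"
    else
        echo "FAIL $shadow: see accounts listed above"
    fi
done
rm -rf "$demo_dir"
```

On a real RHEL host the same functions would be pointed at 
/etc/audit/rules.d/*.rules (or the output of auditctl -l) and /etc/shadow; 
the per-account shadow field only covers existing users, so the INACTIVE 
default in /etc/default/useradd still has to be checked separately for 
accounts created later.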

Published Sites:
PCI DSS Checklist for AIX 7 , version 2
PCI DSS Checklist for RHEL 5, version 4
PCI DSS Checklist for RHEL 6, version 5
PCI DSS Checklist for RHEL 7, version 5
*The site version is provided for air-gap customers.

Actions to Take:
If you use custom sites, update them to use the latest content. You can 
synchronize your content by using the Synchronize Custom Checks wizard. For 
more information, see https://ibm.biz/Bd4LBt.
If you have not subscribed to the sites above, you can use the License 
Overview dashboard to enable and gather them. Note that you must be 
entitled to the new content and must be running IBM BigFix version 9.0 or 
later.
If you were involved in the Early Access Program for IBM BigFix Compliance 
PCI Add-on, unsubscribe from the beta sites to avoid conflicts with the 
production sites. If you do not unsubscribe from the beta sites, the 
content in the production sites will fail.


More information:
To view the related PCI DSS v3.2 support announcements, see the following 
posts: https://ibm.biz/BdrFiu and https://ibm.biz/BdrXPU.

For more information about the IBM BigFix Compliance SCM checklists, see:

IBM BigFix Compliance PCI Add-on User's Guide in the BigFix developerWorks 
wiki: https://ibm.biz/BdrBtk

IBM developerWorks: https://ibm.biz/BdFiGQ

SCM Checklist Deployment: https://ibm.biz/BdrBtU

IBM Blog for Checklist Release Announcement: https://ibm.biz/BdrBt5

BigFix forums: https://forum.bigfix.com/


We hope you find this latest release of SCM content useful and effective. 
Thank you!

 -- The IBM BigFix Compliance PCI Add-on team
