Supporting PCI-compliant IT infrastructure with CFEngine
DESCRIPTION
The PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Attend this webinar to learn how CFEngine is used to support an important element of PCI DSS: ensuring that the configuration of your IT infrastructure complies with the standard. See how to create and enforce PCI policies for services such as SSH, sudo, NTP, and user and password management, and how to automate delivery of reports to make it easy to audit compliance.
TRANSCRIPT
PCI Solution
Product, Process, Consulting
INTERNAL ONLY - CONFIDENTIAL
PCI High Level Overview
● Payment Application Data Security Standard
● PIN Transaction Security
● Data Security Standard
Using CFEngine to maintain PCI compliant IT infrastructure
[Diagram: a lifecycle around the PCI policy with four phases: Build, Deploy, Manage, Audit]
Stages shown:
● Provision PCI compliant infrastructure
● Hardened operating systems
● Maintain compliance in real time
● Monitoring, reporting, audit
Approaches to PCI-DSS compliance
● Reactive (traditional)
  ● Manual changes, scripts, inconsistencies
  ● Scanners/detection scripts (band-aid)
● Proactive (CFEngine)
  ● Desired state
  ● Automation, consistency
  ● Always maintained and provable
CFEngine examples
• Extended history setting in shell (/etc/profile)
• NTP configuration (/etc/ntp.conf)
• File integrity check
• SSH configuration (/etc/ssh/sshd_config)
• Useradd settings (/etc/default/useradd)
• Password definitions (/etc/login.defs)
• Password expiration on personal users
• User interaction timeout (/etc/profile)
• Sudo configuration (/etc/sudoers)
• Syslog configuration (/etc/syslog.conf)
• Management of services (whitelist & blacklist)
• Locking of inactive users
PCI-DSS requires strict OS hardening, and a system to maintain the hardening over time.
CFEngine is uniquely capable of keeping systems compliant with the desired state and of providing reporting to validate this.
File integrity (manage)
Sketch: Security::file_integrity
Params: pcidss_v2.json

{
  "activated": true,
  "params": {
    "watch": [
      "/etc",
      "/boot",
      "/bin",
      "/usr/sbin",
      "/sbin",
      "/lib"
    ],
    "hash_algorithm": "sha256",
    "ifelapsed": "1440"
  },
  "tags": [
    "pcidss",
    "pcidss_v2",
    "pcidss_v2_sec_11_5"
  ]
}

Knowledge is kept with the configuration: the PCI DSS section tags travel with the sketch parameters.
File integrity (audit)
SSH Configuration (manage)
Sketch: Security::SSH
Params: pcidssv2.json

{
  "activated": true,
  "params": {
    "Protocol": "2",
    "PermitEmptyPasswords": "no",
    "ClientAliveInterval": "900",
    "ClientAliveCountMax": "0"
  },
  "tags": [
    "pcidss",
    "pcidss_v2",
    "pcidss_v2_sec_2_1",
    "pcidss_v2_sec_2_2_3",
    "pcidss_v2_sec_8_5_15"
  ]
}
Which sections was this for?
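As an added illustration (not CFEngine code or a Design Center sketch), the following script reads the SSH sketch parameters shown on the slide and audits a constructed sshd_config against them, reporting each failing directive together with the sketch's PCI DSS section tags; the host name and config contents are made up for the example, and a missing directive is treated as failing because the sketch requires an explicit value.

```python
import json
import re

# Sketch parameters as shown on the slide (Security::SSH, pcidssv2.json).
SKETCH_PARAMS = json.loads("""
{ "activated": true,
  "params": { "Protocol": "2", "PermitEmptyPasswords": "no",
              "ClientAliveInterval": "900", "ClientAliveCountMax": "0" },
  "tags": [ "pcidss", "pcidss_v2", "pcidss_v2_sec_2_1",
            "pcidss_v2_sec_2_2_3", "pcidss_v2_sec_8_5_15" ] }
""")

# Constructed sample sshd_config of a host that has drifted from policy.
SAMPLE_SSHD_CONFIG = """\
# app1.ex.com (constructed sample, not a real host)
Protocol 2,1
PermitEmptyPasswords yes
ClientAliveInterval 900
#ClientAliveCountMax 0   <- commented out, so sshd's default (3) applies
"""

def parse_sshd_config(text):
    """Return {directive: value} for the active lines of an sshd_config.
    OpenSSH treats directive names case-insensitively, accepts 'Key value'
    or 'Key=value', and uses the first occurrence of a directive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(sketch, config_text):
    """Compare each sketch parameter with the parsed config. An absent
    directive counts as failing (the sshd default may not be the PCI one).
    The result carries the sketch's PCI DSS section tags for the report."""
    if not sketch.get("activated"):
        return {"failing": {}, "sections": []}
    actual = parse_sshd_config(config_text)
    failing = {}
    for directive, wanted in sketch["params"].items():
        got = actual.get(directive.lower())
        if got is None or got.lower() != wanted.lower():
            failing[directive] = got
    sections = [t for t in sketch["tags"] if "_sec_" in t]
    return {"failing": failing, "sections": sections if failing else []}
```

Running audit(SKETCH_PARAMS, SAMPLE_SSHD_CONFIG) flags Protocol, PermitEmptyPasswords and ClientAliveCountMax and lists the three section tags, which is the per-host, per-promise view the SSH report on the next slide summarises.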
SSH Report (audit)
Host           Failing promise     Time
comp1.ex.com   sshd_set_config     Sept 21, 2012
log1.ex.com    sshd_restart        Sept 21, 2012
log1.ex.com    sshd_set_config     Sept 19, 2012
app1.ex.com    sshd_copy_config    Sept 20, 2012
app2.ex.com    sshd_restart        Sept 18, 2012

● Available through web interface, PDF, CSV and REST API
● Scheduling, emailing and archiving possible
● SQL-based, extremely flexible
Conclusions: what you get
● CFE software to maintain PCI-DSS compliance
  ● 9 out of 10 of the largest banks do it
● Content to do it out of the box (ongoing effort)
  ● Design Center sketches
● Report and audit with CFE 3 Enterprise
Links
● CFEngine 3 Enterprise (manage, report and audit)
  ● http://cfengine.com/enterprise
● Design Center (content)
  ● https://github.com/cfengine/design-center
  ● Work in progress
● Learning CFEngine 3
  ● https://cfengine.com/getting-started