Supporting PCI-compliant IT-infrastructure with CFEngine
The PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.

Attend this webinar to learn how CFEngine is used to support an important element of PCI DSS: ensuring that the configuration of your IT infrastructure complies with the standard. See how to create and enforce PCI policies for services such as SSH, sudo, NTP, and user and password management, and how to automate delivery of reports to make it easy to audit compliance.

Published in: Technology


  1. PCI Solution: Product, Process, Consulting
  2. PCI High Level Overview
     - Payment Application Data Security Standard
     - PIN Transaction Security
     - Data Security Standard
     INTERNAL ONLY - CONFIDENTIAL
  3. Using CFEngine to maintain PCI compliant IT infrastructure
     [Diagram: lifecycle BUILD -> DEPLOY -> PCI POLICY -> AUDIT -> MANAGE]
     - Provision PCI Hardened Operating Systems
     - Provision PCI Compliant Infrastructure
     - Monitoring, Reporting, Audit
     - Maintain Compliance in Real Time
  4. Approaches to PCI-DSS compliance
     - Reactive (traditional): manual changes, scripts, inconsistencies; scanners and detection scripts (band-aid)
     - Proactive (CFEngine): desired state; automation, consistency; always maintained and provable
  5. CFEngine examples
     PCI-DSS requires strict OS hardening, and a system to maintain the hardening over time. CFEngine is uniquely capable of keeping systems compliant with desired state and providing reporting to validate this.
     - Extended history setting in shell (/etc/profile)
     - NTP configuration (/etc/ntp.conf)
     - File integrity check
     - SSH configuration (/etc/ssh/sshd_config)
     - Useradd settings (/etc/default/useradd)
     - Password definitions (/etc/login.defs)
     - Password expiration on personal users
     - User interaction timeout (/etc/profile)
     - Sudo configuration (/etc/sudoers)
     - Syslog configuration (/etc/syslog.conf)
     - Management of services (whitelist & blacklist)
     - Locking of inactive users
  6. File integrity (manage)
     Sketch: Security::file_integrity. Params: pcidss_v2.json. Knowledge is kept with the configuration (the tags name the PCI-DSS sections the check serves).
     {
       "activated": true,
       "params": {
         "watch": [
           "/etc",
           "/boot",
           "/bin",
           "/usr/sbin",
           "/sbin",
           "/lib"
         ],
         "hash_algorithm": "sha256",
         "ifelapsed": "1440"
       },
       "tags": [
         "pcidss",
         "pcidss_v2",
         "pcidss_v2_sec_11_5"
       ]
     }
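The sketch above describes what a file-integrity promise does (hash the watched directories with sha256, re-check on an interval, report drift). The following is an added example, not CFEngine's or the Design Center's code, of the underlying mechanism: build a baseline of digests, re-hash later, and report added, removed and changed files. The watched tree, file contents and the `demo()` scenario are constructed for illustration; `ifelapsed` is not modelled (it only says how often the check runs).

```python
"""File-integrity baseline and comparison in the spirit of the
Security::file_integrity sketch. Added example; constructed inputs."""
import hashlib
import os
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"  # mirrors "hash_algorithm" in the sketch params


def hash_file(path: Path, algorithm: str = HASH_ALGORITHM) -> str:
    """Stream a file through the chosen digest so large files don't load into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(watch: list[str], algorithm: str = HASH_ALGORITHM) -> dict[str, str]:
    """Map every regular file under the watched directories to its digest.
    Symlinks are skipped: a link pointing outside the tree must not be able to
    make the baseline vouch for content the policy never intended to watch."""
    baseline: dict[str, str] = {}
    for top in watch:
        for root, _dirs, files in os.walk(top):
            for name in files:
                p = Path(root, name)
                if p.is_symlink() or not p.is_file():
                    continue
                baseline[str(p)] = hash_file(p, algorithm)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report drift between two snapshots; each list is sorted for stable reports."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a temporary 'etc' tree, then modify one
    file, delete one and add one, and return the drift by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline([str(etc)])

        # Drift: an extra account line, a removed file, a new startup script.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nbackup:x:1001:1001::/home/backup:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "rc.local").write_text("#!/bin/sh\n")

        report = compare(baseline, build_baseline([str(etc)]))
        return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the sensitive asset here: if it lives on the monitored host in a world-writable location, an intruder can simply re-baseline after tampering. Keeping the reference digests on the policy hub (as the sketch's centralised reporting implies) is what makes the audit trustworthy.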
  7. File integrity (audit)
  8. SSH Configuration (manage)
     Sketch: Security::SSH. Params: pcidssv2.json. The tags record which PCI-DSS sections these settings are for.
     {
       "activated": true,
       "params": {
         "Protocol": "2",
         "PermitEmptyPasswords": "no",
         "ClientAliveInterval": "900",
         "ClientAliveCountMax": "0"
       },
       "tags": [
         "pcidss",
         "pcidss_v2",
         "pcidss_v2_sec_2_1",
         "pcidss_v2_sec_2_2_3",
         "pcidss_v2_sec_8_5_15"
       ]
     }
  9. SSH Report (audit)
     Host          Failing promise    Time
     comp1.ex.com  sshd_set_config    Sept 21, 2012
     log1.ex.com   sshd_restart       Sept 21, 2012
     log1.ex.com   sshd_set_config    Sept 19, 2012
     app1.ex.com   sshd_copy_config   Sept 20, 2012
     app2.ex.com   sshd_restart       Sept 18, 2012
     - Available through web interface, PDF, CSV and REST API
     - Scheduling, emailing and archiving possible
     - SQL-based, extremely flexible
  10. Conclusions – what you get
     - CFE software to maintain PCI-DSS compliance: 9 out of 10 largest banks do it
     - Content to do it out of the box (on-going effort): Design Center sketches
     - Report and audit with CFE 3 Enterprise
  11. Links
     - CFEngine 3 Enterprise (manage, report and audit): http://cfengine.com/enterprise
     - Design Center (content, work in progress): https://github.com/cfengine/design-center
     - Learning CFEngine 3: https://cfengine.com/getting-started
