IBM BigFix Compliance PCI Add-on: New Support for CentOS 7

Published:
2016-12-14

Product:
IBM BigFix Compliance PCI Add-on

Title:
PCI DSS Checklist for RHEL 7 site updated to support both RHEL 7 and CentOS 7

Category:
Updated PCI DSS checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:

  • CentOS 7 is now supported in the PCI DSS Checklist for RHEL 7 site. This additional support is based on the guidance provided by the Payment Card Industry Data Security Standard (PCI DSS) v3.2 and on existing checks that are included in the PCI DSS Checklist for RHEL 7 site.
  • The available checks evaluate the security settings of your CentOS 7 endpoints according to the PCI DSS standard.
  • Some of the checks support parameterized settings, which let you customize compliance evaluation, and remediation actions, which let you remediate a non-compliance issue with a single action. Note that parameterization requires the creation of a custom site.
  • Several other updates are made to the PCI DSS Checklist for RHEL 7 site to improve accuracy:
      • A new check “Verify that Environment Setup Task is executed for current site” is added to help ensure the correctness of the compliance data in the reports used by the Compliance Manager.
      • The Applicability Fixlet called “Applicability Fixlet - PCI-DSS - RHEL 7” is updated to limit the scope to RHEL 7 systems only.
      • A new Applicability Fixlet called “Applicability Fixlet for RHEL 7, CentOS 7” is added for both RHEL 7 and CentOS 7 systems. This Fixlet excludes the “Verify that “rhnsd” daemon is disabled” check (pcidss-2.2.d_13.9), which is not applicable to CentOS 7 systems.
      • The following checks were modified to replace yum commands with rpm commands to improve performance when querying the installed software list:
          • Verify that “pam_ccreds” package is removed (pcidss-2.2.2.a_14.6)
          • Verify that “DHCP” server is removed (pcidss-2.2.2.a_16.6)
          • Verify that “rsyslog” package is installed (pcidss-2.2.2.a_17.6)
          • Verify that “cronie-anacron” package is removed (pcidss-2.2.2.a_21.6)
          • Verify that “FTP” server is removed (pcidss-2.2.2.a_8.6)
          • Verify that “X Windows system” is removed (pcidss-2.2.2.a_9.6)
          • Verify that “Network Information System” client is removed (pcidss-2.2.5.a_10.6)
          • Verify that “Network Information System” server is removed (pcidss-2.2.5.a_11.6)
          • Verify that “Trival File Transfer Protocol” client is removed (pcidss-2.2.5.a_12.6)
          • Verify that “Trival File Transfer Protocol” server is removed (pcidss-2.2.5.a_13.6)
          • Verify that “talk” package is removed (pcidss-2.2.5.a_14.6)
          • Verify that “SETroubleshoot” package is removed (pcidss-2.2.5.a_1.6)
          • Verify that “telnet-server” package is removed (pcidss-2.2.5.a_4.6)
          • Verify that “talk-server” package is removed (pcidss-2.2.5.a_5.6)
          • Verify that “xinetd” daemon is removed (pcidss-2.2.5.a_6.6)
          • Verify that “telnet client” is removed (pcidss-2.2.5.a_7.6)
          • Verify that “rsh-server” package is removed (pcidss-2.2.5.a_8.6)
          • Verify that “rsh” package is removed (pcidss-2.2.5.a_9.6)
          • Verify that “aide” is installed on the system (pcidss-2.2.4.b_12.6)

Published Site:
PCI DSS Checklist for RHEL 7, version 6

NOTE: If this site is not enabled, it is displayed in the License Overview dashboard as PCI DSS Checklist for RHEL 7, CentOS 7. Otherwise, it is listed as PCI DSS Checklist for RHEL 7, but supports both RHEL 7 and CentOS 7.

*The site version is provided for air-gap customers.

Actions to Take:

  • If you have already enabled the updated site, gather the site changes and extend the site’s computer subscription to CentOS systems.
  • If you have not enabled the updated site, enable it from the License Overview dashboard. Note that it is listed as PCI DSS Checklist for RHEL 7, CentOS 7 in the dashboard.

More information:
For more information about the IBM BigFix Compliance PCI DSS checklists, see:

We hope you find this latest release of PCI DSS content useful and effective.

Thank you!
– The IBM BigFix Compliance PCI Add-on team