IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklists for RHEL 5, RHEL 6, RHEL 7, and AIX 7 published 2016-07-20

Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for RHEL 5, RHEL 6, RHEL 7, and AIX 7 to comply with PCI DSS v3.2

Category:
Updated SCM checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the Payment Card Industry Data Security Standard (PCI DSS) checklists for RHEL 5, RHEL 6, RHEL 7, and AIX 7 to comply with PCI DSS v3.2, as well as to include other enhancements. Details are as follows.

For AIX 7:

• PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the checklists. Existing checks are updated to adopt to the new standard and new checks are added to conform to the new requirements.
• The following PCI DSS v3.2 specific checks are added to the checklists:
• “PCI DSS v3.2: Verify that changes in the “ipfilters” configurations are logged” (pcidss-10.2.2_2.1)
• “PCI DSS v3.2: Verify that changes in the password policy are logged” (pcidss-10.2.2_2.2)
• “PCI DSS v3.2: Verify that logging is enabled for the “ipfilters” service status changes” (pcidss-10.2.2_2.3)
• The measured values for each AIX 7 check, which can be viewed in the BigFix console, analyses, and SCA reports are formatted for enhanced readability. The results now clearly present the desired system configuration setting, as specified by a check, against the actual setting on the endpoint.
• The description for the globalfind feature is updated for improved usability.
• Some titles and descriptions of the checks are updated with the standardized format and extensions.
• The checks named “Verify that the SSH protocol is set to the version 2 for the client side” (2.2.2.a_5.1) and “Verify that the SSH protocol is set to the version 2 for the server side” (2.2.2.a_5.2) are updated with appropriate default desired values.

For RHEL 5 and RHEL 6:

• PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the checklists. Existing checks are updated to adopt to the new standard and new checks are added to conform to the new requirements.
• The following PCI DSS v3.2 specific checks are added to the checklists:
• “PCI DSS v3.2: Verify that events that modify iptables configuration are logged” (pcidss-10.8_b.1.9)
• “PCI DSS v3.2: Verify that events that modify password policies are logged” (pcidss-10.8_b.2.9)
• The check named “Verify that default ports are not using SSL and early TLS” (pcidss-4.1.d.9.31) is added in the checklists.
• The checks named “Verify that inactive user accounts are disabled within ‘90 days or less’” (pcidss-8.1.4.8) and “Verify that inactive user accounts are disabled within ‘90 days or less’” (pcidss-8.1.4.9), which are from the PCI DSS Checklist for RHEL 6 and PCI DSS Checklist for RHEL 5 sites, respectively, are updated with the correct parameterization range.

For RHEL 7:

• PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the checklist. Existing checks are updated to adopt to the new standard and new checks are added to conform to the new requirements.
• The following PCI DSS v3.2 specific checks are added to the checklists:
• “PCI DSS v3.2: Verify that events that modify iptables configuration are logged” (pcidss-10.8_b.1.6)
• “PCI DSS v3.2: Verify that events that modify firewalld configuration are logged” (pcidss-10.8_b.3.6)
• “PCI DSS v3.2: Verify that events that modify password policies are logged” (pcidss-10.8_b.2.6)
• The check named “Verify that default ports are not using SSL and early TLS” (pcidss-4.1.d.9.31) is added in the checklist.
• The check named “Verify that inactive user accounts are disabled within ‘90 days or less’” (pcidss-8.1.4.6) is updated with the correct parameterization range.

Published Sites:
PCI DSS Checklist for AIX 7 , version 2
PCI DSS Checklist for RHEL 5, version 4
PCI DSS Checklist for RHEL 6, version 5
PCI DSS Checklist for RHEL 7, version 5
*The site version is provided for air-gap customers.

Actions to Take:

• If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.
• If you have not subscribed to the site above, you can use the License Overview dashboard to enable and gather the sites. Note that you must be entitled to the new content and you are using IBM BigFix version 9.0 and later.
• If you were involved in the Early Access Program for IBM BigFix Compliance PCI Add-on, unsubscribe from the beta sites to avoid any conflicting issues with the production sites. If you do not unsubscribe from the beta sites, the content in the production sites will fail.

More information:
To view the related PCI DSS v3.2 support announcements, see the following posts: https://ibm.biz/BdrFiu and https://ibm.biz/BdrXPU.

To know more information about the IBM BigFix Compliance SCM checklists, see:

• IBM BigFix Compliance PCI Add-on User’s Guide in the BigFix developerWorks wiki: https://ibm.biz/BdrBtk
• IBM developerWorks: https://ibm.biz/BdFiGQ
• SCM Checklist Deployment: https://ibm.biz/BdrBtU
• IBM Blog for Checklist Release Announcement: https://ibm.biz/BdrBt5
• BigFix forums: https://forum.bigfix.com/

We hope you find this latest release of SCM content useful and effective. Thank you!

The IBM BigFix Compliance PCI Add-on team