IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklists for RHEL 6 and Windows 2012 published 2016-11-17

Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated the PCI DSS Checklists for RHEL 6 and Windows 2012 for various enhancements

Category:
Updated PCI DSS checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:

PCI DSS Requirements and Milestones Reporting in BigFix Compliance Analytics 1.8

  • To provide PCI DSS Requirements and Milestones based reporting, BigFix supplies supplemental reports that can be installed in custom sites using an installer. The installer is available in the PCI DSS Checklists for Windows 2012 and PCI DSS Checklists for RHEL 6 sites. The supplemental reports are updated to include cumulative checks for the new PCI DSS sub-requirements.

PCI DSS checklist for Windows 2012 Update

  • The PCI DSS checklist for Windows 2012 is updated to include the following additional checks:
    • Verify that “Bypass traverse checking” on Windows 2012 DC is set to ‘Administrators, Authenticated Users, LOCAL SERVICE, NETWORK SERVICE’ (pcidss-7.2.2_18.1)
    • Verify that “Change the system time” is set to ‘Administrators, LOCAL SERVICE’ (pcidss-10.4.2.a_3)
  • The measured values for some of the checks in the PCI DSS checklist for Windows 2012 are formatted for enhanced readability. These values can be viewed in the BigFix console, analyses, and BigFix Compliance Analytics reports. The results now clearly present the desired system configuration setting, as specified by a check, against the actual setting on the endpoint.
  • Some titles and descriptions of the checks in the PCI DSS checklist for Windows 2012 are updated with the standardized format and extensions.

PCI DSS checklist for RHEL 6 Update

  • The PCI DSS checklist for RHEL 6 is updated to include the “Verify that Environment Setup Task is executed for current site” check to help ensure the correctness of the compliance data in the reports used by the Compliance Manager.
  • The following checks in the PCI DSS checklist for RHEL 6 were modified to replace yum commands with rpm commands, which improves performance when querying the installed software list:
    • Verify that “pam_ccreds” package is removed (pcidss-2.2.2.a_14.8)
    • Verify that DHCP server is removed (pcidss-2.2.2.a_16.8)
    • Verify that “rsyslog” package is installed (pcidss-2.2.2.a_17.8)
    • Verify that “Advanced Intrusion Detection Environment” package is installed (pcidss-2.2.4.b_12.8)
    • Verify that “SETroubleshoot” package is removed (pcidss-2.2.5.a_1.8)
    • Verify that “Network Information System” client is removed (pcidss-2.2.5.a_10.8)
    • Verify that “Network Information System” server is removed (pcidss-2.2.5.a_11.8)
    • Verify that “Trivial File Transfer Protocol” client is removed (pcidss-2.2.5.a_12.8)
    • Verify that “Trivial File Transfer Protocol” server is removed (pcidss-2.2.5.a_13.8)
    • Verify that “talk” package is removed (pcidss-2.2.5.a_14.8)
    • Verify that “telnet-server” package is removed (pcidss-2.2.5.a_4.8)
    • Verify that “talk-server” package is removed (pcidss-2.2.5.a_5.8)
    • Verify that “xinetd” daemon is removed (pcidss-2.2.5.a_6.8)
    • Verify that telnet client is removed (pcidss-2.2.5.a_7.8)
    • Verify that “rsh-server” package is removed (pcidss-2.2.5.a_8.8)
    • Verify that “rsh” package is removed (pcidss-2.2.5.a_9.8)
    • Verify that XD/NX support is enabled on 32-bit x86 systems (pcidss-2.2.d_6.8)
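The rpm-based package-state checks above, shown as an added shell example that is not BigFix's own content: it evaluates several of the listed checks against a package list taken from the local RPM database (rpm -qa), which is cheaper than yum because rpm reads only the local database while yum also loads repository metadata. The mapping from check titles to RPM package names (aide, telnet-server, xinetd, and so on) is my assumption, and the installed-package list is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not BigFix content: evaluate "package installed/removed"
# checks from the PCI DSS RHEL 6 checklist against an RPM package list,
# using rpm rather than yum as the updated checks do.

# Constructed sample of what `rpm -qa --qf '%{NAME}\n'` prints on a host;
# used here so the script runs without a real RPM database.
SAMPLE_INSTALLED='rsyslog
aide
rsh-server
xinetd
telnet'

# pkg_present LIST NAME -> exit 0 if NAME appears in LIST (one name per line)
pkg_present() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# evaluate LIST NAME EXPECTED ID -> prints "PASS ID ..." (exit 0) or
# "FAIL ID ..." (exit 1); EXPECTED is "installed" or "removed"
evaluate() {
    list=$1; name=$2; expected=$3; id=$4
    if pkg_present "$list" "$name"; then state=installed; else state=removed; fi
    if [ "$state" = "$expected" ]; then echo "PASS $id ($name $state)"; return 0; fi
    echo "FAIL $id ($name is $state, expected $expected)"; return 1
}

# run_checks LIST -> one result line per check; exit status = failure count
# (package names are assumed mappings of the check titles above)
run_checks() {
    fails=0
    evaluate "$1" rsyslog       installed pcidss-2.2.2.a_17.8 || fails=$((fails+1))
    evaluate "$1" aide          installed pcidss-2.2.4.b_12.8 || fails=$((fails+1))
    evaluate "$1" telnet-server removed   pcidss-2.2.5.a_4.8  || fails=$((fails+1))
    evaluate "$1" xinetd        removed   pcidss-2.2.5.a_6.8  || fails=$((fails+1))
    evaluate "$1" telnet        removed   pcidss-2.2.5.a_7.8  || fails=$((fails+1))
    evaluate "$1" rsh-server    removed   pcidss-2.2.5.a_8.8  || fails=$((fails+1))
    return "$fails"
}

# On a real RHEL 6 / CentOS 6 host, feed the live database instead:
#   run_checks "$(rpm -qa --qf '%{NAME}\n')"
run_checks "$SAMPLE_INSTALLED" || echo "failures: $?"
```

With the sample list the script reports three failures (xinetd, telnet and rsh-server are present but expected removed).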

Published Sites:
PCI DSS Checklist for Windows 2012, version 9
PCI DSS Checklist for RHEL 6, version 6

NOTE: The PCI DSS Checklist for RHEL 6 site supports CentOS 6. If this site is not enabled, it is displayed in the License Overview dashboard as PCI DSS Checklist for RHEL 6, CentOS 6. Otherwise, it is listed as PCI DSS Checklist for RHEL 6, but supports both RHEL 6 and CentOS 6.

*The site version is provided for air-gap customers

Actions to Take:
Complete the following steps:

  1. Remove the previous versions of the PCI DSS Requirements and Milestones reporting custom sites.
  2. Update the reporting manually or with the import_milestones.sh script. The update steps can be found in the Requirements and Milestones User’s Guide at https://ibm.biz/BdsZz7.

More information:
For more information about the IBM BigFix Compliance PCI DSS checklists, see:

We hope you find this latest release of PCI DSS content useful and effective.

Thank you!

– The IBM BigFix Compliance PCI Add-on team