The PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
Attend this webinar to learn how CFEngine is used to support an important element of PCI DSS: ensuring that the configuration of your IT infrastructure complies with the standard. See how to create and enforce PCI policies for services such as SSH, sudo, NTP, and user and password management, and how to automate delivery of reports to make it easy to audit compliance.
2. PCI High Level Overview
- Payment Application Data Security Standard (PA-DSS)
- PIN Transaction Security (PTS)
- Data Security Standard (PCI DSS)
INTERNAL ONLY - CONFIDENTIAL
3. Using CFEngine to maintain PCI compliant IT infrastructure
Lifecycle diagram (text recovered from the slide graphic, with PCI POLICY at the centre):
- BUILD: provision PCI hardened operating systems
- DEPLOY: PCI compliant infrastructure
- MANAGE: maintain compliance in real time
- AUDIT: monitoring, reporting, audit
5. CFEngine examples
PCI DSS requires strict OS hardening, and a system to maintain the hardening over time. CFEngine keeps systems converged to the desired state and provides reporting to validate this.
• Extended history setting in shell (/etc/profile)
• NTP configuration (/etc/ntp.conf)
• File integrity check
• SSH configuration (/etc/ssh/sshd_config)
• Useradd settings (/etc/default/useradd)
• Password definitions (/etc/login.defs)
• Password expiration on personal users
• User interaction timeout (/etc/profile)
• Sudo configuration (/etc/sudoers)
• Syslog configuration (/etc/syslog.conf)
• Management of services (whitelist & blacklist)
• Locking of inactive users
8. SSH Configuration (manage)
Sketch: Security::SSH
Params: pcidssv2.json
    {
      "activated": true,
      "params": {
        "Protocol": "2",
        "PermitEmptyPasswords": "no",
        "ClientAliveInterval": "900",
        "ClientAliveCountMax": "0"
      },
      "tags": [
        "pcidss",
        "pcidss_v2",
        "pcidss_v2_sec_2_1",
        "pcidss_v2_sec_2_2_3",
        "pcidss_v2_sec_8_5_15"
      ]
    }
The tags map the parameters to PCI DSS v2 requirements: Protocol 2 and PermitEmptyPasswords no address the secure-configuration requirements in 2.1 and 2.2.3, and ClientAliveInterval 900 with ClientAliveCountMax 0 drops an idle session after 15 minutes, which is what 8.5.15 asks for.
9. SSH Report (audit)
Host            Failing promise     Time
comp1.ex.com    sshd_set_config     Sept 21, 2012
log1.ex.com     sshd_restart        Sept 21, 2012
log1.ex.com     sshd_set_config     Sept 19, 2012
app1.ex.com     sshd_copy_config    Sept 20, 2012
app2.ex.com     sshd_restart        Sept 18, 2012
● Available through web interface, PDF, CSV and REST API
● Scheduling, emailing and archiving possible
● SQL-based, extremely flexible
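The two slides above show the sketch parameters that CFEngine enforces and the report of hosts whose sshd_set_config promise failed. The script below is an added example, not CFEngine or Design Center code: it audits an sshd_config file against the same pcidssv2.json parameters from outside the agent (for instance in a CI job or a triage script) and produces report rows in the shape of the SSH Report slide. The sample sshd_config texts, the hostnames, the compiled-in defaults table and the function names are constructed for the example. It handles the two mistakes that make a naive grep pass a non-compliant host: a keyword that is commented out falls back to the sshd default rather than being "fine", and sshd honours only the first occurrence of a keyword. One caveat before copying the slide's values: from OpenSSH 8.2 onwards ClientAliveCountMax 0 disables the liveness-based disconnect entirely instead of disconnecting after the first missed probe, so on current systems the 15-minute timeout needs a count of 1 rather than 0; check sshd_config(5) for the version you run.

```python
"""Audit /etc/ssh/sshd_config against the Security::SSH sketch parameters.

Added example; not CFEngine code. Mirrors what the sshd_set_config promise
on the slide checks, so the same parameters can be verified independently.
"""
import json
import re

# Parameters exactly as shown on the "SSH Configuration" slide (pcidssv2.json).
PCIDSS_V2_SSH_PARAMS = json.loads("""{
  "Protocol": "2",
  "PermitEmptyPasswords": "no",
  "ClientAliveInterval": "900",
  "ClientAliveCountMax": "0"
}""")

# Compiled-in sshd defaults for keywords that may be absent or commented out
# (sshd_config(5)). A keyword not in this table must be set explicitly:
# the historic default for Protocol varied by OpenSSH version, so an auditor
# should not assume it.
SSHD_DEFAULTS = {
    "permitemptypasswords": "no",
    "clientaliveinterval": "0",   # 0 = never send keepalives, never time out
    "clientalivecountmax": "3",
}

_DIRECTIVE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return the effective global directives as {keyword_lowercase: value}.

    sshd uses the FIRST occurrence of a keyword, treats lines beginning with
    '#' as comments, and accepts 'Keyword value' or 'Keyword=value'.
    Directives after the first 'Match' line are conditional and are left
    out of the global view (assumption of this example).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, value)   # keep the first occurrence only
    return directives


def audit_sshd_config(text, params=PCIDSS_V2_SSH_PARAMS):
    """Return [(keyword, expected, actual)] for every parameter that is not met."""
    directives = parse_sshd_config(text)
    failures = []
    for keyword, expected in params.items():
        key = keyword.lower()
        actual = directives.get(key, SSHD_DEFAULTS.get(key, "<unset>"))
        if actual.lower() != expected.lower():
            failures.append((keyword, expected, actual))
    return failures


def failing_promises(hosts):
    """Build rows like the SSH Report slide: (host, failing promise, detail).

    `hosts` maps hostname -> sshd_config text. Only sshd_set_config can be
    judged from the file; sshd_restart and sshd_copy_config need agent state.
    """
    rows = []
    for host, text in sorted(hosts.items()):
        failures = audit_sshd_config(text)
        if failures:
            detail = ", ".join(f"{k}={a!r} (want {e!r})" for k, e, a in failures)
            rows.append((host, "sshd_set_config", detail))
    return rows


# Constructed sample files for the example; not captured from any real host.
COMPLIANT = """\
# Managed by CFEngine - PCI DSS v2 SSH policy
Protocol 2
PermitEmptyPasswords no
ClientAliveInterval 900
ClientAliveCountMax 0
"""

DRIFTED = """\
Protocol 2
# ClientAliveInterval is commented out, so sshd uses its default of 0 (never)
#ClientAliveInterval 900
ClientAliveCountMax 0
# sshd keeps the first occurrence of a keyword; the second line is ignored
PermitEmptyPasswords yes
PermitEmptyPasswords no
Match User backup
    PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for host, promise, detail in failing_promises(
            {"app1.ex.com": COMPLIANT, "log1.ex.com": DRIFTED}):
        print(f"{host:<14} {promise:<18} {detail}")
```

Run against real hosts, feed the file contents of each /etc/ssh/sshd_config into `failing_promises` and diff the rows against the CFEngine Enterprise report: a host that CFEngine shows as compliant but this audit flags usually has a Match block or a second copy of a keyword that the policy's edit did not account for.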
10. Conclusions – what you get
● CFE software to maintain PCI-DSS compliance
● 9 out of the 10 largest banks do it
● Content to do it out-of-the-box (on-going effort)
● Design Center sketches
● Report and audit with CFE 3 Enterprise
11. Links
● CFEngine 3 Enterprise (manage, report and audit): http://cfengine.com/enterprise
● Design Center (content, work-in-progress): https://github.com/cfengine/design-center
● Learning CFEngine 3: https://cfengine.com/getting-started