VMware Cloud Community
spride (Enthusiast)

PCI DSS 3.0 Section 11.5

PCI DSS 3.0 Section 11.5 says this: "Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly."

Has anyone figured out a solution for this? I submitted a VMware support ticket asking, and they said they have no tool/app today that does this, nor could they recommend any. I find it rather surprising that this standard has been effective since Jan 1, 2015 and there is hardly any info on what people are doing to fulfil this (and 11.5.1) requirement. Thanks!

Texiwill (Leadership)

Hello,

There is a lot of interpretation to this: 1) is this for the workload, VM, or host? 2) Is this about changes to the infrastructure or the application? Once you get those answered, and if they are about the host or VM, you can use several tools today:

- VMware vCM
- HyTrust CloudControl
- Catbird vSecurity
- etc.

It really depends on how you interpret the change. Critical file comparisons could be done by monitoring the changes that occur within a host or VM container. You could also download the host configuration via the vCLI or vMA every week and compare it, via the proper checksum, to the previous week's. That would also suffice, but only if you are looking at the host.

The answer will depend on what is considered in scope for this audit. Find that out, and then we may be able to add more to the conversation. This is too general at the moment. It is sort of like saying 'count the stripes' when we do not know if we are talking about zebras, cheetahs, shirts, houses, or cars.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
spride (Enthusiast)

Thanks for the quick response, Edward. This would be just from an ESXi host perspective. We have vCM, and I tried importing the PCI DSS 3.0 tool, but even though it says it was successful, we aren't seeing any filters, etc., for it.

I've heard of people home-brewing their own solution much like you mentioned with the vCLI, but I was just curious if there may be an easier solution. If not, then we may have to go that route. For now, we've shut down all but the minimal services on the host and put it in lockdown mode as per the hardening guide. This requirement, though, seems to be a stumper.

Thanks.

Texiwill (Leadership) [accepted solution]

Hello,

Then you really want to look into HyTrust CloudControl and/or Catbird vSecurity, as they will monitor changes to a host for you. The reporting is to monitor for change drift or unauthorized changes. How you do that depends on how you feel you should do it. If I monitor the contents of a file for change, it does not mean I need to monitor the entire file for change. The contents are really what is important, not the actual file itself.

If your QSA is really stuck on you must have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intent. I would fire them and get one that truly understands the intent. Also, if you control access to the management console, that is also a compensating control and that is captured as well. You need to think how those files would change in the first place and if I can control said change, log said change, etc. then I have a compensating control that is sufficient.

I can also use the hardening guide to monitor critical files for change by monitoring the critical settings within those files. I have a tool that does just that, as do many others.

Best regards,
Edward L. Haletky
spride (Enthusiast)

"If your QSA is really stuck on you must have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intent. I would fire them and get one that truly understands the intent. Also, if you control access to the management console, that is also a compensating control and that is captured as well. You need to think how those files would change in the first place and if I can control said change, log said change, etc. then I have a compensating control that is sufficient."

LOL. Man, if only. Yes, we have the ESXi host pretty well locked down so that all enablement, etc., is done through vCenter (which itself is strictly controlled). Our manager has a similar line of thinking to yours when it comes to interpretation, and feels that perhaps the strictness of control itself may be enough to meet the requirement. Hearing it from an expert only adds fodder to our case. Worst-case scenario is that we have to implement a solution such as you provided, which isn't the end of the world, just more work. Appreciate your input!

Texiwill (Leadership)

Hello,

Well, if you need such a thing, I have the beginnings of a script that will do it and will finish it shortly; it is actually part of an OpenSCAP hardening guide assessment. Just let me know. I am sure we can work out something. :)

Actually, you do have the right to ask for a new QSA if the one you have is being overly dense or does not get along, or for any number of reasons. Check your agreements.

But on the other hand, if you can explain what you do check and why it is a compensating control to an auditor, they should accept that unless they are being overzealous...

Best regards,
Edward L. Haletky
spride (Enthusiast)

Cool. Thanks, Edward, you've been most helpful. I'd definitely like to hear more about the tool you are working on.

patrickrd2004 (Contributor)

Hi Texiwill,

I am running into similar issues with needing to have a FIM solution for PCI. I was wondering if you were able to create the script you mentioned in your post to look for changes in the files on the ESXi server. I was looking to monitor files like:

  1. /etc/vmware/esx.conf
  2. /etc/vmware/snmp.xml
  3. /etc/vmware/hostd/config.xml - listed as hostAgentConfig.xml
  4. /etc/vmware/ssl/rui.crt - listed as ssl_cert
  5. /etc/vmware/ssl/rui.key - listed as ssl_key
  6. /etc/vmware/config   - listed as vmware_config
  7. /etc/vmware/configrules 

Thanks for your help.

Ricky

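The weekly "download the host config and compare it via checksum to the previous week" approach Edward describes, applied to the file list in Ricky's post, as an added example script that is not part of this thread (it is not Edward's OpenSCAP-based tool and not a VMware utility). It assumes `sha256sum` is available (the busybox on ESXi provides one; set `HASH_CMD` to another hasher if yours does not), that the watched files have either been copied to a local directory via vCLI/scp (`ROOT=/path/to/copy`) or that the script runs on the host itself (`ROOT=/`), and that no watched path contains spaces. The function names `fim_manifest`, `fim_compare` and `fim_check` and the manifest layout are this example's own choices.

```shell
#!/bin/sh
# Added example for this thread (not Edward's tool, not a VMware utility):
# a minimal weekly change-detection check for PCI DSS 11.5 on an ESXi host.
# Assumptions: sha256sum exists (busybox on ESXi provides it; override with
# HASH_CMD=sha1sum etc. if not) and either this runs on the host with ROOT=/
# or the files were first copied to a local directory (ROOT=/path/to/copy).
# Manifest format is "hash  path" (two spaces); paths with spaces are unsupported.

HASH_CMD="${HASH_CMD:-sha256sum}"

# Files to watch: the list from Ricky's post. Extend it from the hardening guide.
FIM_FILES="/etc/vmware/esx.conf
/etc/vmware/snmp.xml
/etc/vmware/hostd/config.xml
/etc/vmware/ssl/rui.crt
/etc/vmware/ssl/rui.key
/etc/vmware/config
/etc/vmware/configrules"

# fim_manifest ROOT FILELIST -> prints "hash  path" per watched file, sorted by path.
# A file that does not exist hashes as MISSING and an unreadable one as UNREADABLE,
# so a deleted or permission-changed file shows up as drift instead of vanishing.
fim_manifest() {
    root="$1"; list="$2"
    printf '%s\n' "$list" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ -f "$root$f" ]; then
            h=$("$HASH_CMD" "$root$f" 2>/dev/null | cut -d' ' -f1)
            [ -n "$h" ] || h=UNREADABLE
        else
            h=MISSING
        fi
        printf '%s  %s\n' "$h" "$f"
    done | sort -k2
}

# fim_compare BASELINE CURRENT -> prints one line per drifted path
# (CHANGED / ADDED / REMOVED / NOBASE) and returns 1 on drift, 0 when clean.
fim_compare() {
    base="$1"; cur="$2"; drift=0
    while IFS= read -r line; do
        h=${line%%  *}; f=${line#*  }
        old=$(awk -v f="$f" '$2 == f { print $1 }' "$base")
        case "$old/$h" in
            "$h/$h")     ;;                                  # unchanged
            "/"*)        echo "NOBASE   $f"; drift=1 ;;      # path not in baseline yet
            "MISSING/"*) echo "ADDED    $f"; drift=1 ;;      # absent before, present now
            *"/MISSING") echo "REMOVED  $f"; drift=1 ;;      # present before, absent now
            *)           echo "CHANGED  $f"; drift=1 ;;      # hash differs
        esac
    done < "$cur"
    return $drift
}

# fim_check ROOT BASELINE -> the first run records the baseline; later runs compare
# the current manifest against it and keep the dated manifest as audit evidence.
# Re-baseline only after an approved change (cp "$cur" "$baseline"), never automatically.
fim_check() {
    root="$1"; baseline="$2"
    cur="${baseline}.$(date +%Y%m%d)"
    fim_manifest "$root" "$FIM_FILES" > "$cur"
    if [ ! -f "$baseline" ]; then
        cp "$cur" "$baseline"
        echo "baseline recorded in $baseline"
        return 0
    fi
    fim_compare "$baseline" "$cur"
}

# Weekly use from a management box, against a copy of the host files:
#   fim_check /srv/fim/hostA/files /srv/fim/hostA/baseline || <alert personnel>
if [ "$#" -eq 2 ]; then
    fim_check "$1" "$2"
fi
```

A non-zero exit from `fim_check` is the alert condition 11.5 asks for; wire it to whatever notifies your personnel, and keep the dated manifests alongside the change tickets so the "why did it change" question has an answer at audit time.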