7 Replies Latest reply on Jan 12, 2016 7:06 AM by patrickrd2004

    PCI DSS 3.0 Section 11.5

    spride Enthusiast

      PCI DSS 3.0 Section 11.5 says this: "Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly."

       

      Has anyone figured out a solution for this?  I submitted a VMware support ticket asking and they said they have no tool/app today that does this nor could they recommend any.  I find it rather surprising this standard has been effective since Jan 1, 2015 and there is hardly any info on what people are doing to fulfil this (and 11.5.1) requirement.  Thanks!

        • 1. Re: PCI DSS 3.0 Section 11.5
          Texiwill Guru
vExpert, User Moderator

          Hello,

           

There is a lot of interpretation to this: 1) Is this for the workload, VM, or host? 2) Is this about changes to infrastructure or the application? Once you get those answered, and if they are about the host or VM, you can use several tools today:

           

          VMware vCM

          HyTrust CloudControl

          Catbird vSecurity

          etc.

           

          It really depends on how you interpret the change. Critical file comparisons could be done by monitoring the changes that occur within a host or VM container. You could also download the configuration of the host config via the vCLI, vMA every week and compare it via the proper checksum to the previous week. That would also suffice. But only if you are looking at the host.

           

          The answer will depend on what is considered in-scope for this audit. Find that out and then we may be able to add more to the conversation. This is too general at the moment. It is sort of like saying 'count the stripes' and we do not know if we are talking about zebras, cheetahs, shirts, houses, or cars.

           

          Best regards,
          Edward L. Haletky
          VMware Communities User Moderator, VMware vExpert 2009-2015

          Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

          Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

          • 2. Re: PCI DSS 3.0 Section 11.5
            spride Enthusiast

            Thanks for the quick response, Edward.  This would be just from an ESXi host perspective.  We have vCM and I tried importing the PCI DSS 3.0 tool, but even though it says it was successful we aren't seeing any filters, etc., for it.

             

            I've heard of people home-brewing their own solution much like you mentioned with vCLI, but was just curious if there may be an easier solution.  If not, then we may have to go that route.  For now, we've shut down all but the minimal services on the host and put it in lockdown mode as per the hardening guide.  This requirement though seems to be a stumper.

             

            Thanks.

            • 3. Re: PCI DSS 3.0 Section 11.5
              Texiwill Guru
vExpert, User Moderator

              Hello,

               

Then you really want to look into HyTrust CloudControl and/or Catbird vSecurity, as they will monitor changes to a host for you. The reporting is to monitor for change drift or unauthorized changes. How you do that depends on how you feel you should do it. If I monitor the contents of a file for change, it does not mean I need to monitor the entire file for change. The contents are really what is important, not the actual file itself.

               

              If your QSA is really stuck on you must have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intent. I would fire them and get one that truly understands the intent. Also, if you control access to the management console, that is also a compensating control and that is captured as well. You need to think how those files would change in the first place and if I can control said change, log said change, etc. then I have a compensating control that is sufficient.

               

              I can also use the hardening guide to monitor critical files for change as well by monitoring the critical settings within those files. I have a tool that does just that as do many others.

               

              Best regards,
              Edward L. Haletky

              • 4. Re: PCI DSS 3.0 Section 11.5
                spride Enthusiast

                "If your QSA is really stuck on you must have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intent. I would fire them and get one that truly understands the intent. Also, if you control access to the management console, that is also a compensating control and that is captured as well. You need to think how those files would change in the first place and if I can control said change, log said change, etc. then I have a compensating control that is sufficient."

                 

                LOL.  Man, if only.  Yes, we have the ESXi host pretty well locked down so that all enablement/etc is done through the vCenter (which itself is strictly controlled).  Our manager has a similar line of thinking as you when it comes to interpretation, and feels that perhaps the strictness of control itself may be enough to meet the requirement.  Hearing it from an expert only adds fodder to our case.  Worst case scenario is we have to implement a solution such as you provided, which isn't the end of the world - just more work.  Appreciate your input!

                • 5. Re: PCI DSS 3.0 Section 11.5
                  Texiwill Guru
vExpert, User Moderator

                  Hello,

                   

Well, if you need such a thing, I have the beginnings of a script that will do it and will finish it shortly; it is actually part of an OpenSCAP hardening guide assessment. Just let me know. I am sure we can work out something.

                   

                  Actually, you do have the right to ask for a new QSA if the one you have is being overly dense or does not get along, or any number of reasons.  Check your agreements.

                   

But on the other hand, if you can explain what you do check and why it is a compensating control to an auditor, they should accept that unless they are being overzealous ...

                   

                  Best regards,
                  Edward L. Haletky

                  • 6. Re: PCI DSS 3.0 Section 11.5
                    spride Enthusiast

Cool.  Thanks, Edward, you've been most helpful.  I'd definitely like to hear more about the tool you are working on.

                    • 7. Re: PCI DSS 3.0 Section 11.5
                      patrickrd2004 Lurker

                      Hi Texiwill,

                       

                      I am running into similar issues with needing to have a FIM solution for PCI. I was wondering if you were able to create the script you mentioned in your post to look for changes in the files on the ESXi server. I was looking to monitor files like:

                      1. /etc/vmware/esx.conf
                      2. /etc/vmware/snmp.xml
                      3. /etc/vmware/hostd/config.xml - listed as hostAgentConfig.xml
                      4. /etc/vmware/ssl/rui.crt - listed as ssl_cert
                      5. /etc/vmware/ssl/rui.key - listed as ssl_key
                      6. /etc/vmware/config   - listed as vmware_config
7. /etc/vmware/configrules

                       

                      Thanks for your help.

                       

                      Ricky
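The "home-brew" approach Edward describes in his first reply (pull the host configuration off every week and compare checksums against the previous week), the point from his third reply that the alert should name the setting that changed rather than just the file, and Ricky's list of files above can be illustrated with one small script. This is an added example written for this page; it is not code from the thread, from VMware, or from any of the tools named here. It assumes each week's copies of the files have already been pulled off the host into a snapshot directory laid out as `<snapshot>/etc/vmware/...` (for instance with the vCLI `vifs` command or scp), so the script never runs on the ESXi host itself, and that `esx.conf` and `config` use `key = "value"` lines; the sample files in `demo()` are constructed, not real host output.

```python
"""Weekly critical-file comparison for copies of ESXi host configuration files.

Added example (not code from the thread or from VMware). Assumes each week's
files have been copied off the host into <snapshot>/etc/vmware/... beforehand.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Files named in the thread, relative to the snapshot root.
CRITICAL_FILES = [
    "etc/vmware/esx.conf",
    "etc/vmware/snmp.xml",
    "etc/vmware/hostd/config.xml",
    "etc/vmware/ssl/rui.crt",
    "etc/vmware/ssl/rui.key",
    "etc/vmware/config",
    "etc/vmware/configrules",
]
# Files whose lines have the form  key = "value"  and can be diffed setting by setting (assumption).
KV_FILES = {"etc/vmware/esx.conf", "etc/vmware/config"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(snapshot_root: Path, files=CRITICAL_FILES) -> dict:
    """Map each monitored file present in the snapshot to its SHA-256 hex digest."""
    return {rel: sha256_file(snapshot_root / rel)
            for rel in files if (snapshot_root / rel).is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist this week's digests; keep this file where the host itself cannot write."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify every monitored path as modified, added or removed since the last run."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def parse_kv(text: str) -> dict:
    """Parse  key = "value"  lines; blank lines and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def changed_settings(old_text: str, new_text: str) -> dict:
    """Name the individual settings that differ, so the alert says what changed, not just that the file did."""
    old, new = parse_kv(old_text), parse_kv(new_text)
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def weekly_report(last_week: Path, this_week: Path) -> dict:
    """Hash-compare two snapshot directories and, for key/value files, explain each modification."""
    files = compare_baselines(build_baseline(last_week), build_baseline(this_week))
    settings = {rel: changed_settings((last_week / rel).read_text(), (this_week / rel).read_text())
                for rel in files["modified"] if rel in KV_FILES}
    return {"files": files, "settings": settings}


def demo() -> dict:
    """Constructed two-week snapshot pair (sample data, not real host output)."""
    base = Path(tempfile.mkdtemp())
    week1, week2 = base / "week1", base / "week2"
    sample = {
        "etc/vmware/esx.conf": '/adv/UserVars/ESXiShellTimeOut = "900"\n'
                               '/adv/UserVars/SuppressShellWarning = "0"\n',
        "etc/vmware/config": 'libdir = "/usr/lib/vmware"\n',
        "etc/vmware/ssl/rui.crt": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
    }
    for root in (week1, week2):
        for rel, text in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
    # Drift introduced in week 2: one shell setting flipped, the certificate replaced,
    # and a configrules file that did not exist the week before.
    (week2 / "etc/vmware/esx.conf").write_text(sample["etc/vmware/esx.conf"].replace('"0"', '"1"'))
    (week2 / "etc/vmware/ssl/rui.crt").write_text("-----BEGIN CERTIFICATE-----\nreissued\n-----END CERTIFICATE-----\n")
    (week2 / "etc/vmware/configrules").write_text("# constructed\n")
    save_baseline(build_baseline(week2), base / "baseline.json")  # what next week's run compares against
    return weekly_report(week1, week2)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash comparison alone satisfies the "critical file comparisons at least weekly" wording; the setting-level diff is what makes the resulting alert useful to whoever reviews it, and it also lets you ignore files whose hash changed only because of a re-issued certificate or a timestamp. Because the digests are stored off the host, an unauthorized change on the host cannot also rewrite the baseline it is compared against.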