pci dss 3.2 compliance with tripwire solutions · co nid ence :secured white paper advanced threat...

WHITE PAPERCONFIDENCE:SECURED

ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

TRIPWIRE ENTERPRISETRIPWIRE LOG CENTER

TRIPWIRE IP360TRIPWIRE PURECLOUD

A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE PAPER

2 PCI DSS 3.2 Compliance with Tripwire Solutions - A UL/Tripwire White Paper

CONTENTS TrademarkAcknowledgements-----------------------------------------------------------------------------------------------------------------3

Copyright----------------------------------------------------------------------------------------------------------------------------------------------3

PCIDSSversion--------------------------------------------------------------------------------------------------------------------------------------3

Intendedaudience----------------------------------------------------------------------------------------------------------------------------------4

Authors------------------------------------------------------------------------------------------------------------------------------------------------4

AboutTripwire---------------------------------------------------------------------------------------------------------------------------------------4

Disclaimer---------------------------------------------------------------------------------------------------------------------------------------------4

Introduction------------------------------------------------------------------------------------------------------------------------------------------5

PCIDSSAssessmentProcess---------------------------------------------------------------------------------------------------------------------6

PCIDSSCompliancewithTripwireEnterprise-----------------------------------------------------------------------------------------------7

TRIPWIREEnterpriseFileIntegrityManager-------------------------------------------------------------------------------------------------9

TRIPWIREEnterprisePolicyManager--------------------------------------------------------------------------------------------------------11

PCIDSSCompliancewithTripwireLogCenter---------------------------------------------------------------------------------------------18

PCIDSSCompliancewithTripwireIP360----------------------------------------------------------------------------------------------------23

PCIDSSCompliancewithTripwirePureCloud---------------------------------------------------------------------------------------------28

TechnicalInformationAboutTripwireProductstoComplywithPCIDSS-----------------------------------------------------------32

3PCI DSS 3.2 Compliance with Tripwire Solutions - A UL/Tripwire White Paper

TRADEMARK ACKNOWLEDGEMENTS ThefollowingaretrademarksorregisteredtrademarksofTripwire,Inc.:

• Tripwire• LogCenter• IP360

PCISecurityStandardsCouncil,LLC(theCouncil)istheownerofthecopyrightofthematerialknownasPCIDataSecurityStandards(PCIDSS).PCIDSSistheexclusivepropertyoftheCouncil.

COPYRIGHT ©2017ULTransactionSecurityPtyLtdandTripwire,Inc.

Thisdocumentmaybecopiedinitsentiretyanddistributedinanymediumsubjecttothefollowing:allcopyrightsnotices,includingthisnotice,arepreserved;thedocumentmayonlybecopiedinitsentirety;andthedocumentmustnotbemadeavailablefordownloadfromanywebsiteinanyformat.ThisdocumentmaybemadeavailablethroughahyperlinktoULTransactionSecurityPtyLtd’sorTripwire’swebsites.

Exceptassetoutabove,nopartofthisdocumentmaybereproduced,altered,adapted,translated,published,rebrandedorotherwisewithoutthepriorwrittenpermissionofULTransactionSecurityPtyLtdorTripwire,Inc.

PCI DSS VERSION ThiswhitepaperhasbeenbasedonPCIDSSRequirementsandSecurityAssessmentProcedures,Version3.2,andTemplateforReportonComplianceforusewithPCIDSSv3.2.ThesedocumentscanbeobtainedfromthePCISSCwebsiteat

https://www.pcisecuritystandards.org/security_standards/documents.php

ThePCISSCwebsitecontainsanumberofotherdocumentsthatmaybehelpfulininterpretingthePCIDSSspecification.Thesesupportingdocumentscanbedownloadedfromthesamelocation.


INTENDED AUDIENCE This whitepaper would be a useful guide for security personnel who wants find out how Tripwire® Enterprise, Tripwire Log Center®, Tripwire IP360™ and Tripwire PureCloud could assist in meeting PCI DSS requirements. Qualified Security Assessors (QSAs) might find this document useful as it highlights the areas the PCI DSS requirements that can be verified and met by the Tripwire products reviewed in this paper. Prior knowledge of Tripwire Enterprise, Tripwire Log Center, Tripwire IP360, Tripwire PureCloud and PCI DSS is recommended.

AUTHORS This whitepaper has been prepared by UL’s Transaction Security Division in conjunction with Tripwire.

UL’s Transaction Security division guides companies within the mobile, payments and transit domains through the complex world of electronic transactions. UL is the global leader in ensuring security, compliance and global interoperability. Offering advice, test and certification services, security evaluations and test tools, during the full life cycle of your product development process or the implementation of new technologies. UL’s people pro-‐actively collaborate with industry players to define robust standards and policies. Serving you locally whilst acting globally. UL is recognized by leading industry bodies including Visa, MasterCard, Discover, JCB, American Express, EMVCo, PCI, GCF, ETSI, GSMA, GlobalPlatform, NFC Forum and many others.

For more information, go to UL-‐TS.com

ABOUT TRIPWIRE Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-‐fidelity asset visibility and deep endpoint intelligence combined with business-‐context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-‐class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at www.tripwire.com. Get security news, trends and insights at tripwire.com/blog.

DISCLAIMER This document should be treated as a guide only. It does not guarantee that an organization will necessarily be compliant by following the recommendations herein. Professional advice should be sought to determine the organization’s specific situation and exactly what needs to be done for the organization to achieve PCI DSS compliance. The status in regards to PCI DSS compliance will ultimately be determined by the organization’s QSA.


INTRODUCTION Anyentitythatprocesses,transmitsorstoresaccountdata1,orcanimpactthesecurityofcardholderdataenvironment(CDE)2,isrequiredtobecomplianttothePaymentCardIndustryDataSecurityStandard(PCIDSS).InPCIDSSallsystemcomponents3,processesandpeoplethatareincludedinorconnectedtotheCDE,orcanimpactthesecurityoftheCDE,areconsideredin-scope.PCIDSScomprisesof12highlevelrequirements.Eachhighlevelrequirementincludesanumberoflow-levelrequirementsandeachlow-levelrequirementconsistsofoneormoretestingprocedures.PCIDSSversion3.2includes270+low-levelrequirementsand460+testingprocedures.Thelow-levelrequirementswillbereferredtoasthe“requirements”fromthispointonward.

DuringaPCIDSSassessment,testingproceduresarefollowedbyqualifiedsecurityassessors(QSAs)tovalidateifin-scopesystemcomponents,processesandpeoplemeettheintentsoftherequirements.ThiswhitepaperexaminesthefunctionalitiesprovidedbyTripwireEnterprise,TripwireLogCenter,TripwireIP360andTripwirePureCloudthatcanbeusedtoassistentitiesmeetinganumberofPCIDSSrequirements.

TripwireEnterprise TripwireLogCenter TripwireIP360 TripwirePureCloud

32 18 9 4

Table1:SummaryoftotalnumberofPCIDSSrequirementscoveredbyTripwireproducts

Thisreporthasbeenorganizedasfollows:AbriefdescriptionofthePCIDSSassessmentprocesshasbeenprovidedinthenextsection.ThefollowingfoursectionscovertheoverviewsofTripwireEnterprise,TripwireLogCenter,TripwireIP360andTripwirePureCloud,andhowtheseproductscanbeusedtomeetPCIDSSrequirements.

WhileTripwireproductscanassistentitiestocomplywithcertainPCIDSSrequirements,theseproductsmightbeconsideredtohavesecurityimpactsontheCDEandthereforewouldberequiredtocomplywithapplicablePCIDSSrequirements.ThelastsectionincludestechnicalinformationabouttheseproductswhichwouldbeusefultounderstandhowtheymeetsomekeyPCIDSSrequirements,e.g.defaultusernamesandpassword.

1Accountdataconsistsofthefollowingcomponents:• Cardholderdata(CHD)consistingofprimaryaccountnumber(PAN),cardholdername,expirationdateandservicecode• Cardholderdata(CHD)consistingofprimaryaccountnumber(PAN),cardholdername,expirationdateandservicecode• Sensitiveauthenticationdata(SAD)whichincludesconsistingoffullmagneticstripedataorequivalentonachip,

CAV2/CVC2/CVV2/CIDorPINs/PINblocks2CardholderdataenvironmentorCDEreferstothesystemcomponents(e.g.servers,applications,firewallsetc.),peopleandprocessesthatstore,processortransmitcardholderdataorsensitiveauthenticationdata.AsystemcomponentthathasnotbeensegmentedfromthesystemcomponentswithintheCDEisconsideredpartoftheCDE.3Systemcomponentsrefertoservers,applicationsandnetworkdevicesthatareincludedinorconnectedtotheCDE,orcanimpactthesecurityoftheCDE.


PCI DSS ASSESSMENT PROCESS AtthebeginningoftheassessmentprocessaQSAtypicallydefinesthescopeoftheassessment.DuringthisstagetheQSAisrequiredtoidentifyallsystemcomponents,processesandpeoplethatareincludedinorconnectedtotheCDE,orcanimpactthesecurityoftheCDE.Oncethescopeisdetermined,theQSAwouldtypicallyselectarepresentativesampleoftheidentifiedsystemcomponents,processesandpeople.Thenthesampledsystemcomponents,processesandpeoplewouldbeassessedagainstapplicablePCIDSSrequirementsandtestingprocedures.ThefindingsoftheassessmentwouldbedocumentedinatemplatecalledTemplateforReportonCompliance(ROC)forusewithPCIDSS.PCIhaspublishedthistemplatethatoutlinesthetypeofevidence,informationandlevelofdetailaQSAisexpectedtoprovideforrespondingtoeachtestingprocedureintheROC.

Figure1:ExtractfromTemplateforReportonCompliance(ROC)forusewithPCIDSSV3.2

AnextractfromthetemplatehasbeenprovidedinFigure1.TheReportingInstructioncolumn(i.e.2ndcolumninFigure1)containstheinstructionsforQSAstofollowforwritingupthefindingsforaparticularrequirementandtestingprocedure.ThetemplateforROCisavailableonPCISSCwebsiteanditisrecommendedthatthisdocumentisusedbyentitiestounderstandwhattypeofevidenceandinformationaQSAislikelytolookforduringanassessment.


PCI DSS COMPLIANCE WITH TRIPWIRE ENTERPRISE TripwireEnterpriseprovidestwoproductcomponents:

• Fileintegritymonitoring(FIM)-knownasTripwireEnterpriseFileIntegrityManager• Compliancemonitoring-knownasTripwireEnterprisePolicyManager

AFIMorsimilartechnologyisrequiredforthreerequirements.TripwireEnterpriseFileIntegrityManagercanbeusedasaFIMtomeettheserequirements.

TripwireEnterprisePolicyManagercanbeusedtomonitorconfigurationsettingsforoperatingsystemsandnetworkdevices,andalertsystem/networkadministratorsifanymonitoredsettingschange.ThisfeaturecanbeusefultodemonstratetoQSAsthatmonitoredsystemcomponentshavebeenconfiguredasperdocumentedstandards.

Figure2:TripwireEnterprisearchitecture


TripwireEnterprisecanbeinstalledwitheitherofthefollowingmodes:

1. Withasingle-systeminstallation,wheretheTripwireEnterpriseConsolesoftwareandTripwireEnterprisedatabase4arebothinstalledonthesamesystem(theTripwireEnterpriseServer)

2. Withadistributedinstallation,wheretheTripwireEnterpriseConsolesoftwareisinstalledontheTripwireEnterpriseServer,andtheTripwireEnterprisedatabaseonanothersystem

Inadistributedinstallation,theTripwireEnterprisedatabaseisalsoreferredtoasaremotedatabase.Aremotedatabaseserveristhesystemonwhicharemotedatabaseisinstalled.

Forsometypesofsystems(e.g.Windows,Solaris,Oracledatabase)TripwireEnterpriserequiresaTripwireagenttorunonthetargetsystemtocollectinformation(e.g.systemsettings,hashesoffiles)andsendtheinformationbacktotheTripwireEnterpriseServertoanalyze.Forothersystems(e.g.networkdevices,customapplications,HPNonStop)TripwireEnterpriseneedstobeusedinagentlessmode.InthismodeTripwireEnterpriseServerwouldneedtoconnecttothetargetsystemusingausernameandpasswordwithappropriateprivilegethatwouldallowittoruncommands/scriptstoretrieveinformationtobeanalyzedwithinTripwireEnterpriseserver.

4ATripwireEnterprisedatabasestoresalldatageneratedbyTripwireEnterpriseConsole.


TRIPWIRE ENTERPRISE FILE INTEGRITY MANAGER ThecapabilitiesoftheTripwireEnterpriseFileIntegrityManagerwerereviewedinrelationtotheapplicablePCIDSSrequirements.FindingshavebeensummarizedinthenexttableundertheRemarkscolumn.TheareasofthePCIDSSrequirementsthatcanbeverifiedusingimplementingtheTripwireEnterpriseFileIntegrityManagerhavebeenhighlightedinboldintheROCReportingInstructioncolumn.Tocomplywitharequirement,theitemsthathavenotbeenboldedalsoneedtobemetaspertheROCReportingDetailscolumn,e.g.throughinterview,reviewdocumentationsetc.

PCIDSSRequirements

TestingProcedures ROCReportingInstruction Remarks

11.5Deployachange-detectionmechanism(forexample,file-integritymonitoringtools)toalertpersonneltounauthorizedmodification(includingchanges,additionsanddeletions)ofcriticalsystemfiles,configurationfiles,orcontentfiles;andconfigurethesoftwaretoperformcriticalfilecomparisonsatleastweekly.

11.5.aVerifytheuseofachange-detectionmechanismwithinthecardholderdataenvironmentbyobservingsystemsettingsandmonitoredfiles,aswellasreviewingresultsfrommonitoringactivities.Examplesoffilesthatshouldbemonitored:• Systemexecutables• Applicationexecutables• Configurationandparameterfiles• Centrallystored,historicalor

archived,logandauditfiles• Additionalcriticalfilesdeterminedby

entity(i.e.,throughriskassessmentorothermeans)

Describethechange-detectionmechanismdeployed.Identifytheresultsfrommonitoredfilesreviewedtoverifytheuseofachange-detectionmechanism.Describehowthefollowingverifiedtheuseofachange-detectionmechanism:

• Systemsettings• Monitoredfiles

TripwireEnterpriseFileIntegrityManagercouldbeusedtodemonstratetoaQSAthatafile-integritymonitoringsolutionisusedtomonitorchangestocriticalsystemfiles,configurationfiles,orcontentfiles.TripwireEnterpriseFileIntegrityManagercanbeconfiguredtocheckchanges(e.g.modification,deletion)tofilesonascheduledorreal-timebasisandsendalertsifchangesaredetected.

11.5.bVerifythemechanismisconfiguredtoalertpersonneltounauthorizedmodification(includingchanges,additionsanddeletions)ofcriticalfiles,andtoperformcriticalfilecomparisonsatleastweekly.

Describehowsystemsettingsverifiedthatthechange-detectionmechanismisconfiguredto:

• Alertpersonneltounauthorizedmodification(includingchanges,additionsanddeletions)ofcriticalfiles.

• Performcriticalfilecomparisonsatleastweekly.

12.10.3Designatespecificpersonneltobeavailableona24/7basistorespondtoalerts.

12.10.3Verifythroughobservation,reviewofpolicies,andinterviewsofresponsiblepersonnelthatdesignatedpersonnelareavailablefor24/7incidentresponseandmonitoringcoverageforanyevidenceofunauthorizedactivity,detectionofunauthorizedwirelessaccesspoints,criticalIDSalerts,and/orreportsofunauthorizedcriticalsystemorcontentfilechanges.

Identifytheresponsiblepersonnelinterviewedwhoconfirm24/7incidentresponseandmonitoringcoveragefor:

• Anyevidenceofunauthorizedactivity.• Detectionofunauthorizedwirelessaccess

points.• CriticalIDSalerts.• Reportsofunauthorizedcriticalsystemor

contentfilechanges.Describehowitwasobservedthatdesignatedpersonnelareavailablefor24/7incidentresponseandmonitoringcoveragefor:

• Anyevidenceofunauthorizedactivity.• Detectionofunauthorizedwirelessaccess

points.• CriticalIDSalerts.• Reportsofunauthorizedcriticalsystemor

contentfilechanges.

Thisrequirementisrelatedtorespondingtoalertsreceivedfromvarioussources,e.g.fileintegritymonitoring,intrusiondetectionorprevention.AQSAwouldwanttoseethatadocumentedprocessexiststomonitorandrespondtoalertsTheQSAwouldalsocheckthatdocumentedprocessisbeingfollowed.AlertsfromTripwireEnterpriseFileIntegrityManagercanbeusedasanevidencetodetectunauthorizedchangestocriticalsystemorcontentfiles.


PCIDSSRequirements

TestingProcedures ROCReportingInstruction Remarks

12.10.5Includealertsfromsecuritymonitoringsystems,includingbutnotlimitedtointrusion-detection,intrusion-prevention,firewalls,andfile-integritymonitoringsystems.

12.10.5VerifythroughobservationandreviewofprocessesthatmonitoringandrespondingtoalertsfromsecuritymonitoringsystemsarecoveredintheIncidentResponsePlan.

DescribehowprocesseswerereviewedtoverifythatmonitoringalertsfromsecuritymonitoringsystemsarecoveredintheIncidentResponsePlan.DescribehowprocesseswerereviewedtoverifythatrespondingtoalertsfromsecuritymonitoringsystemsarecoveredintheIncidentResponsePlan.

AlertsfromTripwireEnterpriseFileIntegrityManagercanbeusedasoneoftheinputsfortheincidentresponseplan.


TRIPWIRE ENTERPRISE POLICY MANAGER TheTripwireEnterprisePolicyManagercontainsasetofpoliciesthatcanbeusedtomonitorvariousconfigurationsettings.Itstartsbyperformingascanofconfigurationsettingsofthemonitoredsystemcomponents(e.g.servers,databasesandnetworkdevices)toproduceabaselineconfigurationstate,theknownstate.ThenitcomparesthebaselineconfigurationsettingsagainstsettingsspecifiedinaselectedTripwirecompliancepolicy.TripwireEnterprisePolicyManagerthengeneratesascorecardthatshowshowconfigurationsmeasureupagainstpolicy.Italsoallowsdrilldownfromthescorecardforspecificfailures,andprovidesremediationguidancewithstep-by-stepinstructionstogetfailedconfigurationsintoacompliantstate.

ThefeaturesoftheTripwireEnterprisePolicyManagerwerereviewedinrelationtotheapplicablePCIDSSrequirements.FindingshavebeensummarizedinthenexttableundertheRemarkscolumn.FindingshavebeensummarizedinthenexttableundertheRemarkscolumn.TheareasofthePCIDSSrequirementsthatcanbeverifiedusingimplementingtheTripwireEnterprisePolicyManagerhavebeenhighlightedinboldintheROCReportingInstructioncolumn.Tocomplywitharequirement,theitemsthathavenotbeenboldedalsoneedtobemetaspertheROCReportingDetailscolumn,e.g.throughinterview,reviewdocumentationsetc.

PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarks2.1Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.

2.1.bForthesampleofsystemcomponents,verifythatallunnecessarydefaultaccounts(includingaccountsusedbyoperatingsystems,securitysoftware,applications,systems,POSterminals,SNMP,etc.)areremovedordisabled.

Foreachiteminthesampleofsystemcomponentsindicatedat2.1.a,describehowallunnecessarydefaultaccountswereverifiedtobeeither:

• Removed• Disabled

TripwireEnterprisePolicyManagercanbeconfiguredtocheckifdefaultaccountshavebeenremoved,renamedordisabled.AQSAwouldalsocheckthatifanydefaultpasswordandSNMPstringisused.AQSAwouldtypicallyperformthistestbyobservingovertheshoulderofanadministratorwhetherloginattemptswithdefaultpasswordsfail.

2.2.2Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

2.2.2.aSelectasampleofsystemcomponentsandinspectenabledsystemservices,daemons,andprotocolstoverifythatonlynecessaryservicesorprotocolsareenabled.

Identifythesampleofsystemcomponentsselected.Foreachiteminthesample,describehowtheenabledsystemservices,daemons,andprotocolsverifiedthatonlynecessaryservicesorprotocolsareenabled.

TripwireEnterprisePolicyManagercanbeusedtotakeasnapshotofalltheservicesandprocessesrunning,andportsthatareinLISTENmode.Thissnapshotcanbeusedtomonitorifthelisthasbeenchanged.AsTripwireEnterprisePolicyManagerwouldbecheckingagainstasnapshot,alertswillbegeneratedassoonasthelistchanges,e.g.ifaprocessendsandstartswithanewprocessID.

2.2.2.bIdentifyanyenabledinsecureservices,daemons,orprotocolsandinterviewpersonneltoverifytheyarejustifiedperdocumentedconfigurationstandards.

Foreachiteminthesampleofsystemcomponentsfrom2.2.2.a,indicatewhetheranyinsecureservices,daemons,orprotocolsareenabled.(yes/no)If“no,”marktheremainderof2.2.2.band2.2.3as“NotApplicable.”If“yes,”identifytheresponsiblepersonnelinterviewedwhoconfirmthatadocumentedbusinessjustificationwaspresentforeachinsecureservice,daemon,orprotocol

Alistofinsecureservices,processesandportscanbelistedinarule.Ifasystemcomponentisfoundtoberunningaserviceorprocess,orlisteningonaportthathasbeenlistedinthisrule,thiswouldbedetectedbytheTripwireEnterprisePolicyManagersothatappropriateactioncanbetakentoresolve


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarks2.2.3Implementadditionalsecurityfeaturesforanyrequiredservices,protocols,ordaemonsthatareconsideredtobeinsecure.

2.2.3.aInspectconfigurationsettingstoverifythatsecurityfeaturesaredocumentedandimplementedforallinsecureservices,daemons,orprotocols.

Describehowconfigurationsettingsverifiedthatsecurityfeaturesforallinsecureservices,daemons,orprotocolsare:

• Documented• Implemented

thisissue.Documentedbusinessjustificationsmustexistforallinsecureservices,processesandports.Securityfeaturesmustbeimplementedtoensureinsecureservices,processesandportscanbeusedtocompromisecardholderdataorsystemcomponentsthatstore,processortransmitaccountdata.

2.2.4Configuresystemsecurityparameterstopreventmisuse.

2.2.4.cSelectasampleofsystemcomponentsandinspectthecommonsecurityparameterstoverifythattheyaresetappropriatelyandinaccordancewiththeconfigurationstandards.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowthecommonsecurityparametersverifiedthattheyaresetappropriatelyandinaccordancewiththeconfigurationstandards.

CommonsecurityparameterswhicharedocumentedcanbespecifiedinrulessothatTripwireEnterprisePolicyManagercanbeusedtoautomaticallymonitorthecompliancestatusofoperatingsystems,databasesandnetworkdevices.IfaQSAcanverifythatTripwireEnterprisePolicyManagerhasbeenconfiguredtomonitorcommonsecurityparametersforallin-scopesystemcomponents,thentheQSAcouldusethecompliancestatusreportasanevidenceforthistestingprocedure.

2.2.5Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems,andunnecessarywebservers.

2.2.5.aSelectasampleofsystemcomponentsandinspecttheconfigurationstoverifythatallunnecessaryfunctionality(forexample,scripts,drivers,features,subsystems,filesystems,etc.)isremoved.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowconfigurationsverifiedthatallunnecessaryfunctionalityisremoved.

Rulescanbecreatedtocheckthefunctionalitiesenabled(e.g.webserver,DNS)inanoperatingsystemagainstabaseline.Thebaselineneedstobedocumented.

2.2.5.bExaminethedocumentationandsecurityparameterstoverifyenabledfunctionsaredocumentedandsupportsecureconfiguration.

Describehowthesecurityparametersandrelevantdocumentationverifiedthatenabledfunctionsare:

• Documented• Supportsecureconfiguration

2.2.5.cExaminethedocumentationandsecurityparameterstoverifythatonlydocumentedfunctionalityispresentonthesampledsystemcomponents.

Identifydocumentationexaminedforthistestingprocedure.Describehowthesecurityparametersverifiedthatonlydocumentedfunctionalityispresentonthesampledsystemcomponentsfrom2.2.5.a.

2.3Encryptallnon-consoleadministrativeaccessusingstrongcryptography.

2.3.aObserveanadministratorlogontoeachsystemandexaminesystemconfigurationstoverifythatastrongencryptionmethodisinvokedbeforetheadministrator’spasswordisrequested.

Describehowtheadministratorlogontoeachsystemverifiedthatastrongencryptionmethodisinvokedbeforetheadministrator’spasswordisrequested.Describehowsystemconfigurationsforeachsystemverifiedthatastrongencryptionmethodisinvokedbeforetheadministrator’spasswordisrequested.Identifythestrongencryptionmethodusedfornon-consoleadministrativeaccess.

TripwireEnterprisePolicyManagercanbeusedtomonitorifasecureloginprotocol(e.g.SSH)issupportedbyoperatingsystemsornetworkdevices.IfSSHorTerminalServiceisused,itmightbepossibletocreaterulestomonitorthesecuritysettingsassociatedwiththeseprotocols.AQSAismightwanttoobservethatpasswordsareenteredonlywhenasecureloginprotocolisused.

2.3.bReviewservicesandparameter Describehowservicesandparameterfileson TripwireEnterprisePolicy


PCIDSSRequirements TestingProcedures ROCReportingInstruction RemarksfilesonsystemstodeterminethatTelnetandotherinsecureremote-logincommandsarenotavailablefornon-consoleaccess.

systemsverifiedthatTelnetandotherinsecureremote-logincommandsarenotavailablefornon-consoleaccess.

Managercanbeconfiguredtocheckifanyinsecureservice(e.g.Telnet)isenabledonanoperatingsystemornetworkdevice.

2.3.cObserveanadministratorlogontoeachsystemtoverifythatadministratoraccesstoanyweb-basedmanagementinterfacesisencryptedwithstrongcryptography.

Describehowtheadministratorlogontoeachsystemverifiedthatadministratoraccesstoanyweb-basedmanagementinterfaceswasencryptedwithstrongcryptography.Identifythestrongencryptionmethodusedforanyweb-basedmanagementinterfaces.

TripwireEnterprisePolicyManagercanbeconfiguredtocheckifawebserviceisrunningandsecuritysettings(e.g.version,enabledciphersuites)associatedwiththewebservice.

4.1Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:• Onlytrustedkeysand

certificatesareaccepted.

• Theprotocolinuseonlysupportssecureversionsorconfigurations.

• Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.

4.1.anIdentifyalllocationswherecardholderdataistransmittedorreceivedoveropen,publicnetworks.Examinedocumentedstandardsandcomparetosystemconfigurationstoverifytheuseofsecurityprotocolsandstrongcryptographyforalllocations.

Identifyalllocationswherecardholderdataistransmittedorreceivedoveropen,publicnetworks.Identifythedocumentedstandardsexamined.

1. 2. Describehowthedocumentedstandardsandsystem

configurationsbothverifiedtheuseof:• Securityprotocolsforalllocations• Strongcryptographyforalllocations

AQSAneedstoidentifyallpossiblemethods/URLsusedfortransmittingaccountdataoveropen,publicnetworks.ForeachofthemethodsTripwireEnterprisePolicyManagercanbeconfiguredtocheckifsecureconfigurationsareused,andinsecureversions(e.g.onlytheversionofTLSisenabledwhichisnotvulnerabletoanyknownvulnerabilities)orconfigurations(e.g.weakciphersuites)arenotenabled.

4.1.eExaminesystemconfigurationstoverifythattheprotocolisimplementedtouseonlysecureconfigurationsanddoesnotsupportinsecureversionsorconfigurations.

ForallinstanceswherecardholderdataIstransmittedorreceivedoveropen,publicnetworks,describehowsystemconfigurationsverifiedthattheprotocol:

• Isimplementedtouseonlysecureconfigurations.

• Doesnotsupportinsecureversionsorconfigurations.

TripwireEnterprisePolicyManagercanbeconfiguredtocheckifstrongciphersuite,secureversionofprotocolandappropriateciphers/keylengthhavebeenenabled.AQSAwouldexaminevendorrecommendations/bestpracticesforencryptionstrengthtobeusedforeachtransmissionmethod.

4.1.fExaminesystemconfigurationstoverifythattheproperencryptionstrengthisimplementedfortheencryptionmethodologyinuse.(Checkvendorrecommendations/bestpractices.)

Foreachencryptionmethodologyinuse,Identifyvendorrecommendations/bestpracticesforencryptionstrength.Identifytheencryptionstrengthobservedtobeimplemented.

4.1.gForTLSimplementations,examinesystemconfigurationstoverifythatTLSisenabledwhenevercardholderdataistransmittedorreceived.

IndicatewhetherTLSisimplementedtoencryptcardholderdataoveropen,publicnetworks.(yes/no)If‘no,’marktheremainderof4.1.gas‘notapplicable.’If“yes,”forallinstanceswhereTLSisusedtoencryptcardholderdataoveropen,publicnetworks,describehowsystemconfigurationsverifiedthatTLSisenabledwhenevercardholderdataistransmittedorreceived.

5.1Deployanti-virussoftwareonallsystemscommonlyaffectedbymalicioussoftware(particularlypersonalcomputersandservers).

5.1Forasampleofsystemcomponentsincludingalloperatingsystemtypescommonlyaffectedbymalicioussoftware,verifythatanti-virussoftwareisdeployedifapplicableanti-virustechnologyexists.

Identifythesampleofsystemcomponents(includingalloperatingsystemtypescommonlyaffectedbymalicioussoftware)selectedforthistestingprocedure.Foreachiteminthesample,describehowanti-virussoftwarewasobservedtobedeployed.

AQSAwouldidentifyalloperatingsystems(e.g.Windows)commonlyaffectedbymalicioussoftware.TripwireEnterprisePolicyManagercanbeconfiguredtocheckthelistofservices/processesrunningtoensureananti-virusservice/processexists.

7.2.1Coverageofallsystemcomponents.

7.2.1Confirmthataccesscontrolsystemsareinplaceonallsystemcomponents.

Identifyvendordocumentationexamined.Describehowsystemsettingsandthevendor

TripwireEnterprisePolicyManagercanbeusedtocheckif


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarksdocumentationverifiedthataccesscontrolsystemsareinplaceonallsystemcomponents.

• Acentralizedaccesscontrolsystemhasbeendeployedonoperatingsystemsandnetworkdevices.

• ThecentralizedaccesscontrolsystemhasbeenconfiguredasperthepolicyspecifiedinTripwireEnterpriseCompliancePolicyManager

7.2.2Assignmentofprivilegestoindividualsbasedonjobclassificationandfunction.

7.2.2Confirmthataccesscontrolsystemsareconfiguredtoenforceprivilegesassignedtoindividualsbasedonjobclassificationandfunction.

Describehowsystemsettingsandthevendordocumentationat7.2.1verifiedthataccesscontrolsystemsareconfiguredtoenforceprivilegesassignedtoindividualsbasedonjobclassificationandfunction.

7.2.3Default“deny-all”setting.

7.2.3Confirmthattheaccesscontrolsystemshaveadefault“deny-all”setting.

Describehowsystemsettingsandthevendordocumentationat7.2.1verifiedthataccesscontrolsystemshaveadefault“deny-all”setting.

8.1.4Remove/disableinactiveuseraccountswithin90days.

8.1.4Observeuseraccountstoverifythatanyinactiveaccountsover90daysoldareeitherremovedordisabled.

Describehowuseraccountswereobservedtoverifythatanyinactiveaccountsover90daysoldareeitherremovedordisabled.

TripwireEnterprisePolicyManagercanbeconfiguredtomonitoraccountexpiry/lockoutsettingsonsupportedsystemcomponentstoensureuseraccountsinactiveformorethan90daysaredisabled/removed/locked.

8.1.6LimitrepeatedaccessattemptsbylockingouttheuserIDafternotmorethansixattempts.

8.1.6.aForasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatauthenticationparametersaresettorequirethatuseraccountsbelockedoutafternotmorethansixinvalidlogonattempts.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatauthenticationparametersaresettorequirethatuseraccountsbelockedafternotmorethansixinvalidlogonattempts.

TripwireEnterprisePolicyManagercanbeconfiguredtocheckaccountlockoutthresholdanddurationsettingsonsupportedsystems.

8.1.6.bAdditionalprocedureforserviceproviderassessmentsonly:Reviewinternalprocessesandcustomer/userdocumentation,andobserveimplementedprocessestoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.

Additionalprocedureforserviceproviderassessmentsonly,identifythedocumentedinternalprocessesandcustomer/userdocumentationreviewedtoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.Describehowimplementedprocesseswereobservedtoverifythatnon-consumercustomeruseraccountsaretemporarilylocked-outafternotmorethansixinvalidaccessattempts.

8.1.7Setthelockoutdurationtoaminimumof30minutesoruntilanadministratorenablestheuserID.

8.1.7Forasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatpasswordparametersaresettorequirethatonceauseraccountislockedout,itremainslockedforaminimumof30minutesoruntilasystemadministratorresetstheaccount.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatpasswordparametersaresettorequirethatonceauseraccountislockedout,itremainslockedforaminimumof30minutesoruntilasystemadministratorresetstheaccount.

8.1.8Ifasessionhasbeenidleformorethan15minutes,requiretheusertore-authenticatetore-activatetheterminalorsession.

8.1.8Forasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatsystem/sessionidletimeoutfeatureshavebeensetto15minutesorless.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatsystem/sessionidletimeoutfeatureshavebeensetto15minutesorless.

TripwireEnterprisePolicyManagercanbeconfiguredtochecksessionidletime-outsettingonsupportedsystems.ThesettingsrelatedtoscreenlockoutwithpasswordprotectioncanalsobecheckedwithTripwireEnterprisePolicyManageronsupportedoperatingsystems(e.g.Windows).


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarks8.2.1Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

8.2.1.aExaminevendordocumentationandsystemconfigurationsettingstoverifythatpasswordsareprotectedwithstrongcryptographyduringtransmissionandstorage.

Identifythevendordocumentationexaminedtoverifythatpasswordsareprotectedwithstrongcryptographyduringtransmissionandstorage.Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatpasswordsareprotectedwithstrongcryptographyduringtransmission.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatpasswordsareprotectedwithstrongcryptographyduringstorage.

TripwireEnterprisePolicyManagercanbeconfiguredtomonitorsettingsforloginmethods(e.g.SSH,TerminalService)andpasswordstorage(e.g.DoNotStoreLanManagerPasswordHashforWindows)inoperatingsystemsandnetworkdevices.

8.2.3.aPasswords/passphrasesmustmeetthefollowing:• Requireaminimum

lengthofatleastsevencharacters.

• Containbothnumericandalphabeticcharacters.

Alternatively,thepasswords/passphrasesmusthavecomplexityandstrengthatleastequivalenttotheparametersspecifiedabove.

8.2.3.aForasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatuserpassword/passphraseparametersaresettorequireatleastthefollowingstrength/complexity:• Requireaminimumlengthofat

leastsevencharacters.• Containbothnumericand

alphabeticcharacters.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatuserpassword/passphraseparametersaresettorequireatleastthefollowingstrength/complexity:• Requireaminimumlengthofatleastseven

characters.• Containbothnumericandalphabetic

characters.

TripwireEnterprisePolicyManagercanbeconfiguredtocheckpasswordlengthandcomplexitysettingonsupportedsystems.

8.2.3.bAdditionalprocedureforserviceproviderassessmentsonly:Reviewinternalprocessesandcustomer/userdocumentationtoverifythatnon-consumercustomerpasswords/passphrasesarerequiredtomeetatleastthefollowingstrength/complexity:• Requireaminimumlengthofat

leastsevencharacters.• Containbothnumericand

alphabeticcharacters.

• Additionalprocedureforserviceproviderassessmentsonly:Identifythedocumentedinternalprocessesandcustomer/userdocumentationreviewedtoverifythatnon-consumercustomerpasswords/passphrasesarerequiredtomeetatleastthefollowingstrength/complexity:• Aminimumlengthofatleastsevencharacters.• Non-consumercustomer

passwords/passphrasesarerequiredtocontainbothnumericandalphabeticcharacters.

Describehowinternalprocesseswereobservedtoverifythatnon-consumercustomerpasswords/passphrasesarerequiredtomeetatleastthefollowingstrength/complexity:• Aminimumlengthofatleastseven

characters.• Non-consumercustomer

passwords/passphrasesarerequiredtocontainbothnumericandalphabeticcharacters.

8.2.4Changeuserpasswords/passphrasesatleastonceevery90days.

8.2.4.aForasampleofsystemcomponents,inspectsystemconfigurationsettingstoverifythatuserpassword/passphraseparametersaresettorequireuserstochangepasswords/passphrasesatleastonceevery90days.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatuserpassword/passphraseparametersaresettorequireuserstochangepasswords/passphrasesatleastonceevery90days.

TripwireEnterprisePolicyManagercanbeconfiguredtomonitorpasswordexpirysettingonsupportedsystems.

8.2.4.bAdditionalprocedureforserviceproviderassessmentsonly:Reviewinternalprocessesandcustomer/userdocumentationtoverifythat:• Non-consumercustomeruser

passwords/passphrasesarerequiredtochangeperiodically;and

• Non-consumercustomerusersaregivenguidanceastowhen,andunderwhatcircumstances,

Additionalprocedureforserviceproviderassessmentsonly,identifythedocumentedinternalprocessesandcustomer/userdocumentationreviewedtoverifythat:• Non-consumercustomeruser


• Non-consumercustomerusersaregivenguidanceastowhen,andunderwhatcircumstances,passwords/passphrasesmustchange.


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarkspasswords/passphrasesmustchange.

Describehowinternalprocesseswereobservedtoverifythat:• Non-consumercustomeruser


• Non-consumercustomerusersaregivenguidanceastowhen,andunderwhatcircumstances,passwords/passphrasesmustchange.

8.2.5Donotallowanindividualtosubmitanewpassword/passphrasethatisthesameasanyofthelastfourpasswords/passphrasesheorshehasused.

8.2.5.aForasampleofsystemcomponents,obtainandinspectsystemconfigurationsettingstoverifythatpassword/passphrasesparametersaresettorequirethatnewpasswords/passphrasescannotbethesameasthefourpreviouslyusedpasswords/passphrases.

Identifythesampleofsystemcomponentsselectedforthistestingprocedure.Foreachiteminthesample,describehowsystemconfigurationsettingsverifiedthatpassword/passphraseparametersaresettorequirethatnewpasswords/passphrasescannotbethesameasthefourpreviouslyusedpasswords/passphrases.

TripwireEnterprisePolicyManagercanbeconfiguredtocheckpasswordhistorysettingonsupportedsystems.

8.2.5.bAdditionalProcedureforserviceproviderassessmentsonly:Reviewinternalprocessesandcustomer/userdocumentationtoverifythatnewnon-consumercustomeruserpasswords/passphrasescannotbethesameasthepreviousfourpasswords/passphrases.

Additionalprocedureforserviceproviderassessmentsonly,identifythedocumentedinternalprocessesandcustomer/userdocumentationreviewedtoverifythatnewnon-consumercustomeruserpasswords/passphrasescannotbethesameasthepreviousfourpasswords/passphrases.Describehowinternalprocesseswereobservedtoverifythatnewnon-consumercustomeruserpasswords/passphrasescannotbethesameasthepreviousfourpasswords/passphrases.

10.2.2Allactionstakenbyanyindividualwithrootoradministrativeprivileges.

10.2.2Verifyallactionstakenbyanyindividualwithrootoradministrativeprivilegesarelogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedallactionstakenbyanyindividualwithrootoradministrativeprivilegesarelogged.

LogsettingsonsupportedsystemscanbemonitoredwithTripwireEnterprisePolicyManagertoensurefollowingeventsarecaptured:• Actionstakenwith

privilegedaccess,e.g.changingsecuritysettings,adding/modifyinguseraccounts,installingapplications,changinglogsettingsetc.

• Failedloginattempts

10.2.4Invalidlogicalaccessattempts.

10.2.4Verifyinvalidlogicalaccessattemptsarelogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatinvalidlogicalaccessattemptsarelogged.

10.25Useofandchangestoidentificationandauthenticationmechanisms-includingbutnotlimitedtocreationofnewaccountsandelevationofprivileges-andallchanges,additions,ordeletionstoaccountswithrootoradministrativeprivileges.

10.2.5.aVerifyuseofidentificationandauthenticationmechanismsislogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatuseofidentificationandauthenticationmechanismsislogged.

10.2.5.bVerifyallelevationofprivilegesislogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatallelevationofprivilegesislogged.

10.2.5.cVerifyallchanges,additions,ordeletionstoanyaccountwithrootoradministrativeprivilegesarelogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatallchanges,additions,ordeletionstoanyaccountwithrootoradministrativeprivilegesarelogged.

10.2.6Initialization,stopping,orpausingoftheauditlogs.

10.2.6Verifythefollowingarelogged:• Initializationofauditlogs.• Stoppingorpausingofauditlogs.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatinitializationofauditlogsislogged.Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatstoppingandpausingofauditlogsislogged.

10.2.7Creationanddeletionofsystem-levelobjects.

10.2.7Verifycreationanddeletionofsystemlevelobjectsarelogged.

Forallitemsinthesampleat10.2,describehowconfigurationsettingsverifiedthatcreationanddeletionofsystemlevelobjectsarelogged.

10.4Usingtime-synchronizationtechnology,synchronizeallcriticalsystemclocksandtimesandensurethatthefollowingisimplementedforacquiring,distributing,andstoring

10.4Examineconfigurationstandardsandprocessestoverifythattime-synchronizationtechnologyisimplementedandkeptcurrentperPCIDSSRequirements6.1and6.2.

Identifythetimesynchronizationtechnologiesinuse.(IfNTP,includeversion)Identifythedocumentedtime-synchronizationconfigurationstandardsexaminedtoverifythattimesynchronizationtechnologyisimplementedandkeptcurrentperPCIDSSRequirements6.1and6.2.

TripwireEnterprisePolicyManagercanbeusedtocheckthelistofservices/processesrunningtocheckiftimesynchronizationserviceisrunningandwherepossiblegettheversioninfoaswell.


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarkstime.Note:OneexampleoftimesynchronizationtechnologyisNetworkTimeProtocol(NTP).

Describehowprocesseswereexaminedtoverifythattimesynchronizationtechnologiesare:• Implemented.• Keptcurrent,perthedocumentedprocess.

AQSAwouldalsoaskfor• Documentsthatdefine

processestokeepthetimesynchronizationtechnologypatchedasperrequirements6.1and6.2,andcurrent.

• Evidencethatthedocumentedprocessesarefollowed

10.4.1Criticalsystemshavethecorrectandconsistenttime.

10.4.1.bObservethetime-relatedsystem-parametersettingsforasampleofsystemcomponentstoverify:• Onlythedesignatedcentraltime

server(s)receivetimesignalsfromexternalsources,andtimesignalsfromexternalsourcesarebasedonInternationalAtomicTimeorUTC.

• Wherethereismorethanonedesignatedtimeserver,thedesignatedcentraltimeserver(s)peerwithoneanothertokeepaccuratetime.

• Systemsreceivetimeonlyfromdesignatedcentraltimeserver(s).

Identifythesampleofsystemcomponentsselectedfor10.4.1.b-10.4.2.bForallitemsinthesample,describehowthetime-relatedsystem-parametersettingsverified:• Onlythedesignatedcentraltimeserver(s)

receivetimesignalsfromexternalsources,andtimesignalsfromexternalsourcesarebasedonInternationalAtomicTimeorUTC.

• Wherethereismorethanonedesignatedtimeserver,thedesignatedcentraltimeserver(s)peerwithoneanothertokeepaccuratetime.

• Systemsreceivetimeonlyfromdesignatedcentraltimeserver(s).

TimeconfigurationsettingscanbemonitoredbyTripwireEnterprisePolicyManagertoensure• Onlydesignated

externaltimesourcesareusedbyinternaltimeservers

• Eachinternalsystemreceivestimeonlyfromdesignatedinternaltimerservers.

10.4.2Timedataisprotected.

10.4.2.aExaminesystemconfigurationsandtime-synchronizationsettingstoverifythataccesstotimedataisrestrictedtoonlypersonnelwithabusinessneedtoaccesstimedata.

Forallitemsinthesamplefrom10.4.1,describehowconfigurationsettingsverifiedthataccesstotimedataisrestrictedtoonlypersonnelwithabusinessneedtoaccesstimedata.

Accessrightsassignedtogroups/usersofthehostsystemcanbemonitoredbyTripwireEnterprisePolicyManagertoensureonlyauthorizedgroups/userscanmakechangestotimesettings

10.4.2.bExaminesystemconfigurations,timesynchronizationsettingsandlogs,andprocessestoverifythatanychangestotimesettingsoncriticalsystemsarelogged,monitored,andreviewed.

Forallitemsinthesamplefrom10.4.1,describehowconfigurationsettingsandtimesynchronizationsettingsverifiedthatanychangestotimesettingsoncriticalsystemsarelogged.Forallitemsinthesamplefrom10.4.1,describehowtheexaminedlogsverifiedthatanychangestotimesettingsoncriticalsystemsarelogged.Describehowtimesynchronizationprocesseswereexaminedtoverifychangestotimesettingsoncriticalsystemsare:• Logged• Monitored• Reviewed

LogsettingsofthehostsystemcanbemonitoredbyTripwireEnterprisePolicyManagertoensuremodificationstotimesettingsarelogged.

10.4.3Timesettingsarereceivedfromindustry-acceptedtimesources.

10.4.3Examinesystemsconfigurationstoverifythatthetimeserver(s)accepttimeupdatesfromspecific,industry-acceptedexternalsources(topreventamaliciousindividualfromchangingtheclock).Optionally,thoseupdatescanbeencryptedwithasymmetrickey,andaccesscontrollistscanbecreatedthatspecifytheIPaddressesofclientmachinesthatwillbeprovidedwiththetimeupdates(topreventunauthorizeduseofinternaltimeservers).

Identifythesampleoftimeserversselectedforthistestingprocedure.Forallitemsinthesample,describehowconfigurationsettingsverifiedeitherofthefollowing:• Thatthetimeserversreceivetimeupdates

fromspecific,industry-acceptedexternalsources.OR

• Thattimeupdatesareencryptedwithasymmetrickey,andaccesscontrollistsspecifytheIPaddressesofclientmachines.

TimeconfigurationsettingscanbemonitoredbyTripwireEnterprisePolicyManagertoensureonlydesignatedexternaltimesourcesareusedbyinternaltimeservers.


PCI DSS COMPLIANCE WITH TRIPWIRE LOG CENTER TripwireLogCenterconsistsoftwoproductcomponents:

1. TripwireLogCenterManager(TLCManager)isthecoresoftwareforTripwireLogCenterenvironment.TLCManagercollectsandprocesseslogmessagesfromawidevarietyofsystemsanddevices.

2. TripwireLogCenterConsole(TLCConsole)isthesoftwarefortheTripwireLogCentergraphicaluserinterface(GUI).ThiscanbeusedtoconfigureTripwireLogCenterandtoviewlogsandalerts.

TripwireLogCentercanbeusedasacentralrepositoryforstoringlogsfromvarioussystemscomponentswithinthenetwork.ItcanstorelogsencryptedusingAES-256.LogsfromsupportedoperatingsystemsarepushedbyTripwireagentsintoTripwireLogCenter.Logsfromagentlessdevices(e.g.networkdevices)arecollectedbyTripwireLogCenter.TripwireLogCenterprovidesauserinterfacethatcanbeusedformanagementpurposes(e.g.configuration,logreview).TripwireLogCentercanbeconfiguredtogeneratealertsoneventsofinterest.Thesealertscanbesenttoresponsiblepersonnelviavariousmethodssuchasemail,syslog.

Eighteenrequirementsarerelatedtostoringlogsinaremoteorcentralizedlocation,protectingthelogsfromunauthorizedmodificationsandreviewinglogsatleastdailytoidentifymaliciousactivities.TripwireLogCentercanbeconfiguredtoassistcompaniesmeetingtheserequirements.

ThecapabilitiesoftheTripwireLogCenterwerereviewedinrelationtotheapplicablePCIDSSrequirements.FindingshavebeensummarizedinthenexttableundertheRemarkscolumn.TheareasofthePCIDSSrequirementsthatcanbeverifiedusingTripwireLogCenterhavebeenhighlightedinboldintheROCReportingInstructioncolumn.Tomeetarequirement,theentityassessedwouldbeexpectedtodemonstratetoaQSAhowotheritemsintheROCReportingDetailscolumnfortheparticularrequirementcomplywithPCIDSS.

PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarks10.1Implementaudittrailstolinkallaccesstosystemcomponentstoeachindividualuser.

10.1Verify,throughobservationandinterviewingthesystemadministrator,that:• Audittrailsareenabledandactive

forsystemcomponents.• Accesstosystemcomponentsis

linkedtoindividualusers.

Identifythesystemadministrator(s)interviewedwhoconfirmthat:• Audittrailsareenabledandactiveforsystem

components.• Accesstosystemcomponentsislinkedto

individualusers.Describehowaudittrailswereobservedtoverifythefollowing:• Audittrailsareenabledandactiveforsystem

components.• Accesstosystemcomponentsislinkedto

individualusers.

IfauditlogsaresenttoTripwireLogCenter,followingrequirementscouldbeverifiedbytheQSAduringaPCIDSSassessment:• Audittrailsare

enabledandactiveforsystemcomponents.

• Accesstosystemcomponentsislinkedtoindividualusers.

• Alltheeventslistedinrequirements10.2and10.4.2arelogged

• Eachlogeventincludestheinformationlistedinrequirements10.3.1-10.3.6

10.2Implementautomatedaudittrailsforallsystemcomponentstoreconstructthefollowingevents:• Allindividualaccess

tocardholderdata.• Allactionstakenby

anyindividualwithrootoradministrativeprivileges.

• Accesstoallaudittrails.

• Invalidlogicalaccessattempts.

• Useofandchangestoidentificationand

10.2Throughinterviewsofresponsiblepersonnel,observationofauditlogs,andexaminationofauditlogsettings,performthefollowing:• Allindividualaccesstocardholder

data.• Allactionstakenbyanyindividual

withrootoradministrativeprivileges.

• Accesstoallaudittrails.• Invalidlogicalaccessattempts.• Useofandchangesto

identificationandauthenticationmechanisms,including:o Allelevationofprivileges.o Allchanges,additions,or

Identifytheresponsiblepersonnelinterviewedwhoconfirmthefollowingfrom10.2.1-10.2.7arelogged:• Allindividualaccesstocardholderdata.• Allactionstakenbyanyindividualwithrootor

administrativeprivileges.• Accesstoallaudittrails.• Invalidlogicalaccessattempts.• Useofandchangestoidentificationand

authenticationmechanisms,including:o Allelevationofprivileges.o Allchanges,additions,ordeletionstoany

accountwithrootoradministrativeprivileges.

• Initializationofauditlogs.• Stoppingorpausingofauditlogs.• Creationanddeletionofsystemlevelobjects.


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarksauthenticationmechanisms,including:o Allelevationof

privileges.o Allchanges,

additions,ordeletionstoanyaccountwithrootoradministrativeprivileges.

• Initializationofauditlogs.

• Stoppingorpausingofauditlogs.

• Creationanddeletionofsystemlevelobjects.

deletionstoanyaccountwithrootoradministrativeprivileges.

• Initializationofauditlogs.• Stoppingorpausingofauditlogs.• Creationanddeletionofsystem

levelobjects.

Identifythesampleofauditlogsselectedfor10.2.1-10.2.7.

10.3Recordatleastthefollowingaudittrailentriesforallsystemcomponentsforeachevent:• Useridentification• Typeofevent• Dateandtime• Successorfailure

indication• Originationofevent• Identityornameof

affecteddata,systemcomponent,orresource

10.3Throughinterviewsandobservationofauditlogs,foreachauditableevent(from10.2),performthefollowing:• Useridentification• Typeofevent• Dateandtime• Successorfailureindication• Originationofevent• Identityornameofaffecteddata,

systemcomponent,orresource

Identifytheresponsiblepersonnelinterviewedwhoconfirmthatforeachauditableeventfrom10.2.1-10.2.7,thefollowingareincludedinlogentries:• Useridentification• Typeofevent• Dateandtime• Successorfailureindication• Originationofevent• Identityornameofaffecteddata,system

component,orresourceIdentifythesampleofauditlogsfrom10.2.1-10.2.7observedtoverifythefollowingareincludedinlogentries:• Useridentification• Typeofevent• Dateandtime• Successorfailureindication• Originationofevent• Identityornameofaffecteddata,system

component,orresource10.3.1Useridentification 10.3.1Verifyuseridentificationis

includedinlogentries.Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedthatuseridentificationisincludedinlogentries.

10.3.2Typeofevent 10.3.2Verifytypeofeventisincludedinlogentries.

Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedthattypeofeventisincludedinlogentries.

10.3.3Dateandtime 10.3.3Verifydateandtimestampisincludedinlogentries.

Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedthatdateandtimestampisincludedinlogentries.

10.3.4Successorfailureindication

10.3.4Verifysuccessorfailureindicationisincludedinlogentries.

Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedsuccessorfailureindicationisincludedinlogentries.

10.3.5Originationofevent 10.3.5Verifyoriginationofeventisincludedinlogentries.

Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedoriginationofeventisincludedinlogentries.

10.3.6Identityornameofaffecteddata,systemcomponent,orresource.

10.3.6Verifyidentityornameofaffecteddata,systemcomponent,orresourcesisincludedinlogentries.

Foralllogsinthesampleat10.3,describehowtheauditlogsverifiedtheidentityornameofaffecteddata,systemcomponent,orresourceisincludedinlogentries.

10.4.2Timedataisprotected.

10.4.2.bExaminesystemconfigurations,timesynchronizationsettingsandlogs,andprocessestoverifythatanychangestotimesettingsoncriticalsystemsarelogged,monitored,andreviewed.

Forallitemsinthesamplefrom10.4.1,describehowconfigurationsettingsandtimesynchronizationsettingsverifiedthatanychangestotimesettingsoncriticalsystemsarelogged.Forallitemsinthesamplefrom10.4.1,describehowtheexaminedlogsverifiedthatanychangestotimesettingsoncriticalsystemsarelogged.


PCIDSSRequirements TestingProcedures ROCReportingInstruction RemarksDescribehowtimesynchronizationprocesseswereexaminedtoverifychangestotimesettingsoncriticalsystemsare:• Logged• Monitored• Reviewed

10.5.1Limitviewingofaudittrailstothosewithajob-relatedneed.

10.5.1Onlyindividualswhohaveajob-relatedneedcanviewaudittrailfiles.

Foreachiteminthesampleat10.5,describehowsystemconfigurationsandpermissionsverifiedthatonlyindividualswhohaveajob-relatedneedcanviewaudittrailfiles.

EachTripwireLogCenterusercanbeassigneddifferentrolesandprivilegestoensureonlyindividualswhohasadocumentedjob-relatedneedhaveprivilegedaccesstotheproducttoperformadministrativetasks.RolesandprivilegesassignedtosampledusersinTripwireLogCenterwillbeexaminedbyaQSAduringanassessment.

10.5.2Protectaudittrailfilesfromunauthorizedmodifications.

10.5.2Currentaudittrailfilesareprotectedfromunauthorizedmodificationsviaaccesscontrolmechanisms,physicalsegregation,and/ornetworksegregation.

Foreachiteminthesampleat10.5,describehowsystemconfigurationsandpermissionsverifiedthatcurrentaudittrailfilesareprotectedfromunauthorizedmodificationsviaaccesscontrolmechanisms,physicalsegregation,and/ornetworksegregation.

IfTripwireLogCenterisusedtostoreaudittrailscentrallyfromconnectedsystemcomponents(e.g.operatingsystems,networkdevices),thentheuserlistinTripwireLogCentercanbeusedtoshowthatpersonnelwhohaveaccesstoconnectedsystemsdonothaveaccesstoTripwireLogCenter.Thiscouldbeusedtodemonstratethataudittrailsareprotectedfromunauthorizedmodificationsviaaccesscontrolmechanisms.AsTripwireLogCenterwouldusuallybeonaseparatephysicalsystem,QSAwouldbeabletovalidatethataudittrailfilesareprotectedfromunauthorizedmodificationsviaphysicalsegregation.

10.5.3Promptlybackupaudittrailfilestoacentralizedlogserverormediathatisdifficulttoalter.

10.5.3Currentaudittrailfilesarepromptlybackeduptoacentralizedlogserverormediathatisdifficulttoalter.

Foreachiteminthesampleat10.5,describehowsystemconfigurationsandpermissionsverifiedthatcurrentaudittrailfilesarepromptlybackeduptoacentralizedlogserverormediathatisdifficulttoalter.

TripwireLogCentercanbeusedtopromptlybackupaudittrailsfromconnectedsystemcomponents(e.g.operatingsystems,networkdevices).ThiscanbedemonstratedbyloggingintooneoftheconnectedsystemcomponentsandsimultaneouslyshowinginTripwireLogCenterthatthiseventhasbeencapturedbyTripwireLogCenterinrealtime.UseraccesscontrolsettingsimplementedinTripwireLogCenterandpermission

10.5.4Writelogsforexternal-facingtechnologiesontoasecure,centralized,internallogserverormediadevice.

10.5.4Logsforexternal-facingtechnologies(forexample,wireless,firewalls,DNS,mail)arewrittenontoasecure,centralized,internallogserverormedia.

Foreachiteminthesampleat10.5,describehowsystemconfigurationsandpermissionsverifiedthatlogsforexternal-facingtechnologiesarewrittenontoasecure,centralized,internallogserverormedia.


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarksoffolders(e.g.“Data”folder)whererawaudittrailsarestoredcanbeusedtodemonstratethatitisdifficulttoalteraudittrailsstoredinTripwireLogCenter.

10.5.5Usefile-integritymonitoringorchange-detectionsoftwareonlogstoensurethatexistinglogdatacannotbechangedwithoutgeneratingalerts(althoughnewdatabeingaddedshouldnotcauseanalert).

10.5.5Examinesystemsettings,monitoredfiles,andresultsfrommonitoringactivitiestoverifytheuseoffile-integritymonitoringorchange-detectionsoftwareonlogs.

Foreachiteminthesampleat10.5,describehowthefollowingverifiedtheuseoffile-integritymonitoringorchange-detectionsoftwareonlogs:• Systemsettings• Monitoredfiles• ResultsfrommonitoringactivitiesIdentifythefile-integritymonitoring(FIM)orchange-detectionsoftwareverifiedtobeinuse.

WhenTripwireLogCenterreceivesalogmessagefromalogcollector,itfirstplacesthemessageinaninternalcache.Whenthelogmessagesinthecacheexceedspecifiedtimeandsizethresholds,TripwireLogCenterflushesthecachecontentsinacompressedfileandcalculatesSHA-256hashofthefile.TripwireLogCentercanbeconfiguredtoalertwhenacompressedlogfilechecksumisaltered.

10.6.1Reviewthefollowingatleastdaily:Allsecurityevents• Logsofallsystem

componentsthatstore,process,ortransmitCHDand/orSAD

• Logsofallcriticalsystemcomponents

• Logsofallserversandsystemcomponentsthatperformsecurityfunctions(forexample,firewalls,intrusion-detectionsystems/intrusion-preventionsystems(IDS/IPS),authenticationservers,e-commerceredirectionservers,etc.).

10.6.1.anExaminesecuritypoliciesandprocedurestoverifythatproceduresaredefinedfor,reviewingthefollowingatleastdaily,eithermanuallyorvialogtools:

• Allsecurityevents• Logsofallsystem




Identifythedocumentedsecuritypoliciesandproceduresexaminedtoverifythatproceduresdefinereviewingthefollowingatleastdaily,eithermanuallyorvialogtools:• Allsecurityevents• Logsofallsystemcomponentsthatstore,process,

ortransmitCHDand/orSAD• Logsofallcriticalsystemcomponents• Logsofallserversandsystemcomponentsthat

performsecurityfunctions.Describethemanualorlogtoolsusedfordailyreviewoflogs.

TripwireLogCentermightbecapturingauditlogsfromtensandhundredsofsystemcomponents(e.g.operatingsystems,networkdevices).Manuallygoingthroughtheselogsdailymightbeinefficientandimpractical.Unusual/abnormalactivitiesneedtobereviewedonadailybasis.ToassistwiththisprocessrulescanbecreatedinTripwireLogCentertofilteroutlogscontainingabnormalactivities,e.g.aprivilegeduserloggingintoasystemcomponentoutsidenormalbusinesshours.

10.6.1.bObserveprocessesandinterviewpersonneltoverifythatthefollowingarereviewedatleastdaily:

• Allsecurityevents• Logsofallsystem




Identifytheresponsiblepersonnelinterviewedwhoconfirmthatthefollowingarereviewedatleastdaily:• Allsecurityevents• Logsofallsystemcomponentsthatstore,process,

ortransmitCHDand/orSAD• Logsofallcriticalsystemcomponents• Logsofallserversandsystemcomponentsthat

performsecurityfunctions.Describehowprocesseswereobservedtoverifythatthefollowingarereviewedatleastdaily:• Allsecurityevents.• Logsofallsystemcomponentsthatstore,

process,ortransmitCHDand/orSAD.• Logsofallcriticalsystemcomponents.• Logsofallserversandsystemcomponentsthat

performsecurityfunctions.


PCIDSSRequirements TestingProcedures ROCReportingInstruction Remarks10.6.2Reviewlogsofallothersystemcomponentsperiodicallybasedontheorganization’spoliciesandriskmanagementstrategy,asdeterminedbytheorganization’sannualriskassessment.

10.6.2.aExaminesecuritypoliciesandprocedurestoverifythatproceduresaredefinedforreviewinglogsofallothersystemcomponentsperiodically—eithermanuallyorvialogtools—basedontheorganization’spoliciesandriskmanagementstrategy.

Identifythedocumentedsecuritypoliciesandproceduresexaminedtoverifythatproceduresdefinereviewinglogsofallothersystemcomponentsperiodically—eithermanuallyorvialogtools—basedontheorganization’spoliciesandriskmanagementstrategy.Describethemanualorlogtoolsdefinedforperiodicreviewoflogsofallothersystemcomponents.

Thisrequirementappliestolowerrisksystemcomponentsthatarein-scope,butdonotrequiredailylogreviewsasperrequirement10.6.1,e.g.workstationswhichdonothandleCHD,butcanimpactthesecurityoftheCDE.LogsfromthesetypesofsystemcomponentscanalsobesenttoTripwireLogCenterandreviewedandmonitoredthroughTripwireLogCenteraspertheorganization’spoliciesandriskmanagementstrategy.

10.7Retainaudittrailhistoryforatleastoneyear,withaminimumofthreemonthsimmediatelyavailableforanalysis(forexample,online,archived,orrestorablefrombackup).

10.7.bInterviewpersonnelandexamineauditlogstoverifythatauditlogsareretainedforatleastoneyear.

Identifytheresponsiblepersonnelinterviewedwhoconfirmthatauditlogsareretainedforatleastoneyear.Describehowtheauditlogsverifiedthatauditlogsareretainedforatleastoneyear.

TripwireLogCenterstoresrawlogsinflatfiles.Theusualnameofthefolderis“Data.”Dateandtimestampsoftheflatfilescanbeusedtodemonstratehowlongtheaudittrailslogsarestored.TheTripwireLogCenterGUIcanbeusedtoshowlogsfromflatfilesinareadableformat.Thisfeaturecanbeusedtoqueryandshowlogsfromlastthreemonths.

10.7.cInterviewpersonnelandobserveprocessestoverifythatatleastthelastthreemonths’logsareimmediatelyavailableforanalysis.

Identifytheresponsiblepersonnelinterviewedwhoconfirmthatatleastthelastthreemonths’logsareimmediatelyavailableforanalysis.Describehowprocesseswereobservedtoverifythatatleastthelastthreemonths’logsareimmediatelyavailableforanalysis.


PCI DSS COMPLIANCE WITH TRIPWIRE IP360 TripwireIP360isavulnerabilitymanagementsystemwhichcanbeusedbyorganizationstoscanvariousoperatingsystems,networkdevicesandwebapplicationsandassignriskrankingofidentifiedvulnerabilities.

Thesolutionconsistsofthefollowingtwokeyproductcomponents:

1. VnEManager:VnEManagerisahardenedappliancethatservesasthecentraldatarepositoryandmanagementplatform,andcanbephysicalhardwareorvirtualized.

2. DeviceProfiler(DP).DPisahardened,disklessappliancethatscansoperatingsystems,networkdevicesandwebapplicationsandreportsitsfindingstotheVnEManager.

TheTripwireVulnerabilityandExposureResearchTeam(TripwireVERT)isdedicatedtoresearchingthisareaandresponsibleforprovidingtimelyandup-to-datevulnerabilitydiscoverysignaturestotheTripwireIP360solution.VnEManagercanbeconfiguredtoconnecttoTripwireovertheInternettoreceivelatestsignaturesautomatically.IfVnEManagerisnotconnectedtotheInternet,thenlatestsignaturesneedtobedownloadedfromtheTripwirewebsiteusingacustomeraccountasafilereferredtoastheASPL(AdvancedSecurityProfilingLanguage)update.

TripwireIP360wasreviewedinrelationtotheapplicablePCIDSSrequirements.FindingshavebeensummarizedinthenexttableundertheRemarkscolumn.TheareasofthePCIDSSrequirementsthatcanbeverifiedusingTripwireIP360havebeenhighlightedinboldintheROCReportingInstructioncolumn.TomeetarequirementtheentityassessedwouldbeexpectedtodemonstratetoaQSAhowotheritemsintheROCReportingDetailscolumnfortheparticularrequirementcomplywithPCIDSS.


PCIDSSRequirements

TestingProcedures ROCReportingDetails Remarks

2.1Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.

2.1.bForthesampleofsystemcomponents,verifythatallunnecessarydefaultaccounts(includingaccountsusedbyoperatingsystems,securitysoftware,applications,systems,POSterminals,SNMP,etc.)areremovedordisabled.

Foreachiteminthesampleofsystemcomponentsindicatedat2.1.a,describehowallunnecessarydefaultaccountswereverifiedtobeeither:• Removed• Disabled

TripwireIP360canbeusedtoscansupportedplatformstoidentifyifvendorsupplieddefaultusernamesandpasswordsarestillused.

2.2.2Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

2.2.2.aSelectasampleofsystemcomponentsandinspectenabledsystemservices,daemons,andprotocolstoverifythatonlynecessaryservicesorprotocolsareenabled.

Identifythesampleofsystemcomponentsselected.Foreachiteminthesample,describehowtheenabledsystemservices,daemons,andprotocolsverifiedthatonlynecessaryservicesorprotocolsareenabled.

AspartofthenormalscanningTripwireIP360identifiesalltheserviceslisteningonports.Thisinformationcanbeusedtoforthefollowingpurposes:• Comparewiththelistofdocumented

services/protocolstoensureonlynecessaryservices/protocolsareenabled

• Identifyinsecureservices/protocols(e.g.FTP,Telnet)

• IdentifyifSSLandearlyTLSareused

2.2.2.bIdentifyanyenabledinsecureservices,daemons,orprotocolsandinterviewpersonneltoverifytheyarejustifiedperdocumentedconfigurationstandards.

Foreachiteminthesampleofsystemcomponentsfrom2.2.2.a,indicatewhetheranyinsecureservices,daemons,orprotocolsareenabled.(yes/no)If“no,”marktheremainderof2.2.2.band2.2.3as“NotApplicable.”If“yes,”identifytheresponsiblepersonnelinterviewedwhoconfirmthatadocumentedbusinessjustificationwaspresentforeachinsecureservice,daemon,orprotocol

2.2.3Implementadditionalsecurityfeaturesforanyrequiredservices,protocols,ordaemonsthatareconsideredtobeinsecure

2.2.3.bIfSSL/earlyTLSisused,performtestingproceduresinAppendixA2:AdditionalPCIDSSRequirementsforEntitiesusingSSL/EarlyTLS.

• IndicatewhetherSSL/earlyTLSisused.(yes/no)If‘no,’marktheremainderof2.2.3.bas‘notapplicable.’If‘yes,’providethenameoftheassessorwhoatteststhatthetestingproceduresinAppendixA2:AdditionalPCIDSSRequirementsforEntitiesusingSSL/EarlyTLSwereperformed.


2.3.bReviewservicesandparameterfilesonsystemstodeterminethatTelnetandotherinsecureremote-logincommandsarenotavailablefornon-consoleaccess.

DescribehowservicesandparameterfilesonsystemsverifiedthatTelnetandotherinsecureremote-logincommandsarenotavailablefornon-consoleaccess.

2.3.cObserveanadministratorlogontoeachsystemtoverifythatadministratoraccesstoanyweb-basedmanagementinterfacesisencryptedwithstrongcryptography.

Describehowtheadministratorlogontoeachsystemverifiedthatadministratoraccesstoanyweb-basedmanagementinterfaceswasencryptedwithstrongcryptography.Identifythestrongencryptionmethodusedforanyweb-basedmanagementinterfaces.

4.1Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:• Onlytrustedkeys

andcertificatesareaccepted.


• Theencryptionstrengthisappropriateforthe

4.1.aIdentifyalllocationswherecardholderdataistransmittedorreceivedoveropen,publicnetworks.Examinedocumentedstandardsandcomparetosystemconfigurationstoverifytheuseofsecurityprotocolsandstrongcryptographyforalllocations.


3. 4. Describehowthedocumentedstandardsand

systemconfigurationsbothverifiedtheuseof:• Securityprotocolsforalllocations• Strongcryptographyforalllocations




• Doesnotsupportinsecureversionsor


PCIDSSRequirements


encryptionmethodologyinuse.

configurations.



6.1Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.

6.1.bInterviewresponsiblepersonnelandobserveprocessestoverifythat:• Newsecurity

vulnerabilitiesareidentified.

• Ariskrankingisassignedtovulnerabilitiesthatincludesidentificationofall“high”riskand“critical”vulnerabilities.

• Processestoidentifynewsecurityvulnerabilitiesincludeusingreputableoutsidesourcesforsecurityvulnerabilityinformation.

Identifytheresponsiblepersonnelinterviewedwhoconfirmthat:• Newsecurityvulnerabilitiesareidentified.• Ariskrankingisassignedtovulnerabilities

thatincludesidentificationofall“high”riskand“critical”vulnerabilities.


Describetheprocessesobservedtoverifythat:Newsecurityvulnerabilitiesareidentified.• Ariskrankingisassignedtovulnerabilities

toincludeidentificationofall“high”riskand“critical”vulnerabilities.


Identifytheoutsidesourcesused.

TripwireIP360canbeusedtoidentifyvulnerabilitieswithintheinternalnetwork.InformationonhowTripwireIP360scoresvulnerabilitiescanbefoundinthefollowingURLhttp://www.tripwire.com/register/tripwire-vulnerability-scoring-system/TheentityundergoingPCIDSSassessmentcanusethescoreprovidedbyTripwireIP360asoneoftheinputsforevaluatingandassigningriskrating(e.g.“critical”,“High”,“Medium”,“Low”)toanewvulnerabilityasitcomesout.Note:Tofullymeettheintentofthisrequirement,entitiesneedtosubscribetoreputableoutsidesources(e.g.US-CERT)toidentifysecurityvulnerabilitiesintimelymannerforalltypesofin-scopesystems.

6.6Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:• Reviewingpublic-

facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychanges.

Note:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.• Installingan

6.6Forpublic-facingwebapplications,ensurethateitheroneofthefollowingmethodsisinplaceasfollows:• Examinedocumented

processes,interviewpersonnel,andexaminerecordsofapplicationsecurityassessmentstoverifythatpublic-facingwebapplicationsarereviewed-usingeithermanualorautomatedvulnerabilitysecurityassessmenttoolsormethods-asfollows:o Atleastannually.o Afteranychanges.o Byanorganization

thatspecializesinapplicationsecurity.

o That,ataminimum,allvulnerabilitiesin

Foreachpublic-facingwebapplication,identifywhichofthetwomethodsareimplemented:• Webapplicationvulnerabilitysecurity

assessments,AND/OR• Automatedtechnicalsolutionthatdetects

andpreventsweb-basedattacks,suchaswebapplicationfirewalls.

Ifapplicationvulnerabilitysecurityassessmentsareindicatedabove:Describethetoolsand/ormethodsused(manualorautomated,oracombinationofboth).Identifythedocumentedprocessesthatwereexaminedtoverifythatpublic-facingwebapplicationsarereviewedusingthetoolsand/ormethodsindicatedabove,asfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesin

applicationsecurity.• That,ataminimum,allvulnerabilitiesin

Requirement6.5areincludedintheassessment.

TripwireIP360includesoptionstoscanwebapplications.Thisfeaturecanbeusedtodemonstratethatanautomatedwebapplicationvulnerabilitysecurityassessmenttoolisusedtoidentifyvulnerabilitiesforpublic-facingwebapplications.TripwirePureCloud,basedonTripwireIP360,providescoveragefornineoftheOWASPtop10categoriesatthetimeofthispaper.


PCIDSSRequirements


automatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.


o Thatallvulnerabilitiesarecorrected.

o Thattheapplicationisre-evaluatedafterthecorrections.

• Examinethesystemconfigurationsettingsandinterviewresponsiblepersonneltoverifythatanautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)isinplaceasfollows:o Issituatedinfront

ofpublic-facingwebapplicationstodetectandpreventweb-basedattacks.

o Isactivelyrunningandup-to-dateasapplicable.

o Isgeneratingauditlogs.

o Isconfiguredtoeitherblockweb-basedattacks,orgenerateanalertthatisimmediatelyinvestigated.

• Thatallvulnerabilitiesarecorrected• Thattheapplicationisre-evaluatedafter

thecorrections.Identifytheresponsiblepersonnelinterviewedwhoconfirmthatpublic-facingwebapplicationsarereviewed,asfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesin



• Thatallvulnerabilitiesarecorrected.• Thattheapplicationisre-evaluatedafter

thecorrections.Identifytherecordsofapplicationvulnerabilitysecurityassessmentsexaminedforthistestingprocedure.Describehowtherecordsofapplicationvulnerabilitysecurityassessmentsverifiedthatpublic-facingwebapplicationsarereviewedasfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesin



• Thatallvulnerabilitiesarecorrected• Thattheapplicationisre-evaluatedafter

thecorrections.11.2.1Performquarterlyinternalvulnerabilityscans.Addressvulnerabilitiesandperformrescanstoverifyall“high-risk”vulnerabilitiesareresolvedinaccordancewiththeentity’svulnerabilityranking(perRequirement6.1).Scansmustbeperformedbyqualifiedpersonnel.

11.2.1.aReviewthescanreportsandverifythatfourquarterlyinternalscansoccurredinthemostrecent12-monthperiod.

Identifytheinternalvulnerabilityscanreportsandsupportingdocumentationreviewed.Providethenameoftheassessorwhoatteststhatfourquarterlyinternalscanswereverifiedtohaveoccurredinthemostrecent12-monthperiod.

TripwireIP360canbeusedtoidentifyvulnerabilitiesofsupportedoperatingsystems,networkdevicesandwebapplicationsintheinternalnetwork.ItprovidesCVSSscores,andprioritizesandranksvulnerabilities.Thisresultcanbeusedtoidentify“High”vulnerabilitiesandperformrescanninguntilpassingresultsareobtained.

11.2.1.bReviewthescanreportsandverifythatall“high-risk”vulnerabilitiesareaddressedandthescanprocessincludesrescanstoverifythatthe“high-risk”vulnerabilitiesasdefinedinPCIDSSRequirement6.1areresolved.

Identifythedocumentedprocessforquarterlyinternalscanningtoverifytheprocessdefinesperformingrescansaspartofthequarterlyinternalscanprocess.Foreachofthefourinternalquarterlyscansindicatedat11.2.1.a,indicatewhetherarescanwasrequired.(yes/no)If“yes,”describehowrescanswereverifiedtobeperformeduntilall“high-risk”vulnerabilitiesasdefinedinPCIDSSRequirement6.1areresolved.

11.2.3Performinternalandexternalscans,andrescansasneeded,afteranysignificantchange.Scansmustbeperformedbyqualifiedpersonnel.

11.2.3.bReviewscanreportsandverifythatthescanprocessincludesrescansuntil:• Forexternalscans,no

vulnerabilitiesexistthatarescored4.0orhigherbytheCVSS.

• Forinternalscans,all“high-risk”vulnerabilitiesasdefinedinPCIDSS

Forallscansreviewedin11.2.3.a,indicatewhetherarescanwasrequired.(yes/no)If“yes”–forexternalscans,describehowrescanswereperformeduntilnovulnerabilitieswithaCVSSscoregreaterthan4.0exist.If“yes”–forinternalscans,describehowrescanswereperformeduntileitherpassingresultswereobtainedorall“high-risk”


PCIDSSRequirements


Requirement6.1areresolved.

vulnerabilitiesasdefinedinPCIDSSRequirement6.1wereresolved.


PCI DSS COMPLIANCE WITH TRIPWIRE PURECLOUD TripwirePureCloudisTripwire’shostedvulnerabilitymanagementsolution,basedonTripwire’sIP360vulnerabilitymanagementproduct.

TripwirePureCloudforPCI(ASV–ApprovedScanningVendor)usesthesamesoftwareasTripwireIP360intheirhostedenvironmenttoimplementthissolution.EachcustomerisgivenuniquecredentialstologintotheTripwirePureCloudwebportalfromwhichtheycanperformthefollowingtypesofvulnerabilityscans:

1. Perimeter:AnagentlessvulnerabilityscanofInternet-facingsystems,includingweb-basedapplications2. Internal:CustomerswouldneedtodownloadTripwirePureCloudEnterprisesoftwareforuseastheirinternal

scanningtoolandrunitfromaninternalhosttoscaninternalsystems.ThiswouldtypicallyrunonaphysicalorvirtualizedWindowsserver.

3. TripwirePureCloudforPCI:Thisserviceissimilartotheperimeterscan.AspartofthisservicecustomersareabletodownloadscanreportsasperPCIDSSandPCIASVformatsandtakeadvantageofautomaticsubmissionsonaquarterlybasisperthePCIDSSstandardtotheirverifyinginstitution.TripwirePureCloudandPureCloudforPCIusesTripwireIP360astheunderlyingsoftwarewhichislistedonthePCISSCwebsiteasanASV.

TheperimeterscanandPCIASVservicesofTripwirePureCloudwerereviewedinrelationtotheapplicablePCIDSSrequirements.TheareasofthePCIDSSrequirementsthatcanbeverifiedusingtheseserviceshavebeenhighlightedinboldintheROCReportingInstructioncolumn.TomeetarequirementtheentityassessedwouldbeexpectedtodemonstratetoaQSAhowotheritemsintheROCReportingDetailscolumnfortheparticularrequirementcomplywithPCIDSS.

PCIDSSRequirements


4.1Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:• Onlytrustedkeys

andcertificatesareaccepted.


• Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.

4.1.aIdentifyalllocationswherecardholderdataistransmittedorreceivedoveropen,publicnetworks.Examinedocumentedstandardsandcomparetosystemconfigurationstoverifytheuseofsecurityprotocolsandstrongcryptographyforalllocations.


5. 6. Describehowthedocumentedstandardsandsystem

configurationsbothverifiedtheuseof:• Securityprotocolsforalllocations• Strongcryptographyforalllocations

TripwirePureCloudusestheTripwireIP360scanningandassessmentsolutiontocheckexternalIPaddressesforPCIDSScompliancepurpose.Thescancanbeusedtoidentifyifanyinsecureserviceorprotocolisused(e.g.Telnet,SSLV3.0)ontheexternallyfacinginterfaces.




• Doesnotsupportinsecureversionsorconfigurations.


PCIDSSRequirements




6.6Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:• Reviewingpublic-

facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychanges.

Note:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.• Installingan

automatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.

6.6Forpublic-facingwebapplications,ensurethateitheroneofthefollowingmethodsisinplaceasfollows:• Examine

documentedprocesses,interviewpersonnel,andexaminerecordsofapplicationsecurityassessmentstoverifythatpublic-facingwebapplicationsarereviewed-usingeithermanualorautomatedvulnerabilitysecurityassessmenttoolsormethods-asfollows:o Atleast

annually.o Afterany

changes.o Byan

organizationthatspecializesinapplicationsecurity.

o That,ataminimum,allvulnerabilitiesinRequirement6.5areincludedintheassessment.

o Thatallvulnerabilitiesarecorrected.

o Thattheapplicationisre-evaluatedafterthecorrections.

• Examinethesystemconfigurationsettingsandinterviewresponsiblepersonneltoverifythatanautomatedtechnicalsolution

Foreachpublic-facingwebapplication,identifywhichofthetwomethodsareimplemented:• Webapplicationvulnerabilitysecurity

assessments,AND/OR• Automatedtechnicalsolutionthatdetectsand

preventsweb-basedattacks,suchaswebapplicationfirewalls.

Ifapplicationvulnerabilitysecurityassessmentsareindicatedabove:Describethetoolsand/ormethodsused(manualorautomated,oracombinationofboth).Identifythedocumentedprocessesthatwereexaminedtoverifythatpublic-facingwebapplicationsarereviewedusingthetoolsand/ormethodsindicatedabove,asfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesinapplication

security.• That,ataminimum,allvulnerabilitiesin

Requirement6.5areincludedintheassessment.• Thatallvulnerabilitiesarecorrected• Thattheapplicationisre-evaluatedafterthe

corrections.Identifytheresponsiblepersonnelinterviewedwhoconfirmthatpublic-facingwebapplicationsarereviewed,asfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesinapplication


Requirement6.5areincludedintheassessment.• Thatallvulnerabilitiesarecorrected.• Thattheapplicationisre-evaluatedafterthe

corrections.Identifytherecordsofapplicationvulnerabilitysecurityassessmentsexaminedforthistestingprocedure.Describehowtherecordsofapplicationvulnerabilitysecurityassessmentsverifiedthatpublic-facingwebapplicationsarereviewedasfollows:• Atleastannually.• Afteranychanges.• Byanorganizationthatspecializesinapplication


Requirement6.5areincludedintheassessment.• Thatallvulnerabilitiesarecorrected• Thattheapplicationisre-evaluatedafterthe

corrections.

“WebApplicationScan”under“ScanSettings”oftheTripwirePureCloudperimeterscanserviceincludesoptionstoscanwebapplications.Thisfeaturecanbeusedtodemonstratethatanautomatedwebapplicationvulnerabilitysecurityassessmenttoolisusedtoidentifyvulnerabilitiesforpublic-facingwebapplications.TripwirePureCloud,basedonTripwireIP360,providescoveragefornineoftheOWASPtop10categoriesatthetimeofthispaper.


PCIDSSRequirements


thatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)isinplaceasfollows:o Issituatedin

frontofpublic-facingwebapplicationstodetectandpreventweb-basedattacks.

o Isactivelyrunningandup-to-dateasapplicable.

o Isgeneratingauditlogs.

o Isconfiguredtoeitherblockweb-basedattacks,orgenerateanalertthatisimmediatelyinvestigated.

11.2.2Performquarterlyexternalvulnerabilityscans,viaanApprovedScanningVendor(ASV)approvedbythePaymentCardIndustrySecurityStandardsCouncil(PCISSC).Performrescansasneeded,untilpassingscansareachieved.

11.2.2.aReviewoutputfromthefourmostrecentquartersofexternalvulnerabilityscansandverifythatfourquarterlyexternalvulnerabilityscansoccurredinthemostrecent12-monthperiod.

Identifytheexternalnetworkvulnerabilityscanreportsandsupportingdocumentationreviewed.Providethenameoftheassessorwhoatteststhatfourquarterlyexternalvulnerabilityscanswereverifiedtohaveoccurredinthemostrecent12-monthperiod.

TripwirePureCloudusesTripwireIP360scansolutiontoscanexternalIPaddressesforPCIDSScompliancepurpose.ItgeneratesfollowingreportsasperthePCISSCASVProgramGuide:

• ASVScanReportAttestationofScanCompliance

• ASVScanReportExecutiveSummary

• ASVScanReportVulnerabilityDetails

ThesereportscanbeusedduringthePCIDSSassessmenttodemonstratecompliancetothisrequirement.

11.2.2.bReviewtheresultsofeachquarterlyscanandrescantoverifythattheASVProgramGuiderequirementsforapassingscanhavebeenmet(forexample,novulnerabilitiesrated4.0orhigherbytheCVSS,noautomaticfailures).

ProvidethenameoftheassessorwhoatteststhattheresultsofeachquarterlyscanwerereviewedandverifiedthattheASVProgramGuiderequirementsforapassingscanhavebeenmet.Foreachofthefourexternalquarterlyscansindicatedat11.2.2.a,indicatewhetherarescanwasnecessary.(yes/no)If“yes,”describehowtheresultsoftherescanverifiedthattheASVProgramGuiderequirementsforapassingscanhavebeenmet.

11.2.2.cReviewthescanreportstoverifythatthescanswerecompletedbyaPCISSCApprovedScanningVendor(ASV).

ProvidethenameoftheassessorwhoatteststhattheexternalscanreportswerereviewedandverifiedtohavebeencompletedbyaPCISSC-ApprovedScanningVendor(ASV).

11.2.3Performinternalandexternalscans,andrescansasneeded,afteranysignificantchange.Scansmustbeperformedbyqualifiedpersonnel.

11.2.3.bReviewscanreportsandverifythatthescanprocessincludesrescansuntil:• Forexternalscans,

novulnerabilitiesexistthatarescored4.0orhigherbytheCVSS.

• Forinternalscans,all“high-risk”vulnerabilitiesas

Forallscansreviewedin11.2.3.a,indicatewhetherarescanwasrequired.(yes/no)If“yes”–forexternalscans,describehowrescanswereperformeduntilnovulnerabilitieswithaCVSSscoregreaterthan4.0exist.

• If“yes”–forinternalscans,describehowrescanswereperformeduntileitherpassingresultswereobtainedorall“high-risk”vulnerabilitiesasdefinedinPCIDSSRequirement6.1wereresolved.


PCIDSSRequirements


definedinPCIDSSRequirement6.1areresolved.


TECHNICAL INFORMATION ABOUT TRIPWIRE PRODUCTS TO COMPLY WITH PCI DSS WhileaTripwireproductcanassistanentitytomeetcertainPCIDSSrequirements(whichhavebeendiscussedintheprevioussections),itmightbesubjecttoanumberofPCIDSSrequirements.ThiscanhappenifitisfoundthattheTripwireproductcanimpactthesecurityofthesystemsinCDE.ForexampleamaliciousindividualmightbeabletocompromisetheTripwireEnterprisePolicyManagerandrunprivilegedcommandsthroughtheTripwireEnterprisePolicyManagerinthetargetsystemsintheCDEtogainunauthorizedaccess.

InthefollowingtabletechnicalinformationaboutTripwireEnterprise,TripwireLogCenterandTripwireIP360havebeenprovidedagainstsomePCIDSSrequirementsasaguidetoshowhowtheseproductscancomplywiththeserequirements.DuringaPCIDSSassessmenttherequirementsthatwouldapplytoaTripwireproductwouldbedeterminedbytheassessor(e.g.QSA)dependingonhowtheproducthasbeenimplementedandwhatextentitcanimpactthesecurityofthesystemsintheCDE.

PCIDSSRequirements TripwireEnterprise(TE) TripwireLogCenter(TLC) TripwireIP3602.1Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,POSterminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.

GUI• Adefaultpasswordis

providedwiththesystem,andisrequiredtobechangeduponfirstlogin

• Thedefaultusernamecannotberemovedorlocked,butcanbechanged

CLI• Usernameand

passwordareassameasGUI

• CLIaccessisavailableoncetheuserhasloggedintotheoperatingsystemwhereTripwireEnterprisehasbeeninstalled.

• CLIaccesscannotbeusedtomakeconfigurationchangesinTripwireEnterpriseliketheGUI

GUI• Defaultusernameisprovidedwith

thesystem,andisrecommendedtobechangeduponinstallation.

• Defaultpassword:Needstobespecifiedatthetimeofinstall

• Apasswordneedstobespecifiedatthetimeofinstall.Thedefaultusernamecanbechangedordisabled

CLI• NoCLIaccessisavailable

GUIforVnEManager• Adefaultpasswordisprovidedwiththe

system,andisrecommendedtobechangeduponinstallation

• Thedefaultusernamecanbechangedordisabled

CLIforVnEManager• Usernameandpasswordaredifferent

fromGUI• Adefaultpasswordisprovidedwiththe

system,andisrecommendedtobechangeduponinstallation

• Thedefaultusernamecannotbechangedordisabled

GUIforDP(DeviceProfiler)• NoGUIaccessisavailable

CLIforDP(DeviceProfiler)• SameasCLIforVnEManager


GUI• TripwireEnterprise

usesacustomizedTomcatApacheserver

• The“server.properties”fileunder“<te_root>/server/data/config/”needstobemodifiedtosupportonlystrongciphers

CLI• Asinteractiveaccessto

theCLIisobtainedbyloggingintothehostoperatingsystem,thehostoperatingsystemwouldneedtocomplytothisrequirement

GUI• TLSv1.2isusedbetweenTLC

ManagerandTLCConsolecommunications.TripwireLogCenterdoesnotspecifyanyciphertobeusedinthesecommunicationsasitreliesonthe.NETframeworkforthis.TheframeworkworksbasedontheWindowspolicies.


GUIforVnEManager• CanbeconfiguredtoFIPS140-2modeto

supportonlyTLSattheserverside

CLIforVnEManager• SSHaccessisenabled,butdisabledby

Tripwirepersonnelaspartoftheinstallation.Oncethisisdonetheuserneedstobephysicallypresentatthedevicetologinviathedeviceconsole.


CLIforDP(DeviceProfiler)• CLIaccessisrequiredfortheinitialinstall

anddeployauthenticationkey(sharedkeybetweenVnEmanagerandDP)tocommunicatewithVnE.

• SSHaccess–SameasCLIforVnEManager


PCIDSSRequirements TripwireEnterprise(TE) TripwireLogCenter(TLC) TripwireIP3607.2Establishanaccesscontrolsystem(s)forsystemscomponentsthatrestrictsaccessbasedonauser’sneedtoknow,andissetto“denyall”unlessspecificallyallowed.Thisaccesscontrolsystem(s)mustincludethefollowing:

GUI• Users(exceptthelocal

administratoraccount)canbeauthenticatedagainstacentralizedauthenticationserver,e.g.MicrosoftActiveDirectory.

• UsersneedtobeassignedgroupswhicharemaintainedwithinTripwireEnterprise

CLI• SameasGUI

GUI• Users(exceptthelocal

administratoraccount)canbeauthenticatedagainstacentralizedauthenticationserver,e.g.MicrosoftActiveDirectory.

• UsersneedtobeassignedgroupswhicharemaintainedwithinTripwireLogCenter


GUIforVnEManager• Users(exceptthelocaladminister

account)canbeauthenticatedagainstacentralizedauthenticationserver,e.g.MicrosoftActiveDirectory.

• UsersneedtobeassignedgroupswhicharemaintainedwithinTripwireIP360

CLIforVnEManager• SSHaccessisenabled,butdisabledby

Tripwirepersonnelaspartoftheinstallation.Oncethisisdonetheuserneedstobephysicallypresentatthedevicetologinviathedeviceconsole.

• CLIaccesscannotbeusedtorunscanorchangescanprofilesettings

• CLIaccesscannotbeintegratedwithacentralizedauthenticationserver,e.g.MicrosoftActiveDirectory.



7.2.1Coverageofallsystemcomponents.

7.2.2Assignmentofprivilegestoindividualsbasedonjobclassificationandfunction.7.2.3Default“deny-all”setting.

8.1.1AssignallusersauniqueIDbeforeallowingthemtoaccesssystemcomponentsorcardholderdata.

GUI• TripwireEnterprise

requiresassigninguniqueuserIDsifmultipleuseraccountsareusedtoaccesstheproduct

CLI• SameasGUI

GUI• TripwireLogCenterrequires

assigninguniqueuserIDsifmultipleuseraccountsareusedtoaccesstheproduct


GUIforVnEManager• TripwireIP360requiresassigningunique

userIDsifmultipleuseraccountsareusedtoaccesstheVnEManager

CLIforVnEManager• Additionaluseraccountscannotbe

createdGUIforDP(DeviceProfiler)• NoGUIaccessisavailable


8.2.1Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

GUI• Storage-Passwordsfor

TEConsolelocalaccountsarehashedusingPBKDF2withHMACSHA256.Arandomsaltisgeneratedeachtimeapasswordishashedandstored.

• Transmission-refertothecommentsunderrequirement2.3

CLI• SameasGUICredentialstoaccessmonitoredsystems• Avalidusernameand

passwordwithprivilegedaccessmaybeneededtoaccesssystemcomponentswhereTripwireagentscannotbeinstalled.

• Thepasswordisstoredencryptedwithin

GUI• Storage-256bitAESkeyisusedto

storepasswordsforTLCConsolelocalaccounts.

• Transmission-Refertothecommentsunderrequirement2.3

CLI• NoCLIaccessisavailableCredentialstoaccesssystemsbyTLCFileCollector• Avalidusernameandpassword

withprivilegedaccessmaybeneededbyTLCFileCollectortoaccesssystemcomponentswhichcannotforwardlogsorwhereTripwireLogCenteragentscannotbeinstalled.

• ThepasswordisstoredwithinTripwireLogCenterusinga256bitAESkey.

• TheFileCollectorcancollectlogfilesviaSMB(filecopy),FTPorSFTPfromtheremotesystemcomponents.

• TocomplywithPCIDSSfollowingmethodsmustnotbeused

GUIforVnEManager• A128bitAESkeyisusedtostore

passwordsforthelocalaccountstoaccesstheVnEManager.

CLIforVnEManager• Nocommandisavailabletoviewthe

passwordfileGUIforDP(DeviceProfiler)• NoGUIaccessisavailable

CLIforDP(DeviceProfiler)• SameasCLIforVnEManagerCredentialstoaccesssystemsbyDPtoperformauthenticatedscans• TripwireIP360requiresausernameand

passwordtoperformauthenticatedscansonsystemcomponents.Thisusernameandpasswordarestoredthroughthe“CredentialManagement”sectionofVnEManagerGUI.ThepasswordisstoredwithintheVnEManagerlocaldatabaseusinga128bitAESkey


PCIDSSRequirements TripwireEnterprise(TE) TripwireLogCenter(TLC) TripwireIP360TripwireEnterpriseusing256bitAES

o FTPo SMBifpasswordissentin

clear8.5Donotusegroup,shared,orgenericIDs,passwords,orotherauthenticationmethodsasfollows:• GenericuserIDsare

disabledorremoved.• ShareduserIDsdonot

existforsystemadministrationandothercriticalfunctions.

• SharedandgenericuserIDsarenotusedtoadministeranysystemcomponents.

GUI• Ifthepasswordforthe

localadministratoraccountisknowntomorethanoneperson,thencompensatingcontrolsneedtobedocumentedandimplementedasperPCIDSSappendixCtoensureactivitiesperformedusingthisaccountcanbetracedtoanindividual.

CLI• SameasGUICredentialstoaccessmonitoredsystems• Avalidusernameand

passwordwithprivilegedaccessmaybeneededbyTripwireEnterprisetoaccesssystemcomponentswhereTripwireagentscannotbeinstalled.

• CompensatingcontrolsmayneedtobedocumentedandimplementedasperPCIDSSAppendixCforthisuseraccounttoensureactivitiesperformedusingthisaccountbyanindividualcanbetracedtothatindividual.

GUI• Ifthepasswordforthelocal

administratoraccountisknowntomorethanoneperson,thencompensatingcontrolsneedtobedocumentedandimplementedasperPCIDSSappendixCtoensureactivitiesperformedusingthisaccountcanbetracedtoanindividual.


CredentialstoaccesssystemsbyTLCFileCollector• Avalidusernameandpassword

withprivilegedaccessmaybeneededbyTLCFileCollectortoaccesssystemcomponentswhichcannotforwardlogsorwhereTripwireagentscannotbeinstalled.

• CompensatingcontrolsmayneedtobeasperPCIDSSAppendixCforthisuseraccounttoensureactivitiesperformedusingthisaccountbyanindividualcanbetracedtothatindividual.

GUIforVnEManager• Iflocaladministratoraccountisenabled

andthepasswordfortheaccountisknowntomorethanoneperson,thencompensatingcontrolsneedtobedocumentedandimplementedasperPCIDSSappendixCtoensureactivitiesperformedusingthisaccountcanbetracedtoanindividual.

CLIforVnEManager• Ifthepasswordforthelocaladmin

accountisknowntomorethanoneperson,thencompensatingcontrolsneedtobedocumentedandimplementedasperPCIDSSAppendixCtoensureactivitiesperformedusingthisaccountcanbetracedtoanindividual.


CLIforDP(DeviceProfiler)• SameasCLIforVnEManagerCredentialstoaccesssystemsbyDPtoperformauthenticatedscans• TripwireIP360requiresausernameand

passwordtoperformauthenticatedscansonsystemcomponents.Thisusernameandpasswordarestoredthroughthe“CredentialManagement”sectionofVnEManagerGUI.

• CompensatingcontrolsmayneedtobedocumentedandimplementedperPCIDSSAppendixCforthisuseraccounttoensureactivitiesperformedusingthisaccountbyanindividualcanbetracedtothatindividual.

u Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vul-nerability management, log management, and reporting and analytics. Learn more at tripwire.com. u

SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG u FOLLOW US @TRIPWIREINC ON TWITTER

©2017 Tripwire, Inc. Tripwire, Log Center, LogCenter and IP360 are trademarks or registered trademark of Tripwire, Inc.All other product and company names are property of their respective owners. All rights reserved. WPULPCI32a 201702

http://www.tripwire.com/blog

http://www.twitter.com/tripwireinc