Skip Headers
Oracle® Enterprise Manager Application Configuration Console PCI Compliance
Release 5.3.2

E14654-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 PCI Compliance Automation Module

This chapter instructs how to install Application Configuration Console's PCI Compliance Automation Module and describes the installed components.

2.1 Prerequisites

PCI compliance in a Windows environment requires that you have the Windows Resource Extensions (WRE) installed. WRE is an Application Configuration Console product add-in that enables you to extract Windows configuration data from Windows servers to create assets in Application Configuration Console. To do this, the Server connects to proxy service, which in turn, runs Visual Basic scripts on target machines to extract the data and pass it back through the Application Configuration Console Server to the Clients.

PCI compliance for Windows functions in the same way, using the proxy service to run scripts against target machines to create PCI assets.

For information on installation and setup of WRE, see the Application Configuration Console Installation Guide. See the Windows Resource Extensions Online Help for a detailed description of WRE and how to use it.

Important

Regardless of whether you have an earlier version of WRE installed, or you are installing the 5.3.2 version to satisfy this prerequisite, you must then unzip a set of PCI scripts to the proxy service host, as follows:

  1. Navigate to the following root folder on the distribution media:

    \extensions
    
  2. Open the WindowsRE.zip file to expose the contents.

  3. Extract windows_pci_scripts.zip to the following location on the proxy service host:

    proxyroot\OpenSSH\mValentScripts
    

You must do this for the PCI auditing function to work in your Windows environment. Now proceed with the PCI Compliance Automation Module installation.

2.2 Installing the PCI Compliance Automation Module

To install automation modules, you must start the Application Configuration Console Server, then start the Client and log in as a member of the Administrators group.

  1. Copy the JAR file for the PCI Compliance Automation Module to the Server host system.

  2. In the Client, select Admin > Install Extension in the menu bar.

    The Install Extension dialog opens.

  3. Select "automation" as the extension type.

  4. Click Browse to locate the JAR file in the file system.

  5. Click OK to install the automation module.

The automation module features are available immediately after installation. You do not need to restart the Application Configuration Console Server or Clients.

The installation includes Windows, Linux, and Solaris solutions; that is, there are sets of resource specifications and complementary auditing dictionaries for each platform. All PCI resource specifications and dictionaries appear in their respective folders in the Navigator view:

2.3 About Resource Specifications

Resource specifications identify resources on external systems from which Application Configuration Console assets will be created. The PCI Compliance Automation Module uses command resource specifications that define commands and scripts to be executed on remote hosts to extract security-related configuration data. Organizations then audit the assets created from the extracted data to see if their settings match the settings recommended for PCI compliance.

2.4 About Auditing Dictionaries

Auditing dictionaries are lists of name value pairs derived from the various PCI standards defined by the Security Standards Council. Where appropriate, a command resource definition includes metadata that names the auditing dictionary against which to validate the configuration settings. When you audit an asset for compliance, configuration settings are compared to the appropriate dictionary, with the following potential outcome:

Not all PCI asset configurations are intended to validate against an auditing dictionary. In these cases, the information will predictably change, but there is no set value that represents compliance. It is sufficient that the supplied resource specifications result in assets that can be automatically monitored as part of the overall security audit.

2.5 Windows Resource Specifications and Dictionaries

The command resource specifications for Windows extract various operating system settings related to security. There are seven resource specifications in this category:

These command resource definitions use XML mapping when creating assets. The installation program sets the remote script path in the command resource definition to the machine that hosts the proxy service. Command line arguments are predefined. You should not edit these values unless instructed to do so by Oracle Technical Support or Professional Services personnel.

Table 2-1 identifies the Windows PCI command resource specifications. For Windows, the command resource definition and, where applicable, the auditing dictionary have the same name as the resource specification.

Table 2-1 Windows PCI Resource Specifications and Supported Requirements

Resource Specification PCI Rule Description

PCI_Win32_OS

2.2.2-3

Enumerates various Windows Server 2003 operating system settings:


Computer system summary
Operating system summary
Logical disk environment
Variables startup commands
Services

PCI_Win32_FilePermissions

2.2.3 11.5

Enumerates NTFS permissions on a predefined list of files recommended by the Windows Server 2003 Hardening Guide.

PCI_Win32_RSOP_SecurityInfo

2.2.3 8.5.9-14 10.2.3 10.5.1 10.7

Enumerates security settings applied by a Group Policy Object.

PCI_Win32_RegistryKeys_GPOSecurityOptions

2.2.3

Enumerates security-specific Registry keys and their values set by a Group Policy Object (Security Options section) and applied to a Windows Server 2003.

PCI_Win32_SecurityUpdates

6.1

Enumerates all installed Hotfixes that are security-related.

PCI_Win32_UsersAndGroups

8.1

Enumerates the existing local user and group accounts on a Windows Server 2003.

PCI_Win32_ComplianceCombo

2.2.3 8.5.9-14 10.2-3 10.5.1 10.7 11.5

Combines three of the above resource specifications.


The PCI_Win32_ComplianceCombo resource specification is just that, a combination of these three resource specifications:

Together they create an asset consisting of three configurations, each of which has a complementary auditing dictionary of the same name against which to validate. In other words, from a compliance standpoint, you have the option of creating three assets each consisting of a single configuration, or a single asset consisting of three configurations. It's simply a matter of preference.

The Windows auditing dictionaries are based on the following standards documents:

2.6 Linux Resource Specifications and Dictionaries

The command resource specifications for Linux extract various operating system settings related to security. There are four resource specifications in this category:

These command resource definitions use Java Properties mapping when creating assets. The remote script path and command line arguments are predefined. You should not edit these values unless instructed to do so by Oracle Technical Support or Professional Services personnel.

The Linux auditing dictionaries are based on the Payment Card Industry Data Security Standard version 1.1.

Table 2-2 identifies the PCI_Linux resource specification, which has eight command resource definitions and complementary auditing dictionaries.

Table 2-2 PCI_Linux Command Resource Definitions and Supported Requirements

Resource Definition/Auditing Dictionary PCI Rule Description

System Log File Permissions PCI_Linux_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on logs such as:


var/log/boot.log
var/log/btmp
var/log/cron

At_Cron File Permissions PCI_Linux_CronPermissions

7.1

Extracts permissions, and owner and group status on files that restrict access to submit at and cron jobs, such as:


etc/at.allow
etc/cron.allow
etc/cron/deny

User Environment File Permissions PCI_Linux_UserEnvFilePermissions

8.5

Extracts permissions, and owner and group status on files that contain information on user accounts, such as:


etc/group
etc/gshadow
etc/passwd
etc/shadow

Login Configuration File PCI_Linux_LoginConfiguration

8.5.9-10

Extracts password-related information, such as:


Maximum days use of a password
Days warning before password expiration
Minimum days between password changes

Empty Password Verification PCI_Linux_EmptyPassword

8.5.10

Reports on empty passwords on existing accounts

Warning Banner File Permissions PCI_Linux_WarningBannerPermissions

7.1

Extracts permissions, owner and group status, and size of the file that contains system display information, such as message of the day

System Services PCI_Linux_SystemServices

2.2.2

Reports on run-level information for system services such as Telnet, ftp, and so forth

TCP Wrapper Support Services PCI_Linux_TCPWrapperSupportServices

1.3

Reports on services that are compiled with TCP wrapper support


2.7 Solaris Resource Specifications and Dictionaries

The command resource specifications for Solaris extract various operating system settings related to security. There are four resource specifications in this category:

These command resource definitions use Java Properties mapping when creating assets. The remote script path and command line arguments are predefined. You should not edit these values unless instructed to do so by Oracle Technical Support or Professional Services personnel.

The Solaris auditing dictionaries are based on the Payment Card Industry Data Data Security Standard version 1.1

Table 2-3 identifies the PCI_Solaris resource specification, which has 12 command resource definitions and complementary auditing dictionaries.

Table 2-3 PCI_Solaris Command Resource Definitions and Supported Requirements

Resource Definition/Auditing Dictionary PCI Rule Description

At-Cron File Permissions PCI_Solaris_CronPermissions

7.1

Extracts permissions, and owner and group status on files that restrict access to submit at and cron jobs, such as:


etc/at.allow
etc/cron.allow
etc/cron/deny

User Environment File Permissions PCI_Solaris_UserEnvFilePermissions

8.5

Extracts permissions, and owner and group status on files that contain information on user accounts, such as:


etc/group
etc/gshadow
etc/passwd
etc/shadow

Empty Password Verification PCI_Solaris_EmptyPassword

8.5.10

Reports on empty passwords on existing accounts

Warning Banner File Permissions PCI_Solaris_WarningBannerPermissions

7.1

Extracts permissions, owner and group status, and size of the file that contains system display information, such as message of the day

System Log File Permissions PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on logs such as:


var/adm/boot.log
var/adm/last.log
var/adm/secure

System Log File Permissions 2 PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on logs such as:


var/cron
var/samba

System Log File Permissions 3 PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on logs such as:


var/log/syslog
var/log/rpmpkgs

System Log File Permissions 4 PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on var/lib/pgsql

System Log File Permissions 5 PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on usr/bin/dmesg

System Log File Permissions 6 PCI_Solaris_SysLogFilePermissions

10.5.5

Extracts permissions, and owner and group status on dev/ksyms

Login Configuration PCI_Solaris_LoginConfiguration

8.5.9

Extracts password-related information, such as:


Whether a password is required
Number of login retries allowed
UMASK value used

Login Configuration 2 PCI_Solaris_LoginConfiguration

8.5.9-10

Extracts password-related information, such as:


Minimum password length
Minimum time before a password change
Maximum time a password can be valid

Table 2-4 identifies the three specialized resource specifications and their command resource definitions. There are no complementary dictionaries for these definitions.

Table 2-4 Other Solaris Resource Specifications and Supported Requirements

Resource Specification/Resource Definition PCI Rule Description

PCI_Solaris_Default_Logins Default Logins

2.1

Reports on default logins that should be restricted such as anonymous, guest, and so forth

PCI_Solaris_UnauthorizedSUIDBinaries Unauthorized SUID Binaries

7.1

Reports on programs that are set as SUID/GUID root programs

PCI_Solaris_WorldWritableStickyBitDirs World Writable Sticky Bit Directories

7.1

Reports on world-writable directories that do not have the sticky bit set


Chapter 3 shows how to use the supplied resource specifications to create PCI assets.