
Templates for PCI standards

Did you know? CloudPassage provides security configuration policies that map directly to PCI requirements. These policies examine your system, scan its configuration and files, and alert you if the system fails controls required by PCI DSS 2.0.

PCI standards require system administrators to harden the underlying OS. For this we provide the OS Core v2 and OS Extended v2 security configuration assessment (SCA) policies, which cover the configuration of your Linux OS. These policies scan the system for common security settings and report back if something has not been set up in a secure manner.

CloudPassage can also look at individual applications and how they are set up. Apache and MySQL are common applications for which we provide policies. These are fairly standard and should need few changes to help harden your applications. Additional checks can be created to address unique or specific settings. Here, for example, is a policy that looks at your OS and makes sure it is running an NTP service:

Verify Time Server Settings (Linux) v1
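A local check in the same spirit, added here as an illustration and not taken from the CloudPassage policy, is below. It goes one step further than "is a daemon running": it also reads the time daemon's configuration and rejects a config whose only source is the local undisciplined clock (127.127.1.0) or loopback, since ntpd will happily run against that while synchronising to nothing. The function names, the sample configuration contents and the use of `pgrep`/`grep`/`awk` are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not CloudPassage policy code.
# Checks (1) that a time daemon has a live process and (2) that the config
# names at least one real upstream time source. Assumes POSIX sh plus
# pgrep, grep -E, sed and awk.

# ntp_daemon_running: prints the daemon name and returns 0 if ntpd, chronyd
# or systemd-timesyncd is running; returns 1 otherwise.
ntp_daemon_running() {
    for d in ntpd chronyd systemd-timesyncd; do
        if pgrep -x "$d" >/dev/null 2>&1; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# ntp_conf_has_upstream FILE
#   Returns 0 if FILE has at least one server/pool/peer directive whose target
#   is not the local clock (127.127.x.x) or loopback. Comment lines and
#   trailing "# ..." comments are ignored. A missing file counts as a failure.
#   Note: systemd-timesyncd uses "NTP=" lines instead; they are not parsed here.
ntp_conf_has_upstream() {
    grep -E '^[[:space:]]*(server|pool|peer)[[:space:]]+' "$1" 2>/dev/null \
      | sed -E 's/#.*//' \
      | awk '$2 !~ /^127\.127\./ && $2 != "127.0.0.1" && $2 != "localhost" && $2 != "::1" { found = 1 }
             END { exit !found }'
}

# check_time_sync [CONF]: combined PASS/FAIL verdict, CONF defaults to /etc/ntp.conf
# (use /etc/chrony.conf on chrony hosts).
check_time_sync() {
    conf=${1:-/etc/ntp.conf}
    d=$(ntp_daemon_running) || {
        echo "FAIL: no ntpd/chronyd/systemd-timesyncd process found"
        return 1
    }
    ntp_conf_has_upstream "$conf" || {
        echo "FAIL: $conf has no upstream time source (none, or local clock only)"
        return 1
    }
    echo "PASS: $d running and $conf names an upstream source"
}

# Run the live check only when invoked as: sh check_ntp.sh --check [/path/to/ntp.conf]
if [ "${1:-}" = "--check" ]; then
    check_time_sync "${2:-/etc/ntp.conf}"
fi
```

The config test is deliberately the stricter half: a host that passes a process check but whose `ntp.conf` contains only `server 127.127.1.0` plus a `fudge` line has an NTP service and still no trustworthy clock, which matters for PCI log timestamps.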

Another policy, this one aimed at applications:
Verify Use of Strong Crypto (Linux) v1

It checks that you are using appropriate encryption for your credit card data.
PCI also requires that encryption keys be retired once they expire; you can validate that retirement with the following SCA policy.

Verify Retirement of Encryption Keys (Linux) v1 – Example

Because CloudPassage security configuration policies are fully customizable, you can create your own checks and policies. Remember that the policies above are examples of how to check for different PCI control objectives; they will most likely need to be modified and customized to fit your environment.

File integrity monitoring policies for PCI
A core piece of PCI security is monitoring system state and alerting you when it changes. CloudPassage can monitor files and report on their integrity, and we provide FIM policies covering the Linux base OS.

The "Monitor Privilege Escalation" policy watches files that could allow an attacker to escalate privileges, including permission changes to certain applications. "Monitor SETUID Changes" watches the locations most likely to hold programs that briefly become root to do their job even when run by non-root users. Because a program with the setuid bit set can hand an attacker higher privileges, such files are treated as more critical than ordinary programs.

Custom policies can be created to cover a variety of applications.
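To make the setuid case concrete, here is a small baseline-and-compare script added as an illustration; it is not the CloudPassage FIM policy itself. It records every setuid file under a directory with its mode and SHA-256, then flags anything that appears, disappears, changes permission or changes content. The function names, the temporary directory layout and the "backdoor" file in the demo are all constructed for this example; it assumes GNU coreutils (`stat -c`, `sha256sum`) and POSIX `find`/`comm`.

```shell
#!/bin/sh
# Added example (not CloudPassage's FIM policy code): baseline-and-compare check
# for setuid binaries, the kind of drift "Monitor SETUID Changes" looks for.
# Assumes GNU coreutils (stat -c, sha256sum) and POSIX find/comm/sort.
export LC_ALL=C   # deterministic sort/comm ordering

# setuid_manifest DIR
#   Prints one "path mode sha256" line per setuid file under DIR, sorted, so the
#   manifest captures permission changes (mode) and content changes (hash).
setuid_manifest() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a' "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done | sort
}

# compare_manifest BASELINE CURRENT
#   Returns 0 when the two manifests match. Otherwise prints the lines that left
#   the baseline (removed, or the old line of a modified file) and the lines that
#   are new (added, or the new line of a modified file) and returns 1: the alert.
compare_manifest() {
    gone=$(comm -23 "$1" "$2")
    new=$(comm -13 "$1" "$2")
    [ -z "$gone" ] && [ -z "$new" ] && return 0
    [ -n "$gone" ] && printf 'DRIFT - missing or changed since baseline:\n%s\n' "$gone"
    [ -n "$new" ]  && printf 'DRIFT - new or changed setuid files:\n%s\n' "$new"
    return 1
}

# demo_drift: constructed scenario. Baselines a directory holding one legitimate
# setuid program, then drops in a second setuid file (what a sloppy package or a
# rooting attempt leaves behind) and shows compare_manifest flagging it.
# Returns 0 when the drift is detected.
demo_drift() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin"
    printf '#!/bin/sh\necho legit\n' > "$root/bin/ping"
    chmod 4755 "$root/bin/ping"            # known-good setuid program in the baseline
    setuid_manifest "$root/bin" > "$root/baseline.txt"

    printf '#!/bin/sh\nexec /bin/sh\n' > "$root/bin/.backdoor"
    chmod 4755 "$root/bin/.backdoor"       # unexpected new setuid program
    setuid_manifest "$root/bin" > "$root/current.txt"

    if compare_manifest "$root/baseline.txt" "$root/current.txt"; then
        echo "no drift detected (unexpected)"
        rm -rf "$root"
        return 1
    fi
    rm -rf "$root"
    return 0
}

demo_drift
```

In practice the baseline is taken on a freshly built host and stored off-box, and the compare runs on a schedule against `/bin`, `/sbin`, `/usr/bin`, `/usr/sbin` and `/usr/local`. One caveat worth keeping in mind: an unprivileged write to a setuid file clears the setuid bit on Linux, so a tampered file can vanish from the manifest rather than change hash; that is why the compare reports removals as drift rather than only additions.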
