PCI DSS Compliance
Need to get your Linux systems PCI DSS compliant? Lynis Enterprise supports all common distributions like Debian, Ubuntu, and RHEL. What makes us different is that we also support macOS, BSD, and other Unix platforms like AIX, HP-UX and Solaris. As Unix specialists ourselves, we help you passing your audits, by providing best practices, snippets and tips.
Table of Contents
- 1.1 Establish and implement firewall/router standards
- 1.1.5 Roles for network management
- 1.1.6 Documentation and business justification for services
- 5.1 Anti-virus software deployment
- 5.2 Testing effectiveness of anti-virus solution
- 5.3 Anti-virus is running
- 8.1.6 Lockout accounts after a number of access attempts
- 8.1.7 Account lockout duration
- 8.1.8 Session idle time out
- 8.5 Groups, shared and functional accounts
- 10.2.4 Invalid logical access attempts
- 10.2.5 Usage and changes to identification and authentication mechanisms
- 10.3 Audit trail fields
- 10.4 Time-synchronization technology
- 10.5 Secure audit trails so they cannot be altered
Networking components are an important part in the chain of moving data between systems. Therefore a clear standard should exist for firewall and routers.
1.1 Establish and implement firewall/router standards
1.1.5 Roles for network management
Computer systems have a primary goal to assist the business of the company. Some systems are focused on delivering functionality to core business processes, others support the IT department. Collecting running services on Linux is fairly easily, assigning them a clear business justification is usually harder.
1.1.6 Documentation and business justification for services
Deploying anti-virus software is required by the PCI DSS standard, to counter the threat of malicious software (malware). This section describes reviewing the anti-virus solution, policy and procedures.
5.1 Anti-virus software deployment
To ensure a proper functioning anti-virus solution, the effectiveness should be tested. This PCI DSS section defines regular scans and automated updates of the malware signatures.
5.2 Testing effectiveness of anti-virus solution
Anti-virus software should be actively running on the system to catch malware before it is being executed.
5.3 Anti-virus is running
By using repeated login attempts, also known as "brute force" attacks, the right password might be guessed. To prevent this from happening, PCI DSS describes that accounts should have a lock mechanism in place.
8.1.6 Lockout accounts after a number of access attempts
A lockout duration should be configured when authentication attempts several times failed. A related time should be configured to re-enable the account again, or by manual reset of an administrator.
8.1.7 Account lockout duration
Access to open machines should be limited, to reduce the risk of non-authorized people accessing a system. A session time out value or tool should be used to control this risk.
8.1.8 Session idle time out
Brute force and logon attempts might be a first indication of a possible break-in. This is the reason such attempts should be properly logged and reviewed on a regular basis. On Linux this PCI DSS control might be configured by using the Linux audit system.
10.2.4 Invalid logical access attempts
Within the field of intrusion detection, it is important to know what accounts where used for proper investigation purposes. This section of PCI DSS wants to know how the root user is used on Linux systems, including the creation, modification and deletion of users.
To achieve full accountability, audit trails should be properly logged by the system. When it comes to auditing system components, at least the following fields needs to be available: user identification, type, date/time, success/failure status, originator and an identifier.
10.3 Audit trail fields
Log files, audit trails, and even some protocols depend on the time. A high level of accuracy is needed to ensure the quality of the logs, which might be needed for forensics or troubleshooting. Protocols like kerberos can stop working if the time is not properly synced. On Linux systems, it is therefore common to find an NTP daemon or a service responsible for time-synchronization.
10.4 Time-synchronization technology
Audit trails form the basis for forensics, troubleshooting, and accountability. This section of PCI DSS defines what to do to secure these audit trails against tampering.
10.5 Secure audit trails so they cannot be altered