2 PCI Compliance Automation Module

This chapter instructs how to install Application Configuration Console's PCI Compliance Automation Module and describes the installed components.

2.1 Prerequisites

PCI compliance in a Windows environment requires that you have the Windows Resource Extensions (WRE) installed. WRE is an Application Configuration Console product add-in that enables you to extract Windows configuration data from Windows servers to create assets in Application Configuration Console. To do this, the Server connects to proxy service, which in turn, runs Visual Basic scripts on target machines to extract the data and pass it back through the Application Configuration Console Server to the Clients.

PCI compliance for Windows functions in the same way, using the proxy service to run scripts against target machines to create PCI assets.

For information on installation and setup of WRE, see the Application Configuration Console Installation Guide. See the Windows Resource Extensions Online Help for a detailed description of WRE and how to use it.

Important

Regardless of whether you have an earlier version of WRE installed, or you are installing the 5.3.2 version to satisfy this prerequisite, you must then unzip a set of PCI scripts to the proxy service host, as follows:

Navigate to the following root folder on the distribution media:
```
\extensions
```
Open the WindowsRE.zip file to expose the contents.
Extract windows_pci_scripts.zip to the following location on the proxy service host:
```
proxyroot\OpenSSH\mValentScripts
```

You must do this for the PCI auditing function to work in your Windows environment. Now proceed with the PCI Compliance Automation Module installation.

2.2 Installing the PCI Compliance Automation Module

To install automation modules, you must start the Application Configuration Console Server, then start the Client and log in as a member of the Administrators group.

Copy the JAR file for the PCI Compliance Automation Module to the Server host system.
In the Client, select Admin > Install Extension in the menu bar.

The Install Extension dialog opens.
Select "automation" as the extension type.
Click Browse to locate the JAR file in the file system.
Click OK to install the automation module.

The automation module features are available immediately after installation. You do not need to restart the Application Configuration Console Server or Clients.

The installation includes Windows, Linux, and Solaris solutions; that is, there are sets of resource specifications and complementary auditing dictionaries for each platform. All PCI resource specifications and dictionaries appear in their respective folders in the Navigator view:

System > Resource Specifications > PCI_AUDIT_AUTOMATION_MODULE
System > Property Dictionaries

2.3 About Resource Specifications

Resource specifications identify resources on external systems from which Application Configuration Console assets will be created. The PCI Compliance Automation Module uses command resource specifications that define commands and scripts to be executed on remote hosts to extract security-related configuration data. Organizations then audit the assets created from the extracted data to see if their settings match the settings recommended for PCI compliance.

2.4 About Auditing Dictionaries

Auditing dictionaries are lists of name value pairs derived from the various PCI standards defined by the Security Standards Council. Where appropriate, a command resource definition includes metadata that names the auditing dictionary against which to validate the configuration settings. When you audit an asset for compliance, configuration settings are compared to the appropriate dictionary, with the following potential outcome:

The named dictionary, as designated by the command resource definition, does not exist; no auditing of the configuration occurs
A property in the dictionary is missing in the configuration
A property value in the configuration differs from the expected value in the dictionary

Not all PCI asset configurations are intended to validate against an auditing dictionary. In these cases, the information will predictably change, but there is no set value that represents compliance. It is sufficient that the supplied resource specifications result in assets that can be automatically monitored as part of the overall security audit.

2.5 Windows Resource Specifications and Dictionaries

The command resource specifications for Windows extract various operating system settings related to security. There are seven resource specifications in this category:

Six that consist of a single command resource definition
One that combines three of the seven command resource definitions from above; these three have complementary dictionaries

These command resource definitions use XML mapping when creating assets. The installation program sets the remote script path in the command resource definition to the machine that hosts the proxy service. Command line arguments are predefined. You should not edit these values unless instructed to do so by Oracle Technical Support or Professional Services personnel.

Table 2-1 identifies the Windows PCI command resource specifications. For Windows, the command resource definition and, where applicable, the auditing dictionary have the same name as the resource specification.

Table 2-1 Windows PCI Resource Specifications and Supported Requirements

Resource Specification	PCI Rule	Description
`PCI_Win32_OS`	2.2.2-3	Enumerates various Windows Server 2003 operating system settings: Computer system summary Operating system summary Logical disk environment Variables startup commands Services
`PCI_Win32_FilePermissions`	2.2.3 11.5	Enumerates NTFS permissions on a predefined list of files recommended by the Windows Server 2003 Hardening Guide.
`PCI_Win32_RSOP_SecurityInfo`	2.2.3 8.5.9-14 10.2.3 10.5.1 10.7	Enumerates security settings applied by a Group Policy Object.
`PCI_Win32_RegistryKeys_GPOSecurityOptions`	2.2.3	Enumerates security-specific Registry keys and their values set by a Group Policy Object (Security Options section) and applied to a Windows Server 2003.
`PCI_Win32_SecurityUpdates`	6.1	Enumerates all installed Hotfixes that are security-related.
`PCI_Win32_UsersAndGroups`	8.1	Enumerates the existing local user and group accounts on a Windows Server 2003.
`PCI_Win32_ComplianceCombo`	2.2.3 8.5.9-14 10.2-3 10.5.1 10.7 11.5	Combines three of the above resource specifications.

The PCI_Win32_ComplianceCombo resource specification is just that, a combination of these three resource specifications:

PCI_Win32_FilePermissions
PCI_Win32_RSOP_SecurityInfo
PCI_Win32_RegistryKeys_GPOSecurityOptions

Together they create an asset consisting of three configurations, each of which has a complementary auditing dictionary of the same name against which to validate. In other words, from a compliance standpoint, you have the option of creating three assets each consisting of a single configuration, or a single asset consisting of three configurations. It's simply a matter of preference.

The Windows auditing dictionaries are based on the following standards documents:

Payment Card Industry Data Security Standard version 1.1
Windows Server 2003 Hardening Guide
The Center for Internet Security's Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Member Servers version 2.0

2.6 Linux Resource Specifications and Dictionaries

The command resource specifications for Linux extract various operating system settings related to security. There are four resource specifications in this category:

One all-purpose Linux OS specification that consists of eight command resource definitions, each of which has a complementary dictionary
Three specialized specifications, each of which has a single command resource definition and no complementary dictionary

These command resource definitions use Java Properties mapping when creating assets. The remote script path and command line arguments are predefined. You should not edit these values unless instructed to do so by Oracle Technical Support or Professional Services personnel.

The Linux auditing dictionaries are based on the Payment Card Industry Data Security Standard version 1.1.

Table 2-2 identifies the PCI_Linux resource specification, which has eight command resource definitions and complementary auditing dictionaries.

Table 2-2 PCI_Linux Command Resource Definitions and Supported Requirements

Resource Definition/Auditing Dictionary	PCI Rule	Description
`System Log File Permissions PCI_Linux_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on logs such as: `var/log/boot.log` `var/log/btmp` `var/log/cron`
`At_Cron File Permissions PCI_Linux_CronPermissions`	7.1	Extracts permissions, and owner and group status on files that restrict access to submit at and `cron` jobs, such as: `etc/at.allow` `etc/cron.allow` `etc/cron/deny`
`User Environment File Permissions PCI_Linux_UserEnvFilePermissions`	8.5	Extracts permissions, and owner and group status on files that contain information on user accounts, such as: `etc/group` `etc/gshadow` `etc/passwd` `etc/shadow`
`Login Configuration File PCI_Linux_LoginConfiguration`	8.5.9-10	Extracts password-related information, such as: Maximum days use of a password Days warning before password expiration Minimum days between password changes
`Empty Password Verification PCI_Linux_EmptyPassword`	8.5.10	Reports on empty passwords on existing accounts
`Warning Banner File Permissions PCI_Linux_WarningBannerPermissions`	7.1	Extracts permissions, owner and group status, and size of the file that contains system display information, such as message of the day
`System Services PCI_Linux_SystemServices`	2.2.2	Reports on run-level information for system services such as Telnet, ftp, and so forth
`TCP Wrapper Support Services PCI_Linux_TCPWrapperSupportServices`	1.3	Reports on services that are compiled with TCP wrapper support

2.7 Solaris Resource Specifications and Dictionaries

The command resource specifications for Solaris extract various operating system settings related to security. There are four resource specifications in this category:

One all-purpose Solaris OS specification that consists of 12 command resource definitions, each of which has a complementary dictionary
Three specialized specifications, each of which has a single command resource definition and no complementary dictionary

The Solaris auditing dictionaries are based on the Payment Card Industry Data Data Security Standard version 1.1

Table 2-3 identifies the PCI_Solaris resource specification, which has 12 command resource definitions and complementary auditing dictionaries.

Table 2-3 PCI_Solaris Command Resource Definitions and Supported Requirements

Resource Definition/Auditing Dictionary	PCI Rule	Description
`At-Cron File Permissions PCI_Solaris_CronPermissions`	7.1	Extracts permissions, and owner and group status on files that restrict access to submit at and `cron` jobs, such as: `etc/at.allow` `etc/cron.allow` `etc/cron/deny`
`User Environment File Permissions PCI_Solaris_UserEnvFilePermissions`	8.5	Extracts permissions, and owner and group status on files that contain information on user accounts, such as: `etc/group` `etc/gshadow` `etc/passwd` `etc/shadow`
`Empty Password Verification PCI_Solaris_EmptyPassword`	8.5.10	Reports on empty passwords on existing accounts
`Warning Banner File Permissions PCI_Solaris_WarningBannerPermissions`	7.1	Extracts permissions, owner and group status, and size of the file that contains system display information, such as message of the day
`System Log File Permissions PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on logs such as: `var/adm/boot.log` `var/adm/last.log` `var/adm/secure`
`System Log File Permissions 2 PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on logs such as: `var/cron` `var/samba`
`System Log File Permissions 3 PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on logs such as: `var/log/syslog` `var/log/rpmpkgs`
`System Log File Permissions 4 PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on `var/lib/pgsql`
`System Log File Permissions 5 PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on `usr/bin/dmesg`
`System Log File Permissions 6 PCI_Solaris_SysLogFilePermissions`	10.5.5	Extracts permissions, and owner and group status on `dev/ksyms`
`Login Configuration PCI_Solaris_LoginConfiguration`	8.5.9	Extracts password-related information, such as: Whether a password is required Number of login retries allowed `UMASK` value used
`Login Configuration 2 PCI_Solaris_LoginConfiguration`	8.5.9-10	Extracts password-related information, such as: Minimum password length Minimum time before a password change Maximum time a password can be valid

Table 2-4 identifies the three specialized resource specifications and their command resource definitions. There are no complementary dictionaries for these definitions.

Table 2-4 Other Solaris Resource Specifications and Supported Requirements

Resource Specification/Resource Definition	PCI Rule	Description
`PCI_Solaris_Default_Logins Default Logins`	2.1	Reports on default logins that should be restricted such as anonymous, guest, and so forth
`PCI_Solaris_UnauthorizedSUIDBinaries Unauthorized SUID Binaries`	7.1	Reports on programs that are set as `SUID/GUID` root programs
`PCI_Solaris_WorldWritableStickyBitDirs World Writable Sticky Bit Directories`	7.1	Reports on world-writable directories that do not have the sticky bit set

Chapter 3 shows how to use the supplied resource specifications to create PCI assets.