OSSEC and PCI-DSS

the_Grinch Member Posts: 4,165
I haven't been in PCI Compliance in awhile, but I heard something I wanted to get confirmed. Does using OSSEC (the free open source version) prevent a vendor from being PCI Compliant?
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • someslacker Member Posts: 37
    Looking at 10.5, 10.5.5, 11.5 of the DSS, it simply states deploying FIM. The "standard" is very vague and really depends on your QSA and if they are OK with OSSEC vs. TripWire vs. X-Vendor-FIM. I know of several medium to large retailers that use OSSEC on their POS/PCI systems to satisfy those sections for which their assessors signed off on. Definitely have that dialogue with your QSA, they are usually helpful in deciphering the DSS.
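As an added illustration (not part of the thread, and not a configuration the poster or the OSSEC project supplied), here is the shape of an OSSEC `syscheck` block that a practitioner would point a QSA at when claiming 11.5 coverage with the free version. The paths and the 12-hour frequency are assumptions; `/opt/posapp/conf` stands in for wherever the payment application keeps its configuration, and the real list of "critical files" is whatever you and your assessor agree on.

```xml
<!-- Example ossec.conf syscheck section for a PCI-scoped host (added example, not from the thread).
     Directory list and frequency are assumptions; agree the monitored file set with your QSA. -->
<ossec_config>
  <syscheck>
    <!-- 43200 s = 12 hours; DSS 11.5 asks for comparison at least weekly, so this is well inside it -->
    <frequency>43200</frequency>
    <!-- build the baseline immediately when the agent starts instead of waiting a cycle -->
    <scan_on_start>yes</scan_on_start>
    <!-- new files in monitored paths are an event, not just modified ones -->
    <alert_new_files>yes</alert_new_files>
    <!-- do not silently stop alerting on a file just because it changes often -->
    <auto_ignore>no</auto_ignore>

    <!-- system binaries and configuration: checksum, permissions, owner, group and size,
         with realtime (inotify) notification in addition to the scheduled scan -->
    <directories check_all="yes" realtime="yes">/etc,/bin,/sbin,/usr/bin,/usr/sbin,/boot</directories>

    <!-- payment application configuration (assumed path); report_changes keeps a diff of
         text files so the alert shows what changed, which is what an assessor asks to see -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/opt/posapp/conf</directories>

    <!-- files that legitimately churn; leaving them in produces noise you will have to explain -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>
</ossec_config>
```

OSSEC's stock syscheck rules (550 checksum changed, 553 file deleted, 554 file added) fire on these events and reach the server's alert log, which is the evidence trail for the section. Log files themselves are usually not put under syscheck because they change constantly; the 10.5.5 argument is normally made from agents forwarding logs to the central OSSEC server rather than from hashing the log files in place.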
  • the_Grinch Member Posts: 4,165
    Thanks! I will review those sections to get an idea. It's not for me, but for a company we regulate. Personally I feel they just don't want to do what we are asking and are attempting to use this as an excuse. No other vendors have brought this up and they have all had at least one quarterly scan completed with OSSEC in use.
  • jibbajabba Member Posts: 4,317
    Unfortunately a lot of times it depends who your QSA is and his or her background. Some QSAs might just hear OSSEC and are happy, whilst others may have never heard about it and want you to drill down.

    As an example. I dealt with a QSA once who was by trade network architect and didn't 'get' virtualization. And very obviously didn't like it either. He was very easy to put everything in scope. For example, one PCI environment was made of three blades. So he'd put all 16 blades in the chassis in scope, not being interested in any technical explanation as to why these blades were still totally separate from the environment (mind you, we used passthrough so these blades were even on separate FC and LAN switches).

    Another QSA was fine once we presented our build guides, which were based on VMware's own documentation.

    It is a shame that there aren't any hard guidelines for QSAs, leaving a lot open for individual interpretation.

    Version 3 got a lot better in terms of details, but there is still a lot of work to be done.

    Oh, and don't forget, you don't just have PCI requirements. Sometimes the CC companies have their own additional requirements and limitations, so make sure you know what they demand, too.
    My own knowledge base made public: http://open902.com :p