OSSEC and PCI-DSS
the_Grinch
I haven't been in PCI Compliance in awhile, but I heard something I wanted to get confirmed. Does using OSSEC (the free open source version) prevent a vendor from being PCI Compliant?
Comments
someslacker
Looking at 10.5, 10.5.5, 11.5 of the DSS, it simply states deploying FIM. The "standard" is very vague and really depends on your QSA and if they are OK with OSSEC vs. TripWire vs. X-Vendor-FIM. I know of several medium to large retailers that use OSSEC on their POS/PCI systems to satisfy those sections for which their assessors signed off on. Definitely have that dialogue with your QSA, they are usually helpful in deciphering the DSS.
the_Grinch
Thanks! I will review those sections to get an idea. It's not for me, but for a company we regulate. Personally I feel they just don't want to do what we are asking and are attempting to use this as an excuse. No other vendors have brought this up and they have all had at least one quarterly scan completed with OSSEC in use.
jibbajabba
Unfortunately a lot of times it depends who your QSA is and his or her background. Some QSAs might just hear OSSEC and be happy, whilst others may have never heard about it and want you to drill down.
As an example, I dealt with a QSA once who was by trade a network architect and didn't 'get' virtualization. And very obviously didn't like it either. He was very quick to put everything in scope. For example, one PCI environment was made of three blades. So he'd put all 16 blades in the chassis in scope, not being interested in any technical explanation as to why these blades were still totally separate from the environment (mind you, we used passthrough so these blades were even on separate FC and LAN switches).
Another QSA was fine once we presented our build guides, which were based on VMware's own documentation.
It is a shame that there aren't any hard guidelines for QSAs, leaving a lot open for individual interpretation.
Version 3 got a lot better in terms of details, but there is still a lot of work to be done.
Oh and don't forget, you don't just have PCI requirements. Sometimes cc companies have their additional requirements and limitations so make sure you know what they demand, too.