PCI - Build Standards

cjthedj45cjthedj45 Member Posts: 331 ■■■□□□□□□□
Hi All,

Applying and maintaining a build standard. How do you folks do it?

I find this a real beast of a requirement the CIS, or NIST standard are very extensive documents. To read through and apply the CIS standard is tough, but then to maintain it is also very tricky if you are running a manual process.

The only tool that I know to do this is Tripwires compliance tool. This has the standards built in and it runs a test to make sure the system consistently conforms to that standard. It is fairly expensive though. Perhaps there are other tools available now, but a few years ago it was only Tripwire.

I would love to hear how other people meet this requirement as it has caused me some real problems

Thanks

Comments

  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    From a validation and monitoring perspective - I really like Tripwire. The coverage is great and it supports heterogeneous environments. It's been about a decade since I've looked but if all you need is file integrity monitoring - you could try the community version - Open Source Tripwire | Tripwire

    Also - if you are budget constraint - you may have seen this - but you may be able to homebrew something using OpenSCAP tools - https://www.open-scap.org/
  • cjthedj45cjthedj45 Member Posts: 331 ■■■□□□□□□□
    Thanks Paul. Looks like there is a gap in the market for config management tools. I did find out that CIS actually have a tool as well called CIS-CAT, but it does not look as good as Tripwire. I really don't know how people maintain the standard, unless everyone uses Tripwire.
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Member Posts: 230 ■■■□□□□□□□
    Check out SCCM, Puppet, Red Hat Satellite, etc. to control configurations.

    For a semi-automated mechanisms check out doing compliance scanning against those devices using your established hardening requirements.
    Certs: CISSP, CISA, PMP
  • BerkshireHerdBerkshireHerd Member Posts: 185
    HI, we use Qualys and it's Policy Compliance module to help guide us on build standards.
    Identity & Access Manager // B.A - Marshall University 2005
Sign In or Register to comment.