
PCI - Build Standards

cjthedj45 Member Posts: 331
Hi All,

Applying and maintaining a build standard. How do you folks do it?

I find this a real beast of a requirement; the CIS or NIST standards are very extensive documents. To read through and apply the CIS standard is tough, but then to maintain it is also very tricky if you are running a manual process.

The only tool that I know to do this is Tripwire's compliance tool. This has the standards built in and it runs a test to make sure the system consistently conforms to that standard. It is fairly expensive though. Perhaps there are other tools available now, but a few years ago it was only Tripwire.

I would love to hear how other people meet this requirement, as it has caused me some real problems.

Thanks

Comments

  • paul78 Member Posts: 3,016
    From a validation and monitoring perspective - I really like Tripwire. The coverage is great and it supports heterogeneous environments. It's been about a decade since I've looked but if all you need is file integrity monitoring - you could try the community version - Open Source Tripwire | Tripwire

    Also - if you are budget constrained - you may have seen this - but you may be able to homebrew something using OpenSCAP tools - https://www.open-scap.org/
  • cjthedj45 Member Posts: 331
    Thanks Paul. Looks like there is a gap in the market for config management tools. I did find out that CIS actually have a tool as well called CIS-CAT, but it does not look as good as Tripwire. I really don't know how people maintain the standard, unless everyone uses Tripwire.
  • soccarplayer29 Member Posts: 230
    Check out SCCM, Puppet, Red Hat Satellite, etc. to control configurations.

    For a semi-automated mechanism, check out doing compliance scanning against those devices using your established hardening requirements.
    Certs: CISSP, CISA, PMP
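The two mechanisms the thread mentions, compliance scanning against an established hardening baseline (soccarplayer29) and file integrity monitoring against a stored snapshot (paul78), as one added example. This is illustrative code written for this page; it is not from any poster and is not Tripwire, OpenSCAP or CIS-CAT code. The baseline directives, the table of sshd defaults, and the sample configuration and file contents are all constructed assumptions: the baseline resembles common SSH hardening items but is not an extract of any official CIS or NIST benchmark.

```python
"""Toy build-standard checker: config compliance plus file integrity.
Added example, not Tripwire/OpenSCAP/CIS-CAT code; all data below is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # e.g. "sshd:PermitRootLogin" or "fim:/etc/passwd"
    passed: bool
    observed: str
    expected: str


# Assumed hardening baseline for /etc/ssh/sshd_config (NOT an official CIS extract).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Values sshd applies when a directive is absent (assumed here; on a real host
# confirm with `sshd -T`, which prints the effective configuration).
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lower: value} for the global section.
    First occurrence wins, as in sshd. Parsing stops at the first Match block,
    because directives after it are conditional, not global policy."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def check_sshd_config(text: str, baseline=SSHD_BASELINE, defaults=SSHD_DEFAULTS) -> list:
    """Compare each baseline directive with the observed value (or sshd default)."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, expected in baseline.items():
        observed = cfg.get(directive.lower(), defaults.get(directive, "<unset>"))
        findings.append(Finding(f"sshd:{directive}", observed.lower() == expected.lower(),
                                observed, expected))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_integrity_baseline(files: dict) -> dict:
    """Snapshot {path: bytes} into {path: sha256 hex}; keep this copy off-host."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_integrity(baseline: dict, current: dict) -> list:
    """Flag modified, missing and unexpected files relative to the baseline."""
    findings = []
    for path, digest in sorted(baseline.items()):
        if path not in current:
            findings.append(Finding(f"fim:{path}", False, "missing", digest[:12]))
            continue
        now = sha256_hex(current[path])
        findings.append(Finding(f"fim:{path}", now == digest, now[:12], digest[:12]))
    for path in sorted(current.keys() - baseline.keys()):
        findings.append(Finding(f"fim:{path}", False, "unexpected file", "absent"))
    return findings


# Constructed sample input; the Match block's override must not mask the global value.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
"""

BASELINE_FILES = {  # constructed "golden build" contents
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
CURRENT_FILES = {   # constructed drifted host: one edited file, one unexpected file
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/cron.d/unexpected": b"* * * * * root /tmp/x\n",
}


if __name__ == "__main__":
    findings = check_sshd_config(SAMPLE_SSHD_CONFIG) + verify_integrity(
        build_integrity_baseline(BASELINE_FILES), CURRENT_FILES)
    for f in findings:
        print("PASS" if f.passed else "FAIL", f.control, f.observed, "->", f.expected)
    raise SystemExit(1 if any(not f.passed for f in findings) else 0)
```

Run on the constructed input it fails PermitRootLogin, passes X11Forwarding only because the assumed sshd default is "no", and flags the edited sshd_config and the unexpected cron file. The non-zero exit status is what a scheduler or CI job keys on; a real deployment would read the baseline from a signed, off-host store rather than from the host being checked.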
  • BerkshireHerd Member Posts: 185
    Hi, we use Qualys and its Policy Compliance module to help guide us on build standards.
    Identity & Access Manager // B.A - Marshall University 2005