Contents
Disclaimer (page 2)
Compliance Content Pack Changes (page 3)
New Resource Type Support (page 4)
  Unix Compliance Control Library (page 4)
  Software Compliance Control Library (page 5)
Compliance Control Library Changes (page 7)
  Unix Compliance Control Library (page 7)
  Software Compliance Control Library (page 7)
Compliance Benchmark Policy updates (page 10)
Known Issues (page 12)
IT Operations Compliance Alert: Compliance Content Changes
(December 11, 2015) Action: Download and install new audit compliance checks from the HPLN Site
IT Operations Compliance Alert Page 2
Disclaimer
Periodically, HPE reviews, revises, and reissues existing compliance policies. While reasonable attempts are made to ensure that updated rules return equivalent results, there are cases where the resolution of a defect will produce different results. Customers should be advised that use of the revised compliance policies and rules may identify additional variances that were not identified with previous versions of the policies or rules. As always, customers should fully review any changes and assess their impact prior to importing content into their environment.
IT Operations Compliance Alert Page 3
Compliance Content Pack Changes
The Security and Compliance Service for IT Operations Compliance has updated the following Compliance content bundles:

Content Pack: Control Library for Unix
Content File: itocUnixControlLibrary-5024-20151203.zip
Content Offering: https://hpln.hp.com/contentoffering/compliance-control-library
Change Summary: Added new platform support for HP-UX 11.31, IBM AIX 7.1, Oracle Solaris 11 and Oracle Solaris 11.1

Content Pack: Control Library for Software
Content File: itocSoftwareControlLibrary-4960-20151119.zip
Content Offering: https://hpln.hp.com/contentoffering/compliance-control-library
Change Summary: Added new platform support for Docker 1.6, 1.7 and 1.8

Content Pack: CIS benchmark policy for Docker
Content File: itoc-cis-docker-4988-20151126.zip
Content Offering: https://hpln.hp.com/contentoffering/center-internet-security-cis-benchmark-policies
Change Summary: Rules added for Docker

Content Pack: CIS HP UX 11 Benchmark V1.5.0
Content File: itoc-cis-hpux-11_31-5023-20151202.zip
Content Offering: (as above)
Change Summary: Rules added for HPUX 11.31

Content Pack: CIS IBM AIX 7.1 Benchmark v1.1.0
Content File: itoc-cis-ibm-aix-7_1-4936-20151113.zip
Content Offering: (as above)
Change Summary: Rules added for IBM AIX 7.1

Content Pack: CIS Oracle Solaris 11 Benchmark v 1.1.0
Content File: itoc-cis-sol11-5023-20151202.zip
Content Offering: (as above)
Change Summary: Rules added for Oracle Solaris 11

Content Pack: CIS Oracle Solaris 11.1 Benchmark v 1.0.0
Content File: itoc-cis-sol11_1-5023-20151202.zip
Content Offering: (as above)
Change Summary: Rules added for Oracle Solaris 11.1

Content Pack: NIST SP 800-53 Revision 4 (FISMA)
Content File: itoc-fisma-4894-20151105.zip
Content Offering: https://hpln.hp.com/contentoffering/fisma-sp800-53-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x

Content Pack: NIST SP 800-66 Revision 1 (HIPAA)
Content File: itoc-hipaa-4894-20151105.zip
Content Offering: https://hpln.hp.com/contentoffering/hipaa-sp800-66-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x

Content Pack: Payment Card Industry (PCI) Data Security Standard version 3.0.0
Content File: itoc-pci-4956-20151119.zip
Content Offering: https://hpln.hp.com/contentoffering/pci-dss-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x
New Resource Type Support
Unix Compliance Control Library
The Unix Compliance Control Library is updated with the new platform support added for HP-UX 11.31, IBM AIX 7.1, Oracle Solaris 11 and Oracle Solaris 11.1. The following Compliance Benchmark Policies can be used to run an audit against the above-mentioned platforms:
CIS HP UX 11 Benchmark V1.5.0
CIS IBM AIX 7.1 Benchmark v1.1.0
CIS Oracle Solaris 11 Benchmark v 1.1.0
CIS Oracle Solaris 11.1 Benchmark v 1.0.0
NIST SP 800-53 Revision 4 (FISMA)
NIST SP 800-66 Revision 1 (HIPAA)
Payment Card Industry (PCI) Data Security Standard version 3.0.0
NOTE:
As of ITOC 1.1.0, the above-mentioned Unix platforms are supported only with the Server Automation integration. Hence the controls and benchmark policies applicable to these platforms can only be verified against a resource created via Server Automation. Refer to the "ITOC-SA Integration" chapter of the "ITOC_1.1_UG_Integration.pdf" guide for more information.
Software Compliance Control Library
The Software Compliance Control Library is updated with the new platform support added for Docker 1.6, Docker 1.7 and Docker 1.8. The following Compliance Benchmark Policy can be used to run an audit against the above-mentioned platforms:
CIS Docker 1.6 Benchmark
NOTE:
The resource types Docker 1.6, Docker 1.7 and Docker 1.8 are not supported by default in ITOC releases 1.0.0 and 1.1.0, so these resource types must be added to the hierarchy before importing the software control library delivered with this release. Without these resource types, controls specific to Docker will fail to import, and rules referring to these controls will in turn fail on import of the above-mentioned compliance benchmark policy.
Run the following steps to create the required resource hierarchy and then import the required content.
1. Download createSubResourceType.zip from https://hpln.hpe.com/node/28793/attachment
2. Copy the downloaded createSubResourceType.zip file to the /tmp location on the ITOC Server
3. Extract the zip:
   # unzip createSubResourceType.zip
   Extraction creates a folder named "createSubResourceType" containing the following files:
   README.txt - Instructions on how to use the scripts to create the subResourceType
   createSubResourceType.py - Script to create the subResourceType hierarchy based on subResource.txt
   createSubResourceType.sh - Script to unset HTTP_PROXY and HTTPS_PROXY if set on the shell and invoke the python script to create the required subResourceType
   subResource.txt - subResourceType hierarchy to be created
4. cd createSubResourceType
5. Execute the python script with the following command line:
   # <ITOC_INSTALL_PATH>/salt/usr/bin/python createSubResourceType.py <ITOC-server-FQDN> <itocadmin_password>
   Example:
   # /opt/hp/itoc/salt/usr/bin/python createSubResourceType.py itoc-server-47.ocm.ind.hp.com itoc123
   NOTE:
   If you have HTTP_PROXY or HTTPS_PROXY set as a shell environment variable and the ITOC Server FQDN needs to bypass the proxy, execute the shell script instead with the following command line:
   $ ./createSubResourceType.sh <itoc-server-FQDN> <itocadmin_password>
6. If the script executes successfully, verify in ITOC that the required resource types were created:
   a. Log in to the ITOC Console
   b. Go to the Resources tab in the Dashboard
   c. Click "Action" => New Resource => Resource Type
   Check that the following Resource Type hierarchy is created under the "Software" category
Compliance Control Library Changes
Unix Compliance Control Library
Support for the new resource types HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11 has been enabled for all applicable controls already existing in the library.
Software Compliance Control Library
The following controls are newly added to the Software Control Library. Each is a newly added control that supports the Docker 1.6, 1.7 and 1.8 resource types.

Docker Inspect: Inspect Docker for container or image configuration.
Control Kernel Audit System: Checks whether the kernel audit system is in place for Docker.
Separate Partition For Containers: Checks whether Docker is mounted on a separate partition.
Linux Kernel Version: Checks the kernel version, as Docker requires Linux kernel 3.10 or above.
Docker Group Members Are Trusted Users: Checks whether the members of the docker group can be trusted.
Check Docker Daemon Parameters: Checks whether the Docker daemon is running with the attributes required by the benchmark policy.
Check Docker Daemon Parameter Values: Checks whether the Docker daemon is running with the attribute values required by the benchmark policy.
Do Not Use The Aufs Storage Driver: Checks whether the Docker instance is using the aufs storage driver.
Docker Inspect Security Options: Checks the configuration and security options of containers.
Avoid Container Sprawl: Checks whether a manageable number of containers is running on a particular host.
Avoid Image Sprawl: Checks for and reports any unused or old images present on the host.
Docker Version: Checks whether the Docker server is up to date.
Bind incoming container traffic to a specific host interface: Checks whether container ports are tied to a particular interface and not to the wildcard IP address '0.0.0.0'.
Do not map privileged ports within containers: Checks whether any container port is mapped to a privileged host port.
Process in Docker Containers: Checks for a specific process in all running Docker containers.
Docker Inspect Namespace: Inspects Docker for container configuration with respect to the host namespace.
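The following Python is an added example and not part of HPE's control library (whose implementation this alert does not show). It evaluates four of the Docker controls above (host-interface binding, privileged port mapping, host namespace sharing and privileged security options) against constructed docker inspect output embedded inline.

```python
"""Added example: evaluates four of the Docker controls listed above against docker
inspect output. Not HPE's implementation; SAMPLE_INSPECT is constructed sample data."""
import json

# Constructed sample: one compliant container and one with several findings.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"PidMode": "", "NetworkMode": "bridge", "IpcMode": "",
                    "Privileged": False},
     "NetworkSettings": {"Ports": {
         "8080/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8080"}]}}},
    {"Name": "/legacy",
     "HostConfig": {"PidMode": "host", "NetworkMode": "bridge", "IpcMode": "",
                    "Privileged": True},
     "NetworkSettings": {"Ports": {
         "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
         "443/tcp": None}}},          # exposed but not published
])


def check_container(record):
    """Return (control, detail) findings for one inspect record; [] = compliant."""
    findings = []
    ports = (record.get("NetworkSettings") or {}).get("Ports") or {}
    for cport, bindings in ports.items():
        for b in bindings or []:  # unpublished ports carry None, not a list
            # Bind incoming container traffic to a specific host interface
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(("host interface", f"{cport} bound to all interfaces"))
            # Do not map privileged ports within containers
            if int(b.get("HostPort") or 0) < 1024:
                findings.append(("privileged port", f"{cport} -> host port {b['HostPort']}"))
    hc = record.get("HostConfig") or {}
    # Docker Inspect Namespace: container shares the host PID/network/IPC namespace
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(("namespace", f"{key}=host"))
    # Docker Inspect Security Options: privileged containers bypass most isolation
    if hc.get("Privileged"):
        findings.append(("security options", "Privileged=true"))
    return findings


def audit(inspect_json):
    """Map container name (without the leading '/') to its findings."""
    return {c["Name"].lstrip("/"): check_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(name, "PASS" if not found else "FAIL", found)
```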
The following controls are updated in the Software Control Library:

File Owning User: Support added for resource types Docker 1.6, 1.7 and 1.8
File Owning Group: Support added for resource types Docker 1.6, 1.7 and 1.8
File Permissions: Support added for resource types Docker 1.6, 1.7 and 1.8
Compliance Benchmark Policy updates
Policies that are newly added in the release

Policy Title: CIS benchmark policy for Docker
Description: This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Docker 1.6 or later technology
Policy Release Notes:
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=docker16.100
Rule Name: NA
Change: Rules added for Docker resource type as per the CIS benchmark document

Policy Title: CIS HP UX 11 Benchmark V1.5.0
Description: This document, Security Configuration Benchmark for HP-UX 11i, provides prescriptive guidance for establishing a secure configuration posture for HP-UX 11i v3
Policy Release Notes:
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=hpux.150
Rule Name: NA
Change: Rules added for HPUX 11.31 resource type as per the CIS benchmark document

Policy Title: CIS Oracle Solaris 11.1 Benchmark v 1.0.0
Description: This document is intended to address the recommended security settings for the Solaris 11 operating system (Solaris 11 OS) running on x86 or SPARC platforms. Specifically, the guidelines included in this document have been designed for and tested against the Solaris 11 11/11 release
Policy Release Notes:
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=solaris11.110
Rule Name: NA
Change: Rules added for Oracle Solaris 11 resource type as per the CIS benchmark document

Policy Title: CIS IBM AIX 7.1 Benchmark v1.1.0
Description: This document, CIS IBM AIX 7.1 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for IBM Advanced Interactive eXecutive (AIX) version 7.1
Policy Release Notes:
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=aix71.110
Rule Name: NA
Change: Rules added for IBM AIX 7.1 resource type as per the CIS benchmark document
Policies that have been modified for the release

Policy Title: Payment Card Industry (PCI) Data Security Standard version 3.0.0
Description: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures
Policy Release Notes:
Benchmark reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11

Policy Title: NIST SP 800-66 Revision 1 (HIPAA)
Description: Audit Policy for NIST Special Publication 800-66 Revision 1 - Recommended Security Controls for Health Insurance Portability and Accountability Act
Policy Release Notes: https://hpln.hp.com/node/2097/attachment
Benchmark reference: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11

Policy Title: NIST SP 800-53 Revision 4 (FISMA)
Description: Audit Policy for NIST Special Publication 800-53 Revision 4 - Recommended Security Controls for Federal Information Systems and Organizations
Policy Release Notes:
Benchmark reference: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11
Known Issues
NA