
Upload: buixuyen

Post on 10-Jun-2018


Page 1: IT Operations Compliance Alert: Compliance Content ….… · IT Operations Compliance Alert Page 3 Compliance Content Pack Changes ... itoc -cis hpux 11_31 -5023 ... Inspect Docker

Disclaimer ................................ 2
Compliance Content Pack Changes ........... 3
New Resource Type Support ................. 4
  Unix Compliance Control Library ......... 4
  Software Compliance Control Library ..... 5
Compliance Control Library Changes ........ 7
  Unix Compliance Control Library ......... 7
  Software Compliance Control Library ..... 7
Compliance Benchmark Policy updates ....... 10
Known Issues .............................. 12

IT Operations Compliance Alert: Compliance Content Changes

(December 11, 2015) Action: Download and install new audit compliance checks from the HPLN Site


IT Operations Compliance Alert Page 2

Disclaimer

Periodically, HPE reviews, revises, and reissues existing compliance policies. While reasonable attempts are made to ensure that updated rules return equivalent results, there are cases where the resolution of a defect will produce different results. Customers should be advised that use of the revised compliance policies and rules may identify additional variances that were not identified with previous versions of the policies or rules. As always, customers should fully review any changes and assess their impact before importing content into their environment.


Compliance Content Pack Changes

The Security and Compliance Service for IT Operations Compliance has updated the following Compliance content bundles (Content Pack, Content File, Content Offering, Change Summary):

Content Pack: Control Library for Unix
Content File: itocUnixControlLibrary-5024-20151203.zip
Content Offering: https://hpln.hp.com/contentoffering/compliance-control-library
Change Summary: Added new platform support for HP-UX 11.31, IBM AIX 7.1, Oracle Solaris 11 and Oracle Solaris 11.1

Content Pack: Control Library for Software
Content File: itocSoftwareControlLibrary-4960-20151119.zip
Content Offering: https://hpln.hp.com/contentoffering/compliance-control-library
Change Summary: Added new platform support for Docker 1.6, 1.7 and 1.8

Content Pack: CIS benchmark policy for Docker
Content File: itoc-cis-docker-4988-20151126.zip
Content Offering: https://hpln.hp.com/contentoffering/center-internet-security-cis-benchmark-policies
Change Summary: Rules added for Docker

Content Pack: CIS HP UX 11 Benchmark V1.5.0
Content File: itoc-cis-hpux-11_31-5023-20151202.zip
Change Summary: Rules added for HPUX 11.31

Content Pack: CIS IBM AIX 7.1 Benchmark v1.1.0
Content File: itoc-cis-ibm-aix-7_1-4936-20151113.zip
Change Summary: Rules added for IBM AIX 7.1

Content Pack: CIS Oracle Solaris 11 Benchmark v 1.1.0
Content File: itoc-cis-sol11-5023-20151202.zip
Change Summary: Rules added for Oracle Solaris 11

Content Pack: CIS Oracle Solaris 11.1 Benchmark v 1.0.0
Content File: itoc-cis-sol11_1-5023-20151202.zip
Change Summary: Rules added for Oracle Solaris 11.1

Content Pack: NIST SP 800-53 Revision 4 (FISMA)
Content File: itoc-fisma-4894-20151105.zip
Content Offering: https://hpln.hp.com/contentoffering/fisma-sp800-53-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x

Content Pack: NIST SP 800-66 Revision 1 (HIPAA)
Content File: itoc-hipaa-4894-20151105.zip
Content Offering: https://hpln.hp.com/contentoffering/hipaa-sp800-66-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x

Content Pack: Payment Card Industry (PCI) Data Security Standard version 3.0.0
Content File: itoc-pci-4956-20151119.zip
Content Offering: https://hpln.hp.com/contentoffering/pci-dss-benchmark-policies
Change Summary: Added rules for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11.x


New Resource Type Support

Unix Compliance Control Library

The Unix Compliance Control Library is updated with new platform support for HP-UX 11.31, IBM AIX 7.1, Oracle Solaris 11 and Oracle Solaris 11.1. The following Compliance Benchmark Policies can be used to run an audit against these platforms:

CIS HP UX 11 Benchmark V1.5.0

CIS IBM AIX 7.1 Benchmark v1.1.0

CIS Oracle Solaris 11 Benchmark v 1.1.0

CIS Oracle Solaris 11.1 Benchmark v 1.0.0

NIST SP 800-53 Revision 4 (FISMA)

NIST SP 800-66 Revision 1 (HIPAA)

Payment Card Industry (PCI) Data Security Standard version 3.0.0

NOTE:

As of ITOC 1.1.0, the above mentioned Unix platforms are supported only with Server Automation Integration. Hence the controls and benchmark policies applicable to these platforms can only be verified against a resource created via Server Automation. Please refer to the "ITOC-SA Integration" chapter of the "ITOC_1.1_UG_Integration.pdf" guide for more information.


Software Compliance Control Library

The Software Compliance Control Library is updated with new platform support for Docker 1.6, Docker 1.7 and Docker 1.8. The following Compliance Benchmark Policy can be used to run an audit against these platforms:

CIS Docker 1.6 Benchmark

NOTE:

The resource types Docker 1.6, Docker 1.7 and Docker 1.8 are not supported by default in ITOC releases 1.0.0 and 1.1.0, so these resource types must be added to the hierarchy before importing the software control library delivered with this release. Without these resource types, controls specific to Docker will fail to import, and the rules that refer to these controls will also fail when the above mentioned compliance benchmark policy is imported.

Run the following steps to create the required resource hierarchy and then import the required content.

1. Download createSubResourceType.zip from https://hpln.hpe.com/node/28793/attachment

2. Copy the downloaded createSubResourceType.zip file into the /tmp location on the ITOC Server.

3. Extract the zip:

   #unzip createSubResourceType.zip

   On extraction it creates a folder named "createSubResourceType" containing the following files:

   README.txt - Instructions on how to use the scripts to create the subResourceType
   createSubResourceType.py - Script to create the subResourceType hierarchy based on subResource.txt
   createSubResourceType.sh - Script to unset HTTP_PROXY and HTTPS_PROXY if they are set on the shell, and then invoke the python script to create the required subResourceType
   subResource.txt - subResourceType hierarchy to be created

4. cd createSubResourceType

5. Execute the python script with the following command line:

   #<ITOC_INSTALL_PATH>/salt/usr/bin/python createSubResourceType.py <ITOC-server-FQDN> <itocadmin_password>

   Example:

   #/opt/hp/itoc/salt/usr/bin/python createSubResourceType.py itoc-server-47.ocm.ind.hp.com itoc123


NOTE:

If you have HTTP_PROXY or HTTPS_PROXY set as a shell environment variable and the ITOC Server FQDN needs to bypass the proxy, execute the shell script with the following command line instead:

$ ./createSubResourceType.sh <itoc-server-FQDN> <itocadmin_password>

6. If the script execution is successful, verify on ITOC that the required resource types were created:

   a. Login to the ITOC Console
   b. Go to the Resources tab in the Dashboard
   c. Click on "Action" => New Resource => Resource Type

   Check that the following Resource Type hierarchy is created under the "Software" category


Compliance Control Library Changes

Unix Compliance Control Library

The new resource type support for HP-UX 11.31, IBM AIX 7.1 and Oracle Solaris 11 is enabled for all applicable controls existing in the library.

Software Compliance Control Library

The following Controls are newly added into the Software Control Library. Each of them is a newly added control that supports the Docker 1.6, 1.7 and 1.8 resource types.

Docker Inspect - Inspect Docker for Container or Image Configuration.

Control Kernel Audit System - This control will check if the Kernel Audit System exists for Docker.

Separate Partition For Containers - This control will check if Docker is mounted on a separate partition.

Linux Kernel Version - Checks the kernel version, as Docker requires Linux kernel 3.10 or above.

Docker Group Members Are Trusted Users - Check if Docker group members can be trusted.

Check Docker Daemon Parameters - Check if the Docker daemon is running with the required attributes as per the benchmark policy.

Check Docker Daemon Parameter Values - Check if the Docker daemon is running with the required attribute values as per the benchmark policy.

Do Not Use The Aufs Storage Driver - Check if the Docker instance is using the Aufs storage driver.

Docker Inspect Security Options - Check the configuration and security options of containers.

Avoid Container Sprawl - This control will check if a manageable number of containers is running on a particular host.

Avoid Image Sprawl - Check for and report any unused or old images present on the host.

Docker Version - Check if the Docker server is up to date.

Bind incoming container traffic to a specific host interface - Check if container ports are tied to a particular interface and not to the wildcard IP address '0.0.0.0'.

Do not map privileged ports within containers - This control will check if any container port is mapped to a privileged port.

Process in Docker Containers - Use this control to check for a specific process in all running Docker containers.

Docker Inspect Namespace - Inspect Docker for container configuration with respect to the host namespace.
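The controls above are described only by name and intent. As an added example (not ITOC or HPE code, and not the content pack's own rule logic), the following Python script shows how a handful of them can be evaluated as a defender's compliance check over constructed sample input: host facts shaped like what `docker info`, /proc/mounts, /etc/group and the daemon command line would yield, plus an excerpt of `docker inspect` JSON. The SAMPLE_HOST field names, the REQUIRED_DAEMON_PARAMS policy values, the 3.10 kernel floor and the 1023 privileged-port boundary are assumptions for illustration, not values taken from the benchmark document.

```python
import json
import re

KERNEL_MIN = (3, 10)        # "Docker requires Linux kernel 3.10 or above"
PRIVILEGED_PORT_MAX = 1023  # host ports at or below this are treated as privileged

# Constructed host facts (assumed key names), as a collector would gather them
# from `docker info`, /proc/mounts, /etc/group and the daemon's argv.
SAMPLE_HOST = {
    "kernel_version": "3.13.0-24-generic",
    "storage_driver": "aufs",
    "docker_root": "/var/lib/docker",
    "mount_points": ["/", "/boot"],          # docker_root is NOT its own mount point
    "docker_group_line": "docker:x:999:alice,bob,svc-build",
    "trusted_users": {"alice", "bob"},
    "daemon_args": ["docker", "daemon", "--icc=false", "--log-level", "debug"],
}
# Assumed policy values for the two daemon-parameter controls (illustrative only).
REQUIRED_DAEMON_PARAMS = {"icc": "false", "log-level": "info", "iptables": "true"}
# Constructed excerpt of `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/web", "HostConfig": {"NetworkMode": "bridge", "PidMode": "", "IpcMode": "",
     "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}},
  {"Name": "/worker", "HostConfig": {"NetworkMode": "host", "PidMode": "host", "IpcMode": "",
     "PortBindings": {"8080/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8080"}]}}}
]""")


def kernel_at_least(version, minimum=KERNEL_MIN):
    """Linux Kernel Version: compare major.minor of a uname-style string."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= minimum


def docker_group_untrusted(group_line, trusted):
    """Docker Group Members Are Trusted Users: members not in the trusted set."""
    fields = group_line.strip().split(":")
    members = fields[3].split(",") if len(fields) == 4 else []
    return sorted(set(u for u in members if u) - set(trusted))


def daemon_param_values(args):
    """Parse '--key=value', '--key value' and bare '--flag' daemon arguments."""
    values, i = {}, 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, val = arg[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, val, i = arg[2:], args[i + 1], i + 1
            else:
                key, val = arg[2:], "true"
            values[key] = val
        i += 1
    return values


def daemon_findings(args, required):
    """Check Docker Daemon Parameters (flag present) and Parameter Values (value matches)."""
    present, findings = daemon_param_values(args), []
    for key, expected in required.items():
        if key not in present:
            findings.append(("Check Docker Daemon Parameters", f"--{key} not set"))
        elif present[key] != expected:
            findings.append(("Check Docker Daemon Parameter Values", f"--{key}={present[key]}, expected {expected}"))
    return findings


def container_findings(inspect_output):
    """Port-binding and namespace controls evaluated over `docker inspect` JSON."""
    findings = []
    for c in inspect_output:
        name, hc = c["Name"], c.get("HostConfig") or {}
        for cport, bindings in (hc.get("PortBindings") or {}).items():
            for b in bindings or []:
                if b.get("HostIp", "") in ("", "0.0.0.0"):  # wildcard bind
                    findings.append(("Bind incoming container traffic to a specific host interface", f"{name} {cport} -> 0.0.0.0"))
                if b.get("HostPort") and int(b["HostPort"]) <= PRIVILEGED_PORT_MAX:
                    findings.append(("Do not map privileged ports within containers", f"{name} {cport} -> host port {b['HostPort']}"))
        for mode in ("NetworkMode", "PidMode", "IpcMode"):  # host namespace sharing
            if hc.get(mode) == "host":
                findings.append(("Docker Inspect Namespace", f"{name} shares host {mode[:-4]} namespace"))
    return findings


def evaluate(host, inspect_output, required_daemon_params):
    """Return (control, detail) pairs for every control that does not pass."""
    findings = []
    if not kernel_at_least(host["kernel_version"]):
        findings.append(("Linux Kernel Version", host["kernel_version"]))
    if host["storage_driver"] == "aufs":
        findings.append(("Do Not Use The Aufs Storage Driver", "storage driver is aufs"))
    if host["docker_root"] not in host["mount_points"]:
        findings.append(("Separate Partition For Containers", f"{host['docker_root']} is not a mount point"))
    untrusted = docker_group_untrusted(host["docker_group_line"], host["trusted_users"])
    if untrusted:
        findings.append(("Docker Group Members Are Trusted Users", ", ".join(untrusted)))
    findings += daemon_findings(host["daemon_args"], required_daemon_params)
    findings += container_findings(inspect_output)
    return findings


if __name__ == "__main__":
    for control, detail in evaluate(SAMPLE_HOST, SAMPLE_INSPECT, REQUIRED_DAEMON_PARAMS):
        print(f"FAIL  {control}: {detail}")
```

Run stand-alone, the script reports nine findings for the constructed host: the aufs driver, the non-separate Docker partition, the untrusted `svc-build` member of the docker group, one missing and one mismatched daemon flag, the `/web` container's wildcard and privileged port mapping, and the `/worker` container's shared host network and PID namespaces. A real collector would replace the constructed dictionaries with the actual command output; the check functions themselves stay the same.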


The following Controls are updated in the Software Control Library:

File Owning User - Support added for resource types Docker 1.6, 1.7 and 1.8
File Owning Group - Support added for resource types Docker 1.6, 1.7 and 1.8
File Permissions - Support added for resource types Docker 1.6, 1.7 and 1.8


Compliance Benchmark Policy updates

Policies that are newly added in the release

Policy Title: CIS benchmark policy for Docker
Description: This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Docker 1.6 or later technology
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=docker16.100
Rule Name: NA
Change: Rules added for Docker resource type as per the CIS benchmark document

Policy Title: CIS HP UX 11 Benchmark V1.5.0
Description: This document, Security Configuration Benchmark for HP-UX 11i, provides prescriptive guidance for establishing a secure configuration posture for HP-UX 11i v3
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=hpux.150
Rule Name: NA
Change: Rules added for HPUX 11.31 resource type as per the CIS benchmark document

Policy Title: CIS Oracle Solaris 11.1 Benchmark v 1.0.0
Description: This document is intended to address the recommended security settings for the Solaris 11 operating system (Solaris 11 OS) running on x86 or SPARC platforms. Specifically, the guidelines included in this document have been designed for and tested against the Solaris 11 11/11 release
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=solaris11.110
Rule Name: NA
Change: Rules added for Oracle Solaris 11 resource type as per the CIS benchmark document

Policy Title: CIS IBM AIX 7.1 Benchmark v1.1.0
Description: This document, CIS IBM AIX 7.1 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for IBM Advanced Interactive eXecutive (AIX) version 7.1
Benchmark reference: https://benchmarks.cisecurity.org/downloads/show-single/?file=aix71.110
Rule Name: NA
Change: Rules added for IBM AIX 7.1 resource type as per the CIS benchmark document


Policies that have been modified for the release

Policy Title: Payment Card Industry (PCI) Data Security Standard version 3.0.0
Description: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures
Benchmark reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11

Policy Title: NIST SP 800-66 Revision 1 (HIPAA)
Description: Audit Policy for NIST Special Publication 800-66 Revision 1 - Recommended Security Controls for Health Insurance Portability and Accountability Act
Policy Release Notes: https://hpln.hp.com/node/2097/attachment
Benchmark reference: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11

Policy Title: NIST SP 800-53 Revision 4 (FISMA)
Description: Audit Policy for NIST Special Publication 800-53 Revision 4 - Recommended Security Controls for Federal Information Systems and Organizations
Benchmark reference: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
Rule Name: NA
Change: Rules added for resource types HPUX 11.31, IBM AIX 7.1 and Oracle Solaris 11


Known Issues

NA