PCI DSS 3.0 article 11.5

PCI DSS 3.0 Section 11.5 says this: "Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform comparisons of critical files at least once a week."

Has anyone found a solution for this?  I submitted a support ticket to VMware asking, and they said they don't have any tool/app today that does it, nor could they recommend any.  I find it rather surprising that the standard has been effective since 1 January 2015 and there is very little information on what people do to accomplish this (and 11.5.1) requirement.  Thank you!

Hello

So, you really want to look into HyTrust CloudControl vSecurity and/or mocking because it will monitor the changes to a host for you. The declaration is to monitor derivatives change or unauthorized changes. How you do that depends on how you feel you should do it. If I track the contents of a file for change, this does not mean I have to watch the entire file for change. Content is really what is important, not the real of the file itself.

If your QSA is really stuck on you needing to have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intention. I fires and one who truly understands the intention. In addition, if you control access to the management console, that is also a compensating control, and who is captured as well. You need to think about how these files change in the first place, and if I can control said change, log said change, etc., then I have a compensating control that is sufficient.

I can also use the hardening guide to monitor critical file changes as well, by monitoring critical parameters within these files. I have a tool that does just that, like many others.

Best regards
Edward L. Haletky
VMware communities user moderator, VMware vExpert 2009-2015

Author of the books 'VMWare ESX and ESXi in the business: Planning Server Virtualization Deployment', Copyright 2011 Pearson Education, and 'VMware VSphere and Virtual Infrastructure Security: securing the virtual environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Practice of virtualization, LLC - vSphere Upgrade Saga - virtualization security Table round Podcast

Tags: VMware
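
The point made in the answer above, that what matters is the content and the critical parameters inside a file rather than every change to the file, shown as a small change-detection script. This is an added example, not part of the original thread or of any vendor tool; the file name, the watched keys and the ALERT/REVIEW severities are assumptions chosen for illustration.

```python
import hashlib
import os
import re
import tempfile

SETTING = re.compile(r"([^\s=]+)\s*[=\s]\s*(.*)")

def parse_settings(text):
    """Parse 'key = value' or 'key value' lines; comments and blanks are ignored."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line.split("#", 1)[0].strip())
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings

def snapshot(watched):
    """Map each path to its SHA-256 digest and the values of its watched keys."""
    state = {}
    for path, keys in watched.items():
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            data = None  # missing file: digest None, so compare() reports it
        digest = hashlib.sha256(data).hexdigest() if data is not None else None
        parsed = parse_settings((data or b"").decode("utf-8", errors="replace"))
        state[path] = {"sha256": digest, "settings": {k: parsed.get(k) for k in keys}}
    return state

def compare(baseline, current):
    """Return (severity, path, detail) for every deviation from the baseline."""
    findings = []
    for path, old in baseline.items():
        new = current[path]
        if old["sha256"] == new["sha256"]:
            continue
        changed = [k for k, v in old["settings"].items() if new["settings"].get(k) != v]
        for key in changed:
            detail = f"{key}: {old['settings'][key]!r} -> {new['settings'].get(key)!r}"
            findings.append(("ALERT", path, detail))
        if not changed:
            # Files with no watched keys alert on any change; others only need review.
            severity = "REVIEW" if old["settings"] else "ALERT"
            findings.append((severity, path, "content changed (no watched setting differs)"))
    return findings

def demo():
    """Constructed sample: a comment-only edit, then a change to a watched setting."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "sshd_config")  # hypothetical critical file
        with open(cfg, "w") as fh:
            fh.write("# constructed sample\nPermitRootLogin no\nMaxAuthTries = 3\n")
        watched = {cfg: ["PermitRootLogin", "MaxAuthTries"]}
        baseline = snapshot(watched)
        with open(cfg, "a") as fh:
            fh.write("# reviewed by ops\n")
        cosmetic = compare(baseline, snapshot(watched))
        with open(cfg, "w") as fh:
            fh.write("PermitRootLogin yes\nMaxAuthTries = 3\n")
        critical = compare(baseline, snapshot(watched))
    return cosmetic, critical

if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(*finding, sep="\t")
```

Run the comparison at least weekly to match the 11.5 wording, and keep the baseline somewhere the monitored host cannot rewrite.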

Similar Questions

  • How will I know if my pci DSS goes

    How will I know if my pci DSS goes wrong and there is a cheque that I can do?

    There is no predictive value.

    However, there are apps that try to predict, using a lot of value with formulas for prediction.

    These formulas are (and should be) different models of different discs. Therefore, a good app must have a large database of records and formulas tested for them.

    A few years back I made a test reasonably thorough of these apps and lost three discs in the process.

    The one I use now is binaryfruit.com DriveDx

  • What products are supplied to the pci - dss standard monitoring?

    What products has MS to provide 10 PCI - DSS requirements.

    Thank you

    Hi Elba Stevenson,

    What operating system is installed on the computer?

    I suggest you to see the following link:

    Payment card industry Data Security Standard compliance Planning Guide
    http://www.Microsoft.com/download/en/details.aspx?displaylang=en&ID=18015

  • Mini PCI DSS in U350

    I would try to put a mini 60MB PCI SSD in my U350 as the start/program disk and leave the HD existing as my data disc.  From my reading of various Councils, this sounds like a clean reinstall of the operating system for the SSD is the best way to do it.  I also heard that it is better to remove all the other disks during installation to avoid conflicts.  My question is, if I uninstall the existing HD, install the PCI DSS and do the reinstall using Lenova provided, recovery disks it will work? The Bios detects the PCI DSS?

    It is the SSD, I'm looking at:

    http://www.Amazon.com/Kingston-SSDNow-internal-SMS100S2-64G/DP/B0062CHMZG/ref=pd_cp_pc_2

    Any guidance would be appreciated.

    Note: this assumes that the U350 has an mSata slot, which is not the same as just mini pci even though they look like. Is it won't work but you have to do a clean install of windows and not just use the standard restore disks. Be sure to get a list of the device drivers before installing new ones.

  • PCI - DSS compliance

    Hi all

    11.2.0.3

    We scan our db server for PCI DSS Compliance Audit with NESSUS.

    And it pointed out something like this: PCI DSS Compliance: database accessible from the Internet?

    102.10.10.21 (tcp/1521)

    An Oracle TNS listener is listening on this port.

    Databases may not be accessible from the Internet, according to the PCI DSS.

    Why is accessible from the internet? How can this be avoided?

    Thank you all,

    pK

    Really?

    This has absolutely nothing to do with Oracle and everything to do with your network/firewall configuration.

  • SSL and PCI compliance?

    I install a new 5520 with IPS for a client, and they ask about the SSL (WebVPN) being self-signed and PCI compliance.  I don't know which document to find this information under in the PCI DSS.  There was also mention of double authentication being required, but without seeing the actual needs, I guess just to her.

    If anyone can point me in the right direction or explain the low down on what is needed to make SSL compatible PCI, I would be very grateful.

    I am not aware of a pure and simple ban against self-signed certificates, but personally would prefer those to a root of trust CA - PKI company or third party. For me, it shows a greater awareness to safety.

    PCI DSS requirement 8.3 requires two-factor authentication:

    8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

    Note: Two-factor authentication requires two of the three authentication methods (see 8.2 requirement for a description of the authentication methods) be used for authentication. Using a factor twice (for example, using two separate passwords) is not two-factor authentication.

    You can configure an ASA with two-factor schemes (RSA SecurID and LDAP etc.).

  • error message iTunes displays locked drive, itl locked files, or do not have administrative privileges on the PC after a clean install of Windows 10

    Yesterday I did a clean install of Windows 10 on my PC with a backup of the hard disk external. I downloaded iTunes, but get an error message that the drive is locked, the .itl files are locked, or I don't have administrative rights to these files. I deleted and reinstalled the PCI DSS several times correctly in the PCI slot hoping that would be a solution, but to no avail. I am the only user on this computer and do not have administrative rights. Any help you can offer will be appreciated. Thank you

    This can help (from turingtest2):

    Fix iTunes for Windows security permissions

  • Install a new SSL certificate for Server 2008 R2

    Hello

    We have a Windows 2008 R2 server running of the machine. As a company that manages payments, we need to be registered PCI DSS and the scan picked up a point of failure is that we do not have an SSL certificate installed. I bought a via GoDaddy and followed the instructions on their site to install it, but the PCI DSS Analysis is always a failure for the following reason: -.

    "The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certification authority."

    The certificate at the top of the string is the default "integrated". How to promote the certificate GoDaddy installed at the top of the chain?

    Thank you

    This issue is beyond the scope of this site and must be placed on Technet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • MFA for TACACS+ via ISE - is RSA Secure ID the only option?

    I'm running Cisco Secure ACS for TACACS+ and other things.  I have to move to another platform due to the requirements of PCI DSS 3.2.

    ISE is the head to replace ACS but I also have a requirement to implement multifactor authentication (MFA) everywhere.

    The ISE 2.1 implementation guide says that RSA Secure ID is supported for MFA with TACACS+ connections.  I do not have RSA Secure ID and probably never will have it.

    The implementation guide and my Cisco provider also make the more general statement that ISE will work with any MFA solution which has a RADIUS-compliant front end.  Well, it's because I already have one of these (SafeNet/SafeWord).  What they are not, is if it will work specifically to authenticate the RADIUS authentications.  The only docs I can find on this subject are all/only on ISE doing this for RADIUS clients such as a Cisco ASA handling Anyconnect VPN clients.

    Has anyone gotten ISE TACACS+ to work with MFA with anything other than Secure ID? Do you have any links?

    Click on your name in the upper right to see your profile. Then choose the 'Message' tab and click 'New Message'.

  • Duration of lock FireSIGHT/SourceFire user configuration?

    Hi all

    I've been searching in the documentation for 5.3 and 5.4, and I don't find no information for what the account lockout duration is for when a user does not have the number of logins set to the value of maximum number of connections has failed in a user account. Is there an official documentation anywhere for this (and where to check or raw balls does show a lock-out)? I have a client through a PCI DSS audit and the auditor is demanding this information. Either way, it seems that the default Administrator account cannot be disabled (the Setup Guide explains he cannot be deleted, but can it be disabled via the CLI)?

    Appreciate any help you can provide.

    Thank you

    Richard

    Hello Richard,

    External authentication would be the only way to get the limit past reuse.

    To get locked, you must enable STIG this will allow locking of accounts, other than that there no way to do it without STIG.

    I'll open a bug in development of your request to add this feature in the road map.

    Rate and mark as correct if my message helps.

    Regards

    Jetsy

  • Prevent the owner of the schema using development tools

    Hello world

    We are doing some tasks to meet the PCI DSS requirements. One of them is preventing the schema owner from logging in using development tools (TOAD, sqlplus, plsqldev, SQL Developer...). I found a solution here:

    http://kamranagayev.com/2009/10/04/block-developers-from-using-Toad-and-other-tools-on-production-databases/

    But as a comment said, if we change the name of the .exe file, we can easily connect. I thought to check the module info, not the program info. I tried with no success. I read somewhere that in the after-logon trigger, the client info is not set completely. So we can't get the module info exactly in the after-logon trigger (I tried, and I saw that the module was the same as the program when queried from v$session).

    Another comment suggested that we allow some programs to connect instead of refusing many unauthorized tools. I think it is a good idea. But I wonder whether some guys who know this could rename a dev tool to one of our authorized tools so that it can connect.

    If anyone has any ideas or solutions, please help me. Thank you.

    One solution is to use two schemas. Schema A has no privs assigned to it (not even CREATE SESSION), but contains all of the objects (tables, indexes, views, code, etc.). Schema B does not own any objects, but is given privileges to operate on the objects belonging to schema A. Withdrawing the CREATE SESSION priv from schema A, schema B (in, for example, Prod) will achieve your requirement.

  • blocking direct access to the oracle server

    Dear Sir

    One of our PCI DSS conditions is to stop direct access to the db. One solution I know:

    TCP.validnode_checking = YES

    TCP.invited_nodes = (192.168.1.91, visionhost.solutionbeacon.com)

    But this option will also allow the IP address of the invited node to connect with sqlplus using tns names. Does anyone have experience solving this problem for PCI DSS?

    Which paragraph of the PCI DSS doc makes you think that there is a problem? I work with version 3.0 (November 2013) and I can't find anything like that. For example, paragraph 8.7.c, "review database access control settings and database application configuration settings to verify that user direct access to or queries of databases are limited to database administrators", does not say that the DBA is not able to connect to the application server. And all the firewall stuff in requirement 1 concerns access to the network and between networks, not within the network.

    Are you sure that you have a problem? There is no interest to 'fix' something that doesn't have a reference in the doc.

  • What is the best laptop to use for first Pro 2015 cc?

    I am currently using a Macbook Pro with:

    Processor: 2.9 Ghz Inter Core i7

    Memory: 12 GB 1600 MHz DDr3

    Graphics card: Intel HD Graphics 4000 1526 MB

    Should I update my graphics card?  When I work with .mov, when I read his jerky.

    Eric advice is correct... especially with the 4K more for a standard video.  4K editing or even several stream 1080 p with effects requires a laptop much 'bigger' than what you have.

    In the meantime, before acquiring a new machine, you can:

    1. increase the system memory of the laptop, as Eric suggested, of at least 16 GB or more

    2. I suppose that you have only one hard drive Bay and not two in your machine. If you have a spinning mechanical hard drive... is a 7200 RPM or, ESPECIALLY if you have a disk of 5 400 rpm... Replace it with a quality SATA III SSD.

    The best, especially for editing purposes, is the Samsung 850 Pro model... the prices are down and they are now more affordable. Start with a model of this SSD 256 GB or more. Crucial SSD 200 MX are almost the same in quality, but they are cheaper... no other SSD is recommended due to other types of used controllers.

    You would like to clone the image of your hard drive in the new SSD using an external USB 3 docking station to connect the SSD drive in as a "cartridge"... they are cheap (~ $25 - $ 30). Then place the new drive in the internal Bay. Even if you would use that one disc, the new SSD would greatly improve the speed of data read and write operations and overall performance of the computer.

    3. If your machine has 3 USB port, it MAY (or may NOT), be able to take advantage of what we call 'USAP '. This would allow an external drive, such as the Samsung Q1 SSD to operate at nearly the same speed as the internall SSD. For example: a new Samsung 850Pro would go to over 500 MB/sec read and write compared to the humble 150 - 75 MB/s of the HARD original internal drive. A Samsung Q1 might run externally at over 400 MB/sec in reading and enter vs 200 Mbps USB 3 WITHOUT 'USAP '. This would allow you to place all the media, project files, presents a preview and export to the T1, while placing the media cache and the cache files on the disk SSD internal flash for easy removal when the projects are completed. The high-performance T1 can be plugged into other machines to get back to work. Speed training is VERY IMPORTANT and may be the main cause of current sluggish performance, but also inadequate hardware components. Of course, you can ALSO have high speed external port 'Thunderbolt', but using this port storage solutions are very expensive.

    4. MORE IMPORTANT! Since it seems that the GPU on your machine is low, you may need to 'transcode' the images you want to edit in a more EASY codec for your machine to manage.  You can try the DNxHD "visually lossless" codec to Quicktime.  Windows users can also use the "Cineform" free of the Go Pro website codec... I don't know if Mac users can use Cineform, being a Windows Guy.

    If you are a serious Editor, you will DEFINITELY need a new machine very soon. For optimal performance, users are building Haswell E Windows desktops with the 5960 X overclocked to 4.5 Ghz CPU and a GPU of NVidia 980ti and either 32 or 64 GB of memory system.  They use a Samsung 850 Pro SSD as a boot drive for the OS, programs and Windows pagefile ONLY.  All other files, go to the new Samsung 950 NVMe PCI DSS Pro who has read more than 2 GB/s speed and 1.5 GB/s write speed AND which is "two-way", meaning that it reads and writes at the same time... Unlike SATA, it relates to one or the other and not BOTH at the same time. For the greater data capacity, a large RAID 0 array off the coast of 3 or moreSamsung 850 SSD Pro motherboard can also provide fast performance.

  • Discover the bottleneck

    Hello

    I just installed a PC brand new with:

    ASRock X99M Extreme4

    Intel Core i7 - 5930 k

    SSD 128 GB for the OS

    2 x 2 TB Seagate SSHD (in RAID 0)

    16 GB DDR4 Crucial 3000MHz

    Gigabyte GTX 6 GB 980ti


    Just all installed and realized the rendering is only twice as fast as on my 2.8 GHz I7 MacBook Pro. The result is slower than I expected.

    Any recommendations for tweaking? Or y at - it a tool that allows me to discover the hardware bottleneck?


    concerning

    Jürgen


    Yes... RJL is correct... you have too little memory system AND the readers who hold your video files are holding your performance. You can add a PCI DSS as a Samsung SM 951, Intel 750 to place your active media, files, previews and all cache files. The largest, runs drives then can be used as an archive and for backup, while SSD PCI would treat your records ASSETS used in publishing... all run at a speed MUCH faster than 1.5 GB per second or MORE and maybe NO latency "two-way" interface, if you have a... traditional NVME SATA SSD model nature can not read and write at the same time... the SATA interface is "half duplex" allowing one type of operation at a time.

    You can test your current computer on the PPBM8.com site, managed by Bill Gehrke here on this forum, using its test for the edition with the body. Then, re-test after adding memory (64 GB would be great... Much better than the current 32 GB) and a faster Media Player. Your CPU is made to OVERCLOCK... the clock speed of the CPU is KING by providing for an increase in the performance... ENJOY this one!

    You can study many several machines on this site test results and by downloading the free "Speccy" Piriform, you can study the details of their material, as well as your own. many run their Haswell E CPUs to 4.5 Ghz!

    Many users of SSD at low prices for their OS readers do not get good results... Series Samsung 850 Pro and the cheapest MX200 Crucial are recommended... models "EVO", are NOT. Some SSDS are slower at the level of 128 GB and see the best performance starting at 256GB and more... you can check Anand Tech customers (or similar), see your, and then test your. The many small read and written by Windows page on your 'C' drive file operations can hinder performance if you use lower SSD for your boot drive. Disable 'indexing' on all drives for better performance. Also, make sure that your "power" settings are ALL set 'Maximum Performance' or Windows will THROTTLE your CPU and GPU even to impede performance.

    In addition, be aware that the CURRENT of PPro CCloud version is better and improved over previous versions such as CS6 in the treatment of 4 K and other codecs. These new versions have the memory usage improved for better performance and ELIMINATED a common problem in editing. MOV files of Canon cameras allowing to set up a 32-bit operation that would PARALYSE the 64-bit body!

    Good luck!!

  • How can I change my CS6 Master Collection when the "Update" function is grayed out?

    I bought a used iMac (mid-2009) in 2012/13. It had pre-installed CS6 Master Collection. I thought I was getting updates for the software, but I'm wrong apparently. I have to update the applications to meet the requirements of security and anti-fraud PCI/DSS for my B & B business. If I don't respect I can't use my machine credit card to take payments from customers. In each application, the "Update" function is grayed out, then how can I update the software? Adobe support is the only place where I can get an answer on the Forums. I bought and for more than 20 years of Adobe products used but no serial number doesn't appear in my Adobe ID

    If the software is installed with an opportunity machine that was purchased, the software is not for you unless that seller officially transferred ownership of the procedure defined in the information below.

    Transfer an Adobe product license

    As far as updates go try direct updates
    https://www.Adobe.com/downloads/updates/
