PCI Hardening Standards in Enterprise using Casper Suite

Susan
New Contributor

Hi - is anyone using Casper Suite to harden enterprise computers for PCI Compliance? I'd like to collaborate so as to save time and not reinvent the wheel - especially scripts. Currently I'm hardening a mix of 10.6.8 and 10.7.4 clients, and not being a script ninja could really use some advice. Managed Preferences are not really an option as we need to have an administrative account on the employee computers that can access everything.

We are basing our standards on the following:

http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

and

http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.osx106.100

I'd also like to collaborate on the documentation of the hardening standards for policy creation.

Other software I need to implement across our Macs are Credant Disk Encryption and Trend Micro Systems antivirus.

Thanks,
Susan Spanovich
IT Desktop / IT Apple / Systems Administrator
sspanovich@lifetimefitness.com

12 REPLIES

donmontalvo
Esteemed Contributor III

10.6 is history.
10.7 is becoming history.
10.8 is the new standard.

NSA's hardening documents are still at 10.6.

Wow.

Don

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

--
https://donmontalvo.com

nessts
Valued Contributor II

Apple can barely keep up with their Documents and they are the most concerned. :)

rockpapergoat
Contributor III

working someplace affiliated with the government, it's not surprising. these people move slowly. the principles still apply, even if the docs specifically target 10.6.x.

donmontalvo
Esteemed Contributor III

@Susan We are going to be looking at Credant soon, as one of our clients already has it in place for their Windows clients. Have you guys rolled this out to your Macs yet? If so, any Mountain Lion clients?

Don

--
https://donmontalvo.com

gachowski
Valued Contributor II

FYI,

My understanding is that the NSA doc is written in "conjunction" with Apple and it sure looks like the CIS doc is based on the NSA Doc.

cam
Contributor

Hi Susan,
One positive aspect of the PCI-DSS is that it's relatively well defined. If anyone hasn't seen a copy of the full standard yet, it's publicly available here:
https://www.pcisecuritystandards.org/security_standards/documents.php

Interpretations will vary, but most auditors I've worked with tend to stick close to the standard. If there's a specific requirement that anyone is working on let us know; someone in the community may have worked through it before!

ekkehard
Contributor

Updates at:
http://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.unix.osx

gachowski
Valued Contributor II

We used this for our X.9 "build" and it's not any better than was in 2012 : )

alexjdale
Valued Contributor III

In my experience with PCI auditors, they can be incredibly unhelpful about setting standards and simply refer you to select and follow an industry benchmark like CIS, which is what we've done. We go item by item with the CIS benchmark, evaluate, and then develop a policy based on that. We're not implementing every item.

Your mileage may vary based on your PCI auditor, but ours just cared that we had standards and a process to implement/maintain them, he didn't seem to care much about the details.

That said, I would absolutely love it if Casper put some effort towards this, it will be more and more important as enterprises enter the Mac space. There is a major need for an authority on this.

corbinmharris
Contributor

We have had PCI audits and passed. All our Macs are encrypted with FileVault 2 via Casper and security policies enforced with Centrify AD.

sgoetz
Contributor

Hey All,

I have a customer service department that falls under PCI. We are supposed to log the following information to a central logging server and I'm curious how you guys do it. We tried using syslogd with the following settings:

authpriv.* @IP.IP.IP.IP

But the information they want is not contained in that.

    OSX Clients are configured to send the following type of messages:

        All actions taken by any individual with root or administrative privileges.
        Invalid logical access attempts.
        Use of and changes to identification and authentication mechanisms, including:
                All elevation of privileges.
                All changes, additions, or deletions to any account with root or administrative privileges.
                Initialization of audit logs.
                Stopping or pausing of audit logs.
                Creation and deletion of system level objects.
    OSX client messages are configured to contain the following fields/attributes:
        User identification
        Type of event
        Date and time
        Success or failure indication
        Origination of event

So I am wondering what you guys are using to log stuff to a central server? Rsyslog?

Thanks

Shawn

jholland
New Contributor III

@sgoetz I have a script tied to a policy that creates a launchdaemon and a local script on the client that syslogs data from /var/log/jamf.log to a local syslog server and then up to SumoLogic in the cloud every 10 min. See this link for the script.

You should be able to modify the script (IPs, regexes, etc.), add some code to parse out whatever lines from files in /var/log that meet the requirements above and send them to your central syslog server (for me, nothing more than a Mac mini running a Sumo syslog agent that relays to the cloud via TLS). The script uses the logger command, so clients don't need any agent software other than the script and the launchdaemon that get created by the policy/script.

Hope that helps.
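One way to cover the event list sgoetz posted with the logger-based approach jholland describes, as an added example that is not the script from the thread: it classifies 10.6/10.7-style /var/log/secure.log lines (the sample lines below are constructed) into the five fields the auditor asked for and re-logs them to the authpriv facility, so the existing "authpriv.* @IP.IP.IP.IP" rule in syslog.conf relays them. The "pci-audit" tag and the event names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn 10.6/10.7 secure.log lines into
# "user|event|date|result|origin" and re-log them under authpriv so the
# existing "authpriv.* @IP.IP.IP.IP" syslog.conf rule forwards them.
# Sample lines in the test and the "pci-audit" tag are constructed.

# classify_line LINE -> prints "user|event|date|result|origin", or returns 1
classify_line() {
    line=$1
    when=$(printf '%s\n' "$line" | cut -c1-15)        # "Mon DD HH:MM:SS"
    host=$(printf '%s\n' "$line" | awk '{print $4}')  # origin of the event
    case $line in
        *"sudo["*"incorrect password attempts"*)       # failed elevation
            user=$(printf '%s\n' "$line" | sed -n 's/.*sudo\[[0-9]*\]: *\([^ ]*\) :.*/\1/p')
            event=invalid-access-attempt; result=failure ;;
        *"sudo["*"COMMAND="*)                          # successful elevation
            user=$(printf '%s\n' "$line" | sed -n 's/.*sudo\[[0-9]*\]: *\([^ ]*\) :.*/\1/p')
            result=success
            case $line in                              # account edits run via sudo
                *"COMMAND=/usr/bin/dscl"*|*"COMMAND=/usr/sbin/dseditgroup"*)
                    event=account-change ;;
                *)  event=privilege-elevation ;;
            esac ;;
        *"authorizationhost["*"Failed to authenticate user <"*)  # bad login
            user=$(printf '%s\n' "$line" | sed -n 's/.*user <\([^>]*\)>.*/\1/p')
            event=invalid-access-attempt; result=failure ;;
        *) return 1 ;;                                 # not a PCI-relevant line
    esac
    printf '%s|%s|%s|%s|%s\n' "$user" "$event" "$when" "$result" "$host"
}

# forward_events FILE -> re-logs each matching line with logger(1) to authpriv
# and prints how many events were forwarded
forward_events() {
    n=0
    while IFS= read -r l; do
        ev=$(classify_line "$l") || continue
        logger -p authpriv.notice -t pci-audit "$ev"
        n=$((n + 1))
    done < "$1"
    echo "$n"
}
```

Run forward_events from the launchdaemon on the lines added since the previous run (the whole file is read here for simplicity); the local syslogd then relays the tagged events under the existing authpriv rule.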