Technical white paper: PCI-DSS Compliance for an HP-UX Host

Table of contents

Disclaimer
Intended Audience
PCI-DSS Compliance for a HP-UX Host
Scope of the document
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Appendix A
References
Disclaimer

This whitepaper must be used as a guide in planning compliance-related tasks and not as a checklist for verifying compliance. The suggestions given may not be suitable for all environments, and the reader's discretion is advised in implementing them.

Intended Audience

This whitepaper is for personnel who have an underlying knowledge of the Payment Card Industry Standard and an awareness of HP-UX Security and Enterprise products.
Figure 1: Example topology of a PCI-DSS environment

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Sub Req# | Requirement | Products
1.1 | Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and that stipulate a review of configuration rule sets at least every six months. |
1.2 | Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment |

This requirement mainly deals with securing the internal network from malicious attacks. HP-UX IPFilter provides firewall services and network address translation (NAT); IPFilter itself is available for many UNIX-like operating systems. HP-UX IPFilter is a stateful system firewall that filters IP packets to control packet flow into or out of a system.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Sub Req# | Requirement | Products
2.1 | Changing Vendor Supplied Defaults | Change passwords of default UIDs of HP-UX and other products.
2.2 | Configuration Standards | Configure HP-UX Bastille
2.3 | Encrypt Non-Console Administrative Access | Use "HP-UX Secure Shell", disable insecure protocols
2.4 | Shared hosting providers to protect hosting environment and cardholder data | Not in Scope

2.
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

It is generally safe to carry out administrative functions through a console because one must have physical access to the device. It is not practical, though, to limit administrative access to the physical port; in general, administrators are allowed to access the console over the network.
EVFS can encrypt data at both the volume and file level and can be used to protect cardholder data as mentioned previously. Depending on whether volume-level or file-level encryption is desired, EVFS can be configured either in EVS mode (Encrypted Volume System) or in EFS mode (Encrypted File System). EVFS volumes (EVS mode) are configured as pseudo-devices below the HP-UX file system.
mechanisms on NFS filesystems, ranging from enhanced user authentication to full data encryption. OpenSSH can be used in heterogeneous system environments to encrypt cardholder data. Internet Protocol Security (IPSec) is a protocol suite operating at the network layer that secures Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
Figure 2: Example of end-to-end use of IPSec in the intranet

HP-UX HIDS can be used to potentially detect unprotected PANs sent by end-user messaging technologies if (and only if) the contents of those messaging technologies are logged in a plain-text log file. Enable the log file monitoring template to monitor the contents of these log files. For more information about HP-UX HIDS, see Appendix A.
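The log-file check described above needs more than a digit-run pattern to be useful: long order ids and timestamps would otherwise flood the alerts. As an added example (not HP-UX HIDS code, and not from the white paper), the following scans constructed log lines for PAN-like digit runs, keeps only those passing the Luhn check, and masks them to first six/last four so that the alert itself does not expose the PAN:

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not taken from the white paper). The 16-digit
# value on the first line is a well-known test card number, not a real account.
SAMPLE_LOG = """\
2024-05-01T10:02:11 mailrelay: from=alice to=bob subject=order card=4111111111111111
2024-05-01T10:02:12 mailrelay: from=carol to=dave subject=hi ref=4111-1111-1111-1112
2024-05-01T10:02:13 mailrelay: from=erin to=frank amount_cents=12345678901234 ok
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; cuts false positives such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in the alert text."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str) -> List[str]:
    """Return masked PANs found on one log line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, masked PANs) for every line that exposes a PAN."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        pans = scan_line(line)
        if pans:
            out.append((n, pans))
    return out
```

On the sample log only line 1 is reported; the hyphenated number on line 2 fails the Luhn check and the 14-digit amount on line 3 is rejected for the same reason.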
6.1 Ensure latest security patches are installed

Requirement 6.1 is intended to ensure that all system components and software have the latest vendor-supplied security patches installed, and that a process is in place to deploy critical patches within a month of release. HP-UX Software Assistant (SWA) is a tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems.
Requirement 7: Restrict access to cardholder data by business need to know

Sub Req# | Requirement | Products
7.1 | Limit access to system components and cardholder data | HP-UX RBAC
7.2 | Establish an access control system for system components with multiple users | HP-UX RBAC

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access

7.
8.2 In addition to assigning a unique ID, employ one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

Requirements 8.1 and 8.2 deal with ensuring that every person accessing the cardholder data is identified uniquely and authenticated. Unique user IDs can be assigned to users with the basic HP-UX command useradd or through HP-UX Directory Server (HPDS).
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography

This requirement mandates that passwords be transmitted and stored securely. This can be met using HP-UX EVFS, IPSec and secure NFS. For more information on configuring these products, see Requirement 3 and Requirement 4.

8.
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user

It is critical to have a process or system that links each user to the system components they accessed, in particular for users with administrative privileges. This system provides the ability to trace suspicious activity back to a specific user. Post-incident forensic teams depend on these logs to initiate the investigation.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time

If a malicious individual has entered the network, they often attempt to change the time stamps of their actions within the audit logs to prevent detection of their activity. For post-incident forensics teams, the time of each activity is critical in determining how the systems were compromised.
11.4 Use either intrusion detection systems or intrusion prevention systems, or both, to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises

Intrusion Detection

Intrusion detection detects illegal and improper use of computing resources by unauthorized personnel before such misuse results in excessive damage. The detection system constantly monitors critical systems and data to protect them from attacks.
Requirement 12: Maintain a policy that addresses information security for all personnel

This requirement is not in the purview of this document.

Appendix A

HP-UX IPFilter

HP-UX IPFilter can be used to explicitly permit or deny a packet from passing through a system based on the following characteristics:
- IP address or a range of IP addresses
- IP protocol (ICMP/ICMPv6/TCP/UDP)
- IP fragments or options
- IP security classes
- TCP/UDP port number
- ICMP message type
- NIC cards
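As an added example (not a ruleset from the white paper or from HP), a minimal stateful IPFilter rule file for a cardholder-data host that applies the Requirement 1.2 posture: deny by default, then permit only the administrative and application connections by address, protocol and port as listed above. The interface name lan0 and the address ranges are assumed placeholders.

```conf
# Default deny in both directions, logged; later "quick" rules stop processing.
block in log all
block out log all

# Loopback traffic is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: loopback addresses never arrive on the LAN interface.
block in quick on lan0 from 127.0.0.0/8 to any

# Administrative SSH only from the management network (assumed 192.0.2.0/24).
pass in quick on lan0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state

# Application traffic only from the DMZ tier (assumed 198.51.100.0/24).
pass in quick on lan0 proto tcp from 198.51.100.0/24 to any port = 8443 flags S keep state

# Outbound NTP and syslog to internal servers (assumed addresses); "keep state"
# lets the replies back in without a separate inbound rule.
pass out quick on lan0 proto udp from any to 10.0.0.5 port = 123 keep state
pass out quick on lan0 proto udp from any to 10.0.0.6 port = 514 keep state
```

Every packet not matched by a "pass ... quick" rule falls through to the logged default block, so unexpected connection attempts appear in the IPFilter log rather than silently reaching the host.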
APACHE
Umaskyn | Do you want to set the default umask?
Umask | What umask is default for users on the system?
Hidepasswords | Would you like to hide the encrypted passwords on this system?
Single_user_password | Would you like to password protect single-user mode?
System_auditing | Do you want basic system security auditing enabled?
ABORT_LOGIN_ON_MISSING_HOMEDIR | Do not allow logins unless the home directory exists?
Passwordpolicies | Do you want to setup password policies?
MIN_PASSWORD_LENGTH | What shoul
SecureInetd
Bindapachenic | Would you like to bind the web server to a particular interface?
Bindapacheaddress | Address to bind the web server to? [127.0.0.
to make any changes. The EVS mode supports all disk file systems. Data in EVFS volumes is encrypted using symmetric encryption keys. EVFS supports a number of symmetric key algorithms: AES-CBC and AES-CFB with 128-bit, 192-bit, and 256-bit keys. These encryption keys are in turn wrapped using a public/private keypair; 1024-bit, 1536-bit, and 2048-bit RSA keys are supported for this purpose. These keys are used for authentication of administrative access and during startup.
HP-UX RBAC provides a set of configuration files through which authorizations, roles and their mappings can be defined:
- auths config file, to define all valid authorizations
- cmd_priv config file, containing command and file authorizations and privileges
- role_auth config file, to define the authorizations for each role
- roles config file, to define roles
- user_role config file, to define the roles for each user

Plan the required roles for users, plan the authorizations required for the roles, and then plan the
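To make the chain user -> role -> authorization -> command concrete, here is an added example (not HP-UX RBAC code, and not from the white paper) that resolves whether a user may run a given command from constructed user_role, role_auth and cmd_priv contents. The file syntax is a simplified form assumed here; the real cmd_priv file carries further fields, so consult the HP-UX RBAC documentation before writing production entries.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample file contents (not from the white paper), in a simplified
# form of the HP-UX RBAC syntax that is assumed here: "user: role",
# "role: (operation, object)" and "command:(operation, object)".
USER_ROLE = """\
alice: UserAdmin
bob: Operator
"""
ROLE_AUTH = """\
UserAdmin: (hpux.user.*, *)
Operator: (hpux.printer.manage, lp0)
"""
CMD_PRIV = """\
/usr/sbin/useradd:(hpux.user.add, *)
/usr/sbin/userdel:(hpux.user.delete, *)
/usr/sbin/lpadmin:(hpux.printer.manage, lp0)
"""

Auth = Tuple[str, str]   # (operation, object)

def parse_pairs(text: str) -> Dict[str, List[str]]:
    """Split 'key: value' lines into key -> [values]; a key may repeat."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, val = line.split(":", 1)
            out.setdefault(key.strip(), []).append(val.strip())
    return out

def parse_auth(text: str) -> Auth:
    op, obj = text.strip().strip("()").split(",", 1)
    return op.strip(), obj.strip()

def covers(granted: Auth, needed: Auth) -> bool:
    """Operations are hierarchical names, so hpux.user.* grants hpux.user.add."""
    return (fnmatch.fnmatchcase(needed[0], granted[0])
            and fnmatch.fnmatchcase(needed[1], granted[1]))

def may_run(user: str, command: str) -> bool:
    """Would the wrapper (privrun on HP-UX) authorize `user` to run `command`?"""
    needed_raw = parse_pairs(CMD_PRIV).get(command)
    if needed_raw is None:
        return False                     # command is not under RBAC control
    needed = parse_auth(needed_raw[0])
    role_auths = parse_pairs(ROLE_AUTH)
    return any(covers(parse_auth(raw), needed)
               for role in parse_pairs(USER_ROLE).get(user, [])
               for raw in role_auths.get(role, []))
```

With these files alice may run useradd and userdel but not lpadmin, bob only lpadmin, and a user absent from user_role gets nothing, which is the least-privilege split Requirement 7 asks for.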
HP-UX NTP

An NTP central time server can be configured on HP-UX by following these steps:
1. For machines designated as central time servers, the /etc/ntp.conf file must be edited to add the external source's IP address. For all other machines, the config file must be edited to refer to the central time server. NOTE: NTPv3 supports only the IPv4 addressing scheme.
2.
3.
4. Bring the time difference between the external time source and the central time server to milliseconds.
HPOM notifies you of a status change, an event, or a problem on a managed node by sending you a message. If the event that triggers the message is a problem, HPOM can start an action to correct the problem. The original message, the result of the corrective action, and other associated information (for example, user annotations) are stored in the database. For more information about HP Operations Manager, see HP Operations Manager Support Manuals.