PCI-DSS Compliance for an HP-UX Host

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software

8.4 Render all passwords unreadable during transmission and storage on

all system components using strong cryptography

This requirement mandates the password used to be transmitted and stored securely. This can be met using the HP-

UX EVFS, IPSec and secure NFS. For more information on configuring these products, see Requirement-3 and

Requirement-4.

8.5 Ensure proper user identification and authentication management for

non-consumer users and administrators on all system components

This requirement mainly deals with addition, deletion, monitoring, and modification of user account. It also briefs on

password management policies and session management.

HPDS provides various Password policies and account lockout features that help to define a set of rules that govern

how passwords and accounts are managed in the directory server. It also provides plug-ins to monitor inactive

accounts. The new account policy plug-in tracks login time stamps and provides the administrator with the option to

lock accounts based on the duration of inactivity since the last login time. HP-DS also provides support for custom

plug-in API’s.

The HP-UX RBAC product can also be used for management of terminated users. For more information about usage

of HP-UX RBAC product, see Requirement-7.

Apart from the products mentioned previously, the HP ArcSight ESM Compliance Insight Package for PCI helps in

setting various policies on the user accounts and passwords. It can automatically collect information from various

system components covered under PCI-DSS 2.0 and provides an intelligent layer of analysis and reporting on the

ArcSight ESM platform. It also helps in meeting various other requirements of PCI-DSS 2.0.

For more information about HP Arcsight security, see Appendix A.

Requirement 9: Restrict physical access to cardholder data

This requirement is not in the purview of this document.

Requirement 10: Track and monitor all access to network

resources and cardholder data

Sub Req# Requirement Products

10.1

Establish a process for linking all access to system

components (especially access done with administrative

privileges such as root) to each individual user.

HP-UX RBAC

10.2

Implement automated audit trails for all system

components to reconstruct events.

HP-UX Audit

10.3

Record at least the following audit trail entries for all

system components for each event: :User identification,

Type of event, Date and time, Success or failure indication,

Origination of event, Identity or name of affected data,

system component, or resource.

HP-UX Audit

10.4

Using time-synchronization technology, synchronize all

critical system clocks and times and ensure that the

following is implemented for acquiring, distributing, and

storing time.

NTP

10.5

Secure audit trails so they cannot be altered. DAC, HP-UX Whitelisting

10.6 Review logs for all system components at least daily. Log

reviews must include those servers that perform security

functions like intrusion-detection system (IDS) and

authentication, authorization, and accounting protocol

(AAA) servers (for example, RADIUS).

Not in the purview of this document

10.7 Retain audit trail history for at least one year, with a

minimum of three months immediately available for

analysis (for example, online, archived, or restorable from

back-up).

Not in the purview of this document