PCI-DSS compliance for Debian 8 using openscap

237 views
Skip to first unread message

0x2a

unread,
Apr 5, 2017, 5:12:20 AM4/5/17
to Wazuh mailing list
Hello,

this table in the documentation (https://documentation-dev.wazuh.com/user-manual/policy-monitoring/openscap/index.html) lists the wazuh default security policies for debian 8 as not PCI compliant,
but not the reason behind it.

Can someone elaborate on this?


regards,
0x2a

Jesus Linares

unread,
Apr 5, 2017, 10:50:26 AM4/5/17
to Wazuh mailing list
Hi,

each security policy has several profiles: standard, server, pci-dss, common, stig, etc. In the case of Debian, there is no profile for PCI-DSS.

Debian profiles:

root@ip-10-0-0-10:/var/ossec/wodles/oscap/content# oscap info ssg-debian-8-ds.xml
...
                Profiles:
                        xccdf_org.ssgproject.content_profile_common
                        xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
                        xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
                        xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
                        xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
...


Redhat profiles:
root@ip-10-0-0-10:/var/ossec/wodles/oscap/content# oscap info ssg-rhel-7-ds.xml
...
                Profiles:
                        xccdf_org.ssgproject.content_profile_standard
                        xccdf_org.ssgproject.content_profile_pci-dss
                        xccdf_org.ssgproject.content_profile_C2S
                        xccdf_org.ssgproject.content_profile_rht-ccp
                        xccdf_org.ssgproject.content_profile_common
                        xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream
                        xccdf_org.ssgproject.content_profile_stig-rhel7-server-gui-upstream
                        xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream
                        xccdf_org.ssgproject.content_profile_ospp-rhel7-server
                        xccdf_org.ssgproject.content_profile_nist-cl-il-al
                        xccdf_org.ssgproject.content_profile_cjis-rhel7-server
                        xccdf_org.ssgproject.content_profile_docker-host
...

I'm going to edit the table because it is not clear.

Check out the SSG project.

Thanks.
Regards.

Jesus Linares

unread,
Apr 5, 2017, 10:54:52 AM4/5/17
to Wazuh mailing list
I forgot to say that maybe some checks in the Common profile for ssg-debian-8-ds.xml could be valid for some PCI requirements. The profiles are only a grouping of checks and very often they are in several profiles.
Reply all
Reply to author
Forward
0 new messages