diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 67b1bd5b96c..b1a354bfd13 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1293,35 +1293,33 @@ controls: software are defined and understood. levels: - base - status: pending + status: not applicable controls: - id: 5.1.1 title: All security policies and operational procedures that are identified in Requirement 5 are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending + status: not applicable notes: |- - Examine documentation and interview personnel to verify that security policies and - operational procedures identified in Requirement 5 are managed in accordance with all - elements specified in this requirement. + The responsibility for documentation, maintenance, use and dissemination of the security + policies and procedures is on the payment service and its operations team. - id: 5.1.2 title: Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood. levels: - base - status: pending + status: not applicable notes: |- - Examine documentation and interview personnel to verify that day-to-day responsibilities - for performing all the activities in Requirement 5 are documented, assigned and understood - by the assigned personnel. + The responsibility for documentation, maintenance, use and dissemination of the security + policies and procedures is on the payment service and its operations team. - id: '5.2' title: Malicious software (malware) is prevented, or detected and addressed. levels: - base - status: pending + status: supported notes: |- Related measures are covered by 1.2.6, 1.4.5 and 3.4.2. controls: 
@@ -1334,18 +1332,41 @@ controls: malware. levels: - base - status: pending + status: supported notes: |- There are many options of anti-malware and the criteria for any adopted solution or approach relies on each site policy. Technologies are supported but manual assessment is required. + OpenShift container platforms may install the OpenShift File + Integrity Operator [1] which monitors file system integrity on the host. + This may allow for the detection of threats on the hosts which attempt + to modify the file system in malicious ways. Additionally, there exist + several solutions to scan for container vulnerabilities which are indispensible + from any deployment. One such example is Red Hat Quay [2] which supports + image verification and continuous security scanning of container images. + Another option is Red Hat Advanced Cluster Security [3] which provides a complete solution + to build, deploy, and run containerized workloads with more security. + + [1] https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-understanding.html + [2] https://docs.openshift.com/container-platform/latest/security/container_security/security-registries.html + [3] https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet + + rules: [] + related_rules: + - acs_sensor_exists + - container_security_operator_exists + - file_integrity_exists + - id: 5.2.2 title: The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware. levels: - base - status: pending + status: not applicable + notes: |- + It is the payment entity's responsibility to ensure that the chosen anti-malware solutions + cover the required malware types. - id: 5.2.3 title: Any system components that are not at risk for malware are evaluated periodically. 
@@ -1358,7 +1379,10 @@ controls: protection. levels: - base - status: pending + status: not applicable + notes: |- + It is the payment entity's responsibility to identify and evaluate whether any system + component is at risk of a malware attack. controls: - id: 5.2.3.1 title: The frequency of periodic evaluations of system components identified as not at @@ -1371,13 +1395,15 @@ controls: assessment. levels: - base - status: pending + status: not applicable - id: '5.3' title: Anti-malware mechanisms and processes are active, maintained, and monitored. levels: - base - status: pending + status: not applicable + notes: |- + The requirements in this section depend on the malware solution deployed as part of 5.2.1. controls: - id: 5.3.1 title: The anti-malware solution(s) is kept current via automatic updates. @@ -1385,14 +1411,14 @@ controls: Anti-malware mechanisms can detect and address the latest malware threats. levels: - base - status: pending + status: not applicable - id: 5.3.2 title: The anti-malware solution(s) performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes. levels: - base - status: pending + status: not applicable controls: - id: 5.3.2.1 title: If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of @@ -1405,7 +1431,7 @@ controls: it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: 5.3.3 title: For removable electronic media, the anti-malware solution(s) performs automatic scans @@ -1414,9 +1440,7 @@ controls: logically mounted. levels: - base - status: pending - notes: |- - Related measures are covered by 3.4.2. + status: not applicable - id: 5.3.4 title: Audit logs for the anti-malware solution(s) are enabled and retained in accordance 
@@ -1426,7 +1450,7 @@ controls: least 12 months. levels: - base - status: pending + status: not applicable - id: 5.3.5 title: Anti-malware mechanisms cannot be disabled or altered by users, unless specifically @@ -1441,9 +1465,7 @@ controls: protection is not active. levels: - base - status: pending - notes: |- - Related measures are covered by 2.2.6 requirement and 8.2 section. + status: not applicable - id: '5.4' title: Anti-phishing mechanisms protect users against phishing attacks. @@ -1467,7 +1489,13 @@ controls: be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable + rules: [] + related_rules: + # NOTE: (yuumasato) below are some node OS configurations that can help prevent + # and detect spoofing + - firewalld_loopback_traffic_restricted + - sysctl_net_ipv4_conf_all_log_martians - id: '6.1' title: Processes and mechanisms for developing and maintaining secure systems and software are
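Review bot: in the first hunk (@@ -1293) the new `notes:` for 5.1.2 is a verbatim copy of the 5.1.1 note and says nothing about roles and responsibilities, which is what 5.1.2 requires; reword it along the lines of "Assignment and documentation of roles and responsibilities for the activities in Requirement 5 rests with the payment entity's operations team." Terminology is also inconsistent within the patch: these two notes say "the payment service and its operations team" while 5.2.2 and 5.2.3 say "the payment entity"; pick one wording for all N/A justifications.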
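Review bot: in the 5.2.1 hunk (@@ -1334) the added note has a spelling error and a wrong preposition: "several solutions to scan for container vulnerabilities which are indispensible from any deployment" should read "indispensable to any deployment". The closing sentence "run containerized workloads with more security" would read better as "more securely". Also, `status: supported` is paired with `rules: []` and only `related_rules`; the existing sentence "Technologies are supported but manual assessment is required" still applies, so consider stating explicitly in the note that the three related rules (acs_sensor_exists, container_security_operator_exists, file_integrity_exists) only check that a tool is installed, not that malware is actually detected or blocked.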
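Review bot: the 5.3 hunk (@@ -1371) adds the note "The requirements in this section depend on the malware solution deployed as part of 5.2.1." and then marks 5.3 and every child (5.3.1, 5.3.2, 5.3.2.1, 5.3.3, 5.3.4, 5.3.5) `not applicable` without a per-control note, while the sibling children of 5.2 (5.2.2, 5.2.3) each got a justification. Since 5.2.1 is marked `supported`, controls that depend on it are applicable but deployer-owned rather than inapplicable to the platform; either give each 5.3.x entry a note in the same style as 5.2.2 ("It is the payment entity's responsibility to ...") or say in the 5.3 note that the children inherit that justification.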
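Review bot: the 5.3.3 hunk (@@ -1414) and the 5.3.5 hunk (@@ -1441) delete the existing cross-references "Related measures are covered by 3.4.2." and "Related measures are covered by 2.2.6 requirement and 8.2 section." and replace them with nothing, while 5.2 keeps its own "Related measures are covered by 1.2.6, 1.4.5 and 3.4.2." Those references are the only pointers an assessor has to the controls that do cover removable media and tamper protection in this profile; keep them in the `notes:` alongside the N/A justification instead of dropping them, or explain in the commit why they no longer apply.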
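Review bot: in the 5.4 hunk (@@ -1467) the two `related_rules` added under an anti-phishing control, `firewalld_loopback_traffic_restricted` and `sysctl_net_ipv4_conf_all_log_martians`, address IP source-address spoofing on the node, not phishing of users, and the YAML comment "# NOTE: (yuumasato) below are some node OS configurations that can help prevent and detect spoofing" concedes as much. A `#` comment is dropped from the generated control documentation, so if these rules stay, move the rationale into a `notes:` entry so an assessor sees why they are listed; otherwise drop them, since listing related rules under a `status: not applicable` control sends a mixed signal about whether the platform contributes to 5.4 at all.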