{"id": "pcidss_ocp4", "policy": "PCI-DSS", "title": "Configuration Recommendations of a GNU/Linux System", "source": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/pcidss_ocp4.yml", "controls": [{"id": "Req-1.1.1", "levels": ["base"], "notes": "This is an organizational control and not something that can be provided\nby the OpenShift Container Platform.", "title": "1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.2", "levels": ["base"], "notes": "While there are ways and tools where the OpenShift Container Platform could\nhelp address this control, covering the scope of a deployment with the application\nspecific connections is out of scope.\n\nIf such functionality is needed, there are tools such as Advanced Cluster\nSecurity [1] that may help fulfil this control.\n\n[1] https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet", "title": "1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.3", "levels": ["base"], "notes": "While there are ways and tools where the OpenShift Container Platform could\nhelp address this control, covering the scope of a deployment 
with the application\nspecific connections is out of scope.\n\nIf such functionality is needed, there are tools such as Advanced Cluster\nSecurity [1] that may help fulfil this control.\n\n[1] https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet", "title": "1.1.3 Current diagram that shows all cardholder data flows across systems and networks", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.4", "levels": ["base"], "notes": "While there will be a firewall protecting the cluster from outside traffic,\nnetwork connectivity within the cluster is handled by the SDN plugin and\nis configurable via NetworkPolicies [1]. We can ensure that each non-control\nplane namespace has a NetworkPolicy enabled, but it's still the responsibility\nof the system administrator to ensure that the policy is correct.\n\n[1] https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html", "title": "1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.5", "levels": ["base"], "notes": "This is an organizational control related to the personnel and not something\nthat can be provided by the OpenShift Container Platform.", "title": "1.1.5 Description of groups, roles, and responsibilities for management of network components", "description": null, "rationale": null, "automated": "no", 
"status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.6", "levels": ["base"], "notes": "This is an organizational control and not something that can be provided\nby the OpenShift Container Platform.", "title": "1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.", "description": "Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1.7", "levels": ["base"], "notes": "This is an organizational control and not something that can be provided\nby the OpenShift Container Platform.", "title": "1.1.7 Requirement to review firewall and router rule sets at least every six months", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.1", "levels": ["base"], "notes": "", "title": "1.1 Establish and implement firewall and router configuration standards that include the following:", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": [], "controls": ["Req-1.1.1", "Req-1.1.2", "Req-1.1.3", "Req-1.1.4", "Req-1.1.5", "Req-1.1.6", "Req-1.1.7"]}, {"id": "Req-1.2.1", "levels": ["base"], "notes": "East-West traffic in the cluster can be managed via NetworkPolicies [1]. So,\nwe can verify that each non-control plane namespace has a relevant NetworkPolicy enabled.\nHowever, Egress traffic needs to be taken into account as well, and this setup\nwill vary depending on the SDN plugin used [2][3].\n\n[1] https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html\n[2] https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/configuring-egress-firewall.html\n[3] https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.html", "title": "1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.", "description": null, "rationale": null, "automated": "yes", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.2.2", "levels": ["base"], "notes": "Router configurations are out of scope from the OpenShift Container Platform.\nWhile this is still relevant and something that organizations do, this is\ndependent on where OpenShift is deployed. 
In cloud deployments, router configurations\nare virtual and need to be verified depending on the implementation; e.g.\nin OpenStack, one would need to verify Neutron's Security Groups.", "title": "1.2.2 Secure and synchronize router configuration files.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.2.3", "levels": ["base"], "notes": "Firewall configurations are out of scope from the OpenShift Container Platform.\nWhile this is still relevant and something that organizations do, this is\ndependent on where OpenShift is deployed.", "title": "1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.2", "levels": ["base"], "notes": "", "title": "1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.", "description": "Note: An \"untrusted network\" is any network that is external\nto the networks belonging to the entity under review, and/or which is out of\nthe entity's ability to control or manage.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-1.2.1", "Req-1.2.2", "Req-1.2.3"]}, {"id": "Req-1.3.1", "levels": ["base"], "notes": "To a limited degree, OpenShift's ingress routing (enabled by default)\nand NetworkPolicies can support restriction of inbound traffic to pods.\nFurther restriction needs to happen in the cloud or network where OpenShift is\ndeployed, but that is outside of OpenShift's scope.", "title": "1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.2", "levels": ["base"], "notes": "To a limited degree, OpenShift's ingress routing (enabled by default)\nand NetworkPolicies can support restriction of inbound traffic to pods.\nFurther restriction needs to happen in the cloud or network where OpenShift is\ndeployed, but that is outside of OpenShift's scope.", "title": "1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.3", "levels": ["base"], "notes": "Anti-spoofing and blocking forged IP addresses are outside the scope\nof the OpenShift Container Platform.", "title": "1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.", "description": "(For example, block traffic originating from the Internet with an internal source address.)", "rationale": null, 
"automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.4", "levels": ["base"], "notes": "OpenShift can support authorization of outbound traffic via\negress firewall policy objects [1][2].\n\n[1] https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/configuring-egress-firewall.html\n[2] https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.html", "title": "1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.5", "levels": ["base"], "notes": "This will be met by a third-party stateful firewall, which is external to OpenShift.", "title": "1.3.5 Permit only \"established\" connections into the network.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.6", "levels": ["base"], "notes": "Segregation of such system components can take place using the same\nnetwork segregation mechanisms that OpenShift already supports [1][2][3]:\n\n* Ingress\n* NetworkPolicies\n* Egress Policies\n\nSpecial attention must be paid to auditing that these components\nare appropriately segregated by the aforementioned mechanisms.\n\n[1] 
https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html\n[2] https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/configuring-egress-firewall.html\n[3] https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.html", "title": "1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3.7", "levels": ["base"], "notes": "Protection from IP address disclosure can be handled by solutions\noutside of OpenShift.", "title": "1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.", "description": "Note: Methods to obscure IP addressing may include, but are not limited to:\n* Network Address Translation (NAT)\n* Placing servers containing cardholder data behind proxy servers/firewalls,\n* Removal or filtering of route advertisements for private networks that\n  employ registered addressing,\n* Internal use of RFC1918 address space instead of registered addresses.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.3", "levels": ["base"], "notes": "", "title": "1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-1.3.1", "Req-1.3.2", "Req-1.3.3", "Req-1.3.4", "Req-1.3.5", "Req-1.3.6", "Req-1.3.7"]}, {"id": "Req-1.4", "levels": ["base"], "notes": "Personal firewall software is outside the scope of the OpenShift\nContainer Platform.", "title": "1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.", "description": "Firewall configurations include:\n* Specific configuration settings are defined for personal firewall software.\n* Personal firewall software is actively running.\n* Personal firewall software is not alterable by users of mobile and/or\n  employee-owned devices.\n", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-1.5", "levels": ["base"], "notes": "The organization will want to ensure that its security\npolicies and operational procedures cover managing the OpenShift\nSDN and OpenShift NetworkPolicy objects within the OpenShift\nenvironment.", "title": "1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.1", "levels": ["base"], "notes": "The OpenShift Container Platform doesn't come with 
any hardcoded credentials or passwords.\nAuthenticators are uniquely generated at deployment time, including the password\nfor a temporary admin user (called `kubeadmin`) which is meant for bootstrapping purposes.\n\nIt is recommended that deployers delete this account once an identity provider (IdP)\nhas been configured and another user has been granted cluster-admin via RBAC roles;\nremoving it earlier locks administrators out of the cluster.", "title": "2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.", "description": "This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.1.1", "levels": ["base"], "notes": "The OpenShift Container Platform does not provide wireless networking and\ndoesn't come with any hardcoded credentials or passwords.", "title": "2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2.1", "levels": ["base"], "notes": "OpenShift nodes run RHEL CoreOS by default, which contains only the\nnecessary services, protocols and daemons needed to run OpenShift 
and\ncontainers. OpenShift provides the means to separate application\nworkloads within the cluster onto separate hosts and containers. It\nis the responsibility of the organization to appropriately separate\ntheir applications into relevant containers to meet this control.", "title": "2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.", "description": "(For example, web servers, database servers, and DNS should be implemented\non separate servers.)\n\nNote: Where virtualization technologies are in use, implement only\none primary function per virtual system component.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2.2", "levels": ["base"], "notes": "RHEL CoreOS runs only the necessary services, protocols and daemons required\nfor the functionality of OpenShift itself.", "title": "2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2.3", "levels": ["base"], "notes": "OpenShift does not require any insecure services, protocols or daemons for\nproper functioning. 
The deployment comes with TLS enabled by default, with\nstrong cipher suites and an appropriate protocol version.", "title": "2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure", "description": "for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec\nVPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.\n\nNote: SSL and early TLS are not considered strong cryptography and\ncannot be used as a security control after June 30, 2016. Prior to this date,\nexisting implementations that use SSL and/or early TLS must have a formal Risk\nMitigation and Migration Plan in place.\n\nEffective immediately, new implementations must not use SSL or early TLS.\n\nPOS POI terminals (and the SSL/TLS termination points to which they connect) that\ncan be verified as not being susceptible to any known exploits for SSL and early\nTLS may continue using these as a security control after June 30, 2016.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2.4", "levels": ["base"], "notes": "While it's possible to manually configure the security settings\nin the OpenShift Container Platform, the Compliance Operator provides\nan automated way of checking for a secure configuration and automatically\nremediating issues according to known security standards. 
Its use\nis recommended to ensure the appropriate configuration is set and to prevent\ndrift.", "title": "2.2.4 Configure system security parameters to prevent misuse.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2.5", "levels": ["base"], "notes": "The OpenShift Container Platform uses RHEL CoreOS by default. It is\na minimal operating system with the sole purpose of running OpenShift. Therefore\nit doesn't contain extra packages or functionality; only the minimum needed\nto run OpenShift. RHCOS is the recommended operating system for OpenShift.", "title": "2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.2", "levels": ["base"], "notes": "This control is addressed by applying the CIS OpenShift Benchmark recommendations.", "title": "2.2 Develop configuration standards for all system components. 
Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.", "description": "Sources of industry-accepted system hardening standards may include,\nbut are not limited to:\n* Center for Internet Security (CIS)\n* International Organization for Standardization (ISO)\n* SysAdmin Audit Network Security (SANS) Institute\n* National Institute of Standards Technology (NIST)", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-2.2.1", "Req-2.2.2", "Req-2.2.3", "Req-2.2.4", "Req-2.2.5"]}, {"id": "Req-2.3", "levels": ["base"], "notes": "", "title": "2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.", "description": "Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. 
Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.\nEffective immediately, new implementations must not use SSL or early TLS.\nPOS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.4", "levels": ["base"], "notes": "The payment entity will be responsible for maintaining an inventory\nof system components that are in use for their OpenShift environment.\n\nThis is out of scope for the OpenShift platform as the responsibility lies\non the deployer.", "title": "2.4 Maintain an inventory of system components that are in scope for PCI DSS.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.5", "levels": ["base"], "notes": "This control is not applicable to the OpenShift platform and is instead a\nresponsibility of the deployer. 
The payment entity will be responsible for\nthe documentation and dissemination of the security policies and\noperational procedures pertaining to their OpenShift deployment and\nverifying that the policies and procedure are in use and being followed.", "title": "2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-2.6", "levels": ["shared_hosting_provider"], "notes": "", "title": "2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data.", "description": "These providers must meet specific requirements as\ndetailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting\nProviders.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.1", "levels": ["base"], "notes": "", "title": "3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:", "description": "* Limiting data storage amount and retention time to that\n  which is required for legal, regulatory, and/or business requirements\n* Specific retention requirements for cardholder data\n* Processes for secure deletion of data when no longer needed\n* A quarterly process for identifying and securely deleting stored\n  cardholder data that exceeds defined retention.", "rationale": 
null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.2.1", "levels": ["base"], "notes": "", "title": "3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.", "description": "Note: In the normal course of business, the following data elements\nfrom the magnetic stripe may need to be retained:\n\n* The cardholder's name\n* Primary account number (PAN)\n* Expiration date\n* Service code\n\nTo minimize risk, store only these data elements as needed for business.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.2.2", "levels": ["base"], "notes": "", "title": "3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.2.3", "levels": ["base"], "notes": "", "title": "3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.2", "levels": ["base"], "notes": "Proper design of the application by the payment entity can accommodate this requirement as a processing mandate, restricting in-memory process for this data and taking care not to write to file storage from within the container or pod.", "title": "3.2 Do not store sensitive authentication data after authorization (even if encrypted).", "description": "If sensitive authentication data is received, render all\ndata unrecoverable upon completion of the authorization process.\n\nIt is permissible for issuers and companies that support issuing services\nto store sensitive authentication data if:\n* There is a business justification and\n* The data is stored securely.\n\nSensitive authentication data includes the data as cited in the\nfollowing Requirements 3.2.1 through 3.2.3:", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-3.2.1", "Req-3.2.2", "Req-3.2.3"]}, {"id": "Req-3.3", "levels": ["base"], "notes": "", "title": "3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.", "description": "Note: This requirement does not supersede stricter requirements in\nplace for displays of cardholder data; for example, legal or payment card\nbrand requirements for point-of-sale (POS) receipts.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.4", "levels": ["base"], "notes": "This is the responsibility of the code developer, and for bespoke applications using OCP this should become a development standard.", "title": "3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:", "description": "* One-way hashes based on strong cryptography (hash must be of the entire PAN)\n* Truncation (hashing cannot be used to replace the truncated segment of PAN)\n* Index tokens and pads (pads must be securely stored)\n* Strong cryptography with associated key-management processes and procedures.\n\nNote: It is a relatively trivial effort for a malicious individual to\nreconstruct original PAN data if they have access to both the\ntruncated and hashed version of a PAN. Where hashed and truncated versions of\nthe same PAN are present in an entity's environment, additional controls\nmust be in place to ensure that the hashed and truncated versions cannot be\ncorrelated to reconstruct the original PAN.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.4.1", "levels": ["base"], "notes": "In cases where cardholder data may be stored on worker node disks, OpenShift Container Platform can help to partially\ncomply with this requirement by providing several means of fully encrypting disks:\n* Using RHEL core crypto components, which are FIPS certified\n* Or using cloud provider techniques, such as EBS encryption in the AWS case.\nFor this requirement, we also check that etcd is encrypted, so that secrets, as well as routes and OAuth configurations, are secured.\n\nConcerning Full Disk Encryption:\nFull Disk Encryption can be enabled on OpenShift by installing the cluster with FIPS mode enabled.\nOpenShift Container Platform uses certain FIPS Validated / Modules in Process modules within RHEL and RHCOS\nfor the operating system components that it uses.\nSee RHEL7 core crypto components and https://docs.openshift.com/container-platform/4.9/installing/installing-fips.html for further information.\nWhen installing the cluster, the public SSH key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config\nfiles and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user\non each node, which enables password-less authentication.\nThe management of the private key is up to the customer.\nLUKS/dm-crypt (used by the FIPS mode) provides full-disk encryption that fulfills Req-3.4.1.\nAccess to the stored data is only possible via a decryption password that must be entered when the disk is mounted (must be somehow\nrelated to the SSH key pair?...).\nThe decryption password is stored using TPM v2, in a secure cryptoprocessor contained within a server.\nWhen enabling FIPS mode, machine configs state that encryption using TPM-based pinning in clevis is requested for these nodes.", "title": "3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). 
Decryption keys must not be associated with user accounts.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.5.1", "levels": ["base"], "notes": "This requirement largely depends on the solution chosen by the customer to protect cardholder data at rest.\n* When Full Disk Encryption is done using AWS EBS encryption, the algorithm used is AES-256.\n  Your data key is stored on disk with your encrypted data, but not before EBS encrypts it with your KMS key.\n  Your data key never appears on disk in plaintext.\n  The same data key is shared by snapshots of the volume and any subsequent volumes created from those snapshots.\n  See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n* When Full Disk Encryption is done using LUKS with TPM2, full disk encryption utilities such as dm-crypt and\n  BitLocker encrypt disks with a TPM bind key, and then store the TPM bind key in the TPM (Trusted Platform Module),\n  which is a secure element attached to the motherboard of the node.\n  The main benefit of this method is that there is no external dependency, and the node is able to decrypt its own\n  disks at boot time without any external interaction.\n* When Full Disk Encryption is done using LUKS with Tang, the booting node attempts to contact a predefined set\n  of Tang servers by performing a cryptographic handshake. 
If it can reach the required number of Tang servers,\n  the node can construct its disk decryption key and unlock the disks to continue booting.\nSee https://docs.openshift.com/container-platform/4.9/security/network_bound_disk_encryption/nbde-about-disk-encryption-technology.html", "title": "3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:", "description": "* Details of all algorithms, protocols, and keys used for the protection of\n  cardholder data, including key strength and expiry date\n* Description of the key usage for each key\n* Inventory of any HSMs and other SCDs used for key management", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.5.2", "levels": ["base"], "notes": "This requirement largely depends on the solution chosen by the customer to protect cardholder data at rest.\n* When Full Disk Encryption is done using AWS EBS encryption, the data key, used for volume encryption, is generated\n  by AWS KMS, encrypted with the Key Encryption Key that lies in the KMS and stored with the volume metadata, by EBS.\n  It is the payment entity's responsibility to limit the access to this key by ensuring that Grant requests to decrypt\n  the data key using the KEK (Key Encryption Key) are given only to need-to-know users or AWS resources.\n  See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n* When Full Disk Encryption is done using LUKS with TPM2, the TPM bind key, which is used to decrypt the data key, is\n  stored in the TPM (Trusted Platform Module), on the motherboard of the node.\n  It is therefore not shared with anyone.\n* When Full Disk Encryption is done using LUKS with Tang, the Tang server does not store 
the encryption key directly,\n  and never interacts with it. The metadata needed to decrypt the volume is stored on the disk but can only be\n  unlocked and used when the node can correctly establish the handshake with the Tang server.\n  The data key is therefore not shared with anyone.", "title": "3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.5.3", "levels": ["base"], "notes": "This requirement depends on the solution chosen by the customer to protect cardholder data at rest:\n* When Full Disk Encryption is done using AWS EBS encryption, the data key is encrypted with a Key Encryption Key\n  that is stored in the AWS KMS, separately from the data key.\n* When Full Disk Encryption is done using LUKS with TPM2, the TPM bind key, which is used to decrypt the data key, is\n  stored in the TPM (Trusted Platform Module), on the motherboard of the node.\n* When Full Disk Encryption is done using LUKS with Tang, the encryption key is not stored to disk. Only the provisioning\n  metadata is. 
A POST to the Tang server would allow the node to recompute the encryption key from this metadata.\n  See https://github.com/latchset/tang", "title": "3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:", "description": "* Encrypted with a key-encrypting key that is at least as strong\n  as the data-encrypting key, and that is stored separately from the\n  data-encrypting key\n* Within a secure cryptographic device (such as a hardware (host)\n  security module (HSM) or PTS-approved point-of-interaction device)\n* As at least two full-length key components or key shares, in accordance with\n  an industry-accepted method\n\nNote: It is not required that public keys be stored\n  in one of these forms.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.5.4", "levels": ["base"], "notes": "This requirement depends on the solution chosen by the customer to protect cardholder data at rest:\n* When Full Disk Encryption is done using AWS EBS encryption, the data key is stored in the volume's metadata only.\n  The KEK is stored in the AWS KMS only.\n* When Full Disk Encryption is done using LUKS with TPM2, the TPM bind key is stored in the TPM (Trusted Platform Module) only.\n  The encrypted data key is stored on the MBR of the disk only.\n* When Full Disk Encryption is done using LUKS with Tang, the encryption key is not stored to disk. Only the provisioning\n  metadata is. 
A POST to the Tang server would allow the node to recompute the encryption key from this metadata.\n  See https://github.com/latchset/tang", "title": "3.5.4 Store cryptographic keys in the fewest possible locations.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.5", "levels": ["base"], "notes": "See sub-requirements for details.", "title": "3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse:", "description": "Note: This requirement applies to keys used to encrypt stored cardholder\ndata, and also applies to key-encrypting keys used to protect data-encrypting\nkeys; such key-encrypting keys must be at least as strong as the data-encrypting\nkey.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-3.5.1", "Req-3.5.2", "Req-3.5.3", "Req-3.5.4"]}, {"id": "Req-3.6.1", "levels": ["base"], "notes": "", "title": "3.6.1 Generation of strong cryptographic keys", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.2", "levels": ["base"], "notes": "", "title": "3.6.2 Secure cryptographic key distribution", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, 
"check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.3", "levels": ["base"], "notes": "", "title": "3.6.3 Secure cryptographic key storage", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.4", "levels": ["base"], "notes": "It is the responsibility of the payment entity's operations team to rotate the\nencryption keys when they expire, according to the solution chosen for full disk\nencryption:\n* AWS EBS Encryption: The operations team creates a snapshot of the volume and then uses\n  the snapshot to create a new, encrypted copy of the volume. While creating the new volume,\n  a new encryption key is specified.\n* LUKS encryption with TPM2: The TPM secret cannot be modified after disk creation.\n* LUKS encryption with Tang: The operations team performs the Tang key rotation as described in\n  https://access.redhat.com/solutions/4074891", "title": "3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of ciphertext has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.5", "levels": ["base"], "notes": "It is the responsibility of the payment entity's operations team to retire or\nreplace 
weakened keys.", "title": "3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.", "description": "Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.6", "levels": ["base"], "notes": "Manual clear-text cryptographic key-management operations are not used in the context of OpenShift Container Platform.", "title": "3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.", "description": "Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.7", "levels": ["base"], "notes": "This requirement depends on the solution chosen by the payment entity to protect cardholder data at rest:\n* When Full Disk Encryption is done using AWS EBS encryption, the authorizations on the cryptographic keys are managed\n  in AWS IAM by the payment entity operating the service.\n* When Full Disk Encryption is done using 
LUKS with TPM2, no substitution of cryptographic keys is possible after disk creation.\n* When Full Disk Encryption is done using LUKS with Tang, access to the Tang server, where the Tang key rotation process\n  can be handled, is the responsibility of the payment entity operating the service.", "title": "3.6.7 Prevention of unauthorized substitution of cryptographic keys.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6.8", "levels": ["base"], "notes": "This requirement is not applicable to the OpenShift Container Platform\nas it instead pertains to the practices and documentation from the\npayment entity. The platform may not generate the entity's policies\nand security practices.", "title": "3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-3.6", "levels": ["base"], "notes": "Although some key management processes rely on OpenShift Container Platform and its underlying components\nfor Full Disk Encryption, the responsibility for documentation and implementation of key-management processes\nand procedures for cryptographic keys used for encryption of cardholder data is still on the payment service and its\noperations team in order to cover all aspects of cardholder data protection.", "title": "3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for 
encryption of cardholder data, including the following:", "description": "Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-3.6.1", "Req-3.6.2", "Req-3.6.3", "Req-3.6.4", "Req-3.6.5", "Req-3.6.6", "Req-3.6.7", "Req-3.6.8"]}, {"id": "Req-3.7", "levels": ["base"], "notes": "This requirement is not applicable to the OpenShift Container Platform\nas it instead pertains to the practices and documentation from the\npayment entity. The platform may not generate the entity's policies\nand security practices.", "title": "3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-4.1", "levels": ["base"], "notes": "", "title": "4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:", "description": "* Only trusted keys and certificates are accepted.\n* The protocol in use only supports secure versions or configurations.\n* The encryption strength is appropriate for the encryption methodology in\n  use.\n\nNote: SSL and early TLS are not considered strong cryptography and cannot\nbe used as a security control after June 30, 2016. 
Prior to this date, existing\nimplementations that use SSL and/or early TLS must have a formal Risk Mitigation\nand Migration Plan in place.\n\nEffective immediately, new implementations must not use SSL or early TLS.\n\nPOS POI terminals (and the SSL/TLS termination points to which they connect)\nthat can be verified as not being susceptible to any known exploits for SSL\nand early TLS may continue using these as a security control after\nJune 30, 2016.\n\nExamples of open, public networks include but are not limited to:\n* The Internet\n* Wireless technologies, including 802.11 and Bluetooth\n* Cellular technologies, for example, Global System for Mobile\n  communications (GSM), Code division multiple access (CDMA)\n* General Packet Radio Service (GPRS)\n* Satellite communications", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-4.1.1", "levels": ["base"], "notes": "", "title": "4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.", "description": "Note: The use of WEP as a security control is prohibited.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-4.2", "levels": ["base"], "notes": "", "title": "4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-4.3", "levels": ["base"], "notes": "", "title": "4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-5.1.1", "levels": ["base"], "notes": "OpenShift container platforms may install the OpenShift File\nIntegrity Operator [1] which monitors file system integrity on the host.\nThis may allow for the detection of threats on the hosts which attempt\nto modify the file system in malicious ways. Additionally, there exist\nseveral solutions to scan for container vulnerabilities which are indispensable\nin any deployment. 
One such example is Red Hat Quay [2] which supports\nimage verification and continuous security scanning of container images.\n\n[1] https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-understanding.html\n[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-registries.html", "title": "5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-5.1.2", "levels": ["base"], "notes": "Red Hat Product Security constantly tracks threats to the OpenShift Container\nPlatform to ensure they are addressed. Besides this they also perform\nvulnerability assessments on the platform which aid in keeping up\nwith the constantly evolving threat landscape.", "title": "5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-5.1", "levels": ["base"], "notes": "Security techniques that are commonly used by traditional IT infrastructures\nhave limited functionality in containerized infrastructures. 
A key aspect to\nsuccessful security of container environments is identifying and\nunderstanding the opportunities or gateways for detection. While this may\nencompass several attack vectors, there are integrations and mechanisms in\nOpenShift that allow for this.", "title": "5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-5.1.1", "Req-5.1.2"]}, {"id": "Req-5.2", "levels": ["base"], "notes": "OpenShift container platforms may install the OpenShift File\nIntegrity Operator [1] which monitors file system integrity on the host.\nThis may allow for the detection of threats on the hosts which attempt\nto modify the file system in malicious ways. Additionally, there exist\nseveral solutions to scan for container vulnerabilities which are indispensable\nin any deployment. 
One such example is Red Hat Quay [2] which supports\nimage verification and continuous security scanning of container images.\n\n[1] https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-understanding.html\n[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-registries.html", "title": "5.2 Ensure that all anti-virus mechanisms are maintained as follows:", "description": "* Are kept current,\n* Perform periodic scans\n* Generate audit logs which are retained per PCI DSS Requirement 10.7.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-5.3", "levels": ["base"], "notes": "The OpenShift File Integrity Operator runs on a namespace prepended with\nthe `openshift-` prefix. Such namespaces are only accessible by system\nadministrators. Users require explicit roles to access the namespace. On\nthe other hand, given the usage of Custom Resource Definitions, users also\nrequire explicit roles and permissions to access and modify the scan settings\nof the operator.\n\nImage registries such as Red Hat Quay also require special privileges in\norder to modify and access them. Security scanning of images may not be\nturned off.", "title": "5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.", "description": "Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. 
Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-5.4", "levels": ["base"], "notes": "This requirement is not applicable to the OpenShift Container Platform\nas it instead pertains to the practices and documentation from the\npayment entity. The platform may not generate the entity's policies\nand security practices.", "title": "5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.1", "levels": ["base"], "notes": "Establishing a process to identify security vulnerabilities is outside of\nOpenShift Container Platform's scope. That's up to the payment entity to\ndo and enforce.", "title": "6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high', 'medium', or 'low') to newly discovered security vulnerabilities.", "description": "Note: Risk rankings should be based on industry best practices as well as\nconsideration of potential impact. 
For example, criteria for ranking\nvulnerabilities may include consideration of the CVSS base score,\nand/or the classification by the vendor, and/or type of systems affected.\n\nMethods for evaluating vulnerabilities and assigning risk ratings\nwill vary based on an organization's environment and risk-assessment strategy.\nRisk rankings should, at a minimum, identify all vulnerabilities considered\nto be a 'high risk' to the environment. In addition to the risk ranking,\nvulnerabilities may be considered 'critical' if they pose an imminent\nthreat to the environment, impact critical systems, and/or would result in a\npotential compromise if not addressed. Examples of critical systems may include\nsecurity systems, public-facing devices and systems, databases, and other systems\nthat store, process, or transmit cardholder data.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.2", "levels": ["base"], "notes": "The OpenShift Container Platform provides the capability of updating\nboth the Kubernetes/OCP layer, as well as the Operating System (Red Hat\nCoreOS) layer in a ubiquitous manner with over-the-air updates using\nthe OpenShift Update Service (OSUS) [1]. This service can also be installed\nin clusters without internet connectivity [2].\n\n[1] https://docs.openshift.com/container-platform/latest/updating/understanding-the-update-service.html\n[2] https://docs.openshift.com/container-platform/latest/updating/installing-update-service.html", "title": "6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. 
Install critical security patches within one month of release.", "description": "Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.3.1", "levels": ["base"], "notes": "This control is applicable to the payment entity running OpenShift\nand not to the platform itself. However, the OpenShift Container Platform\ndoes not ship with development or testing accounts.", "title": "6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.3.2", "levels": ["base"], "notes": "This control is applicable to the payment entity running OpenShift\nand not to the platform itself. 
However, code reviews are enforced\nas part of the development of the OpenShift Container Platform.", "title": "6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:", "description": "* Code changes are reviewed by individuals other than the originating\n  code author, and by individuals knowledgeable about code-review techniques and\n  secure coding practices.\n* Code reviews ensure code is developed according\n  to secure coding guidelines\n* Appropriate corrections are implemented\n  prior to release.\n* Code-review results are reviewed and approved by management prior to release.\n\nNote: This requirement for code reviews applies to all custom code\n(both internal and public-facing), as part of the system development life cycle.\n\nCode reviews can be conducted by knowledgeable internal personnel or third parties.\nPublic-facing web applications are also subject to additional controls,\nto address ongoing threats and vulnerabilities after implementation,\nas defined at PCI DSS Requirement 6.6.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.3", "levels": ["base"], "notes": "This control is applicable to the payment entity running OpenShift\nand not to the platform itself. 
However, as part of the development\nof the OpenShift Container Platform, Red Hat's Product Security organization\nperforms extensive security reviews on the platform itself.", "title": "6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:", "description": "* In accordance with PCI DSS (for example, secure authentication and logging)\n* Based on industry standards and/or best practices.\n* Incorporating information security throughout the software-development\n  life cycle\nNote: this applies to all software developed internally as well as\nbespoke or custom software developed by a third party.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-6.3.1", "Req-6.3.2"]}, {"id": "Req-6.4.1", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment entity's\nresponsibility to separate development and test environments.", "title": "6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.2", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment entity's\nresponsibility to separate development and test environments.", "title": "6.4.2 Separation of duties between development/test and production environments", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.3", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment entity's\nresponsibility to not use live PANs for testing and development.", "title": "6.4.3 Production data (live PANs) are not used for testing or development", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.4", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment entity's\nresponsibility to remove test data and accounts, or ensure they're not present\nin production environments.", "title": "6.4.4 Removal of test data and accounts before production systems become active", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.5.1", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow appropriate procedures\nwhen applying updates and software modifications, and to ensure that these\nprocedures are thoroughly documented.", "title": "6.4.5.1 Documentation of impact.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": 
"Req-6.4.5.2", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow appropriate and documented procedures\nwhen applying updates and software modifications, and to ensure that these\nprocedures are approved by an authorized party.", "title": "6.4.5.2 Documented change approval by authorized parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.5.3", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow appropriate and documented procedures\nwhen applying updates and software modifications, as well\nas testing them appropriately before applying them.", "title": "6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.5.4", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow appropriate and documented procedures\nwhen applying updates and software modifications, as well as\nhaving back-out procedures in place and working.\n\nHowever, OpenShift operators and most building blocks of the platform\nare able to downgrade automatically if an update doesn't go as expected or\nif API requirements are not satisfied.", "title": "6.4.5.4 Back-out procedures.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4.5", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow appropriate and documented procedures\nwhen applying updates and software modifications.", "title": "6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-6.4.5.1", "Req-6.4.5.2", "Req-6.4.5.3", "Req-6.4.5.4"]}, {"id": "Req-6.4.6", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to implement and document all relevant requirements\nfor new or changed software.", "title": "6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.4", "levels": ["base"], "notes": "", "title": "6.4 Follow change control processes and procedures for all changes to system components. 
The processes must include the following:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-6.4.1", "Req-6.4.2", "Req-6.4.3", "Req-6.4.4", "Req-6.4.5.1", "Req-6.4.5.2", "Req-6.4.5.3", "Req-6.4.5.4", "Req-6.4.5", "Req-6.4.6"]}, {"id": "Req-6.5.1", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.2", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5.2 Buffer overflows", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.3", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the 
OpenShift Container Platform.\n\nHowever, the OpenShift Container Platform does have the ability to\nenforce strong cryptographic algorithms if customers enable\nFIPS [1] on their clusters and use supported container images\nsuch as UBI. This will ensure that their applications use approved\nand strong cryptographic algorithms.\n\n[1] https://docs.openshift.com/container-platform/4.9/installing/installing-fips.html", "title": "6.5.3 Insecure cryptographic storage", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.4", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.\n\nHowever, OpenShift does provide tools that can help ensure that\nsecure communications are in place, e.g. 
OpenShift Routes\ncan easily enforce that TLS is enabled for that specific endpoint.", "title": "6.5.4 Insecure communications", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.5", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5.5 Improper error handling", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.6", "levels": ["base"], "notes": "Red Hat Product Security publishes a list of known vulnerabilities that\nallows organizations to measure their security posture and evaluate whether\ntheir platform and base images are appropriately patched.", "title": "6.5.6 All \"high risk\" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.7", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5.7 Cross-site scripting (XSS)", 
"description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.8", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.\n\nIt is the responsibility of the payment entity to review RBAC permissions\nin the platform.", "title": "6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.9", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5.9 Cross-site request forgery (CSRF)", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5.10", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": 
"6.5.10 Broken authentication and session management", "description": "Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.5", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow secure development best practices\nwhen developing applications on top of the OpenShift Container Platform.", "title": "6.5 Address common coding vulnerabilities in software-development processes as follows:", "description": "* Train developers in secure coding techniques, including\n  how to avoid common coding vulnerabilities, and understanding how sensitive\n  data is handled in memory.\n* Develop applications based on secure coding guidelines.\n\nNote: The vulnerabilities listed at 6.5.1 through 6.5.10 were current\nwith industry best practices when this version of PCI DSS was published. 
However,\nas industry best practices for vulnerability management are updated (for example,\nthe OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best\npractices must be used for these requirements.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-6.5.1", "Req-6.5.2", "Req-6.5.3", "Req-6.5.4", "Req-6.5.5", "Req-6.5.6", "Req-6.5.7", "Req-6.5.8", "Req-6.5.9", "Req-6.5.10"]}, {"id": "Req-6.6", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to identify public-facing web applications\nand ensure threat detection is in place.", "title": "6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:", "description": "* Reviewing public-facing web applications via manual or automated\n  application vulnerability security assessment tools or methods, at least annually\n  and after any changes\n\n  Note: This assessment is not the same as the vulnerability\n  scans performed for Requirement 11.2.\n\n* Installing an automated technical solution that detects and prevents\n  web-based attacks (for example, a web-application firewall) in\n  front of public-facing web applications, to continually check all traffic.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-6.7", "levels": ["base"], "notes": "This is an organizational control, and thus it is the payment\nentity's responsibility to follow best 
secure development practices\nwhen developing applications on top of the OpenShift Container Platform,\nand to ensure that these practices are appropriately documented.", "title": "6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.1.1", "levels": ["base"], "notes": "The OpenShift Container Platform comes with the Kubernetes RBAC\nfeature enabled by default. This feature ensures that a user or a\nsystem account is able to operate on specific system objects only if it\nhas the appropriate permission. By reviewing the existing\nRole and ClusterRole objects, one is able to see the resources\nthat are accessible for a certain role, as well as the \"verbs\" or\noperations that the role can execute on that resource.", "title": "7.1.1 Define access needs for each role, including:", "description": "* System components and data resources that each role needs\n  to access for their job function\n* Level of privilege required (for example, user, administrator,\n  etc.) for accessing resources.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.1.2", "levels": ["base"], "notes": "The OpenShift Container Platform contains a ClusterRole called `cluster-admin`;\nthis role is allowed to do anything in the system. 
It is recommended to monitor\nthe usage of this ClusterRole to prevent misuse.", "title": "7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.1.3", "levels": ["base"], "notes": "The application of this control is the responsibility of the\npayment entity, and is not something the OpenShift Container Platform\ncan enforce.", "title": "7.1.3 Assign access based on individual personnel's job classification and function.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.1.4", "levels": ["base"], "notes": "The application of this control is the responsibility of the\npayment entity, and is not something the OpenShift Container Platform\ncan enforce.", "title": "7.1.4 Require documented approval by authorized parties specifying required privileges.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.1", "levels": ["base"], "notes": "The OpenShift Container Platform comes with the Kubernetes RBAC\nfeature enabled by default. 
This feature ensures that a user or a\nsystem account is able to operate on specific system objects only if it\nhas the appropriate permission.", "title": "7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-7.1.1", "Req-7.1.2", "Req-7.1.3", "Req-7.1.4"]}, {"id": "Req-7.2.1", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default. With this\nfeature, any request to the API is denied unless an explicit\nRole or ClusterRole is bound to the entity making the request.\n\nAll objects in Kubernetes/OpenShift are bound to RBAC permissions.", "title": "7.2.1 Coverage of all system components", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.2.2", "levels": ["base"], "notes": "The application of this control is the responsibility of the\npayment entity, and is not something the OpenShift Container Platform\ncan enforce.", "title": "7.2.2 Assignment of privileges to individuals based on job classification and function.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.2.3", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default. 
With this\nfeature, any request to the API is denied unless an explicit\nRole or ClusterRole is bound to the entity making the request.", "title": "7.2.3 Default 'deny-all' setting.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-7.2", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default. With this\nfeature, any request to the API is denied unless an explicit\nRole or ClusterRole is bound to the entity making the request.", "title": "7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to 'deny all' unless specifically allowed.", "description": "This access control system must include the following:", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-7.2.1", "Req-7.2.2", "Req-7.2.3"]}, {"id": "Req-7.3", "levels": ["base"], "notes": "The application of this control is the responsibility of the\npayment entity, and is not something the OpenShift Container Platform\ncan enforce.", "title": "7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.1", "levels": ["base"], "notes": 
"OpenShift should be configured to work with an external third-party\nidentity provider. Through the payment entity\u2019s chosen identity\nand authentication provider, unique identifiers can be set up\nfor each user prior to allowing the user to access components\nof the OpenShift environment. The third-party identity provider\ncheck applies to all sub-sections within 8.1.", "title": "8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.2", "levels": ["base"], "notes": "OpenShift can integrate with third-party identity providers through\nseveral mechanisms including LDAP. Control of identifier objects\nshould be performed with the chosen identity provider. Once the identity\nand authenticator(s) have been verified, the OAuth server built into\nthe OpenShift Control Plane issues an OAuth access token to the user to\nallow for authentication to the API. When a person requests a new OAuth\ntoken, the OAuth server uses the configured identity provider to\ndetermine the identity of the person making the request. 
The OAuth\nserver determines what user the identity maps to, creates an\naccess token for that user, and returns the token for use.", "title": "8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.3", "levels": ["base"], "notes": "Revocation of access for terminated users would be performed with the\nidentity provider. Users with revoked access would not be able\nto access OpenShift.", "title": "8.1.3 Immediately revoke access for any terminated users.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.4", "levels": ["base"], "notes": "Likewise, removal or disabling of inactive user accounts within 90\ndays would be handled with the identity provider. 
All user IDs,\nincluding those handled by third parties to access, support, or\nmaintain system components via remote access, would be handled\nexternally to OpenShift.", "title": "8.1.4 Remove/disable inactive user accounts within 90 days.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.5", "levels": ["base"], "notes": "The options for controlling remote access for third parties are the\nresponsibility of the payment entity.", "title": "8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:", "description": "* Enabled only during the time period needed and disabled when not in use.\n* Monitored when in use.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.6", "levels": ["base"], "notes": "Account lockout for failed attempts would be managed by the identity\nprovider, as all authentication attempts occur prior to OpenShift\ngranting access. 
Establishing a threshold for limiting repeated\nfailed attempts would be configured with the chosen identity provider.", "title": "8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.7", "levels": ["base"], "notes": "Likewise, the lockout duration for the account and mechanisms to unlock\nthe account for use would be established with the identity provider.", "title": "8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1.8", "levels": ["base"], "notes": "Session timeouts can be enabled with OpenShift to limit the amount of\ntime that a session can be active. 
It is, however, recommended that\nthe payment entity control idle session timeouts at the user or\nadministrator endpoint, rather than at the OpenShift console.", "title": "8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.1", "levels": ["base"], "notes": "For section 8, OpenShift should be configured to work with an external third-party\nidentity provider. The only check would be to verify that the identity provider\nis configured, which is checked in sub-section 8.1.1.", "title": "8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-8.1.1", "Req-8.1.2", "Req-8.1.3", "Req-8.1.4", "Req-8.1.5", "Req-8.1.6", "Req-8.1.7", "Req-8.1.8"]}, {"id": "Req-8.2.1", "levels": ["base"], "notes": "The protection of authentication credentials, such as rendering\npasswords and passphrases unreadable during transmission and during storage\non system components, is the responsibility of the\nthird-party identity provider.", "title": "8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.", "description": null, "rationale": null, "automated": "no", "status": 
"not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.2.2", "levels": ["base"], "notes": "Likewise, modification of authentication credentials is handled by the\nthird-party identity provider. All access to modify parameters for\nauthentication tokens or for generating keys within OpenShift is\nmanaged with RBAC and requires prior authentication before the\nuser is authorized to act.", "title": "8.2.2 Verify user identity before modifying any authentication credential", "description": "for example, performing password resets, provisioning new tokens, or generating\nnew keys.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.2.3", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are also handled by the third-party\nidentity provider.", "title": "8.2.3 Passwords/phrases must meet the following:", "description": "* Require a minimum length of at least seven characters.\n* Contain both numeric and alphabetic characters.\n\nAlternatively, the passwords/phrases must have complexity\nand strength at least equivalent to the parameters specified\nabove.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.2.4", "levels": ["base"], "notes": "Parameters for authenticators such as 
password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are also handled by the third-party\nidentity provider.", "title": "8.2.4 Change user passwords/passphrases at least once every 90 days.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.2.5", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are also handled by the third-party\nidentity provider.", "title": "8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.2.6", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are also handled by the third-party\nidentity provider.", "title": "8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], 
"controls": []}, {"id": "Req-8.2", "levels": ["base"], "notes": "The type of authenticator to be used (for example, password or passphrase,\ntoken device or smart card, or biometrics) is also managed externally\nto OpenShift by the identity provider.", "title": "8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:", "description": "* Something you know, such as a password or passphrase\n* Something you have, such as a token device or smart card\n* Something you are, such as a biometric.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-8.2.1", "Req-8.2.2", "Req-8.2.3", "Req-8.2.4", "Req-8.2.5", "Req-8.2.6"]}, {"id": "Req-8.3", "levels": ["base"], "notes": "Where multi-factor authentication is required, this also occurs outside of OpenShift.", "title": "8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. 
Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.", "description": "Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.4", "levels": ["base"], "notes": "Payment entities are required to communicate policies and procedures pertaining to identity and authentication", "title": "8.4 Document and communicate authentication policies and procedures to all users including:", "description": "* Guidance on selecting strong authentication credentials\n* Guidance for how users should protect their authentication credentials\n* Instructions not to reuse previously used passwords\n* Instructions to change passwords if there is any suspicion the password\n  could be compromised.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.5", "levels": ["base"], "notes": "The payment entity is also required to not use group, shared, or generic\nIDs, passwords, or other authentication methods (8.5). 
Access tokens that\nare issued by OpenShift upon authentication should only be used by the\nperson for whom they were issued.", "title": "8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:", "description": "* Generic user IDs are disabled or removed.\n* Shared user IDs do not exist for system administration and other critical functions.\n* Shared and generic user IDs are not used to administer any system components.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.5.1", "levels": ["base"], "notes": "The payment entity is also required to not use group, shared, or generic IDs,\npasswords, or other authentication methods. Access tokens that are issued by\nOpenShift upon authentication should only be used by the person\nfor whom they were issued.", "title": "8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.", "description": "Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.\nNote: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.6", "levels": ["base"], "notes": "As the authentication mechanism used is external to OpenShift via a 
third-party\nidentity provider, this section falls outside the scope of OpenShift.", "title": "8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:", "description": "* Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.\n* Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.7", "levels": ["base"], "notes": "The implementation of a database is application specific and falls outside the\nscope of OpenShift.", "title": "8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:", "description": "* All user access to, user queries of, and user actions on databases are through programmatic methods.\n* Only database administrators have the ability to directly access or query databases.\n* Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-8.8", "levels": ["base"], "notes": "This section is the responsibility of the application implementation team and falls outside\nthe scope of OpenShift.", "title": "8.8 Ensure that security 
policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.1.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.", "description": "Note: \u201cSensitive areas\u201d refers to any\ndata center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.1.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.", "description": "For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. 
Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.1.3", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.1.1", "Req-9.1.2", "Req-9.1.3"]}, {"id": "Req-9.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.2 Develop procedures to easily distinguish between onsite personnel and visitors", "description": "include:\n* Identifying onsite personnel and visitors (for example, assigning badges)\n* Changes to access requirements\n* Revoking or terminating onsite personnel and 
expired visitor identification\n  (such as ID badges).", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.3", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.3 Control physical access for onsite personnel to sensitive areas as follows:", "description": "* Access must be authorized and based on individual job function.\n* Access is revoked immediately upon termination, and all physical access\n  mechanisms, such as keys, access cards, etc., are returned or disabled.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.4.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.4.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.", "description": null, "rationale": null, "automated": "no", "status": "not 
applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.4.3", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.4.4", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.", "description": "Document the visitor's name, the firm represented, and the onsite\npersonnel authorizing physical access on the log.\nRetain this log for a minimum of three months, unless otherwise restricted\nby law.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.4", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.4 Implement procedures to identify and authorize visitors.", "description": "Procedures should include the following:", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": 
null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.4.1", "Req-9.4.2", "Req-9.4.3", "Req-9.4.4"]}, {"id": "Req-9.5", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.5 Physically secure all media.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.5.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location\u2019s security at least annually.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.6.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.6.1 Classify media so the sensitivity of the data can be determined.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.6.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.6.2 Send the media by secured courier or other delivery method 
that can be accurately tracked.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.6.3", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.6", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.6.1", "Req-9.6.2", "Req-9.6.3"]}, {"id": "Req-9.7.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
[], "controls": []}, {"id": "Req-9.7", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.7 Maintain strict control over the storage and accessibility of media.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.7.1"]}, {"id": "Req-9.8.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.8.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.8", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.8 Destroy media when it is no longer needed for business or legal reasons as follows:", "description": null, "rationale": null, "automated": "no", "status": "not 
applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.8.1", "Req-9.8.2"]}, {"id": "Req-9.9.1", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.9.1 Maintain an up-to-date list of devices.", "description": "The list should include the following:\n* Make, model of device\n* Location of device (for example, the address of the site or facility\n  where the device is located)\n* Device serial number or other method of unique identification.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.9.2", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).", "description": "Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.9.3", "levels": ["base"], "notes": "Physical 
controls such as this one are not applicable to the OpenShift platform.", "title": "9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices.", "description": "Training should include the following:\n* Verify the identity of any third-party persons claiming to be repair\n  or maintenance personnel, prior to granting them access to modify\n  or troubleshoot devices.\n* Do not install, replace, or return devices without verification.\n* Be aware of suspicious behavior around devices (for example, attempts\n  by unknown persons to unplug or open devices).\n* Report suspicious behavior and indications of device tampering or\n  substitution to appropriate personnel (for example, to a manager or\n  security officer).", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-9.9", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.", "description": "Note: These requirements apply to card-reading devices used in card-present\ntransactions (that is, card swipe or dip) at the point of sale. 
This requirement\nis not intended to apply to manual key-entry components such as computer keyboards\nand POS keypads.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-9.9.1", "Req-9.9.2", "Req-9.9.3"]}, {"id": "Req-9.10", "levels": ["base"], "notes": "Physical controls such as this one are not applicable to the OpenShift platform.", "title": "9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.1", "levels": ["base"], "notes": "All actions taken by users of OpenShift are logged and capable of being used to satisfy audit requirements.", "title": "10.1 Implement audit trails to link all access to system components to each individual user.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.1", "levels": ["base"], "notes": "All user and/or service account accesses to OpenShift components are logged. 
The payment entity would be responsible for enabling logging for access to applications within workloads hosted in containers in OpenShift.", "title": "10.2.1 All individual user accesses to cardholder data", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.2", "levels": ["base"], "notes": "All actions taken by individuals with root or administrative privileges to OpenShift and Red Hat CoreOS are logged.", "title": "10.2.2 All actions taken by any individual with root or administrative privileges", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.3", "levels": ["base"], "notes": "Access to audit trails relating to OpenShift is made available at the OS level with administrator accounts. Red Hat CoreOS can be configured to log access to the journal or log file. 
For better protection of audit trails, including improved access controls, it is recommended to direct logs to an external log server or Security Information Event Management (SIEM) solution.", "title": "10.2.3 Access to all audit trails", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.4", "levels": ["base"], "notes": "Invalid logical access attempts pertaining to incorrect input of credentials would be handled by the payment entity\u2019s chosen identity provider. Unauthorized attempts to access system components or run unauthorized commands against OpenShift are logged.", "title": "10.2.4 Invalid logical access attempts", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.5", "levels": ["base"], "notes": "Like 10.2.4, changes to identification and authentication mechanisms would be handled by the payment entity\u2019s chosen identity provider. Changes that are made to RBAC within OpenShift are logged. 
These logged events may be an indication of attempts to modify defined roles to grant additional privileges.", "title": "10.2.5 Use of and changes to identification and authentication mechanisms -- including but not limited to creation of new accounts and elevation of privileges -- and all changes, additions, or deletions to accounts with root or administrative privileges", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.6", "levels": ["base"], "notes": "Stopping the mechanisms for log creation in OpenShift requires stopping the OpenShift Control Plane itself, which would have the effect of preventing any further access for any users to the API, CLI, or Web UI. Auditing within OpenShift cannot be reconfigured or stopped without reconfiguring OpenShift. 
Any attempt to reconfigure OpenShift will be logged.", "title": "10.2.6 Initialization, stopping, or pausing of the audit logs", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2.7", "levels": ["base"], "notes": "Creation and deletion of system-level objects is logged by OpenShift (for OpenShift objects) and by Red Hat CoreOS.", "title": "10.2.7 Creation and deletion of system-level objects", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.2", "levels": ["base"], "notes": "", "title": "10.2 Implement automated audit trails for all system components to reconstruct the following events:", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-10.2.1", "Req-10.2.2", "Req-10.2.3", "Req-10.2.4", "Req-10.2.5", "Req-10.2.6", "Req-10.2.7"]}, {"id": "Req-10.3.1", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include user identification.", "title": "10.3.1 User identification", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3.2", "levels": 
["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include the type of event.", "title": "10.3.2 Type of event", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3.3", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include the date and time of the event.", "title": "10.3.3 Date and time", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3.4", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include a success or failure indication.", "title": "10.3.4 Success or failure indication", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3.5", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include the origination of the event.", "title": "10.3.5 Origination of event", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3.6", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include the identity or name of affected data, 
system component, or resource.", "title": "10.3.6 Identity or name of affected data, system component, or resource.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.3", "levels": ["base"], "notes": "", "title": "10.3 Record at least the following audit trail entries for all system components for each event:", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-10.3.1", "Req-10.3.2", "Req-10.3.3", "Req-10.3.4", "Req-10.3.5", "Req-10.3.6"]}, {"id": "Req-10.4.1", "levels": ["base"], "notes": "", "title": "10.4.1 Critical systems have the correct and consistent time.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.4.2", "levels": ["base"], "notes": "Time data is protected as it is part of the underlying OS that is obfuscated from the OpenShift user interfaces.", "title": "10.4.2 Time data is protected.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.4.3", "levels": ["base"], "notes": "", "title": "10.4.3 Time settings are received from industry-accepted time sources.", 
"description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.4", "levels": ["base"], "notes": "One example of time synchronization technology is Network Time Protocol (NTP).", "title": "10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-10.4.1", "Req-10.4.2", "Req-10.4.3"]}, {"id": "Req-10.5.1", "levels": ["base"], "notes": "It is recommended to use an external log aggregation solution or SIEM solution for securing audit trails. While the logs reside on the Red Hat CoreOS server, access can be controlled using RBAC. An external solution may be better equipped to secure audit trails in alignment with compliance requirements. RBAC controls in Red Hat CoreOS can be used to limit the ability to review audit logs and journals. 
An external solution may be able to provide improved granularity as well as search capability that would be of better use to the payment entity to satisfy requirements.", "title": "10.5.1 Limit viewing of audit trails to those with a job-related need.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.5.2", "levels": ["base"], "notes": "Limited access to the audit trails on OpenShift hosts provides minimal protection from unauthorized modification. Use of an external log collector or SIEM solution may provide improved protections against unauthorized modifications by adding additional features such as file integrity monitoring, digital signing, or Write Once, Read Many (WORM) storage.", "title": "10.5.2 Protect audit trail files from unauthorized modifications.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.5.3", "levels": ["base"], "notes": "Limited access to the audit trails on OpenShift hosts provides minimal protection from unauthorized modification. 
Use of an external log collector or SIEM solution may provide improved protections against unauthorized modifications by adding additional features such as file integrity monitoring, digital signing, or Write Once, Read Many (WORM) storage.", "title": "10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.5.4", "levels": ["base"], "notes": "Limited access to the audit trails on OpenShift hosts provides minimal protection from unauthorized modification. Use of an external log collector or SIEM solution may provide improved protections against unauthorized modifications by adding additional features such as file integrity monitoring, digital signing, or Write Once, Read Many (WORM) storage.", "title": "10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.5.5", "levels": ["base"], "notes": "", "title": "10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": 
[], "rules": [], "controls": []}, {"id": "Req-10.5", "levels": ["base"], "notes": "", "title": "10.5 Secure audit trails so they cannot be altered.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-10.5.1", "Req-10.5.2", "Req-10.5.3", "Req-10.5.4", "Req-10.5.5"]}, {"id": "Req-10.6.1", "levels": ["base"], "notes": "", "title": "10.6.1 Review the following at least daily:", "description": "* All security events\n* Logs of all system components that store, process, or transmit CHD and/or SAD\n* Logs of all critical system components\n* Logs of all servers and system components that perform security functions\n  (for example, firewalls, intrusion-detection systems/intrusion-prevention\n  systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.6.2", "levels": ["base"], "notes": "", "title": "10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.6.3", "levels": ["base"], "notes": "", "title": "10.6.3 Follow up exceptions and anomalies identified during the review process.", "description": 
null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.6", "levels": ["base"], "notes": "", "title": "10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.", "description": "Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-10.6.1", "Req-10.6.2", "Req-10.6.3"]}, {"id": "Req-10.7", "levels": ["base"], "notes": "", "title": "10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-10.8", "levels": ["base"], "notes": "", "title": "10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.1.1", "levels": ["base"], "notes": "This 
is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.1.2", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.1", "levels": ["base"], "notes": "Wireless access points are not within the realm of the OpenShift Platform and the\ndeployment expectations of it. Normally it will be deployed within cloud\ninfrastructure where the cloud provider is responsible for keeping network\ndevices monitored. 
However, when deployed on bare metal, it is the responsibility\nof the deployer or the payment entity (if they are the ones deploying) to\neffectuate this monitoring.", "title": "11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.", "description": "Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.\nWhichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-11.1.1", "Req-11.1.2"]}, {"id": "Req-11.2.1", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all 'high-risk' vulnerabilities (as identified in Requirement 6.1) are resolved. 
Scans must be performed by qualified personnel.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.2.2", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.", "description": "Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).\nRefer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.2.3", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. 
Scans must be performed by qualified personnel.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.2", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself. However, there are products such as Red Hat Advanced\nCluster Security [1] which may help in such network scanning.\n\n[1] https://docs.openshift.com/acs/3.66/welcome/index.html", "title": "11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).", "description": "Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.\nFor initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). 
For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-11.2.1", "Req-11.2.2", "Req-11.2.3"]}, {"id": "Req-11.3.1", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.3.2", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.3.3", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": 
"11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.3.4", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.3", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.3 Implement a methodology for penetration testing that includes the following:", "description": "* Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)\n* Includes coverage for the entire CDE perimeter and critical systems\n* Includes testing from both inside and outside the network\n* Includes testing to validate any segmentation and scope-reduction controls\n* Defines application-layer penetration tests to include, at a minimum,\n  the vulnerabilities listed in Requirement 6.5\n* Defines network-layer penetration tests to include components that support\n  network functions as well as operating systems\n* Includes 
review and consideration of threats and vulnerabilities experienced in\n  the last 12 months\n* Specifies retention of penetration testing results and remediation activities results.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-11.3.1", "Req-11.3.2", "Req-11.3.3", "Req-11.3.4"]}, {"id": "Req-11.4", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself. However, there are products such as Red Hat Advanced\nCluster Security [1] which may help in such network scanning.\n\n[1] https://docs.openshift.com/acs/3.66/welcome/index.html", "title": "11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.", "description": "Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.5.1", "levels": ["base"], "notes": "While this is a control that's meant for the payment entity to set up a process\nto respond to alerts, OpenShift Container Platform's File Integrity Operator\nsupports alerts that can be ingested by AlertManager [1].\n\n[1] https://docs.openshift.com/container-platform/latest/monitoring/managing-alerts.html", "title": "11.5.1 Implement a process to respond to any alerts generated by the change-detection 
solution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-11.5", "levels": ["base"], "notes": "The OpenShift Container Platform controls the whole stack (from the Kubernetes layer to\nthe Operating System layer). It is possible to install the File Integrity Operator\nwhich does file-integrity monitoring and is able to alert administrators if\nan unexpected change happened [1].\n\n[1] https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-understanding.html", "title": "11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.", "description": "Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. 
Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-11.5.1"]}, {"id": "Req-11.6", "levels": ["base"], "notes": "This is the responsibility of the payment entity and not of the OpenShift\nPlatform itself.", "title": "11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.1.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.1.1 Review the security policy at least annually and update the policy when the environment changes.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.1 Establish, publish, maintain, and disseminate a security policy.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.1.1"]}, {"id": "Req-12.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.2 Implement a risk-assessment process that:", "description": "* Is performed at least annually and upon significant changes\n  to the environment (for example, acquisition, merger, relocation, etc.),\n* Identifies critical assets, threats, and vulnerabilities, and\n* Results in a formal, documented analysis of risk.\n\nExamples of risk-assessment methodologies include but are not limited\nto OCTAVE, ISO 27005 and NIST SP 800-30.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.1 Explicit approval by authorized parties", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.2 Authentication for use of the technology", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.3", "levels": ["base"], "notes": "This is an 
organizational control which is the responsibility of the payment\nentity.", "title": "12.3.3 A list of all such devices and personnel with access", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.4", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.5", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.5 Acceptable uses of the technology", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.6", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.6 Acceptable network locations for the technologies", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
[], "controls": []}, {"id": "Req-12.3.7", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.7 List of company-approved products", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.8", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.9", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3.10", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable 
electronic media, unless explicitly authorized for a defined business need.", "description": "Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.3", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.3 Develop usage policies for critical technologies and define proper use of these technologies.", "description": "Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.\nEnsure these usage policies require the following:", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.3.1", "Req-12.3.2", "Req-12.3.3", "Req-12.3.4", "Req-12.3.5", "Req-12.3.6", "Req-12.3.7", "Req-12.3.8", "Req-12.3.9", "Req-12.3.10"]}, {"id": "Req-12.4", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": 
[]}, {"id": "Req-12.5.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.5.1 Establish, document, and distribute security policies and procedures.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.5.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.5.3", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.5.4", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity. 
Also, note that on a technical side, user accounts are the\nresponsibility of an IdP, and not of the OpenShift Container Platform.", "title": "12.5.4 Administer user accounts, including additions, deletions, and modifications.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.5.5", "levels": ["base"], "notes": "All accesses and operations to OpenShift objects are audited\naccordingly. Auditing cannot be turned off in the OpenShift\nContainer Platform.", "title": "12.5.5 Monitor and control all access to data.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.5", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.5 Assign to an individual or team the following information security management responsibilities:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.5.1", "Req-12.5.2", "Req-12.5.3", "Req-12.5.4", "Req-12.5.5"]}, {"id": "Req-12.6.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.6.1 Educate personnel upon hire and at least annually.", "description": "Note: Methods can vary depending on the role of the personnel and their level of access to the 
cardholder data.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.6.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.6", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.6.1", "Req-12.6.2"]}, {"id": "Req-12.7", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. 
(Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)", "description": "Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8.1 Maintain a list of service providers.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.", "description": "Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. 
The acknowledgement does not have to include the exact wording provided in this requirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8.3", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8.4", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8.5", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.8", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.8.1", "Req-12.8.2", "Req-12.8.3", "Req-12.8.4", "Req-12.8.5"]}, {"id": "Req-12.9", "levels": ["base"], "notes": "This is not a technical control, and thus there isn't something that could be\nleveraged from the OpenShift Container Platform to address this.", "title": "12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.", "description": "Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.\nNote: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. 
The acknowledgement does not have to include the exact wording provided in this requirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.1", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:", "description": "* Roles, responsibilities, and communication and contact strategies\n  in the event of a compromise including notification of the payment brands, at\n  a minimum\n* Specific incident response procedures\n* Business recovery\n  and continuity procedures\n* Data backup processes\n* Analysis of legal requirements for reporting compromises\n* Coverage and responses of all critical system components\n* Reference or inclusion of incident response procedures from the payment\n  brands.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.2", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.10.2 Test the plan at least annually.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.3", "levels": ["base"], "notes": "This is an organizational 
and personnel-related control which is the responsibility of the payment\nentity.", "title": "12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.4", "levels": ["base"], "notes": "This is an organizational and personnel-related control which is the responsibility of the payment\nentity.", "title": "12.10.4 Provide appropriate training to staff with security breach response responsibilities.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.5", "levels": ["base"], "notes": "This is a requirement for the incident response program, and it is the responsibility of the\npayment entity to include such information. 
However, the OpenShift Container Platform\ndoes come with a monitoring stack that allows for transforming metrics into relevant\nalerts [1].\nThe OpenShift Container Platform's File Integrity Operator supports alerts via AlertManager.\n\n[1] https://docs.openshift.com/container-platform/4.9/monitoring/managing-alerts.html", "title": "12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10.6", "levels": ["base"], "notes": "This is a procedural control which is the responsibility of the payment\nentity.", "title": "12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-12.10", "levels": ["base"], "notes": "This is an organizational control which is the responsibility of the payment\nentity.", "title": "12.10 Implement an incident response plan. 
Be prepared to respond immediately to a system breach.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-12.10.1", "Req-12.10.2", "Req-12.10.3", "Req-12.10.4", "Req-12.10.5", "Req-12.10.6"]}, {"id": "Req-A.1.1", "levels": ["shared_hosting_provider"], "notes": "", "title": "A.1.1 Ensure that each entity only runs processes that have access to that entity's cardholder data environment.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A.1.2", "levels": ["shared_hosting_provider"], "notes": "", "title": "A.1.2 Restrict each entity's access and privileges to its own cardholder data environment only.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A.1.3", "levels": ["shared_hosting_provider"], "notes": "", "title": "A.1.3 Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A.1.4", "levels": ["shared_hosting_provider"], "notes": "", "title": "A.1.4 Enable 
processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A.1", "levels": ["shared_hosting_provider"], "notes": "", "title": "A.1 Protect each entity's (that is, merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:", "description": "A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.\nNote: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-A.1.1", "Req-A.1.2", "Req-A.1.3", "Req-A.1.4"]}, {"id": "Req-A3.1.1", "levels": ["desv"], "notes": "", "title": "A3.1.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:", "description": "* Overall accountability for maintaining PCI DSS compliance\n* Defining a charter for a PCI DSS compliance program\n* Providing updates to executive management and board of directors on PCI DSS compliance\n  initiatives and issues, including remediation activities, at least annually\n\nPCI DSS Reference: Requirement 12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, 
"check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.1.2", "levels": ["desv"], "notes": "", "title": "A3.1.2 A formal PCI DSS compliance program must be in place to include:", "description": "* Definition of activities for maintaining and monitoring overall\n  PCI DSS compliance, including business-as-usual activities\n* Annual PCI DSS assessment processes\n* Processes for the continuous validation of PCI DSS requirements\n  (for example: daily, weekly, quarterly, etc. as applicable per requirement)\n* A process for performing business-impact analysis to determine potential\n  PCI DSS impacts for strategic business decisions\n\nPCI DSS Reference: Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.1.3", "levels": ["desv"], "notes": "", "title": "A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and formally assigned to one or more personnel, including at least the following:", "description": "* Managing PCI DSS business-as-usual activities\n* Managing annual PCI DSS assessments\n* Managing continuous validation of PCI DSS requirements\n  (for example: daily, weekly, quarterly, etc. 
as applicable per\n  requirement)\n* Managing business-impact analysis to determine potential\n  PCI DSS impacts for strategic business decisions\n\nPCI DSS Reference: Requirement 12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.1.4", "levels": ["desv"], "notes": "", "title": "A3.1.4 Provide up-to-date PCI DSS and/or information security training at least annually to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).", "description": "PCI DSS Reference: Requirement 12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.1", "levels": ["desv"], "notes": "", "title": "A3.2.1 Document and confirm the accuracy of PCI DSS scope at least quarterly and upon significant changes to the in-scope environment. At a minimum, the quarterly scoping validation should include:", "description": "* Identifying all in-scope networks and system components\n* Identifying all out-of-scope networks and justification for networks\n  being out of scope, including descriptions of all segmentation controls implemented\n* Identifying all connected entities. 
e.g., third-party entities with\n  access to the cardholder data environment (CDE)\n\nPCI DSS Reference: Scope of PCI DSS Requirements", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.2", "levels": ["desv"], "notes": "", "title": "A3.2.2 Determine PCI DSS scope impact for all changes to systems or networks, including additions of new systems and new network connections. Processes must include:", "description": "* Performing a formal PCI DSS impact assessment\n* Identifying applicable PCI DSS requirements to the system or network\n* Updating PCI DSS scope as appropriate\n* Documented sign-off of the results of the impact assessment by\n  responsible personnel (as defined in A3.1.3)\n\nPCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.2.1", "levels": ["desv"], "notes": "", "title": "A3.2.2.1 Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. 
Examples of PCI DSS requirements that should be verified include, but are not limited to:", "description": "* Network diagram is updated to reflect changes.\n* Systems are configured per configuration standards, with all default\n  passwords changed and unnecessary services disabled.\n* Systems are protected with required controls,\n  e.g., file-integrity monitoring (FIM), anti-virus, patches, audit logging.\n* Verify that sensitive authentication data (SAD) is not stored\n  and that all cardholder data (CHD) storage is documented and incorporated into\n  data-retention policy and procedures\n* New systems are included in the quarterly vulnerability scanning process.\n\nPCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.3", "levels": ["desv"], "notes": "", "title": "A3.2.3 Changes to organizational structure -- for example, a company merger or acquisition, change or reassignment of personnel with responsibility for security controls -- result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.", "description": "PCI DSS Reference: Requirement 12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.4", "levels": ["desv"], "notes": "", "title": "A3.2.4 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.", "description": "PCI DSS Reference: Requirement 11", "rationale": null, 
"automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.5.1", "levels": ["desv"], "notes": "", "title": "A3.2.5.1 Ensure effectiveness of methods used for data discovery, e.g., methods must be able to discover clear-text PAN on all types of system components (for example, on each operating system or platform) and file formats in use.", "description": "The effectiveness of data-discovery methods must be confirmed at least annually.\n\nPCI DSS Reference: Scope of PCI DSS Requirements", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.5.2", "levels": ["desv"], "notes": "", "title": "A3.2.5.2 Implement response procedures to be initiated upon the detection of clear-text PAN outside of the CDE to include:", "description": "* Procedures for determining what to do if clear-text PAN is\n  discovered outside of the CDE, including its retrieval, secure deletion and/or\n  migration into the currently defined CDE, as applicable\n* Procedures for determining how the data ended up outside of the CDE\n* Procedures for remediating data leaks or process gaps that resulted in the data\n  being outside of the CDE\n* Procedures for identifying the source of the data\n* Procedures for identifying whether any track data is stored with the PANs", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.5", "levels": ["desv"], 
"notes": "", "title": "A3.2.5 Implement a data-discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear-text PAN at least quarterly, and upon significant changes to the cardholder environment or processes.", "description": "Data-discovery methodology must take into consideration the potential for clear-text PAN to reside on systems and networks outside of the currently defined CDE.\n\nPCI DSS Reference: Scope of PCI DSS Requirements", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["Req-A3.2.5.1", "Req-A3.2.5.2"]}, {"id": "Req-A3.2.6", "levels": ["desv"], "notes": "", "title": "A3.2.6 Implement mechanisms for detecting and preventing clear-text PAN from leaving the CDE via an unauthorized channel, method, or process, including generation of audit logs and alerts.", "description": "PCI DSS Reference: Scope of PCI DSS Requirements", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.2.6.1", "levels": ["desv"], "notes": "", "title": "A3.2.6.1 Implement response procedures to be initiated upon the detection of attempts to remove clear-text PAN from the CDE via an unauthorized channel, method, or process.", "description": "Response procedures must include:\n\n* Procedures for the timely investigation of alerts by responsible\n  personnel\n* Procedures for remediating data leaks or process gaps, as\n  necessary, to prevent any data loss", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": 
null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.3.1", "levels": ["desv"], "notes": "", "title": "A3.3.1 Implement a process to immediately detect and alert on critical security control failures.", "description": "Examples of critical security controls include, but are not\nlimited to:\n\n* Firewalls\n* IDS/IPS\n* FIM\n* Anti-virus\n* Physical access controls\n* Logical access controls\n* Audit logging mechanisms\n* Segmentation controls (if used)\n\nPCI DSS Reference: Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.3.1.1", "levels": ["desv"], "notes": "", "title": "A3.3.1.1 Respond to failures of any critical security controls in a timely manner.", "description": "Processes for responding to failures in security controls must include:\n\n* Restoring security functions\n* Identifying and documenting the duration (date and time start to end)\n  of the security failure\n* Identifying and documenting cause(s) of failure, including root cause,\n  and documenting remediation required to address root cause\n* Identifying and addressing any security issues that arose during the failure\n* Performing a risk assessment to determine whether further actions are\n  required as a result of the security failure\n* Implementing controls to prevent cause of failure from reoccurring\n* Resuming monitoring of security controls\n\nPCI DSS Reference: Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.3.2", "levels": ["desv"], 
"notes": "", "title": "A3.3.2 Review hardware and software technologies at least annually to confirm whether they continue to meet the organization's PCI DSS requirements.", "description": "(For example, a review of technologies that are no longer supported by the vendor\nand/or no longer meet the security needs of the organization.)\nThe process includes a plan for remediating technologies that no longer\nmeet the organization's PCI DSS requirements, up to and including replacement\nof the technology, as appropriate.\n\nPCI DSS Reference: Requirements 2, 6", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.3.3", "levels": ["desv"], "notes": "", "title": "A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed.", "description": "Reviews must be performed by personnel assigned to the PCI DSS compliance\n  program (as identified in A3.1.3), and include the following:\n\n* Confirmation that all BAU activities (e.g., A3.2.2, A3.2.6,\n  and A3.3.1) are being performed\n* Confirmation that personnel are following security policies and\n  operational procedures (for example, daily log reviews,\n  firewall rule-set reviews, configuration standards for new systems, etc.)\n* Documenting how the reviews were completed, including how all BAU activities\n  were verified as being in place.\n* Collection of documented evidence as required for the annual\n  PCI DSS assessment\n* Review and sign-off of results by personnel assigned responsibility for\n  the PCI DSS compliance program (as identified in A3.1.3)\n* Retention of records and documentation for at least 12 months,\n  covering all BAU activities\n\nPCI DSS Reference: Requirements 1-12", "rationale": null, "automated": "no", "status": "pending", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.4.1", "levels": ["desv"], "notes": "", "title": "A3.4.1 Review user accounts and access privileges to in-scope system components at least every six months to ensure user accounts and access remain appropriate based on job function, and authorized.", "description": "PCI DSS Reference: Requirement 7", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "Req-A3.5.1", "levels": ["desv"], "notes": "", "title": "A3.5.1 Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems -- for example, using coordinated manual reviews and/or centrally-managed or automated log correlation tools -- to include at least the following:", "description": "* Identification of anomalies or suspicious activity as they\n  occur\n* Issuance of timely alerts upon detection of suspicious activity\n  or anomaly to responsible personnel\n* Response to alerts in accordance with documented response procedures\n\nPCI DSS Reference: Requirements 10, 12", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "base", "inherits_from": null}, {"id": "shared_hosting_provider", "inherits_from": ["base"]}, {"id": "desv", "inherits_from": ["base"]}]}
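Added example for the data-discovery controls A3.2.5 / A3.2.5.1 (locate clear-text PAN across system components and file formats) and for A3.2.6 (detect PAN leaving the CDE and raise an audit-log/alert record). It is placed after the controls file so the JSON above stays intact; the scanner is not part of the pcidss_ocp4 controls file, the SCAP Security Guide, or PCI DSS itself. The candidate regex, the masking format, the alert field names and the four sample log lines are all constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by a single space or
# dash, and not embedded in a longer digit run. Pattern constructed for this
# example; PCI DSS prescribes no regex.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled
    and digit-summed; the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule) and
    replace the rest with '*', so the scanner's own output is not a new PAN store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (masked_pan, offset) for each Luhn-valid candidate in text."""
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            yield mask_pan(digits), m.start()


def scan_lines(lines):
    """Scan text lines (a log, an export, a config dump) and return
    [(line_no, masked_pan), ...] in order of discovery."""
    findings = []
    for n, line in enumerate(lines, 1):
        for masked, _ in find_pans(line):
            findings.append((n, masked))
    return findings


def alert_record(source: str, line_no: int, masked: str) -> dict:
    """Build the audit-log/alert entry A3.2.6 calls for. The field names are
    an assumption for the example, not a PCI DSS or SSG schema."""
    return {
        "event": "clear_text_pan_detected",
        "source": source,
        "line": line_no,
        "pan_masked": masked,
        "action": "investigate per A3.2.5.2 / A3.2.6.1",
    }


# Constructed sample lines: line 1 carries a Visa test PAN written with
# spaces, line 3 an Amex test PAN, line 4 a 16-digit reference that fails
# Luhn (the kind of false positive the check filters out).
SAMPLE_LINES = [
    '2024-05-01T10:00:00Z app=checkout msg="order 12345 for card 4111 1111 1111 1111 ok"',
    '2024-05-01T10:00:01Z app=checkout msg="payment token tok_live_9b2e4c used"',
    '2024-05-01T10:00:02Z app=batch msg="export row id=378282246310005 amt=19.99"',
    '2024-05-01T10:00:03Z app=batch msg="ref 1234567890123456 is not a card"',
]


def scan_sample(source: str = "constructed-sample.log"):
    """Run the scanner over SAMPLE_LINES and return one alert record per hit."""
    return [alert_record(source, n, masked) for n, masked in scan_lines(SAMPLE_LINES)]


if __name__ == "__main__":
    for rec in scan_sample():
        print(rec)
```

Two caveats a practitioner should carry into an A3.2.5.1 effectiveness review: the scanner only sees text, so compressed archives, database files, images and other formats in use need their own extraction step before this logic applies; and Luhn passes roughly one in ten random digit strings while the separator tolerance can merge two adjacent numbers, so every finding still goes through the A3.2.5.2 response procedure rather than being treated as confirmed.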