Merge pull request #12283 from yuumasato/pcidss_requirement_11
CMP-2463: PCI-DSS v4 Requirement 11
rhmdnd authored Aug 13, 2024
2 parents 3e66cf6 + 1f7a01a commit f37a5e3
Showing 2 changed files with 43 additions and 35 deletions.
2 changes: 1 addition & 1 deletion applications/openshift/general/acs_sensor_exists/rule.yml
@@ -27,7 +27,7 @@ identifiers:
cce@ocp4: CCE-86171-6

references:
pcidss: Req-6.3.2,Req-11.3.1.1,Req-11.5.1.1
pcidss: Req-6.3.2,Req-11.5.1.1

ocil_clause: 'ACS Sensor is not deployed'

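Review bot: dropping `Req-11.3.1.1` from this rule's references is consistent with the control file in this PR, which removes `acs_sensor_exists` from 11.3.1.1. The remaining `Req-11.5.1.1` reference only stays meaningful while the 11.5.1.1 control block (now `partial`) still lists `acs_sensor_exists` under `rules:`; please confirm both files agree, otherwise the rule points at a control that no longer uses it.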
76 changes: 42 additions & 34 deletions controls/pcidss_4_ocp4.yml
@@ -1285,7 +1285,7 @@ controls:
- base
status: not applicable
notes: |-
OpenShift doesn't manage wireless environments nor they security configurations.
OpenShift doesn't manage wireless environments nor their security configurations.
- id: 4.2.2
title: PAN is secured with strong cryptography whenever it is sent via end-user messaging
@@ -3163,14 +3163,14 @@ controls:
defined and understood.
levels:
- base
status: pending
status: not applicable
controls:
- id: 11.1.1
title: All security policies and operational procedures that are identified in Requirement
11 are Documented, Kept up to date, In use and Known to all affected parties.
levels:
- base
status: pending
status: not applicable
notes: |-
Examine documentation and interview personnel to verify that security policies and
operational procedures identified in Requirement 11 are managed in accordance with all
@@ -3181,7 +3181,7 @@ controls:
documented, assigned, and understood.
levels:
- base
status: pending
status: not applicable
notes: |-
Examine documentation and interview personnel to verify that day-to-day responsibilities
for performing all the activities in Requirement 11 are documented, assigned and
@@ -3192,13 +3192,15 @@ controls:
points are addressed.
levels:
- base
status: pending
status: not applicable
notes: |-
OpenShift doesn't manage wireless environments nor their security configurations.
controls:
- id: 11.2.1
title: Authorized and unauthorized wireless access points are managed.
levels:
- base
status: pending
status: not applicable

- id: 11.2.2
title: An inventory of authorized wireless access points is maintained, including a
@@ -3208,101 +3210,103 @@ controls:
points.
levels:
- base
status: pending
status: not applicable

- id: '11.3'
title: External and internal vulnerabilities are regularly identified, prioritized, and
addressed.
levels:
- base
status: pending
status: not applicable
notes: |-
This control is about the payment entity keeping keeping processes and personnel to conduct
vulnerability scans.
controls:
- id: 11.3.1
title: Internal vulnerability scans are performed.
levels:
- base
status: pending
status: not applicable
controls:
- id: 11.3.1.1
title: All other applicable vulnerabilities (those not ranked as high-risk or critical per
the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed
levels:
- base
status: automated
rules:
- acs_sensor_exists
status: not applicable

- id: 11.3.1.2
title: Internal vulnerability scans are performed via authenticated scanning.
levels:
- base
status: pending
status: not applicable

- id: 11.3.1.3
title: Internal vulnerability scans are performed after any significant change.
levels:
- base
status: pending

status: not applicable
- id: 11.3.2
title: External vulnerability scans are performed.
levels:
- base
status: pending
status: not applicable
notes: |-
The scans are to be performed by a PCI SCC Approved Scanning Vendor
controls:
- id: 11.3.2.1
title: External vulnerability scans are performed after any significant change.
levels:
- base
status: pending
status: not applicable

- id: '11.4'
title: External and internal penetration testing is regularly performed, and exploitable
vulnerabilities and security weaknesses are corrected.
levels:
- base
status: pending
status: not applicable
controls:
- id: 11.4.1
title: A penetration testing methodology is defined, documented, and implemented by the
entity.
levels:
- base
status: pending
status: not applicable

- id: 11.4.2
title: Internal penetration testing is performed.
levels:
- base
status: pending
status: not applicable

- id: 11.4.3
title: External penetration testing is performed.
levels:
- base
status: pending
status: not applicable

- id: 11.4.4
title: Exploitable vulnerabilities and security weaknesses found during penetration testing
are corrected
levels:
- base
status: pending
status: not applicable

- id: 11.4.5
title: If segmentation is used to isolate the CDE from other networks, penetration tests are
performed on segmentation controls.
levels:
- base
status: pending
status: not applicable

- id: 11.4.6
title: 'Additional requirement for service providers only: If segmentation is used to
isolate the CDE from other networks, penetration tests are performed on segmentation
controls.'
levels:
- base
status: pending
status: not applicable

- id: 11.4.7
title: 'Additional requirement for multi-tenant service providers only: Multi-tenant service
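Review bot: two typos in the newly added notes: `keeping keeping processes` under 11.3 has a doubled word, and `PCI SCC Approved Scanning Vendor` under 11.3.2 should read `PCI SSC` (Security Standards Council). The blank separator between 11.3.1.3 and `- id: 11.3.2` also appears to have been dropped when `status: pending` was replaced, while every other sibling control in this file is separated by a blank line; restore it. Finally, 11.3.1.1 loses its `acs_sensor_exists` mapping and goes straight to `not applicable` with no note, and 11.4 through 11.4.6 are marked `not applicable` with no rationale at all; a short note like the one on 11.3 (scans and penetration tests are entity processes run outside the cluster) would make the status defensible to an assessor, and for 11.4.5/11.4.6 it is worth stating whether in-cluster segmentation is considered in scope or not.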
@@ -3313,20 +3317,20 @@ controls:
by providing access or evidence that comparable technical testing has been undertaken.
levels:
- base
status: pending
status: not applicable

- id: '11.5'
title: Network intrusions and unexpected file changes are detected and responded to.
levels:
- base
status: pending
status: automated
controls:
- id: 11.5.1
title: Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or
prevent intrusions into the network.
levels:
- base
status: pending
status: partial
controls:
- id: 11.5.1.1
title: 'Additional requirement for service providers only: Intrusion-detection and/or
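Review bot: the parent 11.5 is set to `status: automated` while its child 11.5.1 is `partial` (and 11.5.1.1 and 11.5.2 later in this diff are also `partial`); a parent's status should not claim more coverage than its children, so 11.5 should be `partial` as well. Separately, 11.4.7 goes to `not applicable` without a note even though its title says multi-tenant service providers must support or evidence penetration testing of their tenants; a one-line rationale would help here too.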
@@ -3341,7 +3345,7 @@ controls:
must be fully considered during a PCI DSS assessment.
levels:
- base
status: automated
status: partial
notes: |-
The policy is not explicit about any specific solution. The solution might vary
depending on site policies.
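Review bot: downgrading 11.5.1.1 from `automated` to `partial` matches the note that no specific solution is mandated, and `acs_sensor_exists` still carries `Req-11.5.1.1` in the rule.yml hunk of this PR; please confirm this control's `rules:` list (not visible in the hunk) still includes `acs_sensor_exists` so the reference and the mapping stay in sync.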
@@ -3352,22 +3356,26 @@ controls:
title: A change-detection mechanism (for example, file integrity monitoring tools) is deployed.
levels:
- base
status: pending
rules: []
status: partial
notes: |-
Once configured the File Integrity Operator (FIO) can detect unexpected changes in the node
filesystem.
rules:
- file_integrity_exists

- id: '11.6'
title: Unauthorized changes on payment pages are detected and responded to.
levels:
- base
status: pending
status: not applicable
notes: |-
OpenShift does not directly handle payment pages.
controls:
- id: 11.6.1
title: A change- and tamper-detection mechanism is deployed.
levels:
- base
status: pending
notes: |-
It depends on controls in application level, which varies based on site policies.
status: not applicable

- id: '12.1'
title: A comprehensive information security policy that governs and provides direction for
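Review bot: 11.5.2 is `partial` backed by `file_integrity_exists`, and the note says the File Integrity Operator "once configured" detects node filesystem changes; an existence check does not verify that configuration or that alerts are reviewed, so the note should say what the rule does and does not cover to justify `partial`. Also, under 11.6.1 the `notes:` key now precedes `status:`, the reverse of every other control in this file (status, then notes); reorder for consistency.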
