Issues in PCI compliance analysis and remediation


This topic lists the limitations and troubleshooting issues found in PCI compliance analysis and remediation:

Limitations in PCI templates

The following issues and limitations exist for compliance analysis and remediation using PCI templates:

  • Remediation of rule 2.2.4.5 in the PCIv2 - Red Hat Enterprise Linux 5 template creates folders with permission 777 (world-writable directories without the sticky bit) on the target machines. Any local user can create, rename, or delete files in such a folder, so check and tighten these permissions after the remediation job runs.
  • For rule 2.2.4.5 of the PCIv2 - Red Hat Enterprise Linux 5 template, a compliance run creates an intermediate file on the target that lists the non-compliant entries, for example the files present in the Transactions directory under the NSH directory on the target. Files are created in that directory whenever a remediation job starts. Remediation of this rule fixes every entry in the intermediate file, but a file that appears in the Transactions directory while remediation is running was not present during compliance analysis and is therefore not in the file. The rule consequently remains non-compliant after remediation even when the remediation itself succeeded; expect at least one non-compliant value for this rule after every remediation.
  • For PCIv2 - Windows Server 2008 template, remediation is not supported for custom Group Policy Objects (GPO) templates (for example, if you create new GPO templates).
  • For the PCI template for Windows server 2003, remediation is not applied.
  • For the PCIv2 - Red Hat Enterprise Linux 5 template, if the .bashrc file contains multiple umask entries, during remediation, only the last entry is remediated.
  • Remediation for the PCI - Windows server 2003 DC/MS template fails with the following error while updating the Security Settings\Local Policies\User Rights Policy:

    Error 1332: No mapping between account names and security IDs was done.
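The two Red Hat limitations above (777 directories left behind by rule 2.2.4.5, and .bashrc files in which only the last umask entry is rewritten) are the kind of thing to verify on the target after a remediation job. The following script is an added example and is not part of the product documentation or the PCI template content; the paths, the required umask of 027 and the sample .bashrc are assumptions made for the example. It reports every world-writable directory that lacks the sticky bit, and every umask line weaker than the required mask, not only the last one, because an earlier entry inside a conditional block can still take effect.

```shell
#!/bin/sh
# Added example, not from the product documentation: post-remediation checks
# for two limitations of the PCIv2 - Red Hat Enterprise Linux 5 template.
# Paths, the required umask and the sample .bashrc below are assumptions.

# List every directory under $1 that is world-writable (o+w) and has no
# sticky bit, i.e. the 777-style directories that rule 2.2.4.5 remediation
# is reported to leave behind. /tmp-style 1777 directories are not listed.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Convert an octal string such as 0027 to a decimal integer. POSIX sh has no
# octal literal inside $(( )), so the digits are folded in one at a time.
oct2dec() {
    s=$1 n=0
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}        # first character of $s
        s=${s#?}               # remaining characters
        n=$((n * 8 + d))
    done
    echo "$n"
}

# Print every "umask NNN" line (with its line number) in file $1 whose mask
# does not clear at least the bits that the required mask $2 clears.
# All such lines are reported, not only the last one, because remediation
# rewrites only the last entry and an earlier, weaker entry inside an
# if-block can still be the one that takes effect for some users.
weak_umask_lines() {
    req=$(oct2dec "$2")
    grep -nE '^[[:space:]]*umask[[:space:]]+[0-7]{3,4}' "$1" 2>/dev/null |
    while IFS= read -r line; do
        val=$(printf '%s\n' "$line" |
              sed -E 's/^[0-9]+:[[:space:]]*umask[[:space:]]+([0-7]+).*/\1/')
        dec=$(oct2dec "$val")
        [ $((dec & req)) -eq "$req" ] || printf '%s\n' "$line"
    done
}

# Build a constructed fixture and run both checks against it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Transactions/open" "$tmp/safe"
    chmod 777 "$tmp/Transactions/open"   # what the remediation is reported to create
    chmod 1777 "$tmp/safe"               # world-writable but sticky: not flagged
    cat > "$tmp/.bashrc" <<'EOF'
# constructed sample .bashrc
umask 022
if [ "$LOGNAME" = root ]; then umask 002; fi
umask 027
EOF
    echo "== world-writable directories without sticky bit under $tmp =="
    find_world_writable_dirs "$tmp"
    echo "== umask lines in $tmp/.bashrc weaker than 027 =="
    weak_umask_lines "$tmp/.bashrc" 027
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh check.sh demo` to see the constructed fixture, or source it and point `find_world_writable_dirs` at the NSH Transactions directory and `weak_umask_lines` at each user's .bashrc on the target. Directories that the check lists can be fixed with `chmod o-w` once you have confirmed nothing on the host relies on them being world-writable.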

Troubleshooting issues in PCI templates

The following issues exist with workarounds for compliance analysis and remediation using PCI component templates:

  • When you open a pre-8.2 version of the 2.2.3 BL-D002 rule of the PCI template for AIX, the following warning message is displayed:

    No template parts used in compliance will collect... file /var/spool/cron/crontab

    In such a case, select the Recurse subfolders check box for the /var/spool/cron/crontab Compliance part on the Parts tab in the template.

  • Rule 2.2.2.35 in the PCIv2 - Red Hat Enterprise Linux 5 template does not work on a pure IPv6 RHEL 5 target that was associated with the TrueSight Server Automation Application Server, because the IPV_PROTOCOL property value remains IPV4 and is not changed automatically to IPV6 for an IPv6 target.

    Workaround: To enable the use of this rule, manually change the value of the IPV_PROTOCOL property in the Server built-in property class to IPV6 for any IPv6 target that you associate with the Application Server. For more information about this property, see PCI properties in the Server built-in property class.

  • For rule 2.2.3.9 Enable computer and user accounts to be trusted for delegation of the PCIv2 - Windows Server 2008 template, the RSCD Agent modifies the permissions of the following Group Policy Objects (GPOs):

    • 1.8.1
    • 1.8.15
    • 1.8.28
    • 1.8.29
    • Deny log on locally: the RSCD Agent adds the BladeLogicRSCD group
    • Manage auditing and security log: the RSCD Agent adds the Administrators group
    • Access this computer from the network: the RSCD Agent adds the Administrators group
    • Change the system time: the RSCD Agent adds the Administrators group
    • Enable computer and user accounts to be trusted for delegation: if this GPO contains the Administrators group, the RSCD Agent removes that group from the GPO

    To prevent this issue, add a registry value named GrantMASL of type Binary or DWORD with data 0 under the RSCD Agent key HKEY_LOCAL_MACHINE\SOFTWARE\BladeLogic\RSCD Agent, and then restart the RSCD Agent. With this value set, the RSCD Agent no longer modifies any of the GPOs listed above.

  • For the PCIv2 - Windows Server 2008 template, after you remediate network-related MSS Group Policy Object (GPO) rules on Domain Controller (DC) targets, the gpttmpl.inf file(s) are corrupted.
    Workaround: The issue occurs because remediation cannot read the sceregvl.inf file and therefore writes spurious entries into the gpttmpl.inf files; these entries are invalid if they were not registered earlier. To resolve the issue, either grant access to the sceregvl.inf file or register the entries so that they become valid.
    To grant access to the sceregvl.inf file, run the following commands from an elevated prompt:
    C:\Windows\inf>takeown /f sceregvl.inf
    C:\Windows\inf>icacls sceregvl.inf /grant Administrators:(F)
    Note that takeown transfers ownership of this system file to the account running the command. Record the original owner (NT SERVICE\TrustedInstaller on a default installation) so that ownership and the original ACL can be restored once remediation is complete.
  • For the PCI v3 - RHEL7 template, the remediation job fails because the UNDO_CMD_INPUT and COMMAND_TO_READ properties contain an empty string.
    Workaround:

    1. Launch the RCP (console).
    2. Navigate to Depot/PCI Compliance Content/Remediation Packages/PCI Data Security Standard v3 - Red Hat Enterprise Linux 7/Command-Remediation.
    3. Go to the Local Properties tab and edit the COMMAND_TO_READ and UNDO_CMD_INPUT properties.
    4. Clear the Required check box for each property and save the changes.
    5. Create the remediation job again and execute it.
