Embed Size (px)
Citation preview
SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
RONLAB
PCI ConfigurationSettingsJanuary 17, 2013 at 8:12pm ESTRon Gula [rongula]Confidential: The following report contains confidential information. Do not distribute, email, fax,or transfer via any electronic mechanism unless it has been approved by the recipient company'ssecurity policy. All copies and backups of this document should be saved on protected storage at alltimes. Do not share any of the information contained within this report with anyone unless they areauthorized to view the information. Violating any of the previous instructions is grounds for termination.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 1.0
Tenable Network Security 1
PCI 1.0
This section lists each system with compliant and non-compliant settings that pertain to section 1.0 of the PCI DSS specification. For each compliant and non-compliant setting, the number of corresponding systems are enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'. An emptyreport indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested, configurationsettings may or may not be available that are relevant to PCI.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 1.0
Tenable Network Security 2
PCI 1.0 Settings per System
IP Address DNS Name Score Info High
192.168.1.14 godzilla.home 20 2 2
192.168.1.16 gigan.lab 10 2 1
172.26.22.100 0 2 0
192.168.1.11 win7-pc.home 0 4 0
PCI 1.0 - Failing Settings
Total Plugin Name
2PCI 1.4.a Mobile and/or employee-owned computers with direct Internet connectivity havepersonal firewall software 'alf'
1PCI 1.4.a Mobile and/or employee-owned computers with direct Internet connectivity havepersonal firewall software 'firewall stealth mode'
PCI 1.0 - Passing Settings
Total Plugin Name
2PCI 1.4.a Mobile and/or employee-owned computers with direct Internet connectivity havepersonal firewall software 'firewall logging'
2PCI 1.4.a Verify that mobile and/or employee-owned computers have a personal firewallinstalled (domain profile registry check)
2PCI 1.4.a Verify that mobile and/or employee-owned computers have a personal firewallinstalled (standard profile registry check)
1PCI 1.4.a Mobile and/or employee-owned computers with direct Internet connectivity havepersonal firewall software 'firewall stealth mode'
1PCI 1.4.a Mobile and/or employee-owned computers with direct Internet connectivity havepersonal firewall software 'ipfw'
1PCI 1.4.a Verify that mobile and/or employee-owned computers have a personal firewallinstalled (root\SecurityCenter2)
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 1.0
Tenable Network Security 3
Total Plugin Name
1PCI 1.4.a Verify that mobile and/or employee-owned computers have a personal firewallinstalled (root\SecurityCenter)
PCI 9.0 - Systems per Setting
IP Address DNS Name Score Info High
172.20.10.47 hpuxrisc.lab.tenablesecurity.com 160 11 16
192.168.1.14 godzilla.home 20 0 2
192.168.1.16 gigan.lab 20 0 2
172.26.22.100 10 1 1
192.168.1.11 win7-pc.home 10 1 1
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 4
PCI 2.0
This section lists each system with compliant and non-compliant settings that pertain to section 2.0 of the PCI DSS specification. For each compliant and non-compliant setting, the number of corresponding systems are enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'. An emptyreport indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested, configurationsettings may or may not be available that are relevant to PCI.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 5
PCI 2.0 - Settings per System
IP Address DNS Name Score Info High
172.20.10.47 hpuxrisc.lab.tenablesecurity.com 1030 69 103
192.168.1.16 gigan.lab 880 37 88
192.168.1.14 godzilla.home 820 44 82
172.20.101.83 Lap24112.local 520 15 52
172.26.22.100 360 42 36
192.168.1.11 win7-pc.home 240 51 24
PCI 2.0 - Failing Settings
Total Plugin Name
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH MaxAuthTries<=4'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHClientAliveInterval <=300'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH LoginGraceTime<=120'
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'sudo timeout'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/traceroute6'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/traceroute'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/scselect'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/lib/sa/sadc'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/write'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/wall'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/rsh'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/rlogin'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/procmail'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/postqueue'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/postdrop'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 6
Total Plugin Name
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/newgrp'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/crontab'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/atrm'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/atq'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/at'
3PCI 2.2.3 Configure system security parameters to prevent misuse'DiskManagementTool'
3PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Printers/Libraries/csregprinter'
3PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Printers/Libraries/aehelper'
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'PrinterSharingTool'
3PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/sbin/mount_nfs'
3 PCI 2.2.3 Configure system security parameters to prevent misuse '/bin/rcp'
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'ARDAgent'
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'iodbcadmintool'
3PCI 2.2.3 Configure system security parameters to prevent misuse '/Applications/SystemPreferences.app/Contents/Resources/installAssistant'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH LogLevelverbose'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH AllowUsers/AllowGroups'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHClientAliveCountMax 0'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHPermitUserEnvironment no'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHPermitEmptyPasswords no'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHHostbasedAuthentication no'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH IgnoreRhostsyes'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 7
Total Plugin Name
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH PermitRootLoginno'
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH Protocol 2'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSH X11Forwardingno'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHGSSAPICleanupCredentials yes'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'SSHGSSAPIAuthentication yes'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'Apache UserDirdisabled'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'ApacheServerSignature off'
3PCI 2.2.3 Configure system security parameters to prevent misuse 'Apache ServerTokensprod'
3PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'IOAudioFamily.kext'
3PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'AppleUSBVideoSupport.kext'
3PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'Apple_iSight.kext'
3PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'BluetoothIOBluetoothHIDDriver.kext'
3PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'BluetoothIOBluetoothFamily.kext'
3PCI 2.2.3 Configure system security parameters to prevent misuse'accounts_bad_home_permissions'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'wake on Bluetooth'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'wake on lan'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'modem wake on ring'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/ipcs'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'show password hint'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'password hint'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'firmware password'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 8
Total Plugin Name
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable core dumps'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'automatic logout'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'password for systempanes'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'set corner for screensaver'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'screensaver inactivityinterval'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'IPv6com.apple.mDNSResponder.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'remote controlIR receiver'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'disable_discoverable_ if Bluetooth is required'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'Bluetoothinternet sharing'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'per-accountBluetooth'
2 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'Bluetooth'
2PCI 2.1/2.2.3 Attempt to log on to devices using default vendor-supplied accounts andpasswords 'guest'
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Deny Guest accessto this computer from the network
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Deny Log on as abatch job
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Limit Access thiscomputer from the network
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Rename GuestAccount
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.11 Verify common security parameter settings - PasswordMust Meet Complexity Requirements
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.10 Verify common security parameter settings - MinimumPassword Length
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Minimum PasswordAge
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 9
Total Plugin Name
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.12 Verify common security parameter settings - EnforcePassword History
2 PCI 2.2.2 Enable only necessary services - VSS
2 PCI 2.2.2 Enable only necessary services - TapiSrv
2 PCI 2.2.2 Enable only necessary services - Spooler
2 PCI 2.2.2 Enable only necessary services - SNMPTRAP
2 PCI 2.2.2 Enable only necessary services - SharedAccess
2 PCI 2.2.2 Enable only necessary services - Schedule
2 PCI 2.2.2 Enable only necessary services - RpcLocator
2 PCI 2.2.2 Enable only necessary services - RemoteRegistry
2 PCI 2.2.2 Enable only necessary services - RasMan
2 PCI 2.2.2 Enable only necessary services - RasAuto
2 PCI 2.2.2 Enable only necessary services - Netman
2 PCI 2.2.2 Enable only necessary services - Browser
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'chargen'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'daytime'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'discard'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'dtspc'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'echo'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'exec'
1PCI 2.2.2/8.4 Enable only necessary and secure services, protocols / use strongcryptography 'ftp'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'ident'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'klogin'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'kshell'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'login'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'ntalk'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'printer'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'recserv'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'registrar'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'shell'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 10
Total Plugin Name
1PCI 2.2.2/8.4 Enable only necessary and secure services, protocols / use strongcryptography 'telnet'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons '/etc/inittabperms'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'LP=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'DESKTOP='
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SENDMAIL_SERVER=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'OSPFMIB=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'OPCAGT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SNMP_HPUNIX_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SNMP_MASTER_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SNMP_MIB2_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SNMP_TRAPDEST_START=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'OVOPC'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'MROUTED=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'RWHOD=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'DDFA=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'START_RBOOTD=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'RARPD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'PTYDAEMON_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'VTDAEMON_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'CIFSCLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NFS_SERVER=0'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 11
Total Plugin Name
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NFS_CLIENT=0'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'Protocol=2'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'IgnoreRhosts=yes'
1PCI 2.2.3 Configure system security parameters to prevent misuse'RhostsAuthentication=no'
1PCI 2.2.3 Configure system security parameters to prevent misuse'RhostsRSAAuthentication=no'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'PermitRootLogin=no'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'Banner'
1PCI 2.2.3 Configure system security parameters to prevent misuse '/opt/ssh/etc/sshd_config perms'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'executable_stack=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'tcp_syn_rcvd_max=4096'
1PCI 2.2.3 Configure system security parameters to prevent misuse'arp_cleanup_interval=60000'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_forward_src_routed=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_forward_directed_broadcasts=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_respond_to_timestamp=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_respond_to_timestamp_broadcast=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_respond_to_address_mask_broadcast=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'ip_respond_to_echo_broadcast=0'
1PCI 2.2.3 Configure system security parameters to prevent misuse'tcp_isn_passprase=<RANDOM_STRING>'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ip_forwarding=0'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ip_send_redirects=0'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 12
Total Plugin Name
1PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/rc.config.d/nddconf perms'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'no passwords in /etc/passwd'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/shadow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'SYSLOGD_OPTS'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'Dtlogin.requestPort'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'lockTimeout'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ftp allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ftp deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'telnet allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'telnet deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'login allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'login deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'shell allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'shell deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'exec allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'exec deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ntalk allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ntalk deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ident allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'ident deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'printer allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'printer deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'daytime allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'daytime deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'time allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'time deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'echo allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'echo deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'discard allow'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 13
Total Plugin Name
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'discard deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'chargen allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'chargen deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'rpc allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'rpc deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'kshell allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'kshell deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'klogin allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'klogin deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'dtspc allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'dtspc deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'recserv allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'recserv deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'registrar allow'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'registrar deny'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/securetty perms'
1PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/default/securityUMASK'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'restrict sudo users'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/pppd'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/vpnd'
1PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/libexec/xgrid/IdleTool'
1PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/libexec/dumpemacs'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/lppasswd'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/chpass'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'Locum'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'PCIELaneConfigTool'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'check_afp'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 14
Total Plugin Name
1PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Filesystems/AppleShare/afpLoad'
1PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/sbin/route'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'secure virtualmemory'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'disable sleep whenconnected to power'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'display sleep'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'screensaver/sleeppassword'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable SMB sharing'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable AFP sharing'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable user list'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'disable automaticlogin'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'Apache TraceEnableoff'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'MobileMe'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'internetsharing MultipleSessionEnabled'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'internetsharing com.apple.InternetSharing'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'org.postfix.master'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.RemoteDesktop.plist'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.UserNotificationCenter.plist'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.mDNSResponder.plist'
1PCI 2.1/2.2.3 Attempt to log on to devices using default vendor-supplied accounts andpasswords 'root'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 15
Total Plugin Name
1PCI 2.1 Attempt to log on to devices using default vendor-supplied accounts andpasswords 'multiple'
1PCI 2.2.3/2.2.3.b/2.2.3.c/8.4 Verify common security parameter settings - Do not storeLAN Manager password hash value on next password change
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - CheckLegalNoticeCaption is specified
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - CheckLegalNoticeText is specified
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Do Not Display LastUser Name
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Unsigned DriverInstallation Behavior: Warn, but allow
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Prevent users frominstalling printer drivers
1PCI 2.2.3/2.2.3.b/2.2.3.c/10.2.7 Verify common security parameter settings - AuditSystem Events
1PCI 2.2.3/2.2.3.b/2.2.3.c/10.2.2 Verify common security parameter settings - AuditPrivilege Use
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit PolicyChange
1 PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit Logon Events
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit AccountManagement
1PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.1 Verify common security parameter settings - Audit AccountLogon Events
1 PCI 2.2.2 Enable only necessary services - W3SVC
1 PCI 2.2.2 Enable only necessary services - upnphost
1 PCI 2.2.2 Enable only necessary services - SNMP
1 PCI 2.2.2 Enable only necessary services - Ntfrs
1 PCI 2.2.2 Enable only necessary services - IISADMIN
1 PCI 2.2.2 Enable only necessary services - HTTPFilter
1 PCI 2.2.2 Enable only necessary services - helpsvc
1 PCI 2.2.2 Enable only necessary services - FAX
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 16
PCI 2.0 - Passing Settings
Total Plugin Name
3 PCI 2.2.3 Configure system security parameters to prevent misuse 'screen sharing'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'remote management'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/pppd'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/sbin/vpnd'
2PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/libexec/xgrid/IdleTool'
2PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/libexec/dumpemacs'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/lppasswd'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/chpass'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'Locum'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'PCIELaneConfigTool'
2 PCI 2.2.3 Configure system security parameters to prevent misuse 'check_afp'
2PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Filesystems/AppleShare/afpLoad'
2PCI 2.2.3 Configure system security parameters to prevent misuse '/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav'
2 PCI 2.2.3 Configure system security parameters to prevent misuse '/sbin/route'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'no corner disablesscreen saver'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'no corner sets sleepdisplay'
2PCI 2.2.3 Configure system security parameters to prevent misuse 'Apache TraceEnableoff'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.dashboard.advisory.fetch.plist'
2 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'iSight camera'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'Bluetoothcom.apple.blued'
2 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'Airport'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.webdavfs_load_kext'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 17
Total Plugin Name
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.RFBEventHelper'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.racoon'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.nis.ypbind'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'QuicktimeUSBVDCDigitizer.component'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.RemoteUI.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.IIDCAssistant.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.RemoteDesktop.PrivilegeProxy.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.InternetSharing.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.xgridcontrollerd.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.xgridagentd.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.mDNSResponderHelper.plist'
2 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'eppc.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'org.apache.httpd.plist'
2 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'smbd.plist'
2PCI 2.2.2/8.4 Enable only necessary and secure services, protocols / use strongcryptography 'ftp.plist'
2PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.AppleFileServer.plist'
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Enable Safe DLLsearch mode
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - RenameAdministrator Account
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 18
Total Plugin Name
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Limit blankpasswords to console logon only
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Guest acccount isdisabled
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Maximum SystemLog Size (KB)
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Maximum SecurityLog Size (KB)
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - MaximumApplication Log Size (KB)
2PCI 2.2.3/2.2.3.b/2.2.3.c/10.1/10.2.1/10.2.3 Verify common security parameter settings -Audit Object Access
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.13Verify common security parameter settings - ResetAccount Lockout Counter After
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.13 Verify common security parameter settings - AccountLockout Threshold
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Account LockoutDuration
2PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Store PasswordsUsing Reversible Encryption
2PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.9 Verify common security parameter settings - MaximumPassword Age
2 PCI 2.2.2 Enable only necessary services - WZCSVC
2 PCI 2.2.2 Enable only necessary services - WMServer
2 PCI 2.2.2/2.3.b Enable only necessary services - TlntSvr
2 PCI 2.2.2 Enable only necessary services - TFTPD
2 PCI 2.2.2 Enable only necessary services - TemService
2 PCI 2.2.2 Enable only necessary services - srvcsurg
2 PCI 2.2.2 Enable only necessary services - SMTPSVC
2 PCI 2.2.2 Enable only necessary services - Remote_Storage_User_Link
2 PCI 2.2.2 Enable only necessary services - Remote_Storage_Server
2 PCI 2.2.2 Enable only necessary services - RemoteAccess
2 PCI 2.2.2 Enable only necessary services - Pop3Svc
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 19
Total Plugin Name
2 PCI 2.2.2 Enable only necessary services - NWCWorkstation
2 PCI 2.2.2 Enable only necessary services - NntpSvc
2 PCI 2.2.2 Enable only necessary services - MSFtpsvc
2 PCI 2.2.2 Enable only necessary services - mnmsrvc
2 PCI 2.2.2 Enable only necessary services - Messenger
2 PCI 2.2.2 Enable only necessary services - MacPrint
2 PCI 2.2.2 Enable only necessary services - MacFile
2 PCI 2.2.2 Enable only necessary services - LicenseService
2 PCI 2.2.2 Enable only necessary services - ClipSrv
2 PCI 2.2.2 Enable only necessary services - CiSvc
2 PCI 2.2.2 Enable only necessary services - BINLSVC
2 PCI 2.2.2 Enable only necessary services - Appmon
2 PCI 2.2.2 Enable only necessary services - AppMgr
2 PCI 2.2.2 Enable only necessary services - Alerter
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'auth'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'bootps'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'cmsd'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'finger'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'instl_boots'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'kcms_server'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'rpc.quotad'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'rpc.ttdbserver'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'rstatd'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'ruserd'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'rwalld'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'sprayd'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'tftp'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'uucp'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'getty'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 20
Total Plugin Name
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NIS_MASTER_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NIS_SLAVE_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NIS_CLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NISPLUS_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NISPLIS_CLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'XPRINTSERVERS='
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'PC_CLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons, etc., asrequired '/sbin/rc2.d/S570SnmpFddi'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'START_SNAPLUS=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'START_SNANODE=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'START_SNAINETD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DCE_KRPC=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DFS_CORE=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DFS_CLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DFS_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DFS_EPISODE=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'EPIINIT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DFSEXPORT=0'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 21
Total Plugin Name
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'BOSSERVER=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'DFSBIND=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'FXD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'MEMCACHE=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'DFSGWD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'DISKCACHEFORDFS=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'RDPD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'PEER_SNMPD_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'START_I4LMD=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'RUN_X_FONT_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'AUDIO_SERVER=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'SLSD_DAEMON=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons, etc., asrequired .. '/sbin/rc2.d/400nfs.core'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'RUN_SAMBA=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'RUN_CIFSCLIENT=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'NS_FTRACK=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'APACHE_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'HPWS_APACHE_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'HPWS_APACHE32_START=0'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 22
Total Plugin Name
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'HPWS_TOMCAT_START=0'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'HPWS_WEBMIN_START=0'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'NAMED=0'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'X11Forwarding=yes'
1PCI 2.2.3 Configure system security parameters to prevent misuse'PermitEmptyPasswords=no'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/inetd.conf perms'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'saverTimeout'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '+ in /etc/passwd'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '+ in /etc/group'
1PCI 2.2.3 Configure system security parameters to prevent misuse'dot_in_root_path_variable'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/home/*/'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/profile UMASK'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/csh.login UMASK'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/d.profile UMASK'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/etc/d.login UMASK'
1 PCI 2.3/4.1 Use strong encryption and security protocols
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'restrict sudo users'
1 PCI 2.2.3 Configure system security parameters to prevent misuse '/usr/bin/ipcs'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'secure virtualmemory'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'disable sleep whenconnected to power'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'display sleep'
1PCI 2.2.3 Configure system security parameters to prevent misuse 'screensaver/sleeppassword'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable SMB sharing'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable AFP sharing'
1 PCI 2.2.3 Configure system security parameters to prevent misuse 'disable user list'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 23
Total Plugin Name
1PCI 2.2.3 Configure system security parameters to prevent misuse 'disable automaticlogin'
1 PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'MobileMe'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'internetsharing MultipleSessionEnabled'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons 'internetsharing com.apple.InternetSharing'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'org.postfix.master'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.RemoteDesktop.plist'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.UserNotificationCenter.plist'
1PCI 2.2.2 Enable only necessary and secure services, protocols, daemons'com.apple.mDNSResponder.plist'
1PCI 2.1/2.2.3 Attempt to log on to devices using default vendor-supplied accounts andpasswords 'root'
1PCI 2.1 Attempt to log on to devices using default vendor-supplied accounts andpasswords 'multiple'
1PCI 2.2.3 Configure system security parameters to prevent misuse'accounts_bad_home_permissions'
1PCI 2.2.3/2.2.3.b/2.2.3.c/8.4 Verify common security parameter settings - Do not storeLAN Manager password hash value on next password change
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Unsigned DriverInstallation Behavior: Warn, but allow
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Prevent users frominstalling printer drivers
1PCI 2.2.3/2.2.3.b/2.2.3.c/10.2.7 Verify common security parameter settings - AuditSystem Events
1PCI 2.2.3/2.2.3.b/2.2.3.c/10.2.2 Verify common security parameter settings - AuditPrivilege Use
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit PolicyChange
1 PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit Logon Events
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 2.0
Tenable Network Security 24
Total Plugin Name
1PCI 2.2.3/2.2.3.b/2.2.3.c Verify common security parameter settings - Audit AccountManagement
1PCI 2.2.3/2.2.3.b/2.2.3.c/8.5.1 Verify common security parameter settings - Audit AccountLogon Events
1 PCI 2.2.2 Enable only necessary services - W3SVC
1 PCI 2.2.2 Enable only necessary services - upnphost
1 PCI 2.2.2 Enable only necessary services - SNMP
1 PCI 2.2.2 Enable only necessary services - Ntfrs
1 PCI 2.2.2 Enable only necessary services - IISADMIN
1 PCI 2.2.2 Enable only necessary services - HTTPFilter
1 PCI 2.2.2 Enable only necessary services - helpsvc
1 PCI 2.2.2 Enable only necessary services - FAX
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 3.0
Tenable Network Security 25
PCI 3.0
This section lists each system with compliant and non-compliant settings that pertain to section 3.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 3.0 - Settings per Systems
IP Address DNS Name Score Info High
192.168.1.11 win7-pc.home 0 1 0
PCI 3.0 - Failing Settings
PCI 3.0 - Passing Settings
Total Plugin Name
1PCI 3.4.1.a If disk encryption is used, verify that logical access is not allowed using localuser account databases
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 4.0
Tenable Network Security 26
PCI 4.0
This section lists each system with compliant and non-compliant settings that pertain to section 4.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 4.0 - Settings per System
PCI 4.0 - Failing Settings
PCI 4.0 - Passing Settings
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 5.0
Tenable Network Security 27
PCI 5.0
This section lists each system with compliant and non-compliant settings that pertain to section 5.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 5.0 - Settings per System
IP Address DNS Name Score Info High
192.168.1.11 win7-pc.home 0 3 0
PCI 5.0 - Failing Settings
PCI 5.0 - Passing Settings
Total Plugin Name
1PCI 5.2 Ensure that all anti-virus mechanisms are current, actively running, andgenerating audit logs (WMI)
1PCI 5.1 Deploy anti-virus software on all systems commonly affected by malicioussoftware (root\SecurityCenter2)
1PCI 5.1 Deploy anti-virus software on all systems commonly affected by malicioussoftware (root\SecurityCenter)
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 6.0
Tenable Network Security 28
PCI 6.0
This section lists each system with compliant and non-compliant settings that pertain to section 6.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 6.0 - Settings per System
PCI 6.0 - Failing Settings
PCI 6.0 - Passing Settings
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 7.0
Tenable Network Security 29
PCI 7.0
This section lists each system with compliant and non-compliant settings that pertain to section 7.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 7.0
Tenable Network Security 30
PCI 7.0 - Systems per Setting
IP Address DNS Name Score Info High
172.20.10.47 hpuxrisc.lab.tenablesecurity.com 100 3 10
172.26.22.100 0 3 0
192.168.1.11 win7-pc.home 0 3 0
PCI 7.0 - Failing Settings
Total Plugin Name
1 PCI 7.1.1/7.2.3 Restrict access rights / default deny 'at.allow, root'
1 PCI 7.1.1/7.2.3 Restrict access rights / default deny 'cron.allow, root'
1PCI 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary'cron.allow perms'
1PCI 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary'at.allow perms'
1PCI 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary'crontab perms'
1PCI 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary'securetty perms'
1PCI 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary'secure RPC'
1PCI 7.1.4 Implementation of an automated access control system / default deny 'block inall'
1PCI 7.1.4 Implementation of an automated access control system 'pass in from<allowed net>/<mask>'
1 PCI 7.1.4/7.2.1/7.2.3 Automated access control / default deny
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 7.0
Tenable Network Security 31
PCI 7.0 - Passing Settings
Total Plugin Name
2PCI 7.2.2/10.5.1 Assignment of privileges to individuals based on job classification andfunction - System Log Restrict Guest Access
2PCI 7.2.2/10.5.1 Assignment of privileges to individuals based on job classification andfunction - Security Log Restrict Guest Access
2PCI 7.2.2/10.5.1 Assignment of privileges to individuals based on job classification andfunction - Application Log Restrict Guest Access
1 PCI 7.1.1/7.2.3 Restrict access rights / default deny '!cron.deny'
1 PCI 7.1.1/7.2.3 Restrict access rights / default deny '!at.deny'
1 PCI 7.1.1/7.2.2 Restrict access rights / assign as needed 'root securetty'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 8.0
Tenable Network Security 32
PCI 8.0
This section lists each system with compliant and non-compliant settings that pertain to section 8.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 8.0
Tenable Network Security 33
PCI 8.0 - Systems per Setting
IP Address DNS Name Score Info High
172.20.10.47 hpuxrisc.lab.tenablesecurity.com 160 11 16
192.168.1.14 godzilla.home 20 0 2
192.168.1.16 gigan.lab 20 0 2
172.26.22.100 10 1 1
192.168.1.11 win7-pc.home 10 1 1
PCI 8.0 - Failing Settings
Total Plugin Name
2PCI 8.5.11 Use passwords containing both numeric and alphabetic characters'requiresNumeric>=1'
2PCI 8.5.11 Use passwords containing both numeric and alphabetic characters'requiresMixedCase>=1'
2PCI 8.5.15 Re-authenticate to re-activate the terminal or session if idle for 15 or moreminutes (MaxIdleTime)
1PCI 8.4 Render all passwords unreadable during transmission and storage on all systemcomponents using strong cryptography '/etc/passwd'
1PCI 8.4 Render all passwords unreadable during transmission and storage on all systemcomponents using strong cryptography 'shadowing'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'www'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'sys'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'smbnull'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'uucp'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'nuucp'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'adm'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'daemon'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'bin'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'lp'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'nobody'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 8.0
Tenable Network Security 34
Total Plugin Name
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'hpdb'
1 PCI 8.5.11 Use passwords containing both numeric and alphabetic characters 'digit=<1'
1PCI 8.5.12 Do not allow an individual to submit a new password that is the same as anyof the last four passwords
1PCI 8.5.13 Limit repeated access attempts by locking out the user ID after not more thansix attempts
PCI 8.0 - Passing Settings
Total Plugin Name
2PCI 8.5.15 Re-authenticate to re-activate the terminal or session if idle for 15 or moreminutes
1PCI 8.1 Assign all users a unique ID before allowing them to access system componentsor cardholder data 'UID 0'
1PCI 8.1 Assign all users a unique ID before allowing them to access system componentsor cardholder data 'UID duplicates'
1PCI 8.1 Assign all users a unique ID before allowing them to access system componentsor cardholder data 'username duplicates'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'iwww'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'owww'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'sshd'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'hpsmh'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'named'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'noaccess'
1 PCI 8.5.8.a Generic user IDs and accounts are disabled or removed 'useradm'
1PCI 8.5.11 Use passwords containing both numeric and alphabetic characters'alpha=<1'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 9.0
Tenable Network Security 35
PCI 9.0
This section lists each system with compliant and non-compliant settings that pertain to section 9.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 9.0 - Systems per Setting
IP Address DNS Name Score Total Info Med. High
172.26.22.100 10 3 2 0 1
192.168.1.11 win7-pc.home 10 1 0 0 1
PCI 9.0 - Failing Settings
Total Plugin Name
2PCI 9.7 Maintain strict control over the internal or external distribution of any kind ofmedia - 'UsbStor\Start'
PCI 9.0 - Passing Settings
Total Plugin Name
1PCI 9.7 Maintain strict control over the internal or external distribution of any kind ofmedia - 'Floppies'
1PCI 9.7 Maintain strict control over the internal or external distribution of any kind ofmedia - 'CD-ROM'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 10.0
Tenable Network Security 36
PCI 10.0
This section lists each system with compliant and non-compliant settings that pertain to section 10.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 10.0
Tenable Network Security 37
PCI 10.0 - Systems per Setting
IP Address DNS Name Score Info High
172.20.10.47 hpuxrisc.lab.tenablesecurity.com 130 6 13
192.168.1.16 gigan.lab 50 1 5
172.20.101.83 Lap24112.local 40 2 4
192.168.1.14 godzilla.home 40 2 4
172.26.22.100 30 6 3
192.168.1.11 win7-pc.home 30 6 3
PCI 10.0 - Failing Settings
Total Plugin Name
3 PCI 10.7 Retain audit trail history for at least one year '/var/log/secure.log'
3 PCI 10.7 Retain audit trail history for at least one year '/var/log/system.log'
3PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'server 1'
2PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'TIMESYNC'
2 PCI 10.7 Retain audit trail history for at least one year - Retain system log
2 PCI 10.7 Retain audit trail history for at least one year - Retain security log
2 PCI 10.7 Retain audit trail history for at least one year - Retain application log
1PCI 10.1 Establish a process for linking all access to system components to eachindividual user
1 PCI 10.2 Implement automated audit trails for all system components 'audsys running'
1 PCI 10.2 Implement automated audit trails for all system components 'AUDITING=1'
1PCI 10.2 Implement automated audit trails for all system components'AUDEVENT_ARGS1=-P -F -r basic'
1PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times
1 PCI 10.4.2 Time data is protected
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 10.0
Tenable Network Security 38
Total Plugin Name
1PCI 10.4/10.4.3 Using time-synchronization technology / Time settings are received fromindustry-accepted time sources 'ntp primary'
1PCI 10.4/10.4.3 Using time-synchronization technology / Time settings are received fromindustry-accepted time sources 'ntp secondary'
1PCI 10.4/10.4.3 Using time-synchronization technology / Time settings are received fromindustry-accepted time sources 'ntp tertiary'
1PCI 10.5.3 Promptly back up audit trail files to a centralized log server '/etc/rsyslog.confperms'
1 PCI 10.5.3 Promptly back up audit trail files to a centralized log server 'server IP'
1 PCI 10.7 Retain audit trail history for at least one year 'rotation schedule'
1 PCI 10.7 Retain audit trail history for at least one year 'rotation in months'
1PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'process'
1PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'server 2'
PCI 10.0 - Passing Settings
Total Plugin Name
2PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'process'
2PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'server 2'
2 PCI 10.4.3 Time settings are received from industry-accepted time sources
2 PCI 10.4.1 Critical systems have the correct and consistent time - 'Type'
2 PCI 10.4.1 Critical systems have the correct and consistent time - 'InputProvider'
2 PCI 10.4.1 Critical systems have the correct and consistent time - 'FrequencyCorrectRate'
2 PCI 10.4.1 Critical systems have the correct and consistent time - 'Enabled'
2 PCI 10.4.1 Critical systems have the correct and consistent time - 'CrossSiteSyncFlags'
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/syslog/syslog.log perms'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 10.0
Tenable Network Security 39
Total Plugin Name
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/syslog/mail.log perms'
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/sulogperms'
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/sambaperms'
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/squidperms'
1PCI 10.5/10.5.1/10.5.2 Secure audit trails so they cannot be altered '/var/adm/wtmpperms'
1PCI 10.4 Using time-synchronization technology, synchronize all critical system clocksand times 'TIMESYNC'
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 11.0
Tenable Network Security 40
PCI 11.0
This section lists each system with compliant and non-compliant settings that pertain to section 12.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 11.0 - Systems per Setting
PCI 11.0 - Failing Settings
PCI 11.0 - Passing Settings
PCI Configuration Settings SecurityCenter 4TENABLE NETWORK SECURITY INC., COPYRIGHT © 2013
PCI 12.0
Tenable Network Security 41
PCI 12.0
This section lists each system with compliant and non-compliant settings that pertain to section 12.0 of the PCI DSS specification. For each compliant and non-compliant setting, the list of corresponding systems and settings is enumerated. Passing settings have a value of 'Info' and failing settings have a value of 'High'.An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested,configuration settings may or may not be available that are relevant to PCI.
PCI 12.0 - Systems per Setting
PCI 12.0 - Failing Settings
PCI 12.0 - Passing Settings
