On Wed, 6 Jan 2010 13:46:37 -0800, Jeremy Hansen <[email protected]> wrote:

> I'm going through the purgatory which is PCI compliance right now and the
> fact that PCI DSS point 11.4 is not mentioned in your PCI outline located
> here:
>
> http://www.ossec.net/ossec-docs/ossec-PCI-Solution.pdf
>
> has led the powers that be to believe that 11.4 is not covered by OSSEC.
> The requirement does not specifically mention NIDS vs HIDS.
>
> How is this interpreted? I assume to be fully covered, it would require a
> combination of OSSEC and a NIDS, such as snort.
>
> Does this make sense?
Hello Jeremy,

Let me start by saying that I am not a QSA (qualified security assessor), although I have deployed and used OSSEC in a PCI environment, as well as helped people meet the standard in other areas. I also hold security and auditor certifications, for what it's worth (maybe not much :) ), so I can see both sides.

When I first read this I thought for sure the DSS made a distinction between NIDS and HIDS. So I whipped out my copy of DSS 1.2 and did a search. Lo and behold, the DSS does not explicitly call for NIDS and HIDS. That being said, 11.4 does say this (emphasis mine):

Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all *traffic* in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.

Although not specifically called out as NIDS, I think network-layer monitoring is implicit in this requirement. I can say that were I auditing a PCI environment and found out that they had decided a NIDS was not necessary, they would have to have one heck of a compensating control to convince me that this was a good idea. I think NIDS and HIDS are both necessary for PCI compliance, and I think the OSSEC PCI document is pretty clear that they only assist with certain areas of PCI.

--
Michael Starks
Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
