vRealize Operations Compliance Pack for PCI

vRealize Operations Manager

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-002604-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

vRealize Operations Compliance Pack for PCI
1 Introduction
2 Install the vRealize Compliance Pack for PCI
3 Configure the vRealize Compliance Pack for PCI
4 Reports
The documentation for vRealize Operations Compliance Pack for PCI includes information about the installation and usage of vRealize Operations Compliance Pack for PCI.

Intended Audience

The information in this guide is intended for users who want to install and use vRealize Operations Compliance Pack for PCI.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Introduction

The PCI (Payment Card Industry Security Standards) hardening guide addresses the growing threat to consumer payment information. Companies that accept, process, or receive payments should adopt it as soon as possible to prevent, detect, and respond to cyber attacks that can lead to breaches.

The vRealize Operations Compliance Pack for PCI provides Alerts, Policies, and Reports to validate vSphere resources against the PCI 3.2 hardening guide. The following resources are validated using this content:

1. vCenter
2. ESXi Host
3. Virtual Machine
4. Distributed Port Group
5. Distributed Virtual Switch

Note: The product is represented only as assisting customers in their PCI compliance efforts and is not represented as the customer's solution for being PCI-compliant.
Install the vRealize Compliance Pack for PCI

Prerequisites

This content pack requires vRealize Operations Manager 6.6 and above.

Procedure

1. Log in to the vRealize Operations Manager with administrator privileges.
2. In the top pane of vRealize Operations Manager, click the Administrator icon. Click Solutions.
3. On the Solutions tab, click the plus sign.
4. Browse to locate the temporary folder and select the PAK file.
5. Click Upload. It might take a few minutes to upload.
6. Read and accept the EULA, and click Next.
7. When the vRealize Operations Compliance Pack for HIPAA is installed, click Finish.
Configure the vRealize Compliance Pack for PCI

Prerequisites

- Verify that you have installed vRealize Operations Compliance Pack for PCI.
- Verify that the vCenter Adapter is configured to collect properties from the vCenter whose resources have to be validated against the PCI hardening guide.

Procedure

1. At the top of the vRealize Operations Manager page, click the Administration icon and click Policies.
2. Click the Policy Library tab.
3. Enable the PCI 3.2 hardening guide for vSphere policy in one of the following two ways.

   Set the PCI 3.2 hardening guide for vSphere policy as the default policy:
   a. Select the PCI 3.2 hardening guide for vSphere policy from the list of policies.
   b. If you wish to set this policy as the default policy, click the Set Default Policy icon in the top menu.

   Note: The above action overrides the default policy applicable on the vROps instance with the PCI 3.2 hardening guide for vSphere policy.

   Edit the active default policy as follows:
   a. Click the active default policy.
   b. Click the edit button on the top panel to edit the policy.
   c. Navigate to the Alerts/Symptom Definitions section in the left panel.
   d. Filter the alerts on the PCI keyword.
   e. Select the alerts that you want to enable.
   f. From the Actions menu in the top pane, set the state as enabled.
   g. Once you have enabled the required alerts, click Save.

4. Once the PCI-based compliance alerts are enabled through the policy, alerts for the resources that fail the hardening guide validation appear after some time.
Reports

The non-compliance report for the PCI 3.2 hardening guide lists all the active alerts based on the PCI hardening guide against the vSphere objects in the environment.

1. At the top of the vRealize Operations Manager page, click the Dashboards icon. Click Reports.
2. Filter the existing reports using the keyword PCI to fetch the PCI report template.
3. Run the report against the object for which you intend to generate the PCI report. This report contains the list of the active PCI alerts against the selected resource.
4. Alternatively, you can generate the report against a particular object by navigating to the compliance dashboard for the object under the Analysis tab.