PCI Configuration Report

by Josef Weiss
April 1, 2014


This report template leverages Nessus PCI system configuration results to track which PCI DSS requirements are compliant or non-compliant.

If you need to track which PCI requirements your group is compliant with and you are performing credentialed Nessus configuration audits of your systems, then this SecurityCenter report template can be used to track which requirements are currently being met or not.

This report is split into twelve sections, which correspond with PCI sections 1 through 12. For each section, the configuration settings relevant to that PCI section are considered. There are four parts to each section.

  • A list of hosts with passing settings, failing settings, and settings that require additional action, ranked by a non-compliance score.
  • A list of compliant settings and a count of each.
  • A list of non-compliant settings and a count of each.
  • A list of compliant settings that require additional actions to be taken.

Although the Nessus audit configuration settings map to most parts of the PCI DSS, many operating systems do not have a configuration setting for every requirement. This means that some sections will contain no compliant or non-compliant results.

Each chapter lists systems with compliant and non-compliant settings that pertain to the respective section of the PCI DSS specification. For each compliant and non-compliant setting, the number of corresponding systems is enumerated. A bar graph demonstrates the PCI results for the current and past 30 days.

Passing settings have a value of 'Info', settings that require additional action to be taken are 'Medium', and failing settings have a value of 'High'. An empty report indicates that no corresponding PCI settings for that section were available for auditing. Depending on the type of operating system being tested, configuration settings that are relevant to PCI may or may not be available.
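As an added illustration (not part of the original post or Tenable's code), the following Python script groups constructed Nessus-style compliance results into the four parts described above for one PCI section, using the Info/Medium/High mapping; the scoring weights and the sample data are assumptions, since the post does not define how the non-compliance score is computed.

```python
# Added example: builds one PCI section chapter from Nessus-style compliance results.
from collections import Counter, defaultdict

# Severity the report assigns to each compliance result, as the post states:
# passing -> Info, needs additional action -> Medium, failing -> High.
SEVERITY = {"PASSED": "Info", "WARNING": "Medium", "FAILED": "High"}

# Assumed weights for the non-compliance score (the post does not define it).
SCORE_WEIGHT = {"Info": 0, "Medium": 1, "High": 3}

# Constructed sample results: (host, PCI section, setting name, Nessus result)
SAMPLE_RESULTS = [
    ("10.0.0.5", 8, "Minimum password length", "FAILED"),
    ("10.0.0.5", 8, "Account lockout threshold", "PASSED"),
    ("10.0.0.5", 8, "Password history", "WARNING"),
    ("10.0.0.7", 8, "Minimum password length", "PASSED"),
    ("10.0.0.7", 8, "Account lockout threshold", "FAILED"),
    ("10.0.0.7", 8, "Password history", "PASSED"),
    ("10.0.0.9", 8, "Minimum password length", "FAILED"),
    ("10.0.0.9", 8, "Account lockout threshold", "FAILED"),
    ("10.0.0.9", 1, "Firewall enabled", "PASSED"),
]


def section_report(results, section):
    """Return the four parts of one PCI section chapter for the given section."""
    scores = defaultdict(int)
    compliant, non_compliant, needs_action = Counter(), Counter(), Counter()
    for host, sec, setting, result in results:
        if sec != section:
            continue  # only settings mapped to this PCI section are considered
        severity = SEVERITY[result]
        scores[host] += SCORE_WEIGHT[severity]
        if severity == "Info":
            compliant[setting] += 1
        elif severity == "High":
            non_compliant[setting] += 1
        else:
            needs_action[setting] += 1
    # Hosts ranked by non-compliance score (highest first), ties by address.
    hosts = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "hosts_by_score": hosts,
        "compliant": dict(compliant),
        "non_compliant": dict(non_compliant),
        "needs_action": dict(needs_action),
    }


if __name__ == "__main__":
    for part, value in section_report(SAMPLE_RESULTS, 8).items():
        print(part, value)
```

A section with no audited settings (for example section 3 in the sample data) yields empty lists and counts, which is the empty-report case the post describes.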

This report template can easily be extended to support lists of compliant or non-compliant assets. Also, if you have large numbers of IP addresses, the 'Vuln Summary - IP List' tool could be used to list each IP address that is affected by a non-compliant or compliant setting.

The report and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The report requirements are:

  • SecurityCenter 4.8.0
  • Nessus 5.2.5
  • PCI Audit File for Nessus