Question

PCI DSS Compliance

  • 5 November 2020
  • 2 replies
  • 585 views

We had 4 findings for PCI DSS compliance on an AOS node:

1. 57608 - SMB Signing not required
Signing is not required on the remote SMB server.
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
tcp port 445

2. 84502 - HSTS Missing From HTTPS Server
The remote web server is not enforcing HSTS.
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
tcp port 5989

3. 51192 - SSL Certificate Cannot Be Trusted
The SSL certificate for this service cannot be trusted.
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
tcp port 5989

4. 57582 - SSL Self-Signed Certificate
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
tcp port 5989

May I know how to solve it?
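A small offline re-check for the findings listed above, added here as an example and not taken from the original post or from Nutanix: it reads the SecurityMode field of a captured SMB2 NEGOTIATE response, the Strict-Transport-Security header of an HTTPS reply, and the subject/issuer of a certificate dict, so evidence captured from the CVM can be re-tested after remediation. The sample inputs are constructed, and the plugin IDs are the ones quoted in the question.

```python
"""Offline verification helpers for the four scan findings (added example)."""
import re

# SMB2 header is 64 bytes; the NEGOTIATE response body starts with
# StructureSize (2 bytes) followed by SecurityMode (2 bytes, little-endian).
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def smb_signing_required(negotiate_response: bytes) -> bool:
    """True when the SMB2 NEGOTIATE response sets SIGNING_REQUIRED (clears plugin 57608)."""
    if len(negotiate_response) < 68 or negotiate_response[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 NEGOTIATE response")
    security_mode = int.from_bytes(negotiate_response[66:68], "little")
    return bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def hsts_enforced(headers: dict) -> bool:
    """True when the HTTPS response carries Strict-Transport-Security with a positive max-age (plugin 84502)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return match is not None and int(match.group(1)) > 0


def is_self_signed(cert: dict) -> bool:
    """True when subject equals issuer, using the dict shape of ssl.SSLSocket.getpeercert() (plugins 51192/57582)."""
    return cert.get("subject") == cert.get("issuer")


# Constructed sample inputs (not captured from a real CVM).
SAMPLE_NEGOTIATE = SMB2_PROTOCOL_ID + b"\x00" * 60 + (65).to_bytes(2, "little") + (0x0003).to_bytes(2, "little")
SAMPLE_HEADERS = {"Server": "demo", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_CERT = {"subject": ((("commonName", "cvm.example"),),), "issuer": ((("commonName", "cvm.example"),),)}


def remaining_findings(negotiate_response: bytes, headers: dict, cert: dict) -> list:
    """Return the scan plugin IDs that would still fire against the given evidence."""
    findings = []
    if not smb_signing_required(negotiate_response):
        findings.append(57608)
    if not hsts_enforced(headers):
        findings.append(84502)
    if is_self_signed(cert):
        findings.append(57582)
    return findings


if __name__ == "__main__":
    print(remaining_findings(SAMPLE_NEGOTIATE, SAMPLE_HEADERS, SAMPLE_CERT))  # [57582]
```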




Hi estint,


I believe there is a support case raised for this now. I will post the answer here for the benefit of other members.

To help with compliance, use of Flow Security Central is recommended.

  • Visibility into Security Compliance: FSC provides businesses with a security heat map and complete visibility into the security posture of their environment. FSC also identifies any security vulnerabilities using more than 800 automated audit checks based on the industry's best practices.
  • Optimization of Security Compliance: FSC provides cloud operators with a one-click feature to easily fix their security issues. FSC also provides out-of-the-box security policies to automate the checks for common regulatory compliance policies, such as HIPAA, PCI-DSS, CIS, and so on.
  • Control over Security Compliance: FSC helps you to set policies that continuously detect security vulnerabilities in real-time and automate the actions needed to fix them. You can also create your custom audit checks in FSC to meet your business-specific security compliance needs.

Upgrading to the most recent AOS version is another good idea.


Our scans also show the "SMB Signing not required" vulnerability on CVM/Prism.

Is there an update to this question?

Thanks.