SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

PCF Compliance

PCF is compliant with this requirement.

The File Integrity Monitoring add-on for PCF monitors file integrity for all BOSH-deployed VMs.

By default, all BOSH-deployed VMs run the Linux audit daemon. Operators can edit their BOSH runtime config to customize the audit daemon and other native Linux auditing tools.

PCF supports third-party security scanning, either through remote access, or through local installation of a third-party agent on the stemcell as a BOSH add-on.

Pivotal Network provides checksums for all software releases, enabling deployers to check file integrity before deployment. In the future, Pivotal plans to add digital signatures to releases on Pivotal Network.
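The pre-deployment checksum verification described above, as an added example (not Pivotal's tooling or code from this page). It assumes the checksums are published as a manifest in the common `<sha256>  <filename>` layout, and the file names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large release tarballs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse lines of '<hex digest>  <filename>' into {filename: digest}.
    The layout is an assumption; adapt it to how the checksums are published."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_release_dir(directory, manifest_text):
    """Return {filename: status}, status being 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path)
        # compare_digest is a constant-time comparison; a harmless habit here
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def demo():
    """Constructed release directory: one intact file, one altered, one absent."""
    d = tempfile.mkdtemp()
    good = b"release-tile-contents"
    with open(os.path.join(d, "good.pivotal"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "tampered.pivotal"), "wb") as f:
        f.write(good + b"!")  # one extra byte, as if modified in transit
    manifest = "\n".join(
        f"{hashlib.sha256(good).hexdigest()}  {n}"
        for n in ("good.pivotal", "tampered.pivotal", "absent.pivotal"))
    return verify_release_dir(d, manifest)
```

A checksum obtained over the same channel as the artifact detects corruption and accidental substitution, not tampering by whoever controls that channel; that is the gap the digital signatures mentioned above would close, so the manifest should be fetched and pinned separately where possible.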

PCF deployers requiring assistance configuring integrity verification can contact the Pivotal Security team at security@pivotal.io.


Control Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Supplemental Guidance

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.