PCI DSS Compliance : Point-of-Sale (POS) Software

2018-03-19T00:00:00
ID PCI_POS_SOFTWARE.NASL
Type nessus
Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2018-03-19T00:00:00

Description

Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Consult your ASV if you have questions about this Special Note.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108410);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/04/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/19");

  script_name(english:"PCI DSS Compliance : Point-of-Sale (POS) Software");
  script_summary(english:"Check for Point-of-Sale software for PCI DSS compliance.");

  # Informational finding only: the text below is a PCI "Special Note" for
  # the ASV to review, so the plugin is a summary with no risk rating.
  script_set_attribute(attribute:"plugin_type", value:"summary");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"synopsis", value:
"Point-of-Sale software has been detected running on the remote host.");
  script_set_attribute(attribute:"description", value:
"Due to increased risk to the cardholder data environment when a
point-of-sale system is visible on the Internet, 1) confirm that this
system needs to be visible on the Internet, that the system is
implemented securely, and that original default passwords have been
changed to complex passwords, or 2) confirm that the system has been
reconfigured and is no longer visible to the Internet. Consult your
ASV if you have questions about this Special Note.");
  script_set_attribute(attribute:"solution", value:"n/a");

  script_end_attributes();

  script_category(ACT_END);
  script_family(english:"Policy Compliance");
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only in PCI DSS scans, and not in the PCI local-checks variant
  # (the runtime guards below repeat these two conditions).
  script_require_keys("Settings/PCI_DSS");
  script_exclude_keys("Settings/PCI_DSS_local_checks");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

# Runtime guards mirroring the require/exclude keys in the description block:
# stop unless this is a PCI DSS scan, and skip the PCI local-checks variant,
# since this plugin is meant for PCI external scans only.
pci_dss_scan = get_kb_item("Settings/PCI_DSS");
if (!pci_dss_scan) audit(AUDIT_PCI);

pci_local_checks = get_kb_item("Settings/PCI_DSS_local_checks");
if (pci_local_checks)
  exit(1, "This plugin only runs for PCI External scans.");
##
# Returns any URLs found for the specified POS product.
#
# Only consulted when a web application was detected on the port
# (KB item www/<port>/webapp_installed); otherwise NULL is returned.
#
# @param  string  app  POS software name, as recorded by get_installs()
# @param  int     port port the software was detected on
#
# @return list    list of URLs built from the install paths returned by
#                 get_installs(), or NULL when either argument is missing,
#                 no web app is registered on the port, or the lookup fails
##
function get_urls(app, port)
{
  local_var res, inst, loc, found;

  # Nothing to look up without both a product name and a port.
  if (isnull(app) || isnull(port)) return NULL;

  # Only ports where a web application was detected are consulted.
  if (!get_kb_item('www/' + port + '/webapp_installed')) return NULL;

  res = get_installs(app_name:app, port:port);
  if (res[0] != IF_OK) return NULL;

  found = make_list();
  foreach inst (res[1])
  {
    loc = build_url2(qs:inst['path'], port:port);
    if (empty_or_null(loc)) continue;
    # Append to the end of the list.
    found[max_index(found)] = loc;
  }

  return found;
}


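# Each detected POS product is expected under a PCI/POS/<port> KB entry
# (presumably set by the individual detection plugins); collect them and
# build one informational report for the PCI special note.
port_kbs = get_kb_list("PCI/POS/*");
if (empty_or_null(port_kbs)) audit(AUDIT_HOST_NONE, "Point-of-Sale (POS) software");

report = NULL;

foreach port_kb (keys(port_kbs))
{
  # The KB key is "PCI/POS/<port>"; stripping the prefix leaves the port.
  port = int(port_kb - "PCI/POS/");
  app = port_kbs[port_kb];

  report += '\n' + app + ' is running on the remote host on port ' + port;

  urls = get_urls(app:app, port:port);
  if (empty_or_null(urls))
  {
    report += '.\n';
    continue;
  }

  locations = "URL";
  if (max_index(urls) > 1) locations += "s";

  # Terminate the URL list with a newline so every entry ends the same way,
  # whether or not URLs were found (the no-URL branch already ends in '\n').
  report += ' at the following ' + locations + ' :\n  ' + join(urls, sep:'\n  ') + '\n';
}

if (empty_or_null(report)) audit(AUDIT_HOST_NONE, "Point-of-Sale (POS) software"); # This shouldn't happen

security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);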