Overview
The PCI DSS Toolkit is a collection of read-only scripts that help sysadmins export configuration evidence from network devices, cloud environments, and operating systems for PCI DSS assessor review. Scripts connect to devices or APIs, export configuration data, and save it locally. No changes are made to any system.
The Problem
PCI DSS assessments are evidence-heavy. Assessors need configuration exports from firewalls, cloud platforms, and servers—and gathering that data consistently across different environments is tedious and error-prone. Common pain points:
- Inconsistent exports collected differently every cycle make year-over-year comparison difficult
- Manual steps that vary in format depending on who ran them and what they remembered to pull
- No chain-of-custody documentation for exported configurations
- Admin-level access granted unnecessarily just to pull read-only data
- Time lost on back-and-forth between sysadmins and assessors mid-assessment
How It Works
Each script is designed to be run by a sysadmin on behalf of an assessor:
- Sysadmin receives the appropriate script for their environment
- Updates the configuration block at the top (IP address, API credentials, output folder)
- Runs the script from a workstation with network access to the target
- Script saves all output to a timestamped local folder
- That folder is handed to the assessor for review
Each script category includes a README with step-by-step instructions written for a sysadmin audience—how to generate credentials, what permissions are needed, and what to expect in the output.
Available Tools
Firewalls
FortiGate
Available as: Bash, PowerShell
Exports the complete FortiGate running configuration for assessor review. Captures the items an assessor reviews for the PCI DSS network security controls:
- Full running configuration (all sections, complete)
- Firewall rulebase (IPv4 and IPv6 policies)
- Network interfaces and zone assignments
- Static, BGP, and OSPF routing tables
- Address objects and address groups
- Service objects and service groups
- Administrator accounts and access profiles
- Logging and syslog destination settings
- NTP configuration
Output includes both a complete plain-text configuration file and individual structured JSON files per table—making it easy to search the full config or jump directly to a specific section.
Palo Alto Networks
Available as: Python, PowerShell
Exports the complete PAN-OS running configuration and security policy rulebase for assessor review:
- Full running configuration exported as XML (all device settings)
- Security policy rulebase with full rule details
- Address objects and groups (resolved to actual IPs/subnets)
- Service objects and groups (resolved to protocol/port)
- Each firewall rule flattened to source IP, destination IP, protocol, port, and action—ready for direct assessor review without cross-referencing object definitions
Output formats include XML (full config), JSON, CSV, and Excel—flexibility depending on assessor preference.
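How the object resolution behind those flattened rule rows works, shown as an added example rather than the toolkit's own Palo Alto script: it walks a constructed, heavily trimmed PAN-OS-style XML config (single vsys1, static address groups only, tcp/udp services with one port field; the object and rule names such as web-servers and cde-hosts are made up), expands nested groups with cycle protection, flags dangling references instead of silently dropping them, and emits one row per rule in the shape an assessor reads. Real exports also carry dynamic address groups, address ranges, FQDN objects and application-default services, which this example either passes through as-is or does not model.

```python
"""Flatten PAN-OS security rules into assessor-readable rows.

Added example (not the toolkit's own code): resolves address and service
objects, including nested groups, so each rule reads as
source IPs / destination IPs / protocol / ports / action.
"""
import json
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed config in PAN-OS XML layout. Assumptions: a
# single vsys1, static address groups only, tcp/udp services with one port field.
SAMPLE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address>
 <entry name="web-01"><ip-netmask>10.10.1.10/32</ip-netmask></entry>
 <entry name="web-02"><ip-netmask>10.10.1.11/32</ip-netmask></entry>
 <entry name="db-01"><ip-netmask>10.20.0.5/32</ip-netmask></entry>
 <entry name="mgmt-net"><ip-netmask>10.0.250.0/24</ip-netmask></entry>
</address>
<address-group>
 <entry name="web-servers"><static><member>web-01</member><member>web-02</member></static></entry>
 <entry name="cde-hosts"><static><member>web-servers</member><member>db-01</member></static></entry>
</address-group>
<service>
 <entry name="tcp-1433"><protocol><tcp><port>1433</port></tcp></protocol></entry>
 <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
</service>
<service-group>
 <entry name="app-ports"><members><member>tcp-8443</member><member>service-https</member></members></entry>
</service-group>
<rulebase><security><rules>
 <entry name="web-to-db"><from><member>dmz</member></from><to><member>cde</member></to>
  <source><member>web-servers</member></source><destination><member>db-01</member></destination>
  <service><member>tcp-1433</member></service><action>allow</action></entry>
 <entry name="mgmt-to-cde"><from><member>mgmt</member></from><to><member>cde</member></to>
  <source><member>mgmt-net</member></source><destination><member>cde-hosts</member></destination>
  <service><member>app-ports</member></service><action>allow</action></entry>
 <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <service><member>any</member></service><action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS_PATH = "./devices/entry/vsys/entry"
# Services PAN-OS predefines; they never appear under <service> in an export.
PREDEFINED_SERVICES = {"service-http": "tcp/80,8080", "service-https": "tcp/443"}


def load_objects(vsys):
    """Collect leaf objects and group memberships from a vsys element."""
    addrs = {e.get("name"): e.findtext("ip-netmask") or e.findtext("ip-range") or e.findtext("fqdn")
             for e in vsys.findall("address/entry")}
    agroups = {e.get("name"): [m.text for m in e.findall("static/member")]
               for e in vsys.findall("address-group/entry")}
    svcs = dict(PREDEFINED_SERVICES)                     # leaf services as "proto/ports"
    for e in vsys.findall("service/entry"):
        proto = e.find("protocol")[0]                   # the <tcp> or <udp> child
        svcs[e.get("name")] = proto.tag + "/" + proto.findtext("port")
    sgroups = {e.get("name"): [m.text for m in e.findall("members/member")]
               for e in vsys.findall("service-group/entry")}
    return addrs, agroups, svcs, sgroups


def resolve(name, leaves, groups, seen=frozenset()):
    """Expand a possibly nested group to its leaf values; `seen` stops reference cycles."""
    if name in seen:
        return []
    if name in groups:
        return [v for m in groups[name] for v in resolve(m, leaves, groups, seen | {name})]
    return [leaves.get(name, "UNRESOLVED:" + name)]      # surface dangling references


def flatten_rules(xml_text):
    """Return one dict per security rule with every object reference resolved."""
    vsys = ET.fromstring(xml_text).find(VSYS_PATH)
    addrs, agroups, svcs, sgroups = load_objects(vsys)
    rows = []
    for rule in vsys.findall("rulebase/security/rules/entry"):
        def members(tag):
            return [m.text for m in rule.findall(tag + "/member")]
        def hosts(tag):
            return sorted({v for n in members(tag)
                           for v in (["any"] if n == "any" else resolve(n, addrs, agroups))})
        services = set()
        for n in members("service"):
            services.update([n + "/" + n] if n in ("any", "application-default")
                            else resolve(n, svcs, sgroups))
        parsed = [s.partition("/")[::2] for s in services]   # e.g. ("tcp", "443")
        rows.append({
            "rule": rule.get("name"),
            "from_zone": ",".join(members("from")), "to_zone": ",".join(members("to")),
            "source": ";".join(hosts("source")), "destination": ";".join(hosts("destination")),
            "protocol": ",".join(sorted({p for p, _ in parsed})),
            "port": ",".join(sorted({p for _, p in parsed})),
            "action": rule.findtext("action"),
            "disabled": rule.findtext("disabled") or "no",
        })
    return rows


if __name__ == "__main__":
    print(json.dumps(flatten_rules(SAMPLE_XML), indent=2))
```

The UNRESOLVED marker matters more than it looks: a rule that references an object the export did not contain is exactly the kind of thing an assessor should see, not something a flattening step should quietly drop.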
Cisco
Available as: PowerShell
Connects over SSH using the Posh-SSH module and exports the running configuration and key show command outputs. Supports three device types (IOS, IOS-XE, ASA), selected at runtime:
IOS / IOS-XE (routers and switches):
- Full running configuration
- IP Access Control Lists (ACLs) with hit counts
- IP routing table
- Interfaces (full detail and summary)
- VLAN database and spanning tree configuration
- Logging settings and NTP status
ASA (firewall):
- Full running configuration
- Access lists with hit counts
- Routing table
- Interfaces with names and security levels
- Network objects, object-groups, and NAT rules
- Logging settings and NTP configuration
All device types also export device version and model info, currently logged-in users, and a MANIFEST for chain-of-custody documentation.
Cloud Network Security
Microsoft Azure
Available as: PowerShell
Connects to an Azure subscription using the Az PowerShell module and exports network security configuration across all resource groups and regions. Supports both interactive browser login and Service Principal (non-interactive) authentication.
- Network Security Group rules—inbound and outbound, custom and Azure default, sorted by direction then priority (the order Azure evaluates them), with source, destination, protocol, port range, and allow/deny action
- NSG-to-subnet and NSG-to-NIC associations embedded in each NSG entry
- Virtual Network topology—VNet address spaces, subnets with CIDR blocks, and per-subnet NSG and route table associations
- VNet peering connections
- Route tables with full route entries and next-hop details
- VPN and ExpressRoute gateways and connections
- Application Security Groups
- Azure Firewall instances, policies, and policy rule collection groups (application, network, and DNAT rules)
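Why the export sorts NSG rules by direction and then priority: that is the order Azure evaluates them (within a direction, lowest priority number first, first match wins, with the platform default rules 65000, 65001 and 65500 behind every custom rule), and it is what lets an assessor answer "which rule decides this flow?" for segmentation evidence. The following is an added example, not the toolkit's code. It assumes a constructed rule set in a one-dict-per-rule shape, a VNet address space of 10.0.0.0/16 for interpreting the VirtualNetwork and Internet service tags, and models no application security groups or other service tags.

```python
"""Replay Azure NSG evaluation order against sample flows.

Added example, not the toolkit's code. Azure evaluates NSG rules per direction
from the lowest priority number upward, first match wins, and the platform
default rules (65000, 65001, 65500) sit behind every custom rule. Sorting the
export the same way lets an assessor answer "which rule decides this flow?",
which deciding_rule() does for a constructed rule set.
"""
from ipaddress import ip_address, ip_network

# Assumption: the VNet address space. Service tags like VirtualNetwork and
# Internet cannot be interpreted without it; ASGs and other tags are not modelled.
VNET_PREFIXES = ["10.0.0.0/16"]
AZURE_LB_PROBE_IP = "168.63.129.16"   # well-known source of Azure load-balancer health probes


def rule(direction, priority, name, protocol, source, sport, dest, dport, access):
    """Build one rule in the shape the export uses (one dict per rule)."""
    return dict(direction=direction, priority=priority, name=name, protocol=protocol,
                source=source, sourcePort=sport, destination=dest, destinationPort=dport, access=access)


# The default rules Azure attaches to every NSG.
DEFAULT_RULES = [
    rule("Inbound", 65000, "AllowVnetInBound", "*", "VirtualNetwork", "*", "VirtualNetwork", "*", "Allow"),
    rule("Inbound", 65001, "AllowAzureLoadBalancerInBound", "*", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    rule("Inbound", 65500, "DenyAllInBound", "*", "*", "*", "*", "*", "Deny"),
    rule("Outbound", 65000, "AllowVnetOutBound", "*", "VirtualNetwork", "*", "VirtualNetwork", "*", "Allow"),
    rule("Outbound", 65001, "AllowInternetOutBound", "*", "*", "*", "Internet", "*", "Allow"),
    rule("Outbound", 65500, "DenyAllOutBound", "*", "*", "*", "*", "*", "Deny"),
]

# Constructed custom rules, deliberately listed out of evaluation order.
CUSTOM_RULES = [
    rule("Inbound", 300, "Deny-RDP", "Tcp", "*", "*", "*", "3389", "Deny"),
    rule("Inbound", 100, "Allow-Mgmt-RDP", "Tcp", "10.0.250.0/24", "*", "*", "3389", "Allow"),
    rule("Inbound", 200, "Allow-HTTPS", "Tcp", "Internet", "*", "*", "443", "Allow"),
]


def sort_rules(rules):
    """Order rules the way Azure evaluates them: by direction, then ascending priority."""
    return sorted(rules, key=lambda r: (r["direction"], r["priority"]))


def _addr_matches(spec, addr):
    in_vnet = any(ip_address(addr) in ip_network(p) for p in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":               # simplification: anything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):         # e.g. "22,3389" or "1000-2000"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def deciding_rule(rules, direction, proto, src, sport, dst, dport):
    """Return the first rule, default rules included, that matches the flow."""
    for r in sort_rules(list(rules) + DEFAULT_RULES):
        if r["direction"] != direction:
            continue
        if (r["protocol"] in ("*", proto) and _addr_matches(r["source"], src)
                and _port_matches(r["sourcePort"], sport)
                and _addr_matches(r["destination"], dst) and _port_matches(r["destinationPort"], dport)):
            return r
    raise RuntimeError("unreachable: the DenyAll default rules match every flow")


if __name__ == "__main__":
    for src, dport in [("203.0.113.9", 3389), ("10.0.250.7", 3389), ("10.0.2.5", 22)]:
        r = deciding_rule(CUSTOM_RULES, "Inbound", "Tcp", src, 50000, "10.0.1.4", dport)
        print(f"{src} -> 10.0.1.4:{dport} decided by {r['name']} ({r['access']})")
```

The third sample flow is the one worth noticing: SSH from another subnet in the same VNet is allowed by AllowVnetInBound, the default rule, not by anything the team wrote. An export that omitted the default rules or listed them unsorted would hide that from the segmentation review.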
Amazon Web Services
Available as: PowerShell
Connects to an AWS account using AWS Tools for PowerShell and exports network security configuration for a specified region. Supports access key authentication, named AWS profiles, and the default credential chain.
- Security Group rules—inbound and outbound for all groups, with protocol, port range, CIDR block, and cross-security-group references
- Network ACL rules—all NACLs with subnet associations, rules in evaluation priority order, with allow/deny action and direction
- VPC structure—VPC definitions, subnets with availability zone and CIDR, route tables with full entries and subnet associations
- Internet gateways, NAT gateways, and VPC peering connections
- AWS Network Firewall instances, policies, and stateless/stateful rule groups (5-tuple rules, Suricata IDS rules, domain lists)
Operating Systems
Coming soon. Windows and Linux host hardening evidence exports are in development and will cover local accounts, password policies, firewall rules, installed software, running services, and audit/logging configuration.
Cloud Service Providers (IAM & Logging)
Coming soon. Account-level exports for AWS and Azure covering IAM users, roles, MFA enrollment, access key age, CloudTrail/Diagnostic Settings, and Defender/Security Hub compliance status.
Output Structure
Each script generates a timestamped output folder:
```text
pci-evidence/
└── fortigate_export_2026-02-26_143012/
    ├── MANIFEST                  # Chain-of-custody file listing all exports
    ├── running-config.txt        # Complete device configuration
    ├── firewall-policies.json    # Rulebase only
    ├── interfaces.json           # Network interfaces
    ├── routing-table.json        # Routes
    ├── admin-accounts.json       # Administrator list
    └── ...
```
The MANIFEST file documents the export timestamp, target system, script version, and lists every file generated, providing a lightweight chain-of-custody record for audit documentation. Hand the entire folder to your assessor. Do not modify or remove files from it; the assessor can reconcile the folder they receive against the MANIFEST's file list.
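What a chain-of-custody MANIFEST buys you once it also carries per-file hashes, as an added Python example that is not the toolkit's MANIFEST format (the toolkit's own field layout is not shown on this page): it writes a manifest with timestamp, target, script version, operator and a SHA-256 per file, then verifies a folder against it and reports files that were modified, removed or added after export. The folder name, file names and file contents are constructed to mirror the tree above.

```python
"""Write and verify a chain-of-custody MANIFEST for an evidence folder.

Added example, not the toolkit's MANIFEST format. The page's MANIFEST records
timestamp, target, script version and the file list; this version also stores
a SHA-256 per file, so the assessor can confirm on receipt that nothing in the
folder was altered, removed or added after export.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large running-config exports are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(folder: Path, target: str, script_version: str, operator: str) -> dict:
    """Record every file in the export folder (except the MANIFEST itself) with size and hash."""
    files = sorted(p for p in folder.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)
    manifest = {
        "exported_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target,
        "script_version": script_version,
        "operator": operator,
        "files": {p.relative_to(folder).as_posix(): {"bytes": p.stat().st_size, "sha256": sha256_file(p)}
                  for p in files},
    }
    (folder / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2) + "\n")
    return manifest


def verify_manifest(folder: Path) -> list[str]:
    """Return a sorted list of discrepancies; an empty list means the folder matches its MANIFEST."""
    manifest = json.loads((folder / MANIFEST_NAME).read_text())
    problems = []
    for rel, meta in manifest["files"].items():
        path = folder / rel
        if not path.is_file():
            problems.append("missing: " + rel)
        elif sha256_file(path) != meta["sha256"]:
            problems.append("modified: " + rel)
    listed = set(manifest["files"])
    for path in folder.rglob("*"):
        rel = path.relative_to(folder).as_posix()
        if path.is_file() and path.name != MANIFEST_NAME and rel not in listed:
            problems.append("unlisted: " + rel)
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed export folder, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "fortigate_export_2026-02-26_143012"
        folder.mkdir()
        (folder / "running-config.txt").write_text("config system global\n    set hostname fw-01\nend\n")
        (folder / "firewall-policies.json").write_text('[{"policyid": 1, "action": "accept"}]\n')
        write_manifest(folder, "fw-01", "1.0.0", "sysadmin")
        clean = verify_manifest(folder)
        # Simulate post-export tampering: one file edited, one file added.
        (folder / "firewall-policies.json").write_text('[{"policyid": 1, "action": "deny"}]\n')
        (folder / "extra-notes.txt").write_text("added after export\n")
        return clean, verify_manifest(folder)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean folder:", clean or "OK")
    print("tampered folder:", tampered)
```

A hash-bearing MANIFEST only proves integrity if whoever could alter the folder could not also regenerate the MANIFEST, so record the MANIFEST's own SHA-256 somewhere the folder does not travel (the ticket, the assessor's intake note) or deliver it by a second channel.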
PCI DSS Requirements Coverage
| Requirement | Scope | Tools |
|---|---|---|
| Req 1 — Network Security Controls | Firewall rulebases, interface configs, routing | FortiGate, PAN-OS, Cisco, Azure NSG, AWS Security Groups |
| Req 7 — Access Control | Admin accounts and roles on network devices | FortiGate, PAN-OS, Cisco |
| Req 10 — Logging and Monitoring | Syslog/logging configurations | FortiGate, PAN-OS, Cisco |
| Req 12.5.2 — Scope Validation | Network topology, segmentation evidence | All network tools |
Security Considerations
What the toolkit does:
- Authenticates with the credentials you supply, which should be read-only (each README lists the minimum permissions for its platform)
- Reads and exports configuration data to a local folder
- Creates MANIFEST files for audit trail documentation
- Bypasses TLS certificate validation by default, because network devices commonly present self-signed certificates. The trade-off: with validation off, anyone who can intercept traffic between the workstation and the device can impersonate the device and capture the export credentials, so run the scripts from a trusted management network rather than across untrusted segments
What the toolkit does NOT do:
- Modify any system configuration
- Transmit data to external services
- Store credentials beyond the active session
- Replace a formal PCI DSS assessment by a QSA
Best practices:
- Create assessment-specific read-only credentials—disable or delete them when the assessment is complete
- Run from an authorized workstation and document where scripts were executed
- Treat output folders as sensitive: they contain full device configurations, including password hashes, SNMP community strings, and VPN pre-shared keys in whatever form the device stores them
- Delete or securely archive output folders after the assessment
- Share exports through an approved channel, not email attachments
Installation
Requirements by Tool
| Tool | Runtime | Dependencies |
|---|---|---|
| FortiGate | Bash | sshpass, standard Unix tools |
| FortiGate | PowerShell | PowerShell 5.1+, Posh-SSH module |
| Palo Alto | Python | Python 3.8+, requests, xmltodict |
| Palo Alto | PowerShell | PowerShell 5.1+ |
| Cisco | PowerShell | PowerShell 5.1+, Posh-SSH module |
| Azure | PowerShell | PowerShell 5.1+, Az module |
| AWS | PowerShell | PowerShell 5.1+, AWS.Tools module |
Quick Start
```bash
# Clone the repository
git clone https://github.com/juancarlosmunera/pci-tools.git
cd pci-tools
```
Each subdirectory contains its own README with step-by-step setup instructions for that platform.
Contributing
Contributions are welcome—especially support for additional platforms and device types.
Report Issues
Found a bug or unexpected behavior? Open an issue on GitHub.
Submit Pull Requests
- Fork the repository
- Create a feature branch (`git checkout -b feature/cisco-ios-xe`)
- Commit your changes
- Open a Pull Request
Suggest New Platform Support
Have a device type or cloud platform that should be supported? Start a discussion or reach out directly.
License
This project is licensed under the MIT License — see the LICENSE file for details.
Related Resources
- Blog Post: Finding Hidden Cardholder Data: A Tool Every QSA Needs
- Blog Post: PCI-DSS Compliance Best Practices for 2026
- GitHub Repository: juancarlosmunera/pci-tools
Support
- Email: jcmunera@cybersecpro.me
- LinkedIn: Connect with me
- Issues: GitHub Issues
Built by a former QSA and systems engineer to make compliance evidence collection faster, more consistent, and audit-ready.
