You'll need an application firewall. If you're using Apache, mod_sec will
work. Put up a proxy and filter connections. Don't run the proxy on the
same machine (VM or HM) as your app and/or its storage if you can manage.

Likely this means running a separate VM/HM in front of your web app that
acts as a scanning proxy running mod_sec.

You should also run a HID on all machines and an NID on your border
firewalls. Pick people from your client's execs to send the warnings &
reports to (not the same person) as you will need to list them in your PCI
docs, along with a _responsible_ tech who actually pays attention at 4AM.

As far as HIDs: Tripwire is venerable, AIDE is current from my
understanding. You might also check into Beltaine/Lucifer.

And NID: SNORT or Suricata. And if you feel brave / if you need it: feed
the output of your NID into iptables for an active firewall. If anyone
trips your HID, it's kind of baby vs bath-water time anyway once you have
it tuned: they're in... what do you do. Always leave some trips around that
let people know even if it is a rarely occurring legitimate change.
Testing the alarms regularly is a part of the alarm system.

Unless you're _providing_ PCI compliance to your client as a documented
service, you should ask them for their requirements. In other words, don't
eat more liability than you need to. Unless you're a lawyer, then you will
have separate ethical requirements.

This is vague (certainly not legal) advice; give more on your requirements
and/or seek a lawyer.


On Wed, Jan 22, 2014 at 5:10 AM, James Rogers wrote:

> PCI compliance is largely related to what PCI level your client is at.
> That level is related to how much money they move each year.
>
> Selinux (or Apparmor) is good. Some sort of MDAC on your machines that
> handle PIF is a good thing, but as you noted, it won't protect you from
> social hacks, just from the chaff spewed on the internet by C2 servers and
> their botnets.
>
> If you don't find it too onerous, encrypt the swap and the filesystem. Be
> aware of the dangers of this before you start and plan for them. Have
> safe-houses your client plans and pays for that store the relevant
> information. Use M-Disks to store it? And encrypted drives. You'll know
> what to do once you explore the dangers of encrypted filesystems, and your
> client will produce locations.
>
> As far as AV... hmmm... I would go with 3 engines of your choice, one of
> which should be ClamAV. I would go with Frisk/F-Prot as the next (they're
> not expensive). And then maybe Sophos if your clients have the cash to
> spend. What you're largely looking at from the AV scanners is that they
> protect the people visiting your site. Unless you're doing something with
> the DoD and then you will have different requirements.
>
> The next place to look (or the first even) will be an active daily scanner
> for your external reporting. If you're dealing with a Merchant Bank /
> Acquiring Bank, use theirs as that will be least expensive. Otherwise...
> Hackersafe/McAfee is a reasonable choice as it is automated and you don't
> have to deal with people very often; they're owned by Intel so they're not
> going to dry up and blow away, which is a plus. You should be doing their
> job beforehand using Nessus/something else. Your external scanner will give
> you a badge to display. Basically, the scanning company will run a port and
> vulnerability scan and then offer you remediation recommendations and
> requirements. If you don't solve your problems, you lose their seal on your
> site.
>
> Every year you will need to forward PDF reports from the company you
> contract to scan you to your merchant bank and any other parties that
> require PCI compliance. It's not a big thing, but something that must be
> done, and you will need to find the contact information for the people
> involved and make your client aware that they need to pay attention to it
> and keep track of any change in contacts after your contract expires.
> Remember to charge for the time you spend on this. Contractors often forget
> to charge for doing small things, and so they don't get done. Make a point
> to charge your client and provide the information they need to keep doing
> business.
>
> This is likely more than you wanted.
>
> On Tue, Jan 21, 2014 at 12:39 AM, ToddAndMargo wrote:
>
>> Hi All,
>>
>>    I am in the thinking phase of a new server for
>> a customer.  The server needs to be PCI Compliant
>> (credit card security).  PCI is really a huge
>> paper chase and although it adds a lot of good
>> practices, it doesn't really address the human
>> factor like it should, which is where most of the
>> breaches come these days.
>>
>>    I was going to suffer with SE Linux left on.
>> Samba with SE Linux: I will say a few blue
>> words before it is over.  :'(
>>
>>    I have the File Integrity Software picked out
>> (CimTrak) as I have used it in the Windows Arena
>> and like how it works.  And the sales and tech support
>> are astounding.
>>
>>    What I have yet to pick out is an Anti Virus (AV).
>> It is part of the paper chase.  Looking over at
>>
>>    http://chart.av-comparatives.org/chart1.php
>>
>> I am not seeing Clam AV.  I know Kaspersky has one,
>> but the last time I tried it, it was a mess.
>> Any thoughts on an AV?
>>
>>   If you look at the chart, no one did worse than
>> M$ Security Essentials in December.  Chuckle.
>>
>> Many thanks,
>> -T
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Computers are like air conditioners.
>> They malfunction when you open windows
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
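An added example, not code from this thread or from the Suricata/iptables projects, of the "feed the output of your NID into iptables" step in the first reply: it reads constructed Suricata EVE-JSON alert lines and emits DROP rules, skipping low-severity hits, non-alert records, duplicates and a truncated line, and refusing to block an allowlisted management network so the active firewall cannot lock out its own admins. The chain name NIDBLOCK, the allowlist ranges and every address in the sample are assumptions.

```python
"""Hypothetical helper (not from the thread): turn Suricata EVE-JSON alerts
into iptables rules for a dedicated chain (assumed name NIDBLOCK) jumped to
from INPUT, so a misfire is undone with one `iptables -F NIDBLOCK`."""
import ipaddress
import json

# Management networks never blocked, even on a genuine alert: locking
# yourself (or the proxy) out is the classic active-response failure.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def parse_alerts(lines, max_severity=1):
    """Yield (src_ip, signature) for alerts at or above the cutoff (1 = highest)."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, or the half-written tail of eve.json
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are telemetry, not alerts
        alert = ev.get("alert", {})
        if alert.get("severity", 99) > max_severity:
            continue
        yield ev["src_ip"], alert.get("signature", "")

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def block_rules(lines, chain="NIDBLOCK", max_severity=1):
    """Return de-duplicated iptables commands, one per offending source."""
    rules, seen = [], set()
    for src, sig in parse_alerts(lines, max_severity):
        if src in seen or is_allowlisted(src):
            continue
        seen.add(src)
        note = sig.replace('"', "")[:40]  # keeps each rule self-documenting
        rules.append(f'iptables -A {chain} -s {src} -m comment --comment "{note}" -j DROP')
    return rules

# Constructed sample EVE lines (not real traffic): a hit, an allowlisted
# hit, a low-severity hit, a flow record, a repeat, and a truncated line.
SAMPLE = """\
{"event_type":"alert","src_ip":"198.51.100.7","alert":{"signature":"ET SCAN test","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"ET SCAN test","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.9","alert":{"signature":"ET INFO test","severity":3}}
{"event_type":"flow","src_ip":"203.0.113.44"}
{"event_type":"alert","src_ip":"198.51.100.7","alert":{"signature":"ET SCAN test","severity":1}}
{"event_type":"alert","src_ip":"198.51.1
"""
```

Calling `block_rules(SAMPLE.splitlines())` yields a single rule for 198.51.100.7; the commands are returned as text rather than executed, so they can be reviewed (or fed to a rate-limited cron job) before touching the live ruleset.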