Hi Jonathan. My company just got PCI certified (we're on our way to CISP). From what I've discovered through the process of getting PCI-certified, most of the work has to do with creating policies, and doing a lot of social engineering to enforce and maintain those policies. ` Beaurocracy aside, most of our servers are Ubuntu-based (a debian variant, if you probably already know). Here's a run-down of the projects that I've implemented to achieve our PCI compliance...
----------------- Central SysLog Server (SysLog-NG, syslogd, Snare): I've using SysLog-NG (http://www.balabit.com/network-security/syslog-ng/opensource-logging-system) as a central syslog server. I have a rule set up that deposits SysLogs from all of my servers, filers, network equiment, etc. into separate directories, based on the dns name associated with the originating ip address of the incoming messages. I did not install SysLog-NG across the board, mostly because I didn't need the bells and whistles associated with it for all of my machines. What I did instead was make the default syslogd on each machine point to my central SysLog-NG server. Additionally, on my Windoze machines, I'm using Snare (http://www.intersectalliance.com/projects/SnareWindows/index.html) to ship Event Log messages over SysLog as well. ----------------- Host Intrusion Detection, File Integrity Monitor (OSSEC): I'm using OSSEC (http://www.ossec.net) to monitor the individual SysLog files for perceived security issues. OSSEC understands Snort, Cisco PIX, IPTables, and a host of others. Additionally, I have OSSEC agents running on each of my servers (including Windoze), which report back to a central OSSEC Server. The agents are primarily in charge of monitoring important files for changes (nice view during upgrades), and secondarily in charge of scanning for RootKits. OSSEC can also interface with IPTables and other host-based firewalls, as a means of implementing Real-time greylisting. Last time I checked, I couldn't find a .deb package for OSSEC. I created my own, but the implementation is a bit nasty. ----------------- Network Intrusion Detection (Snort): If you are going to use Snort, I highly recommend that you use the latest version You'll probably have to compile it from source, but it's worth it. Snort is sending alerts to my central SysLog server, which provides a nice and easy central logging repository for Snort alerts. I'm then using OSSEC to monitor the SysLogs for Snort messages, and generate alert emails. ----------------- Rootkit detection and scanning (RKHunter and CHKRootKit [and OSSEC]): Never trust a single Rootkit scanner. Both RKHunter and CHKRootKit are excellent tools, but one could have more/different signatures at different times. Additionally, one might miss a Rootkit, while the other might catch it. Both of these tools are pollers that are run from Cron, so performance isn't much of an issue if the run times are staggered. Installation of RKHunter and ChkRootKit is a snap for most distros, so you might as well put the packages in your server configuration policy. ----------------- Network Penetration testing (Nessus 3.x): I can't stress this enough. If you're going to use Nessus (http://www.nessus.org), do yourself a favor and install the latest version. The 3.x versions update their plugins automatically, which is a great thing because you don't have to think about it too hard. I would also recommend purchasing a "Direct Feed" subscription from Tenable, which enables your Nessus installations to update their plugins as they become available, instead of waiting 2 weeks. ----------------- Layer-7 Firewall (ModSecurity / Apache Proxy): If you're really serious about CISP, spend the $5000 to purchase a 1-year support contract for ModSecurity (Breach Security http://www.breach.com). In addition to an immense amount of help with writing custom rules, you also get a really fast ruleset that's specifically geared towards PCI Compliance. One caveat, however, is that you should know a good deal about Perl Regular expressions if you're going to implement ModSecurity. If this is an issue for you, you may need to look into other (closed-source, bleck!) alternatives like F5. Another Firewall solution that I've been playing around with lately is Untangle (http://www.untangle.com). Unfortunately, I require ethernet bonding and 802.1q support, so it's not yet a feasable solution for me yet. That being said, their Snort front-end can't be beat. And I talked with a couple of the guys at their Linux World booth recently, who said that they were going to start bundling Untangle with Ubuntu and other distros (most of which provide the tools and kernel modules for 802.1q and bonding). ----------------- Per machine firewall (IPTables with Shorewall front-end): Shorewall is extremely powerful, if not a bit difficult to use. I wouldn't use it for a gateway machine (although I use it as a router-firewall between networks on my Corporate network), but it makes a very good Host-based firewall. The idea here is to only leave the ports that need to be open, open, and only allow access from the machines/networks that need access to them. You will need other separate physical firewalls between you and the rest of the world, as well as between your servers and your database servers, but you can limit who and what has access to a specific machine. Personally, I have it set up that nobody can access any machine via SSH, except from one of my Corporate subnets (not feasable for everyone). Even then, I am using SSH authorized_keys tuned to IP address to restrict access further (I have a user policy for SSH key rotation. Their private keys must also be secured with a passphrase). ----------------- Secure Central Backups and Archving (Bacula): I really love Bacula. It's a bit of a learning curve, but it's GPL'ed, and it runs on multiple platforms. The features of Bacula rival NetBackup and Legato, although the interface can be cumbersome to use. The most important feature is Archival encryption. This indemnifies you against having to report a lost or stolen tape to all of your customers (which you shouldn't need to worry too much about if you have a good backup policy). Of course, you need to have a solid policy for handling tapes that your employees must adhere to, that a PCI/CISP auditor must sign off on. Don't be too wordy. All they need to know is: that machines are backed up on a regular basis, that certain backup sets are retained for XXX days/years, that you have a compliant offsite archival policy. ----------------- One more thing, if you can, try to physically separate your Production networks from your Corporate networks. This will ensure that only your Production networks need to be audited. Otherwise, if you mix them, -ALL- of your machines will need to be audited, including user desktops/laptops. Just keep them separate. Management is much easier. Monitoring is much easier. The audit headaches are much lighter. Also, if you've never gone through CISP/PCI before, be prepared for a lot of long nights, headaches, etc. Try not to get discouraged. It will be worth it in the end. I can honestly say that I am a much better engineer for having gone through the process. ----- Jeremy Melanson Senior Linux Network Engineer On Mon, 2007-08-20 at 18:14 -0500, Jonathan Wilson wrote: > Sorry if this is the wrong place for this, but: > > Does anyone know of a place I can get information on setting up CISP (VISA > credit card) compliant Debian systems - or Linux in general, if there's no > Debian-specific info. I've been searching the web for a couple hours and I > don't know if I'm searching for the wrong phrases or what, but I'm not > finding anything at all. > > What I'm looking for is, essentially, what software needs to be installed to > make a system storing and processing CC info CISP compliant, and what > settings need to be configured to match. > > I'm just sure there's folks out there who's secured Debian systems and > installed & configured the necessary software for logging, auditing, > monitoring, etc. I just can't find anything about it - maybe I'm blind today. > > Thanks, > > JW > > -- > > ---------------------- > System Administrator - Cedar Creek Software http://www.cedarcreeksoftware.com > http://jwadmin.blogspot.com > > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
