PCI DSS and Red Hat Enterprise Linux (Part #4)

Requirement 4. Encrypt transmission of cardholder data across open, public networks


This chapter covers the data encryption requirements, which have no CIS analogues. The key ideas are the use of tools for creating VPN channels, support for web traffic encryption, and the use of certificates.

4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are:
The Internet,
Wireless technologies,
Global System for Mobile communications (GSM), and
General Packet Radio Service (GPRS).

The requirements given in this item can be divided into two groups. The first group covers encryption of traffic between a client and a server, e.g. when a user accesses a bank's site or pays for a service over the Internet with a payment card. The second group covers VPN connections established between system components that interact remotely: a communication session between the head office and a branch office of the same bank, between a bank branch and a payment terminal, between different processing centers of the same organization, etc. Let us briefly consider both groups.

To give clients remote access to a banking system over the Internet, HTTPS is usually used; basic configuration of this protocol for Apache is described in [1]. Correct handling of certificates and traffic encryption is often critical for data security; this topic is covered thoroughly in the Apache documentation and is beyond the scope of this article.

To establish VPN channels in large organizations, solutions based on network equipment are usually used; in that case the encrypted tunnel is transparent to servers and workstations. When a VPN tunnel has to be created on a Linux server, the tools [2] and [3] are usually used.


Requirement 5: Use and regularly update anti-virus software or programs


Almost all known anti-virus software vendors release products for Linux, both for workstations and servers (file servers, mail servers, and anti-virus gateways for proxy servers). The only open-source anti-virus software for Linux (and not only for it) is ClamAV. Its settings are considered below in this chapter.

A CIS analogue for this requirement is item 12.

5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Since Linux systems are rather widespread, auditors may classify them as operating systems commonly affected by malicious software. In this case, it is advised to install ClamAV, although, objectively, this product is worth using only to satisfy the formal requirements of the standard, because it lags considerably behind commercial products in performance, heuristic detection (which is missing), and usability.
An advantage of ClamAV is its versatility: the package usually includes not only a file system scanner but also a scanning server, which is used by mail and proxy servers.
The fastest way to install ClamAV is to execute the following command:

yum -y install clamav clamav-update

5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.

Adware protection matters mainly for workstations and browsers; the threat such programs pose to servers is not obvious. A more important requirement is to protect the system against spyware (including rootkits); in this case, it is necessary to install Rootkit Hunter:

yum install rkhunter

5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.

On installation, the clamav-update package adds a database update job to cron by default, /etc/cron.d/clamav-update, which checks for anti-virus database updates every 3 hours. The rkhunter package adds another job (a daily scan) in /etc/cron.daily/rkhunter, but it does not implement regular database updates.

To fulfill the requirement, it is necessary to create a cron job for clamscan so that the file systems are periodically checked for malicious software.

5.2.d For a sample of system components, verify that antivirus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7.

The file system scanner clamscan writes its results to the console; one can either specify a report file in the directory /var/log with the option “-l”, or pipe the scanner's console output to the logger utility, which writes the messages to syslog so that the logs can subsequently be sent to a remote server.
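The cron job called for in 5.2.c and the logging described in 5.2.d can be combined in one script. The following is an added example, not part of the original article; the script path, schedule, report directory, scan targets and syslog tag are assumptions.

```shell
#!/bin/sh
# Added example: cron-driven clamscan run with a report file and syslog output.
# Assumptions (not from the article): the paths, tag and schedule below, e.g.
#   /etc/cron.d/clamscan:  30 2 * * * root /usr/local/sbin/clamscan-cron.sh --run
LOG_DIR="${LOG_DIR:-/var/log/clamscan}"             # assumed report directory
SCAN_DIRS="${SCAN_DIRS:-/home /srv /tmp /var/tmp}"  # assumed scan targets
TAG="clamscan-cron"                                 # assumed syslog tag

# clamscan exits 0 (clean), 1 (malware found) or 2 (error); map that to a
# syslog priority so a remote log server can alert on detections.
scan_priority() {
    case "$1" in
        0) echo "daemon.info" ;;
        1) echo "daemon.alert" ;;
        *) echo "daemon.err" ;;
    esac
}

# run_scan LOG_DIR DIR...  -> returns clamscan's exit status
run_scan() {
    log_dir=$1; shift
    report="$log_dir/clamscan-$(date +%Y%m%dT%H%M%S).log"
    # -r: recurse, -i: report infected files only, -l: write the report file
    clamscan -r -i -l "$report" "$@" >/dev/null 2>&1
    rc=$?
    prio=$(scan_priority "$rc")
    # Forward the report plus a status line to syslog; the status line is
    # logged even when clamscan failed before it could write a report.
    {
        [ -f "$report" ] && cat "$report"
        echo "clamscan exit=$rc report=$report"
    } | logger -t "$TAG" -p "$prio"
    return "$rc"
}

# Only scan when invoked with --run (as the cron entry above does).
if [ "${1:-}" = "--run" ]; then
    mkdir -p "$LOG_DIR" && chmod 750 "$LOG_DIR"
    # shellcheck disable=SC2086  # SCAN_DIRS is split into words on purpose
    run_scan "$LOG_DIR" $SCAN_DIRS
    exit $?
fi
```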

By default, Rootkit Hunter stores the event logs in the directory /var/log/rkhunter.

Requirement 6: Develop and maintain secure systems and applications

6.1.a Ensure that all system components and software have the latest vendor-supplied security patches installed.

Red Hat distributions include the yum-updatesd daemon, which periodically checks for updates and installs them if configured to do so. The daemon’s behavior is defined in the configuration file /etc/yum/yum-updatesd.conf; the startup script is /etc/init.d/yum-updatesd.
To launch this daemon at OS startup, execute the following command:

chkconfig yum-updatesd on
