pci compliance
Hi all. I'm about to submit a FreeBSD system to be scanned for PCI compliance. Are there any particular gotchas with BSD systems that can be detected at the time of PCI compliance scanning? I know they use something like nmap, if not nmap itself, and I ran it myself on that machine and didn't find anything interesting. But one of the consultants who was 'advising' the company I work for said "we use a similar (as in nmap) approach, but it's (much) more intrusive." Anybody know what that means? Thanks...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
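A pre-scan triage of the kind the question is asking about, as an added example that is not part of the original thread or of any FreeBSD project code. It parses the XML that `nmap -sS -sV -p- -oX scan.xml <host>` writes and flags the things an external vulnerability scanner reports first: open ports outside the documented allow-list, cleartext admin or file-transfer services, and version banners (which the scanner matches against its vulnerability database). The embedded XML is constructed sample data, not a real scan; the allow-list of tcp/80 and tcp/443 and the list of cleartext services are assumptions to adjust per host. Run nmap from a host outside the firewall, since a scan run on the machine itself never crosses the packet filter and will not match what the scanner sees.

```python
"""Triage an nmap -oX service scan the way an external scanner would read it.

Added example (not from the mailing-list thread). Assumptions: the host is
meant to expose only tcp/80 and tcp/443, and the sample XML below is
constructed, not captured from a real system.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample in nmap's -oX format (not a real scan result).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.1" extrainfo="FreeBSD; protocol 2.0"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.9"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.2.9" tunnel="ssl"/></port>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.0.7"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

# Services that carry credentials or data in the clear unless wrapped in TLS
# (assumed list; extend for your environment).
CLEARTEXT_SERVICES = {"ftp", "telnet", "rsh", "rlogin", "rexec"}

Finding = Tuple[str, str, str]  # (severity, "proto/port", message)


def parse_nmap_xml(text: str) -> List[Dict[str, object]]:
    """Flatten every <port> of every <host> into a dict of the fields we need."""
    root = ET.fromstring(text)
    results: List[Dict[str, object]] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            results.append({
                "addr": addr,
                "proto": port.get("protocol", ""),
                "port": int(port.get("portid", "0")),
                "state": port.find("state").get("state", ""),
                "service": attr("name"),
                "product": attr("product"),
                "version": attr("version"),
                "tunnel": attr("tunnel"),  # "ssl" when nmap saw TLS on the port
            })
    return results


def triage(ports: List[Dict[str, object]],
           allowed_tcp: FrozenSet[int] = frozenset({80, 443})) -> List[Finding]:
    """Return the findings an external scan would raise, in port order."""
    findings: List[Finding] = []
    for p in ports:
        if p["state"] != "open":
            continue  # filtered/closed is what the packet filter should produce
        tag = f'{p["proto"]}/{p["port"]}'
        if p["proto"] == "tcp" and p["port"] not in allowed_tcp:
            findings.append(("high", tag, "open port outside the documented allow-list"))
        if p["service"] in CLEARTEXT_SERVICES and not p["tunnel"]:
            findings.append(("high", tag, f'cleartext {p["service"]} exposed'))
        if p["version"]:
            findings.append(("info", tag, f'banner discloses {p["product"]} {p["version"]}'.strip()))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py scan.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for sev, tag, msg in triage(parse_nmap_xml(text)):
        print(f"{sev:5} {tag:10} {msg}")
```

Anything rated "high" here is worth fixing before paying for the scan; the "info" lines are what the scanner's version-matching will turn into real findings if the package is behind on security advisories.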
Re: pci compliance
On Mon, Jul 28, 2008 at 7:51 PM, kalin m [EMAIL PROTECTED] wrote:
> Hi all. I'm about to submit a FreeBSD system to be scanned for PCI compliance. Are there any particular gotchas with BSD systems that can be detected at the time of PCI compliance scanning? I know they use something like nmap, if not nmap itself, and I ran it myself on that machine and didn't find anything interesting. But one of the consultants who was 'advising' the company I work for said "we use a similar (as in nmap) approach, but it's (much) more intrusive." Anybody know what that means? Thanks...

The PCI auditing process is a full penetration test. It's very thorough and not at all easy to pass. Get hold of a copy of The penetration tester's handbook and make sure you pass all the tests in the book and you should be ok.
Re: pci compliance
Cool, thanks. I couldn't find anything on Google under that name, but I've been looking at and reading a lot of documentation online and in print. So I was just asking if there are any things that pertain in particular to the FreeBSD OS that need to be addressed before the scanning. How full of a penetration can you have if (almost) all incoming ports are blocked? Thanks

Ross Cameron wrote:
> The PCI auditing process is a full penetration test. It's very thorough and not at all easy to pass. Get hold of a copy of The penetration tester's handbook and make sure you pass all the tests in the book and you should be ok.
RE: pci compliance
On Behalf Of Ross Cameron
> On Mon, Jul 28, 2008 at 7:51 PM, kalin m [EMAIL PROTECTED] wrote:
>> I'm about to submit a FreeBSD system to be scanned for PCI compliance... Are there any particular gotchas with BSD systems that can be detected at the time of PCI compliance scanning?
>
> The PCI auditing process is a full penetration test. It's very thorough and not at all easy to pass. Get hold of a copy of The penetration tester's handbook and make sure you pass all the tests in the book and you should be ok.

How intense depends on which PCI level you are aiming for and which services you will have running on that server. We have completed level 3 for our hosted web servers and firewalls, and are shooting for level 1 by the end of the calendar year. However, I am not yet involved in any of those projects.

Bob McConnell
Re: pci compliance
On Mon, Jul 28, 2008 at 8:24 PM, kalin m [EMAIL PROTECTED] wrote:
> So I was just asking if there are any things that pertain in particular to the FreeBSD OS that need to be addressed before the scanning. How full of a penetration can you have if (almost) all incoming ports are blocked?

Depends on the PCI level you are being audited for. But there are any number of attacks you can throw at a box that's fully closed up, and the aim is not to get in but rather to chew up all the RAM and CPU and kill the box off. I suggest you read the PCI compliance document for the relevant level and make sure you test the system to comply with the documented requirements.