On 2010 Mar 02, at 18:16, Tracy Reed wrote:

> On Mon, Mar 01, 2010 at 05:09:06PM -0600, Justin Ellison spake thusly:
>> We were recently informed that even though it's borderline impossible for
>> our Solaris and Linux servers to become infected with a virus (trojan maybe,
>> but not many "virus" scanners look for those anyway), in order to satisfy
>> PCI-DSS we have to do it.
>
> Nonononono..... PCI-DSS
>
> https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
>
> says:
>
> 5.1 Deploy anti-virus software on all systems commonly affected by
> malicious software (particularly personal computers and servers).
>
> "commonly affected". As you point out, Linux/Solaris isn't. Check with
> your QSA but we aren't required to run antivirus on Linux/Solaris.
Per the PCI security council rep we had for many years, as of 1.2, Unix servers were explicitly required to comply with 5.1 per VISA, despite the fact that they are not commonly affected by viruses. This is not an option of the QSA, and a QSA who simply ignores the requirement for Unix can get in trouble.

The key is "malicious software" as opposed to "viruses". Clearly, there are rootkits and other malicious software programs for Unix systems. What do you use to ensure that such malicious software is not present on the PCI-impacted Unix servers?

When in doubt on PCI, err on the side of trying to comply, ready with compensating controls (formal and informal). The penalties for willful non-compliance are designed to be large enough that even very big companies hesitate to simply swallow them.

When reading the PCI-DSS, one must look not just at the requirement, but also at the testing method column, as it provides a great deal of insight on what a QSA is required to do to ascertain compliance, and thus on the interpretation of the requirement. 5.1.1's test procedure explicitly mentions rootkits as another item that needs to be checked for by such software, which is supportive of this reading.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
