On Tue, Mar 02, 2010 at 06:41:02PM -0600, Mark McCullough spake thusly:
> Per the PCI security council rep we had for many years, as of 1.2,
> Unix servers were explicitly required to comply with 5.1 per VISA,
> despite the fact that they are not commonly affected by viruses.
> This is not an option of the QSA, and a QSA who simply ignores the
> requirement for Unix can get in trouble.
As of 1.2? What wording changed in 1.2 that explicitly addresses
Solaris/Linux? I've got it open here in front of me and I don't see
it. They do conspicuously leave you an out with "commonly affected".
> The key is "malicious software" as opposed to "viruses". Clearly,
> there are rootkits and other malicious software programs for Unix
> systems. What do you use to ensure that such malicious software is
> not present on the PCI impacted Unix servers?
Right, it is possible. But not common. And there is no software that
can effectively scan for them even when present (much in the same way
that the Windows antivirus vendors are way behind the curve). They
load a kernel module or install a hypervisor and it's all over.
> When in doubt on PCI, err on the side of trying to comply, ready
> with compensating controls (formal and informal). The penalties for
> willful non-compliance are designed to be large enough that even
> very big companies hesitate to simply swallow them.
The QSA is who has to sign us off. And for Linux servers we have been
told it isn't necessary. Plus, I have here in front of me my already
well worn (despite being barely two months old) copy of "PCI
Compliance" by Chuvakin and Williams. Excellent book. And even they
say in their discussion of 5.1:
    PCI creators wisely chose to avoid the trap of saying "antivirus
    must be on all systems," but instead chose to state that one needs
    to "Deploy antivirus software on all systems commonly affected by
    malicious software (particularly personal computers and servers)."
    This ends up causing a ton of confusion, and in many cases,
    companies fight deploying antivirus, even when the operating
    system manufacturer recommends it (for example, Apple's OS X). A
    good rule of thumb is to deploy it on all Microsoft Windows
    machines and any desktop machine with users regularly accessing
    untrusted networks (like the Internet) that have an antimalware
    solution.
On top of all of this, this only applies to in-scope machines. So your
two (for example) in-scope Linux servers which run apache to take
payment info from the customer and pass it on to the payment gateway
are not Windows and not a desktop machine regularly accessing
untrusted networks. I'm from the last one to try to skirt the intent
and spirit of the rules. But from what I've read in the spec itself,
what the QSA says, what these guys say, and what my own common sense
tells me, it doesn't make sense to run anti-malware software on your
in-scope Linux servers.
What sort of machine DOES need to run anti-malware software? Generally
speaking this is targeted at in-scope desktop Windows and potentially
Mac machines. What sort of situation might cause such machines to
exist? Customer service where they need Windows desktops because
that's what they know how to operate but also need access to payment
info to take orders over the phone or otherwise support the customers
who call in, verifying payment info, etc.
> When reading the PCI-DSS, one must look not just at the requirement,
> but also the testing method column, as it provides a great deal of
Right. The testing method column says:
    5.1 For a sample of system components including all operating
    system types commonly affected by malicious software, verify
    that anti-virus software is deployed if applicable anti-virus
    technology exists.
Again they say "all operating system types commonly affected by
malicious software". Also they say "if applicable anti-virus
technology exists". What sort of virus scanner is going to catch the
sort of rootkit that I am likely to get on a Linux/Solaris box? Clamav
won't cut it here. It would have to be very intimate with the kernel.
--
Tracy Reed
http://tracyreed.org
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
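The quoted question in this thread (what one uses to show that malicious software is not present on an in-scope Unix server when no applicable anti-virus technology exists) is commonly answered with a file-integrity compensating control of the kind 5.1 allows. The script below is an added example written for this page; it is not code from the thread, from the PCI DSS, or from the Chuvakin and Williams book. It takes a SHA-256 and ownership/mode baseline of a directory tree, stores it as JSON, and reports files that were added, removed, or modified. The directory layout and the "tampering" in demo() are constructed for the demonstration; the paths to baseline in real use (system binaries, /etc, the web root) are an assumption about what an assessor would want covered. It carries exactly the limitation the reply above points out: it runs in userland, so a kernel module or hypervisor rootkit can lie to it, which is why the baseline should be stored and compared from a separate, trusted host.

```python
"""Userland file-integrity baseline as a PCI DSS 5.1 compensating control.

Added example for this page, not code from the thread or the cited book.
Directory contents in demo() are constructed; real targets (assumed, not
from the page) would be /bin, /sbin, /usr/bin, /usr/sbin, /etc and the
web server's document root, with the baseline kept off-host.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Mode, owner, size and (for regular files) SHA-256 of one path."""
    st = path.lstat()  # lstat: do not follow symlinks, record them as links
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted link is a change too
    return rec


def build_baseline(root: str) -> dict:
    """Map of relative path -> fingerprint for every file under root."""
    base = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:  # os.walk puts file symlinks in filenames
            p = Path(dirpath) / name
            entries[str(p.relative_to(base))] = _fingerprint(p)
    return entries


def save_baseline(entries: dict, dest: str) -> None:
    with open(dest, "w") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or whose fingerprint changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        baseline_file = root / ".." / "baseline.json"  # kept outside the tree
        save_baseline(build_baseline(d), str(baseline_file))
        baseline = load_baseline(str(baseline_file))

        # Simulated tampering (constructed): same-size replacement of a
        # binary, a file that should not normally exist, and a deletion.
        (root / "bin" / "ls").write_bytes(b"trojaned ls")
        (root / "etc" / "ld.so.preload").write_text("/tmp/example.so\n")
        (root / "etc" / "passwd").unlink()

        result = compare(baseline, build_baseline(d))
        baseline_file.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size replacement of bin/ls is flagged only because the hash is part of the fingerprint; a size-and-mtime check alone would miss it. Run the baseline build once from known-good media, keep the JSON where the server cannot write to it, and treat any non-empty "added", "removed" or "modified" list on an in-scope host as an incident to explain, not a report to file.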
