On Mar 2, 2010, at 5:20 PM, Tracy Reed wrote:

> On Tue, Mar 02, 2010 at 06:41:02PM -0600, Mark McCullough spake thusly:
>
>> Per the PCI security council rep we had for many years, as of 1.2, Unix servers were explicitly required to comply with 5.1 per VISA, despite the fact that they are not commonly affected by viruses. This is not an option of the QSA, and a QSA who simply ignores the requirement for Unix can get in trouble.
>
> As of 1.2? What wording changed in 1.2 that explicitly addresses Solaris/Linux? I've got it open here in front of me and I don't see it. They do conspicuously leave you an out with "commonly affected".
>
>> The key is "malicious software" as opposed to "viruses". Clearly, there are rootkits and other malicious software programs for Unix systems. What do you use to ensure that such malicious software is not present on the PCI impacted Unix servers?
>
> Right, it is possible. But not common. And there is no software that can effectively scan for them even when present (much in the same way that the Windows antivirus vendors are way behind the curve). They load a kernel module or install a hypervisor and it's all over.
To the contrary, it is quite common. I've seen a number of compromised unix machines, and a significant portion of them ended up with rootkits. Further, there are a number of packages that can perform regular effective rootkit scans. And we can't simply dismiss a security measure because it isn't perfect. Firewalls aren't perfect. Anti-virus isn't perfect. Secure coding isn't perfect. But we take all of these measures to campaign as secure and reasonable a defense as we possibly can. The point of PCI compliance isn't to make your security impenetrable, just better.
>> When in doubt on PCI, err on the side of trying to comply, ready with compensating controls (formal and informal). The penalties for willful non-compliance are designed to be large enough that even very big companies hesitate to simply swallow them.
>
> The QSA is who has to sign us off. And for Linux servers we have been told it isn't necessary. Plus, I have here in front of me my already well worn (despite being barely two months old) copy of "PCI Compliance" by Chuvakin and Williams. Excellent book. And even they say in their discussion of 5.1:
>
>     PCI creators wisely chose to avoid the trap of saying "antivirus must be on all systems," but instead chose to state that one needs to "Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers)." This ends up causing a ton of confusion, and in many cases, companies fight deploying antivirus, even when the operating system manufacturer recommends it (for example, Apple's OS X). A good rule of thumb is to deploy it on all Microsoft Windows machines and any desktop machine with users regularly accessing untrusted networks (like the Internet) that have an antimalware solution.
This is only one professional's opinion, but I would never buy the argument that anti-virus and rootkit checks are only for Windows and that Unix is somehow immune such that it doesn't require them. My QSA certainly wouldn't buy that either. You can make the "commonly affected" argument, and any security team can tell you about a dozen different compromised unix machines that had rootkits and other assorted malware installed on them. The truth is that unix platforms are commonly affected, and the myth that unix is somehow not commonly affected by these kinds of malware is simply that; a myth.
Your QSA has to sign off, but so does the entity that is requiring you become compliant. But it's not just them. VISA has the power to come in and fine your company if there are problems. And if you do manage to lose credit cards, there's legal liability to deal with. I have to wonder if it's really worth fighting this one, especially when it's so simple and low-cost to implement it. Are you really saving anything by fighting a once daily (or maybe even less frequent) virus and rootkit scan? Is it really so bad that your servers have a little more integrity?
> On top of all of this, this only applies to in-scope machines. So your two (for example) in-scope Linux servers which run apache to take payment info from the customer and pass it on to the payment gateway are not Windows and not a desktop machine regularly accessing untrusted networks. I'm from the last one to try to skirt the intent and spirit of the rules. But from what I've read in the spec itself, what the QSA says, what these guys say, and what my own common sense tells me, it doesn't make sense to run anti-malware software on your in-scope Linux servers.
How is it common sense to not perform integrity checks on your servers? You want to trust your servers *more*, and the only way to do that is to verify. The only way to verify that the server has no rootkits is to scan for them. The only way to verify that the server has no malware is to scan for it. That is the real common sense.
> What sort of machine DOES need to run anti-malware software? Generally speaking this is targeted at in-scope desktop Windows and potentially Mac machines. What sort of situation might cause such machines to exist? Customer service where they need Windows desktops because that's what they know how to operate but also need access to payment info to take orders over the phone or otherwise support the customers who call in, verifying payment info, etc.
>> When reading the PCI-DSS, one must look not just at the requirement, but also the testing method column, as it provides a great deal of
>
> Right. The testing method column says:
>
>     5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
>
> Again they say "all operating system types commonly affected by malicious software". Also they say "if applicable anti-virus technology exists". What sort of virus scanner is going to catch the sort of rootkit that I am likely to get on a Linux/Solaris box? Clamav won't cut it here. It would have to be very intimate with the kernel.
I don't mean to be a jerk, but the first two links in a google search for "linux rootkit scanner" are the homepages of the top two free scanners for Linux, and one of them also runs on Solaris. They're both popular and effective. There are a great many rootkits out there, and they do get used quite frequently. The spirit of PCI should lead us to take all reasonable precautions to prevent breaches and data loss, and that certainly includes common and simple rootkit and anti-virus checks on unix platforms.
Benjamin Krueger [email protected]
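The integrity check Benjamin keeps returning to (you only get to trust a server more by verifying it) in its simplest user-space form, as an added example that is not code from this thread nor from any of the Linux/Solaris scanners it alludes to. It records a SHA-256 hash plus mode/uid/gid for every regular file under a tree, stores that baseline outside the tree, and later re-scans to report added, removed and modified paths; the `demo()` function builds a constructed directory, tampers with it, and returns the diff. All file names in the scenario are made up. The limit Tracy raises still applies: a kernel-resident rootkit can answer every stat/read this script issues with whatever it likes, so the baseline belongs on read-only or off-host storage and the scan is most trustworthy when run from a known-clean environment; this is the floor of an integrity programme, not its ceiling.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline and verification check (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) to its hash and metadata.

    mtime is deliberately left out: an intruder resets it trivially, while a
    content hash plus mode/uid/gid is what actually changes when a binary is
    replaced or quietly made setuid. Symlinks are skipped so a redirected
    link cannot make a foreign file pass as the expected one.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": oct(st.st_mode & 0o7777),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into sorted added / removed / modified path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def save_baseline(baseline: dict, dest) -> None:
    """Persist the baseline; in practice keep this copy read-only or off-host."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"        # the tree being watched
        store = Path(tmp) / "store"      # baseline lives outside the tree
        store.mkdir()
        for rel, data in {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/motd": b"hi"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        os.chmod(root / "bin" / "ls", 0o755)
        save_baseline(build_baseline(root), store / "baseline.json")

        # Simulated tampering (constructed): a same-length replacement of ps,
        # a permission-only change on ls, one new library, one deleted file.
        (root / "bin" / "ps").write_bytes(b"ps v2")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "lib").mkdir()
        (root / "lib" / "extra.so").write_bytes(b"new")
        (root / "etc" / "motd").unlink()

        return compare(load_baseline(store / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run from cron against the in-scope paths (system binaries, libraries, the web server's document root and configuration) and ship the diff to the log collector; an empty diff is the expected state, and any non-empty one is an incident ticket, not an email to ignore. Note that the same-length overwrite of `bin/ps` is caught only because the check hashes content rather than comparing sizes or timestamps.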
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
