LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page [SOLVED] mod_security and PCI-DSS compliance with Breach Security's Enhanced Rule Set
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-19-2010, 10:01 AM   #1
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Rep: Reputation: 44
mod_security and PCI-DSS compliance with Breach Security's Enhanced Rule Set

Ahoi,

Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the
"Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these)

They also offer the Enhanced Rule Set for mod_security in a commercial package
(info: http://www.breach.com/products/modsecurity.html )

The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, as well as my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either.

So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.

Any info is greatly appreciated, thanks
 
Old 07-20-2010, 11:22 PM   #2
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Rep: Reputation: 33
ERS specifically is not required for any PCI compliance, however, they do incorporate multiple PCI requirements into the ERS product.

The specific requirement that you address is a bit misleading (and not properly worded on the website). It is not a requirement for PCI-DSS compliance, however, I believe that they include it because it IS a requirement of the PA-DSS, which governs applications that process card payments. The specific PA-DSS requirement is to log payment application activity, which ERS does do; it will audit attempted card usage, logging date/time, source IP, complete request (minus card number), etc..

Since this is a product that is designed for web-servers and compliance, it is reasonable to assume that the destination server would accept card payments in some form; hence the inclusion of this functionality.

Hope this helps clear things up.
 
1 members found this post helpful.
Old 07-21-2010, 04:18 AM   #3
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Original Poster
Rep: Reputation: 44
Brilliant, thanks a lot!

Will mark thread as solved, as that pretty much clears it up.
Also, received the cert for compliance yesterday w/o the ERS stuff.
Might still get it though, acc. to Boss "additional security can never be bad"
 
  


Reply

Tags
modsecurity, pci



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to set processor frequency through intels Enhanced speedstep technology the_kernel_dood Linux - Kernel 2 01-25-2010 08:35 AM
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl sowell Linux - Server 2 12-09-2009 09:26 AM
LXer: Breach Security's ModSecurity Open Source Web Application Firewall LXer Syndicated Linux News 0 12-06-2007 08:20 PM
Logging file access - PCI DSS koobi Linux - Security 6 09-21-2007 04:08 AM
Help with my snort rule set PixelCloud Linux - Security 1 07-17-2004 01:35 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:16 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration