LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-19-2010, 10:01 AM   #1
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Rep: Reputation: 44
mod_security and PCI-DSS compliance with Breach Security's Enhanced Rule Set


Ahoi,

Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the
"Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these)

They also offer the Enhanced Rule Set for mod_security in a commercial package
(info: http://www.breach.com/products/modsecurity.html )

The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, as well as my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either.

So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.

Any info is greatly appreciated, thanks
 
Old 07-20-2010, 11:22 PM   #2
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Rep: Reputation: 33
ERS specifically is not required for any PCI compliance, however, they do incorporate multiple PCI requirements into the ERS product.

The specific requirement that you address is a bit misleading (and not properly worded on the website). It is not a requirement for PCI-DSS compliance, however, I believe that they include it because it IS a requirement of the PA-DSS, which governs applications that process card payments. The specific PA-DSS requirement is to log payment application activity, which ERS does do; it will audit attempted card usage, logging date/time, source IP, complete request (minus card number), etc..

Since this is a product that is designed for web-servers and compliance, it is reasonable to assume that the destination server would accept card payments in some form; hence the inclusion of this functionality.

Hope this helps clear things up.
 
1 members found this post helpful.
Old 07-21-2010, 04:18 AM   #3
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Original Poster
Rep: Reputation: 44
Brilliant, thanks a lot!

Will mark thread as solved, as that pretty much clears it up.
Also, received the cert for compliance yesterday w/o the ERS stuff.
Might still get it though, acc. to Boss "additional security can never be bad"
 
  


Reply

Tags
modsecurity, pci


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to set processor frequency through intels Enhanced speedstep technology the_kernel_dood Linux - Kernel 2 01-25-2010 08:35 AM
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl sowell Linux - Server 2 12-09-2009 09:26 AM
LXer: Breach Security's ModSecurity Open Source Web Application Firewall LXer Syndicated Linux News 0 12-06-2007 08:20 PM
Logging file access - PCI DSS koobi Linux - Security 6 09-21-2007 04:08 AM
Help with my snort rule set PixelCloud Linux - Security 1 07-17-2004 01:35 PM


All times are GMT -5. The time now is 12:30 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration