Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
06-09-2012, 06:33 PM
|
#1
|
|
Member
Registered: Jan 2006
Location: USA
Posts: 460
Rep: 
|
Pci dss
i am dealing with some PCI DSS stuff. i dont see anywhere that says sending logs must be secured. if correct this seems to be an oversight from the PCI DSS folks.
is this correct, udp514 is good enough for PCI DSS ?
|
|
|
|
|
06-09-2012, 07:25 PM
|
#2
|
|
Moderator
Registered: May 2001
Posts: 24,805
|
Quote:
Originally Posted by Linux_Kidd
i dont see anywhere that says sending logs must be secured.
|
IIGC one of the PCI DSS requirements is to safeguard sensitive data in transit over public networks.
Quote:
Originally Posted by Linux_Kidd
good enough
|
Your QSA will tell you. |
|
|
|
|
06-09-2012, 08:09 PM
|
#3
|
|
Member
Registered: Jan 2006
Location: USA
Posts: 460
Original Poster
Rep:
|
hah, i am the QSA 
i am the security architect
i am the security engineer
etc
if i dont know the answer i have to find the answer, etc.
these logs are being sent over internal LAN to a log server. i believe the answer is " secure transport of logs is not explicitly defined in PCI DSS", but wanting confirmation, etc.
thnx |
|
|
|
|
06-10-2012, 02:00 AM
|
#4
|
|
Moderator
Registered: May 2001
Posts: 24,805
|
Quote:
Originally Posted by Linux_Kidd
i believe the answer is "secure transport of logs is not explicitly defined in PCI DSS"
|
No, there's no reason to believe and it's explicitly defined as well. See PCI DSS v2.0 Requirement 4 (page 35): " Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals". |
|
|
|
|
06-10-2012, 08:07 AM
|
#5
|
|
Member
Registered: Jan 2006
Location: USA
Posts: 460
Original Poster
Rep:
|
Quote:
Originally Posted by unSpawn
No, there's no reason to believe and it's explicitly defined as well. See PCI DSS v2.0 Requirement 4 (page 35): "Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals".
|
yeah, thats still vague.
so if the public PCI data-flows traverses the same vlan from which my syslog originates from, does that mean syslog must be encrypted? as example, the linux webserver on the DMZ sends syslog via the same subnet that tcp-443 listener is in, or my Imperva WAF management iFace is in a subnet in which the same subnet carries PCI data.
or does "accessed" mean literally accessing network infrastructure, or being able to easily get attached to such network subnet (like plugging into a wall jack in the office, because after-all, my internal users also fall into the "malicious individuals" group to some extent).
i guess this is why i have steered clear of the PCI crud, its way to vague imho.
thnx for the info |
|
|
|
|
06-11-2012, 06:31 PM
|
#6
|
|
Moderator
Registered: May 2001
Posts: 24,805
|
Quote:
Originally Posted by Linux_Kidd
yeah, thats still vague.
|
Not at all. From Requirements and Security Assessment Procedures Version 2.0 read Requirement 4.1. It literally says "Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:
- The Internet
- Wireless technologies,
- Global System for Mobile communications (GSM)
- General Packet Radio Service (GPRS)." |
|
|
|
|
06-12-2012, 05:19 AM
|
#7
|
|
Member
Registered: Jan 2006
Location: USA
Posts: 460
Original Poster
Rep:
|
yeah, that doesnt talk about the logging audit trail. there is nothing in PCI DSS 2.0 that talks about the logging transport (verified with some PCI audit folks). udp514 is good enough for PCI DSS (as silly as that is).
he PCI DSS community (imho) dont know security too well. its ridiculous that PCI DSS allows the last 4 digits of a CC# to be revealed on a receipt.
|
|
|
|
|
06-14-2012, 09:06 AM
|
#8
|
|
LQ Newbie
Registered: Jun 2012
Posts: 1
Rep: 
|
last four digits of the CC does nothing for anybody other than the customer for identification.
You can transport logs however you want, so long as the logs do not contain sensitive information (full CC #, exp date, cardholder name, CVV). And really, the full CC# should never be placed in logs.
|
|
|
|
|
06-15-2012, 07:15 PM
|
#9
|
|
Member
Registered: Jan 2006
Location: USA
Posts: 460
Original Poster
Rep:
|
Quote:
Originally Posted by mrholzapfel
last four digits of the CC does nothing for anybody other than the customer for identification.
You can transport logs however you want, so long as the logs do not contain sensitive information (full CC #, exp date, cardholder name, CVV). And really, the full CC# should never be placed in logs.
|
ok, thats the PCI DSS thinking, and its dead wrong !!! let me explain.
the last 8 of your visa card are the account #
1st 4 is card type
5-8 is banking institution.
so, i am at a store standing behind jane doe (relatively close). she pulls out her visa card and i see the Chase and Visa logo but she has her hand over the numbers. she swipes her card and attendant gives her a receipt (which is pci compliant, only last 4 digits are printed). she walks out and ditches the receipt thinking the same way you are. i then retrieve that receipt. i already have the 1st 8 #'s, and the last 4 !!!! now i run what i have through my CC# validator to find the right #'s (9-12). voila, a real valid CC#, its that easy!! giving out the last 4 digits is stupid.
swipe POS's dont use CVV #, so thats as useless as a fly swatter during a bee swarm attack.
to your 2nd point, post #2 #4 #6 says DSS applies the rules to "public" networks, so where does DSS say transport of sensitive data that is internal only networking? please provide the sections/verbiage.
thnx.
Last edited by Linux_Kidd; 06-16-2012 at 12:15 PM.
|
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 04:26 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
