Old 07-19-2010, 11:01 AM   #1
mod_security and PCI-DSS compliance with Breach Security's Enhanced Rule Set


Currently I'm looking into implementing mod_security on all our Apache servers. The installation on CentOS 5.5 comes directly with the
"Core Rule Set" by the mod_security devs (curiously, Debian and Ubuntu do not carry these).

They also offer the Enhanced Rule Set for mod_security in a commercial package
(info: )

The main point in their info link is the first one:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However, according to this wiki article ( ), that specific requirement isn't stated anywhere, and my colleague who's working on PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either.

So my question would be whether anyone has any experience with their ERS package and whether it's needed for PCI-DSS compliance, compared to the requirements given in the bullet points in the wiki article.

Any info is greatly appreciated, thanks.
Old 07-21-2010, 12:22 AM   #2
ERS specifically is not required for any PCI compliance; however, they do incorporate multiple PCI requirements into the ERS product.

The specific requirement that you mention is a bit misleading (and not properly worded on the website). It is not a requirement for PCI-DSS compliance; however, I believe they include it because it IS a requirement of the PA-DSS, which governs applications that process card payments. The specific PA-DSS requirement is to log payment application activity, which ERS does do: it will audit attempted card usage, logging date/time, source IP, complete request (minus card number), etc.

Since this is a product designed for web servers and compliance, it is reasonable to assume that the destination server would accept card payments in some form; hence the inclusion of this functionality.

Hope this helps clear things up.
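The auditing the reply above describes (record the full request, with date/time and source IP, but without the card number) can be done with stock ModSecurity 2.x directives rather than the commercial ERS. The following is an added example written for this thread; it is not code from the original post, from the Core Rule Set, or from Breach's ERS. The rule id, the audit log path and the choice to `pass` (flag and log) rather than block are assumptions.

```apache
# Added example, not from the thread or from ERS.
# Audit any request argument that looks like a card number (13-16 digits
# that pass the Luhn check) and mask the number in the audit log.
# Rule id, log path and the 'pass' (do not block) decision are assumptions.

SecRuleEngine On

# Needed so POST bodies are inspected, not just the query string.
SecRequestBodyAccess On

# Only write an audit record when a rule asks for it (auditlog action)
# or when the response status is 5xx or 4xx other than 404.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log

# Parts to record: A = timestamp and source IP, B = request headers,
# C = request body, F = response headers, H = audit trailer, Z = end marker.
SecAuditLogParts ABCFHZ

# @verifyCC runs the Luhn check on every digit run the regex matches.
# sanitiseMatched replaces the matched PAN with asterisks in the audit log,
# so the log itself does not become a store of cardholder data.
SecRule ARGS "@verifyCC \d{13,16}" \
    "id:1000001,phase:2,pass,log,auditlog,sanitiseMatched,\
     msg:'Possible credit card number submitted',tag:'PCI/cardholder-data'"
```

To check it, POST the standard Luhn-valid test number (`curl -d 'cc=4111111111111111' http://localhost/checkout`) and confirm that the new entry in `modsec_audit.log` carries the timestamp, client address and request body but shows the `cc` value as asterisks. Two caveats: `sanitiseMatched` only affects the ModSecurity audit log, so a card number sent in the query string will still land unmasked in Apache's `access_log` (accept PANs in POST bodies only), and `@verifyCC` will also match any other Luhn-valid digit string, so expect the occasional false positive from IMEIs and similar identifiers.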
Old 07-21-2010, 05:18 AM   #3
Original Poster
Brilliant, thanks a lot!

Will mark the thread as solved, as that pretty much clears it up.
Also, we received the cert for compliance yesterday w/o the ERS stuff.
Might still get it though; according to the boss, "additional security can never be bad".

