Posted by lloyd on Fri 14 Mar 2008 at 11:00
I'm striving to comply with PCI standards, but I'm running into a wall - due mostly to confusing, out-of-date, contradictory, and/or incomplete documentation. Or maybe just my own dense mentality. Does anybody have any guidance to help me walk through the security thickets of setting up my Debian-based web store?
BACKGROUND
I'm setting up a small web store on a remote VPS to supplement my Social Security. The software stack is:
- Debian etch kernel 2.6.18
- Apache2.0.54
- MySQL 4.1.11
- PHP 4.4.6-0a
- Viart Enterprise (latest version) web store
Credit cards are run through SSL; orders are confirmed via e-mail. I use SSH for remote administration. I've disabled (I hope) all unnecessary services and moved the SSH port to a high address. I've scanned the system with a commercial vulnerability scan service (ScanAlert) -- it turns up the old version of PHP as the only vulnerability (which, presumably, Debian security patches address).
PCI COMPLIANCE
PCI compliance requires, among other things:
- server firewall
- rigorous password policy
- intrusion detection
I've spent several weeks now studying netfilter/iptables, PAM, Snort, and Tripwire documentation. In each case I run into "gotchas" that bring me up short.
For instance, one authoritative doc says:
"CONFIG_NETFILTER - This option is required if you're going to use your computer as a firewall or gateway to the Internet. In other words, this is most definitely required for anything in this tutorial to work at all."
QUESTION: But how do I determine if the CONFIG_NETFILTER option is set? If not, how do I set it? Do I really have to recompile the kernel to set it? If necessary, how do I recompile the kernel on a remote VPS without risking everything configured so far?
Further on I'm told that I need to install a script to make sure that my firewall rules survive a reboot. I can find examples of firewall scripts, and more or less understand what they're doing, but I have less confidence that I can morph them to my needs.
QUESTION: But where do I install my firewall script? How do I test it?
I think I almost grasp the PAM docs. Just not sure which modules I need to satisfy PCI.
QUESTION: So many choices, so little guidance on which to choose when. Which PAM modules do I need?
Snort seems fairly straightforward until I need to interpret the output. Haven't delved too far into this yet. But it looks scary.
QUESTION: What do I need to know to decode the arcana?
And Tripwire -- looks terrific except... I should have installed it the very first thing upon bringing my VPS on-line. It's been on-line for a while now.
QUESTION: Is it too late now to install Tripwire? If so, what can I do short of tearing everything down and reinstalling?
In short, I've read the docs and will continue to do so. But I'm stuck.
Where can I turn; who can help me cut through the documentation cruft to an understanding of what I need to know to implement these basic security provisions?
Many thanks,
Lloyd
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2008 lloyd - please ask for permission to republish or translate.