Struggling to implement PCI compliance

Posted by lloyd on Fri 14 Mar 2008 at 11:00

I'm striving to comply with PCI standards, but I'm running into a wall - due mostly to confusing, out-of-date, contradictory, and/or incomplete documentation. Or maybe just my own dense mentality. Does anybody have any guidance to help me walk through the security thickets of setting up my Debian-based web store?

BACKGROUND

I'm setting up a small web store on a remote VPS to supplement my Social Security. The software stack is:

Credit cards are run through SSL; orders are confirmed via e-mail. I use SSH for remote administration. I've disabled (I hope) all unnecessary services and moved the SSH port to a high address. I've scanned the system with a commercial vulnerability scan service (ScanAlert) -- it turns up an old version of PHP as the only vulnerability (which, presumably, Debian security patches address).

PCI Compliance

PCI compliance requires, among other things:

I've spent several weeks now studying netfilter/iptables, PAM, Snort, and Tripwire documentation. In each case I run into "gotchas" that bring me up short.

For instance, one authoritative doc says:

"CONFIG_NETFILTER - This option is required if you're going to use your computer as a firewall or gateway to the Internet. In other words, this is most definitely required for anything in this tutorial to work at all."

QUESTION: But how do I determine if the CONFIG_NETFILTER option is set? If not, how do I set it? Do I really have to recompile the kernel to set it? If necessary, how do I recompile the kernel on a remote VPS without risking everything configured so far?

Further on I'm told that I need to install a script to make sure that my firewall rules survive a reboot. I can find examples of firewall scripts, and more or less understand what they're doing, but with less confidence that I can morph them to my needs.

QUESTION: But where do I install my firewall script? How do I test it?

I think I almost grasp the PAM docs. Just not sure which modules I need to satisfy PCI.

QUESTION: So many choices, so little guidance on which to choose when. Which PAM modules do I need?

Snort seems fairly straightforward until I need to interpret the output. I haven't delved too far into this yet. But it looks scary.

QUESTION: What do I need to know to decode the arcana?

And Tripwire -- looks terrific except... I should have installed it the very first thing upon bringing my VPS on-line. It's been on-line for a while now.

QUESTION: Is it too late now to install Tripwire? If so, what can I do short of tearing everything down and reinstalling?

In short, I've read the docs and will continue to do so. But I'm stuck.

Where can I turn; who can help me cut through the documentation cruft to an understanding of what I need to know to implement these basic security provisions?

Many thanks,
Lloyd
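One way to answer the first question in the post (whether CONFIG_NETFILTER is set) without recompiling anything: Debian kernels install their build configuration as /boot/config-<version>, and some kernels expose /proc/config.gz instead. This is an added example, not code from the post or from the Debian project; the config text at the bottom is constructed so the script runs even on a machine where neither file exists.

```sh
#!/bin/sh
# Added example: check whether the running kernel has netfilter support,
# using the kernel config files Debian and most distributions ship.

# Print the value of one CONFIG_* symbol from kernel config text on stdin:
# "y" (built in), "m" (module), "n" (explicitly unset) or "" (absent).
config_value() {
    sym="$1"
    val=$(grep -E "^(# )?${sym}[= ]" | head -n 1)
    case "$val" in
        "# ${sym} is not set") echo "n" ;;
        "${sym}="*)            echo "${val#*=}" ;;
        *)                     echo "" ;;
    esac
}

# Emit the running kernel's config, or fail if no known source is readable.
kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# Summarise netfilter availability for the config text passed as $1.
netfilter_status() {
    v=$(printf '%s\n' "$1" | config_value CONFIG_NETFILTER)
    case "$v" in
        y) echo "built-in" ;;
        m) echo "module" ;;
        n) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample config (not from a real host) used as a fallback.
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NF_CONNTRACK=m'

main() {
    cfg=$(kernel_config) || cfg="$SAMPLE_CONFIG"
    echo "CONFIG_NETFILTER: $(netfilter_status "$cfg")"
}
main
```

On a VPS whose kernel is supplied by the provider, /boot may carry no config file at all, in which case the script reports on the constructed sample rather than the real kernel.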


This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2008 lloyd - please ask for permission to republish or translate.