Re: CISP Compliance
My company just got PCI certified (we're on our way to CISP). From what
I've discovered through the process of getting PCI-certified, most of
the work has to do with creating policies, and doing a lot of social
engineering to enforce and maintain those policies.
Beaurocracy aside, most of our servers are Ubuntu-based (a debian
variant, if you probably already know). Here's a run-down of the
projects that I've implemented to achieve our PCI compliance...
Central SysLog Server (SysLog-NG, syslogd, Snare):
I've using SysLog-NG
(http://www.balabit.com/network-security/syslog-ng/opensource-logging-system) as a central syslog server. I have a rule set up that deposits SysLogs from all of my servers, filers, network equiment, etc. into separate directories, based on the dns name associated with the originating ip address of the incoming messages. I did not install SysLog-NG across the board, mostly because I didn't need the bells and whistles associated with it for all of my machines. What I did instead was make the default syslogd on each machine point to my central SysLog-NG server. Additionally, on my Windoze machines, I'm using Snare (http://www.intersectalliance.com/projects/SnareWindows/index.html) to ship Event Log messages over SysLog as well.
Host Intrusion Detection, File Integrity Monitor (OSSEC):
I'm using OSSEC (http://www.ossec.net) to monitor the individual SysLog
files for perceived security issues. OSSEC understands Snort, Cisco PIX,
IPTables, and a host of others.
Additionally, I have OSSEC agents running on each of my servers
(including Windoze), which report back to a central OSSEC Server. The
agents are primarily in charge of monitoring important files for changes
(nice view during upgrades), and secondarily in charge of scanning for
OSSEC can also interface with IPTables and other host-based firewalls,
as a means of implementing Real-time greylisting.
Last time I checked, I couldn't find a .deb package for OSSEC. I created
my own, but the implementation is a bit nasty.
Network Intrusion Detection (Snort):
If you are going to use Snort, I highly recommend that you use the
latest version You'll probably have to compile it from source, but it's
worth it. Snort is sending alerts to my central SysLog server, which
provides a nice and easy central logging repository for Snort alerts.
I'm then using OSSEC to monitor the SysLogs for Snort messages, and
generate alert emails.
Rootkit detection and scanning (RKHunter and CHKRootKit [and OSSEC]):
Never trust a single Rootkit scanner. Both RKHunter and CHKRootKit are
excellent tools, but one could have more/different signatures at
different times. Additionally, one might miss a Rootkit, while the other
might catch it. Both of these tools are pollers that are run from Cron,
so performance isn't much of an issue if the run times are staggered.
Installation of RKHunter and ChkRootKit is a snap for most distros, so
you might as well put the packages in your server configuration policy.
Network Penetration testing (Nessus 3.x):
I can't stress this enough. If you're going to use Nessus
(http://www.nessus.org), do yourself a favor and install the latest
version. The 3.x versions update their plugins automatically, which is a
great thing because you don't have to think about it too hard. I would
also recommend purchasing a "Direct Feed" subscription from Tenable,
which enables your Nessus installations to update their plugins as they
become available, instead of waiting 2 weeks.
Layer-7 Firewall (ModSecurity / Apache Proxy):
If you're really serious about CISP, spend the $5000 to purchase a
1-year support contract for ModSecurity (Breach Security
http://www.breach.com). In addition to an immense amount of help with
writing custom rules, you also get a really fast ruleset that's
specifically geared towards PCI Compliance.
One caveat, however, is that you should know a good deal about Perl
Regular expressions if you're going to implement ModSecurity. If this is
an issue for you, you may need to look into other (closed-source,
bleck!) alternatives like F5.
Another Firewall solution that I've been playing around with lately is
Untangle (http://www.untangle.com). Unfortunately, I require ethernet
bonding and 802.1q support, so it's not yet a feasable solution for me
yet. That being said, their Snort front-end can't be beat. And I talked
with a couple of the guys at their Linux World booth recently, who said
that they were going to start bundling Untangle with Ubuntu and other
distros (most of which provide the tools and kernel modules for 802.1q
Per machine firewall (IPTables with Shorewall front-end):
Shorewall is extremely powerful, if not a bit difficult to use. I
wouldn't use it for a gateway machine (although I use it as a
router-firewall between networks on my Corporate network), but it makes
a very good Host-based firewall. The idea here is to only leave the
ports that need to be open, open, and only allow access from the
machines/networks that need access to them. You will need other separate
physical firewalls between you and the rest of the world, as well as
between your servers and your database servers, but you can limit who
and what has access to a specific machine. Personally, I have it set up
that nobody can access any machine via SSH, except from one of my
Corporate subnets (not feasable for everyone). Even then, I am using SSH
authorized_keys tuned to IP address to restrict access further (I have a
user policy for SSH key rotation. Their private keys must also be
secured with a passphrase).
Secure Central Backups and Archving (Bacula):
I really love Bacula. It's a bit of a learning curve, but it's GPL'ed,
and it runs on multiple platforms. The features of Bacula rival
NetBackup and Legato, although the interface can be cumbersome to use.
The most important feature is Archival encryption. This indemnifies you
against having to report a lost or stolen tape to all of your customers
(which you shouldn't need to worry too much about if you have a good
Of course, you need to have a solid policy for handling tapes that your
employees must adhere to, that a PCI/CISP auditor must sign off on.
Don't be too wordy. All they need to know is: that machines are backed
up on a regular basis, that certain backup sets are retained for XXX
days/years, that you have a compliant offsite archival policy.
One more thing, if you can, try to physically separate your Production
networks from your Corporate networks. This will ensure that only your
Production networks need to be audited. Otherwise, if you mix them,
-ALL- of your machines will need to be audited, including user
desktops/laptops. Just keep them separate. Management is much easier.
Monitoring is much easier. The audit headaches are much lighter.
Also, if you've never gone through CISP/PCI before, be prepared for a
lot of long nights, headaches, etc. Try not to get discouraged. It will
be worth it in the end. I can honestly say that I am a much better
engineer for having gone through the process.
Senior Linux Network Engineer
On Mon, 2007-08-20 at 18:14 -0500, Jonathan Wilson wrote:
> Sorry if this is the wrong place for this, but:
> Does anyone know of a place I can get information on setting up CISP (VISA
> credit card) compliant Debian systems - or Linux in general, if there's no
> Debian-specific info. I've been searching the web for a couple hours and I
> don't know if I'm searching for the wrong phrases or what, but I'm not
> finding anything at all.
> What I'm looking for is, essentially, what software needs to be installed to
> make a system storing and processing CC info CISP compliant, and what
> settings need to be configured to match.
> I'm just sure there's folks out there who's secured Debian systems and
> installed & configured the necessary software for logging, auditing,
> monitoring, etc. I just can't find anything about it - maybe I'm blind today.
> System Administrator - Cedar Creek Software http://www.cedarcreeksoftware.com