To be compliant with PCI standards (Payment Card Industry), a merchant is supposed to have at least Apache 2.2.8, and at least PHP 5.2.5.
I think this is the lamest thing ever.
Anyway, I might as well figure out how to upgrade the two packages. I currently have Apache 2.2.3 and PHP 5.1.6.
Am I limited to upgrades given via the auto upgrade feature of Virtualmin, or can I perform upgrades on my own? I’m very savvy about how to go about it; perhaps if there was a URL someone could point me to, I’d be set.
Lastly, are there any gotchas I need to be aware of?
So, the PCI standards do not take into account fully patched versions of these packages from the OS vendors? So…RHEL 5 is not PCI compliant, despite being one of the most secure systems available (likewise Debian 4)? I think this shows a pretty striking lack of awareness on the part of the folks drafting the guidelines.
BTW: We have a solution coming soon for the PHP update issue for our most popular platforms; we will provide PHP 5.2.6 for CentOS 5, at least. We will never bump rev on Apache beyond what is provided by the vendor, so you’ll need to build your own (which will probably end up less secure in the end, since managing upgrades is so much harder on a built-from-source installation).
BTW2: Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched.
I guess I’ll have to file an exception, as it’s the most fully patched version of Apache. Thanks for pointing that out. I look forward to getting PHP 5.2.6, though! When do you think that’ll come?
But ya, I think it’s more or less just a joke.
I mean seriously, HACKER SAFE has softer requirements than PCI, and you see all those HACKER SAFE decals all over the place, where in truth it’s all BS. I am actually HACKER SAFE compliant, just not PCI. Odd… And to get that HACKER SAFE decal you have to pay about 2.5 times more money. What a joke!
The other reason I’m not PCI compliant is because I have “excessive” open ports, which means 10 or more. I mean seriously, who came up with 10? I should get an exception, though, for that because it’s “by design”. Whatever!
They count the number of open ports? Seriously? Wow. I think from now on, if I see some sort of PCI logo on a site I will be more suspicious of their security than if I don’t.
If you absolutely, positively must have these updates, you might look into using Jason Litka’s excellent repository, which includes patched PHP 5.2.5, httpd 2.8 and MySQL 5.0.58.
Not supported or recommended by the folks here, of course, but very useful if you must have a very up-to-date CentOS.
You’ll need to do a bit of research to figure out how to enable and use his repos, and your following yum update will be scary, as it’ll replace a load of packages and modules. Caveat emptor… but I’ve had very good luck with it, and he does seem serious about changes and updates.
Time Will Tell… hopefully he continues his good work, it is much appreciated by those who use his repos and builds.
But, as you say, we can’t possibly support packages that we don’t provide or aren’t from the standard OS sources. We have our hands full supporting our own packages plus the ones from CentOS, Debian, Ubuntu, Fedora, etc.
Well, they took off the excessive ports issue and the Apache version issue. I might as well just ask them to remove the PHP version issue then, huh? If it was that easy…
Then I can be “compliant”. Yay! As if it means a whole hell of a lot.
I am just going through the PCI at the moment. An out-of-the-box install only showed 4 medium priority items that I need to change to get compliant!
Restrict recursive queries to the hosts that should use this name server??? I assume in the ACL I add the IP addresses of the systems I want to connect to it??
Disable SSL 2.0 and use SSL 3.0 or TLS 1.0: I cannot see anywhere I can change this within the settings??
Make sure all forms are sent and received over SSL: HTML issue!
Reconfigure services to avoid the use of weak ciphers: hey, what???
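Three of the four findings in the post above are plain configuration changes: an `allow-recursion` ACL in BIND’s named.conf, and the `SSLProtocol` and `SSLCipherSuite` directives in httpd’s ssl.conf. The script below is an added example, not code from this thread or from Virtualmin: it embeds a constructed weak and hardened pair of each fragment and runs a small checker over them, so you can see which settings the scanner is objecting to and confirm the fix before re-running the scan. It assumes httpd 2.2 semantics, where `SSLProtocol all` included SSLv2 and the built-in cipher list selected LOW and export suites; the `192.0.2.0/24` range and the `trusted` ACL name are constructed placeholders. The scanner quoted above only asks for SSL 2.0 off, but the checker also reports SSLv3, which has since been shown to be broken as well.

```python
import re

# Constructed samples (not from the thread or any Virtualmin file): the weak
# pair mirrors SSLv2-permitting httpd 2.2 defaults and an unrestricted BIND
# options block; the hardened pair shows what the PCI findings ask for.
WEAK_SSL_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

HARDENED_SSL_CONF = """\
SSLEngine on
# The finding only asks for SSLv2 off; SSLv3 is dropped too (now also broken).
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
SSLHonorCipherOrder on
"""

WEAK_NAMED_CONF = """\
options {
    directory "/var/named";
    recursion yes;          // answers recursive queries for anyone
};
"""

HARDENED_NAMED_CONF = """\
// 192.0.2.0/24 is a documentation range standing in for the LAN (constructed).
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
};
"""

# httpd 2.2 mod_ssl built-in cipher list, used when SSLCipherSuite is absent.
HTTPD22_DEFAULT_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

# OpenSSL cipher-string tokens that select weak or unauthenticated suites.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "SSLv2",
                      "ADH", "aNULL", "eNULL", "NULL", "DES", "RC4", "MD5"}

PROTOCOL_NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}


def _directive(conf, name):
    """Return the last value given for an Apache directive, or None if unset."""
    value = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value


def enabled_protocols(spec):
    """Expand an httpd 2.2 SSLProtocol value into the set of enabled protocols
    ('all' is modelled as +SSLv2 +SSLv3 +TLSv1, as in 2.2)."""
    enabled = set()
    for token in spec.split():
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        key = token.lower()
        names = set(PROTOCOL_NAMES.values()) if key == "all" else {PROTOCOL_NAMES.get(key, token)}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def cipher_findings(spec):
    """Weak tokens positively selected by an OpenSSL cipher string: '!' bans a
    token for good, bare or '+' tokens select it, and the '+' inside 'RC4+RSA'
    is an AND, so each component is checked."""
    included, banned = set(), set()
    for element in spec.split(":"):
        op = ""
        if element and element[0] in "!-+":
            op, element = element[0], element[1:]
        parts = set(element.split("+"))
        if op == "!":
            banned |= parts
        elif op in ("", "+"):
            included |= parts
    weak = (included & WEAK_CIPHER_TOKENS) - banned
    if {"ALL", "DEFAULT"} & included:      # a wildcard drags weak classes in unless excluded
        for cls, aliases in (("LOW", {"LOW"}), ("EXP", {"EXP", "EXPORT"}), ("aNULL", {"aNULL", "ADH"})):
            if not aliases & banned:
                weak.add(cls)
    return sorted(weak)


def check_apache_ssl(conf):
    """Return PCI-style findings for an httpd ssl.conf fragment."""
    findings = []
    proto = _directive(conf, "SSLProtocol") or "all"          # 2.2 default
    enabled = enabled_protocols(proto)
    for old in ("SSLv2", "SSLv3"):
        if old in enabled:
            findings.append(f"{old} enabled (SSLProtocol {proto})")
    weak = cipher_findings(_directive(conf, "SSLCipherSuite") or HTTPD22_DEFAULT_CIPHERS)
    if weak:
        findings.append("weak ciphers selected: " + ", ".join(weak))
    return findings


def check_bind_recursion(conf):
    """Return findings for a named.conf fragment that offers recursion to everyone."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    text = "\n".join(re.split(r"//|#", line, 1)[0] for line in text.splitlines())
    recursion = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", text)
    if recursion and recursion.group(1) == "no":
        return []                                             # authoritative-only server
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if acl is None:
        return ["recursion enabled with no allow-recursion ACL (open resolver)"]
    if re.search(r"\bany\b", acl.group(1)):
        return ["allow-recursion includes 'any' (open resolver)"]
    return []


def audit(ssl_conf, named_conf):
    """Run both checks, tagging each finding with the file it belongs to."""
    return ([("ssl.conf", f) for f in check_apache_ssl(ssl_conf)]
            + [("named.conf", f) for f in check_bind_recursion(named_conf)])


if __name__ == "__main__":
    for label, s, n in (("weak", WEAK_SSL_CONF, WEAK_NAMED_CONF),
                        ("hardened", HARDENED_SSL_CONF, HARDENED_NAMED_CONF)):
        print(f"{label}:")
        for where, finding in audit(s, n) or [("-", "no findings")]:
            print(f"  {where}: {finding}")
```

Point the checker at your own `/etc/httpd/conf.d/ssl.conf` and `/etc/named.conf` contents instead of the embedded samples; if the weak sample reports findings and the hardened one reports none, the same directives are what the scanner is looking for.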
If you’re using something like CentOS 5 or RHEL 5, which are currently offering PHP 5.1.6, they backport security fixes and such into that version of PHP. You should be in good shape, security-wise.
In dealing with any of the PCI Compliance testers, they’re pretty understanding about the backporting, you should just be able to mark older versions they detect as a “False Positive” and simply mention what distro you’re running, and that you’re up to date with patches.
I’m sure there are some features in 5.2.6 that folks may want, and Joe will certainly get around to that. But in the meantime, as far as security is concerned, running PHP 5.1.6 on RHEL/CentOS 5 is up to date.
-Eric