[BlueOnyx:04501] Re: PCI scans -trying again without the report
Michael Stauber
mstauber at blueonyx.it
Sat May 15 16:43:22 -05 2010
Hi webmaster,
> The moderator held the post with the report.
Hey, there is no moderation. The list software is simply configured not to
allow any attachments. For security reasons.
I see Jeff has already helped you out, but I also got to say a few things here
about the issue:
PCI compliance checks are not entirely useless, but the report you got from
your auditor indicates that the auditor is an entirely clueless bunch that
shouldn't be allowed to practice their voodoo-shamanism near IT related gear.
And with that statement I'm trying my best to be overly polite. :o)
RPM based distributions like CentOS, RedHat, or SuSE have - as long as they've
been around - had the habit of freezing version numbers of programs and
daemons after a major release of their OS.
Since CentOS5 came out its version of Apache has been 2.2.3. BUT: This is not
the "stock" and unpatched Apache-2.2.3. If you check the RPM database, then
you'll see that it's now the 43rd release:
[root at cbx web]# rpm -q httpd
httpd-2.2.3-43.el5.centos
Means: It has been patched 43 times already and tons of known vulnerabilities
have been fixed in between.
Run this command ...
rpm -q --changelog httpd
... to see what was fixed and when.
Of course your especially capable (in other fields) PCI compliance auditor
just "talks" to Apache to query the version number, sees that it reports 2.2.3
and spits out a lengthy list of vulnerabilities that his own database
attributes to Apache 2.2.3. Without looking further.
Likewise he makes wild claims which are entirely rubbish:
"Port: snpp (tcp/444) "
That's the Admin interface of the server, NOT the service "snpp".
I just went through the entire report and it contains so much garbage that I
can't even be bothered to refute them one by one.
The only question mark (as far as CentOS or BlueOnyx is concerned!) is that
our Sendmail allows VERIFY, but even *that* is not such a big deal as there
are other (still supported and possible!) ways to determine if a user exists
on a system - even if VERIFY is disabled. Hence disabling VERIFY doesn't give
you one inch of extra security.
The other thing - as far as you are concerned - is: What do you run on port
10000? Because a "stock" CentOS + BlueOnyx doesn't use this port for any
service.
Other than that: ANYONE is well advised to NOT store credit card details on a
server that's used for shared hosting, that is NOT behind a firewall and NOT
housed in a physically well secured location. These are three DO NOT's.
Otherwise you're not doing yourself or your customers a favour there and it
may be best to offload the credit card processing to a company that does it
for a living.
--
With best regards
Michael Stauber
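The changelog check described in the post above, as an added shell example that is not part of the original message: it automates the `rpm -q --changelog` lookup so you can confirm that a fix for a specific CVE was backported even though the package still reports version 2.2.3. The sample changelog entries, the CVE-2010-0000 identifier and the packager address are constructed placeholders for offline use, not real CentOS changelog data; on a real host the `check_installed` function queries the live RPM database instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from BlueOnyx.
# Confirms whether a backported fix for a given CVE is recorded in an
# RPM's changelog, which is what a banner-only version check misses.

# Read a changelog on stdin; return 0 if it mentions the CVE, 1 otherwise.
# -i because some older changelog entries write the ID in lower case.
cve_in_changelog() {
    cve="$1"
    grep -qi -- "$cve"
}

# Pull the release number out of an NVR string such as the output of
# "rpm -q httpd": httpd-2.2.3-43.el5.centos -> 43
release_of() {
    nvr="$1"
    rel="${nvr##*-}"      # drop everything up to the last '-': 43.el5.centos
    echo "${rel%%.*}"     # drop the dist tag: 43
}

# Live check against the installed package. Returns 0 if the CVE is listed,
# 1 if not, 2 if rpm is not available on this host.
check_installed() {
    pkg="$1"; cve="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping live check for $pkg" >&2
        return 2
    fi
    rpm -q --changelog "$pkg" | cve_in_changelog "$cve"
}

# Constructed sample changelog (placeholder entries, not a real capture).
SAMPLE_CHANGELOG='* Tue Mar 02 2010 Packager <packager@example.com> - 2.2.3-43
- constructed entry: fix CVE-2010-0000
* Mon Jan 11 2010 Packager <packager@example.com> - 2.2.3-42
- constructed entry: unrelated bugfix'

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2010-0000; then
    echo "CVE-2010-0000: fix listed in changelog (backported)"
else
    echo "CVE-2010-0000: not listed in changelog"
fi
echo "release number of httpd-2.2.3-43.el5.centos: $(release_of httpd-2.2.3-43.el5.centos)"
```

On a CentOS host you would run `check_installed httpd CVE-xxxx-yyyy` with the ID the scanner flagged; a hit shows the scanner matched only on the "2.2.3" banner. The reverse is not proof of exposure: a CVE absent from the changelog means only that the changelog does not list it, so cross-check the vendor's errata before accepting or disputing a finding.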