PCI (Payment Card Industry) Compliance

  #1  dougster (Just Joined!, Oct 2009)


    All,

    I am working for a startup that is about to start working towards PCI (that's Payment Card Industry) compliance. It's all about the security... Being a small company with an operations team of TWO people, trying to become PCI certified is going to be pure hell on earth.

    We are currently using CentOS 5.4 on our servers, but there is a bit of a dilemma in that we may need to make frequent updates to packages.

    Given that the public RPM repositories are known to lag somewhat behind the most current version of various software, and the official CentOS repositories even more so, and the fact that we may need to update certain software to a version not currently available via an already built RPM, it would seem like we may be in for some tough times when it comes to meeting PCI software requirements.

    If we can obtain the source to packages, we can in theory build our own RPMs, but that should always be a last resort. It's time consuming and error prone since you have to understand how the software works, what its dependencies are, what it is doing etc. Actually, if you wanted to be completely anal about it, you could say that unless we got the RPM from CentOS itself, or built it ourselves from source, the package should not be trusted or used at all.

    So, I really don't know what the solution is here. Switch Linux distros? Pretty heavy handed approach. A source based distribution like Gentoo would be very up-to-date, but possibly less stable. It's also a complete bugger to install, since it's all done by hand, and everything is compiled on the system itself, not good for a production server. Given our resources, we can't afford to spend hours installing servers. Once again, if you wanted to be anal about it, you could say that we should be using a commercially supported Linux distribution like RHEL, since the RPMs come from a known authoritative source. I remember one of the PCI consultants we are using talking about checking the GPG signatures of the RPMs we install to verify their authenticity.

    Ideas????

    Doug.
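
The signature check the consultant mentioned, worked through as an added example (this script is not from the thread or from CentOS; it assumes the rpm and yum command-line tools as shipped with CentOS 5, and the trusted key ID is an assumption you must confirm out of band). The point it makes that a one-line `rpm -K` does not: an unsigned package still prints `OK`, and a package signed by the wrong key still verifies, so both the verdict and the signing key have to be checked, and every yum repository you enable has to have `gpgcheck=1` or the check never runs.

```shell
#!/bin/sh
# Added example (not from the thread): gate RPM installs on a PCI-scoped
# CentOS 5 host on what rpm itself reports about package signatures.
# Assumptions: rpm/yum CLI as shipped with CentOS 5; TRUSTED_KEYID is the
# short ID of the signing key you have verified out of band.

# Short (last 8 hex digits) ID of the signing key you trust. "e8562897" is
# what `rpm -q gpg-pubkey` shows for the stock CentOS-5 key, but treat it
# as an assumed placeholder: confirm the full fingerprint from a second
# source before relying on it.
TRUSTED_KEYID="${TRUSTED_KEYID:-e8562897}"

# Classify one line of `rpm -K pkg.rpm` output.
#   "...: (sha1) dsa sha1 md5 gpg OK"            -> signed-ok
#   "...: sha1 md5 OK"                           -> unsigned (digests only!)
#   "...: ... (GPG) NOT OK (MISSING KEYS: ...)"  -> bad
# An unsigned package still ends in "OK", which is why grepping for OK
# alone is not a signature check.
rpm_sig_verdict() {
    case "$1" in
        *"NOT OK"*)               echo bad ;;
        *" gpg OK"|*" pgp OK")    echo signed-ok ;;
        *" OK")                   echo unsigned ;;
        *)                        echo bad ;;
    esac
}

# Classify a package's signature header(s) against TRUSTED_KEYID.
# $1 is the output of:
#   rpm -qp --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}' pkg.rpm
# e.g. "(none) DSA/SHA1, <date>, Key ID <16 hex digits>". CentOS 5 stores
# DSA signatures in SIGGPG and RSA ones in SIGPGP, so both tags are queried.
rpm_key_verdict() {
    sig=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$TRUSTED_KEYID" | tr 'A-Z' 'a-z')
    case "$sig" in
        *"key id "*"$want")   echo trusted ;;    # signed by the expected key
        *"key id "*)          echo untrusted ;;  # signed, but by someone else
        *)                    echo unsigned ;;   # "(none) (none)" or garbage
    esac
}

# Full check of one .rpm file on disk: succeeds only when the signature
# verifies AND was made by the trusted key. Needs the rpm CLI.
check_rpm_file() {
    pkg=$1
    s=$(rpm_sig_verdict "$(rpm -K "$pkg" 2>&1)")
    k=$(rpm_key_verdict "$(rpm -qp --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}' "$pkg" 2>/dev/null)")
    printf '%s: signature=%s key=%s\n' "$pkg" "$s" "$k"
    [ "$s" = signed-ok ] && [ "$k" = trusted ]
}

# Audit a yum .repo file: print every [section] that does not set
# gpgcheck=1. A missing gpgcheck inherits from /etc/yum.conf, so it is
# reported here rather than silently trusted. Returns 1 if anything printed.
repo_gpgcheck_violations() {
    bad=$(awk '
        function flush() { if (sec != "" && !ok) print sec }
        /^[ \t]*\[[^]]+\]/ {
            flush(); sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); ok = 0; next
        }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { flush() }
    ' "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: sh rpm-gate.sh pkg1.rpm [pkg2.rpm ...]   (stops at the first reject)
# and:   repo_gpgcheck_violations /etc/yum.repos.d/CentOS-Base.repo
for pkg in "$@"; do
    check_rpm_file "$pkg" || exit 1
done
```

Run it against a downloaded package before `rpm -i`, and run the repo audit over every file in /etc/yum.repos.d as part of the build checklist; a third-party repository such as EPEL or DAG that passes the audit still only proves the package was signed by *that* project's key, so add its key ID to the trusted set deliberately rather than importing whatever key yum offers to fetch.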

  #2  Rubberman (Linux Guru)
    Since I don't know what is required (or forbidden) for PCI compliance, I really cannot say what's what in this regard. CentOS is highly regarded and if SELinux is enabled, it can (when properly configured) achieve federal government trusted system status. As for switching distros, I can only suggest that you won't be any better off doing that. So, what is it about updates and RPMs that is relevant to PCI compliance?
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  #3  dougster
    Thanks for the reply, but the question wasn't really about the security aspects of CentOS. It was about CentOS's ability to keep up-to-date with the latest software. For example, the latest version of openssh available is 5.5, while the latest version of openssh available via CentOS is 4.3 (which doesn't even support sftp chroot). I wasn't able to find a more recent version in the EPEL or DAG repositories either.

    Doug.

  #4  Rubberman
    Quote originally posted by dougster:
        Thanks for the reply, but the question wasn't really about the security aspects of CentOS. It was about CentOS's ability to keep up-to-date with the latest software. For example, the latest version of openssh available is 5.5, while the latest version of openssh available via CentOS is 4.3 (which doesn't even support sftp chroot). I wasn't able to find a more recent version in the EPEL or DAG repositories either.
    So, please be more specific about what your concerns are in this regard. Reading between the lines, it seems to me that you are concerned about keeping packages that you install/build manually up-to-date? Or are there other issues with regard to PCI requirements?

  #5  dougster
    My specific concern is that CentOS built RPMs are not as up to date as PCI requires, and are in fact quite old in general. My concern is with not wanting to have to build a whole lot of RPMs myself, which is time consuming and error prone.

  #6  Rubberman
    Actually, you don't need to build the RPMs. You would get the latest stable source code from the package maintainers, usually by running svn or git against their source code repositories, or by downloading a zipped tarball with the sources that you expand and then build/install on your system. Building an RPM is preparing it for installation as pre-built binaries on other systems. However, if you are going to be installing the binaries on a bunch of systems that you might not have direct access to, then you would do the following steps.

    1. Download source
    2. Build source, resolving any library dependencies you find.
    3. Configure and build an RPM file with the binaries you built.

    As you have already realized, resolving these dependencies can cause other packages to break if you install shared libraries of the dependencies that are incompatible with other applications on the systems. To avoid that, you can build static versions of any libraries that you are dependent upon, and then build the applications themselves and link ONLY statically, so you don't have to deliver any shared libraries to the target systems, just the executable binaries. Naturally you will also have to do some serious testing in case kernel changes have affected the system calls being made. This brings into mind the thought that some of the newer versions may require newer kernels... So, now we are in the Linux version of DLL-Hell.

    So, what about going to a server version of a more up-to-date system, such as Ubuntu or Fedora?

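The three steps above (download source, build it, package it as an RPM), with the integrity checks a PCI assessor will ask about on the download step, as an added example that is not part of the thread and not any project's own tooling. It assumes you already hold the tarball, the SHA-256 the upstream project publishes for it, and optionally its detached PGP signature together with a keyring file holding the upstream key that you obtained separately from the tarball; nothing is fetched by the script.

```shell
#!/bin/sh
# Added example (not from the thread): verify an upstream source tarball
# before building an RPM from it. Assumes: the tarball is already on disk,
# the expected SHA-256 comes from the upstream project's published list,
# and (optionally) a detached .asc signature plus a keyring file that holds
# the upstream signing key, fetched from somewhere other than the tarball's
# own download location.

# SHA-256 of a file, using whichever tool this host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha256 "$1" | awk '{print $NF}'
    else return 1
    fi
}

# Succeeds only when $1 hashes to the pinned digest $2 (hex, any case).
pinned_digest_ok() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Verify detached signature $2 over $1 using only keyring $3. A private
# keyring keeps the upstream key from becoming trusted for anything else
# on the host. Returns 1 if gpg is missing or verification fails.
detached_sig_ok() {
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# Build an RPM from a verified tarball. `rpmbuild -ta` uses the .spec file
# the tarball itself carries; if the project ships none, copy the tarball
# into ~/rpmbuild/SOURCES and build your own spec with `rpmbuild -ba`.
build_from_verified_source() {
    tarball=$1; digest=$2; sig=${3:-}; keyring=${4:-}
    pinned_digest_ok "$tarball" "$digest" || { echo "digest mismatch: $tarball" >&2; return 1; }
    if [ -n "$sig" ]; then
        detached_sig_ok "$tarball" "$sig" "$keyring" || { echo "bad signature: $tarball" >&2; return 1; }
    fi
    rpmbuild -ta "$tarball"
}

# Usage: sh build-verified.sh pkg.tar.gz <sha256> [pkg.tar.gz.asc upstream-keyring.gpg]
if [ $# -ge 2 ]; then
    build_from_verified_source "$@"
fi
```

The digest alone only proves the download was not corrupted or swapped relative to the list you copied it from; if that list came from the same server as the tarball, an attacker who controls the server controls both. The detached signature checked against a key you obtained through a second channel is the check that actually ties the source to the upstream maintainers, which is the same property the CentOS GPG key gives you for binary RPMs.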
  #7  dougster
    Rubberman, these are production servers and installing any software directly from source is simply not an option.

    From my reading I was under the impression that Ubuntu and/or Fedora are no more up-to-date than CentOS.

    Doug.

  #8  Rubberman
    The current versions of Ubuntu and Fedora are as up-to-date as you can get in a mainstream distribution. Personally, I prefer Ubuntu over Fedora since Fedora is basically Red Hat's "test bed" for the latest in bleeding-edge stuff. Ubuntu is almost as current as Fedora, but it is intended to be used in real-world systems so I think that Canonical (the company that maintains Ubuntu) spends more resources on making sure that everything that their package manager provides is solid. For whatever it's worth (FWIW), I use both CentOS 5.4 (on my 8-core development workstation/server) and Ubuntu 9.04 (on my 3 laptops), so I can definitely say that Ubuntu is much more current with regard to the kernel and associated packages. So, the latest kernel on CentOS is 2.6.18, Ubuntu 9.04 is at 2.6.28 (the latest 10.04 is probably at 2.6.32 or thereabouts), and 9.04's ssh is at version 5.1, which while not the latest, is certainly stable.
