BuycPanel Blog


Monitoring PCI Compliance and Software Versions

Posted by Allura on 27 09 2019.


Introduction

Most PCI compliance scanning systems key on a software package's version range: any version inside a range known to contain a noted vulnerability is flagged. This article lists some of the well-known software packages reported to have known vulnerabilities, and explains how operating system developers use the backport process to patch a software package, so that a flagged version may in fact already be fixed.

Backporting

Backporting permits software vendors to modify only the software packages that are known to have a security vulnerability. Following this path avoids pulling in newer modules whose new features have not yet been tested by the developers.

Operating system developers often backport the updates to avoid the need to release a new version of the software package. For example, an operating system developer can combine OpenSSL 0.9.7c with a patch from OpenSSL 0.9.7d to create OpenSSL 0.9.7c-2. If a scan shows OpenSSL 0.9.7c-2 as vulnerable, one can inform the PCI compliance company and point them to the backported version. They can record one's software version and mark the finding as a false positive in the scan results.

OpenSSL

One has to follow these steps to check their OpenSSL installation.

Steps:

  1. Run the following command to find the OpenSSL package currently installed on one's system:

rpm -qa | grep openssl

  2. Run the following command to check the RPM changelog for vulnerability fixes included in that version (the package name is the one returned in step 1):

rpm -q --changelog openssl-0.9.8b-10.el5 | less

  3. The RPM changelog may list fixes for the CVEs that the PCI compliance scanning company requires. If the fixes appear there, one must inform the scanning company of the patched version and which CVEs it includes, so that they can mark the finding as a false positive.
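
The following is an added example, not part of the original post or of cPanel's own tooling: it matches the CVE IDs from a scan report against an RPM changelog so that the evidence for a false-positive dispute can be collected in one step. The changelog text and the CVE IDs (CVE-0000-000x) are constructed placeholders; on a real server the changelog comes from rpm -q --changelog <package>.

```shell
#!/bin/sh
# Added example (not from the original post). Checks which CVE IDs from a
# PCI scan report are mentioned as fixed in an RPM changelog.
# On a real server feed it live data, e.g.:
#   check_cves "$(rpm -q --changelog openssl)" CVE-YYYY-NNNN ...

# Constructed changelog text shaped like rpm -q --changelog output.
# The CVE IDs below are placeholders, not real vulnerabilities.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Packager <maint@example.invalid> - 0.9.8b-10
- fix CVE-0000-0001 (placeholder) in the handshake code
- backport the upstream fix for CVE-0000-0002 (placeholder)
* Mon Jun 02 2008 Example Packager <maint@example.invalid> - 0.9.8b-9
- rebuild'

# extract_cves: print the unique CVE IDs mentioned in changelog text on stdin.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# check_cves CHANGELOG_TEXT CVE...: for each CVE from the scan report print
# "fixed CVE-..." if the changelog mentions it, otherwise "unfixed CVE-...".
# Only the "fixed" lines are evidence to send to the scanning company;
# "unfixed" lines still need a package update.
check_cves() {
    changelog=$1; shift
    fixed=$(printf '%s\n' "$changelog" | extract_cves)
    for cve in "$@"; do
        if printf '%s\n' "$fixed" | grep -qx "$cve"; then
            echo "fixed $cve"
        else
            echo "unfixed $cve"
        fi
    done
}

# Example run against the constructed changelog.
check_cves "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003
```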

To adjust the server for PCI compliance, one must configure the SSLCipherSuite directive's value in the Global Configuration section of WHM's Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).

SSLCipherSuite

One can perform these steps if PCI compliance scans of port 443 do not pass and additional SSLCipherSuite entries exist in the /etc/apache2/conf/httpd.conf file:

Steps:

  1. Run the following command to check for additional SSLCipherSuite entries in the /etc/apache2/conf/httpd.conf file:

grep -i sslciphersuite /etc/apache2/conf/httpd.conf

  2. Run the following command to check the VirtualHosts:

grep sslciphersuite /var/cpanel/userdata/*/*_SSL

  3. If step 2 returns any results, run the following command to remove the existing SSLCipherSuite entries from each file it reported:

perl -pi -e 's{sslciphersuite:.*}{}ms;' path/to/file/from/step/2

  4. After removing the entries, run the following command to rebuild the configuration file:

/usr/local/cpanel/scripts/rebuildhttpdconf

  5. Run the following command to confirm that only one global SSLCipherSuite entry exists:

grep -i sslciphersuite /etc/apache2/conf/httpd.conf

  6. Once the existence of just one global entry is confirmed, run the following command to restart Apache:

/scripts/restartsrv_httpd

  7. Lastly, rescan port 443 for PCI compliance.

OpenSSH

The command rpm -qa | grep openssh shows the OpenSSH packages installed on the system. The output may resemble:

openssh-clients-5.3p1-94.el6.i686

openssh-server-5.3p1-94.el6.i686

openssh-5.3p1-94.el6.i686

If OpenSSH package 6.6.1p1-35.el7_3 is already installed on the server, the output will resemble:

openssh-6.6.1p1-35.el7_3.x86_64

openssh-server-6.6.1p1-35.el7_3.x86_64

openssh-clients-6.6.1p1-35.el7_3.x86_64

Conclusion

This article reviewed the processes and steps behind monitoring PCI compliance and software versions: checking which package is actually installed on the system, confirming from its changelog which fixes it already carries, and reporting backported fixes to the scanning company as false positives.