Provisioning and hardening Ubuntu 9.10 for PCI DSS

Learn how to secure your Ubuntu 9.10 Linux servers in compliance with the Payment Card Industry's Data Security Standard (PCI DSS). Start with how to meet the minimal services requirement on a new install and move on to identifying existing services and setting up data encryption.

Companies that conduct credit card transactions through their servers must comply with the Payment Card Industry's Data Security Standard (PCI DSS). This standard has many implications for system administrators, but one of the most critical is the requirement to secure individual systems. More specifically, systems must be hardened by turning off default configuration parameters and unneeded services, credit card data must be protected, and vulnerabilities must be removed from systems.

The PCI DSS is mandated by the major credit card companies, including Visa and MasterCard. The PCI Security Standards Council was established to unify the approach to securing payment card information, so that companies meet one common standard rather than each card brand's own.

This article provides some high-level steps to carry out on Ubuntu systems. The specific examples are for Ubuntu 9.10.

Meeting the PCI DSS minimum services requirement on Ubuntu 9.10
Requirement 2.2.2 of the PCI DSS requires: "Disable all unnecessary and insecure services and protocols…"

This requirement covers part of the basic concept of hardening systems. Removing unneeded and insecure protocols eliminates many points of exposure that could otherwise go unnoticed until the system is compromised.

With Ubuntu, meeting the minimum services requirement starts at installation time by ensuring that only the software necessary for the system's role is installed. (An "install it all" approach to make administration easy will ensure never-ending issues with PCI DSS and system patching.)

On the first install screen, ensure that the Install Ubuntu Server option is chosen unless the particular system is part of a cloud computing cluster.

Later during the install you should also choose the bare minimum of software necessary for the system.

For example, if the server is going to function as DNS then only DNS should be chosen. This minimum approach meets the aforementioned 2.2.2 requirement and also helps ensure requirement 2.2.1 "Implement only one primary function per server."

This not only helps meet the PCI DSS requirements, it also means there are fewer subsystems on the system to patch. Using this minimal approach makes Ubuntu one of the easier distributions to make PCI compliant from a services approach.

For systems that were not deployed using a minimum approach, or for multifunction systems that are being made single purpose to support PCI, you may need to disable services and keep them from starting at boot time.

To stop a service, identify its startup script in the appropriate rc runlevel directory. For this example we will assume the service is Apache and that its script is located in /etc/rc3.d.

To stop Apache execute:

# /etc/rc3.d/S91apache2 stop

Then to remove it from the System V startup process:

# update-rc.d -f apache2 remove

Note: the -f forces removal of the runlevel links even though /etc/init.d/apache2 still exists. This means the service can quickly be started again in an emergency; ultimately the apache2 init script and the actual Apache packages should be removed.
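As an added example (not from the article), the POSIX sh functions below audit which services are still linked into runlevels 2-5 and flag any that are not on an allowlist for the server's single function; the allowlist, the function names and the rc tree built by make_demo_tree are constructed for the demo so it runs offline.

```shell
#!/bin/sh
# Added example: find services SysV still starts at boot and compare them with
# the daemons a single-function server (requirement 2.2.1) is expected to run.
# $1 is the filesystem root to inspect: / on a live host, a constructed tree here.

rc_enabled_services() {           # $1 = root; prints unique service names
    root=$1
    for link in "$root"/etc/rc[2-5].d/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        # S91apache2 -> /etc/init.d/apache2 -> "apache2"
        basename "$(readlink "$link" || echo "$link")"
    done | sort -u
}

rc_unexpected_services() {        # $1 = root; $2.. = allowed service names
    root=$1; shift
    allowed=" $* "
    for svc in $(rc_enabled_services "$root"); do
        case "$allowed" in
            *" $svc "*) ;;        # expected for this server's role
            *) echo "$svc" ;;     # candidate for: stop, then update-rc.d -f <svc> remove
        esac
    done
}

# Constructed demo tree: a DNS server that still has Apache start links.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d" "$root/etc/rc3.d"
    for svc in bind9 apache2 ssh; do
        : > "$root/etc/init.d/$svc"
        ln -s "/etc/init.d/$svc" "$root/etc/rc2.d/S20$svc"
    done
    ln -s /etc/init.d/apache2 "$root/etc/rc3.d/S91apache2"
    echo "$root"
}
```

Running `rc_unexpected_services / bind9 ssh` on a live DNS host lists whatever else is still enabled at boot.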

Identifying services on Ubuntu 9.10
On existing systems, a review can be carried out to determine what services are listening and on what port. This review can be carried out on the local system with:

# netstat -l

and remotely, from another system, using nmap:

# nmap 192.168.1.1

Encrypt the data
Encryption of cardholder information is critical for payment card systems, and most of the requirements of PCI DSS support this theme. A commonly allowed method of protecting the data is to encrypt it. Disk encryption is a viable option, with some limitations specified in 3.4.1: "If disk encryption is used…logical access must be managed independently of native operating system access control (for example, by not using local user account databases.)"

Ubuntu supports disk encryption at the volume layer and avoids relying on a local user account by requiring an independent pass phrase. Note: this pass phrase must be stored and safeguarded, because it is needed every time the system boots.

To encrypt the volumes, choose "Guided - use entire disk and set up encrypted LVM" during installation.

The installer will then prompt you to enter the pass phrase to be used for the encryption.

Use at least eight characters, a special character, and a number to decrease the likelihood the pass phrase could be guessed. Store the pass phrase securely with other disaster recovery information.

By removing unneeded services and software packages and using logical volume encryption, Ubuntu can be provisioned to pass PCI DSS with relatively little effort. Although a complete hardening of Ubuntu is normally carried out as part of a standard PCI DSS build, this article has provided the building blocks necessary to start down that path.

For additional information on the PCI DSS specification, check out the complete specification (free download).

ABOUT THE AUTHOR: Ronald McCarty is a freelance writer and consultant specializing in systems, network, and information security. He received his bachelor's degree in Computer and Information Systems at the University of Maryland's international campus at Schwaebisch Gmuend, Germany and his master's degree in Management with a specialization in information technology at Capella University. Ron's company, Your Net Guard offers IT consulting and integration services in the Dallas/Forth Worth area. He can be reached at mccarty@mcwrite.net.

This was first published in May 2010
