pci_compliance [2015/06/01 23:11] (current) – created - external edit 127.0.0.1
====== PCI Compliance ======

  * [[Apache]]
  * [[OpenSSL]]
  * [[Postfix]]

==== Firewall ====

=== Drop ICMP timestamp requests ===

<code>
# add to rc.firewall
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
# save iptables ruleset
# gentoo
/
</code>
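
The two DROP rules above only take effect if no earlier rule in the INPUT chain already accepts ICMP, because iptables stops at the first matching rule. The following added example (not from the original page) walks an iptables-save style ruleset with first-match semantics and reports the verdict for a given ICMP type. The rulesets are constructed samples, and the parser deliberately understands only `-p`, `-m`, `--icmp-type` and `-j`; any other match option makes the rule count as not matching plain ICMP, which is a conservative assumption.

```python
"""Added example: does an iptables INPUT chain really drop ICMP timestamp
requests and replies? iptables evaluates rules top to bottom and the first
match wins, so the two DROP rules from the page are shadowed by any earlier
'-A INPUT -p icmp -j ACCEPT'. Handles a small subset of iptables-save syntax."""
import re
import shlex

# ICMP type names and numeric codes; iptables-save usually writes the number.
ICMP_TYPES = {"echo-reply": 0, "echo-request": 8,
              "timestamp-request": 13, "timestamp-reply": 14}

# Constructed rulesets (not taken from any real host).
RULESET_HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same rules, but the blanket ICMP ACCEPT comes first and shadows the DROPs.
RULESET_SHADOWED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
COMMIT
"""


def _icmp_code(name):
    """Normalise 'timestamp-request' or '13' to the numeric ICMP type."""
    return int(name) if name.isdigit() else ICMP_TYPES.get(name, name)


def parse_chain(text, chain="INPUT"):
    """Return the '-A <chain>' rules in order as dicts. Match options this
    parser does not understand set 'other', and such rules are treated as
    not matching plain ICMP (assumption: better a false alarm than a miss)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A %s " % chain):
            continue
        args = shlex.split(line)[2:]
        rule = {"proto": None, "icmp_type": None, "target": None, "other": False}
        i = 0
        while i < len(args):
            opt = args[i]
            if opt in ("-p", "--protocol"):
                rule["proto"] = args[i + 1]
                i += 2
            elif opt == "--icmp-type":
                rule["icmp_type"] = _icmp_code(args[i + 1])
                i += 2
            elif opt in ("-j", "--jump"):
                rule["target"] = args[i + 1]
                i += 2
            elif opt in ("-m", "--match"):
                i += 2          # '-m icmp' loads a module, it adds no constraint
            else:
                rule["other"] = True
                i += 1
        rules.append(rule)
    return rules


def icmp_verdict(text, icmp_type="timestamp-request", chain="INPUT"):
    """Walk the chain top to bottom and return the target of the first rule
    that matches ICMP of the given type, or the chain policy if none does."""
    wanted = _icmp_code(icmp_type)
    for rule in parse_chain(text, chain):
        if rule["other"] or rule["target"] is None:
            continue
        if rule["proto"] not in (None, "icmp", "1"):
            continue
        if rule["icmp_type"] not in (None, wanted):
            continue
        return rule["target"]
    m = re.search(r"^:%s (\S+)" % chain, text, re.M)
    return m.group(1) if m else "ACCEPT"   # ACCEPT is the built-in default policy


if __name__ == "__main__":
    for name, rules in (("hardened", RULESET_HARDENED), ("shadowed", RULESET_SHADOWED)):
        print(name, icmp_verdict(rules), icmp_verdict(rules, "timestamp-reply"))
```

Run it against the output of `iptables-save` on the host being checked; a result of `ACCEPT` for `timestamp-request` means the DROP rule is either missing or placed after an accepting rule.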

==== Postfix ====

Disable SSLv2, SSLv3 and the VRFY command.

<code>
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high
</code>

and reload:

<code>
postfix reload
</code>

==== Apache ====

=== SSL ===

The SSL configuration will need to be changed from its default to support this configuration.

Change the protocols to use only SSLv3 and TLSv1.

Change the cipher suite to prefer RC4+RSA, then HIGH, then MEDIUM ciphers, and have the server, not the client, enforce that order.

<code>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "
</code>
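
The Postfix and Apache directives above use two different notations for the same thing (Postfix excludes with `!`, Apache with `-` after `all`), and it is easy to misread which protocols a line leaves on. The following added example, which is not part of the original page, computes the effective protocol set for both notations and audits a main.cf or httpd.conf fragment for SSLv2/SSLv3 still being enabled. The protocol universe (SSLv2 through TLSv1.2) is an assumption matching an OpenSSL build of the page's era, the Apache parsing is a simplified model of mod_ssl's rules, and the sample configurations are constructed.

```python
"""Added example: which protocols does a TLS directive actually leave enabled?
Covers Apache 'SSLProtocol' and Postfix 'smtpd_tls_mandatory_protocols'."""
import re

# Assumption: protocol universe of an OpenSSL build from the page's era.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3"}            # what the page's directives are meant to remove
_CANON = {p.lower(): p for p in PROTOCOLS}


def canon(name):
    """Map a case-insensitive protocol name to its canonical spelling."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError("unknown protocol name: %r" % name)


def apache_ssl_protocols(directive):
    """Protocols enabled by an Apache 'SSLProtocol ...' line.
    Simplified model of mod_ssl: 'all' expands to the whole universe, '-X'
    removes X, '+X' or a bare X adds X, evaluated left to right from the
    empty set (so 'SSLProtocol TLSv1.2' enables only TLSv1.2)."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        names = set(PROTOCOLS) if name.lower() == "all" else {canon(name)}
        enabled = enabled - names if remove else enabled | names
    return enabled


def postfix_tls_protocols(value):
    """Protocols enabled by a Postfix smtpd_tls_mandatory_protocols value.
    Names prefixed with '!' are excluded; if no name is listed without '!',
    every protocol not excluded is enabled. Separators: comma, space, colon."""
    included, excluded = set(), set()
    for tok in re.split(r"[,\s:]+", value.strip()):
        if not tok:
            continue
        if tok.startswith("!"):
            excluded.add(canon(tok[1:]))
        else:
            included.add(canon(tok))
    base = included if included else set(PROTOCOLS)
    return base - excluded


def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value' lines and '#' comments; no
    continuation lines (assumption that holds for the page's snippet)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        params[key.strip()] = val.strip()
    return params


def audit_postfix(main_cf):
    """Findings for the page's Postfix settings; empty list when they hold."""
    p = parse_main_cf(main_cf)
    findings = []
    if p.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY still answered: set disable_vrfy_command = yes")
    protos = p.get("smtpd_tls_mandatory_protocols")
    if protos is None:
        findings.append("smtpd_tls_mandatory_protocols not set")
    else:
        legacy = postfix_tls_protocols(protos) & LEGACY
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    return findings


def audit_apache(conf):
    """Findings for every SSLProtocol line in an Apache configuration text."""
    findings = []
    for line in conf.splitlines():
        line = line.strip()
        if line.lower().startswith("sslprotocol"):
            legacy = apache_ssl_protocols(line) & LEGACY
            if legacy:
                findings.append("%s -> enables %s" % (line, ", ".join(sorted(legacy))))
    return findings


# Constructed sample configurations (not from any real host).
MAIN_CF_HARDENED = """\
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high
"""
MAIN_CF_WEAK = "smtpd_tls_mandatory_protocols = SSLv3, TLSv1\n"

if __name__ == "__main__":
    print(sorted(apache_ssl_protocols("SSLProtocol all -SSLv2 -SSLv3")))
    print(audit_postfix(MAIN_CF_HARDENED), audit_postfix(MAIN_CF_WEAK))
```

Feeding the page's own `SSLProtocol all -SSLv2 -SSLv3` line to `apache_ssl_protocols` returns only the TLS versions, which is the set a client will be offered regardless of how the accompanying prose is read.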

=== ETag ===

Disable ETag support completely:

<code>
FileETag None
</code>

=== HTTP Authorization ===

Disable ''

**Ubuntu**:

<code>
a2dismod auth_basic
a2enmod auth_digest
</code>