PCI compliance is largely related to what PCI level your client is at. That
level is related to how much money they move each year.

SELinux (or AppArmor) is good. Some sort of MDAC on your machines that
handle PIF is a good thing, but as you noted, it won't protect you from
social hacks, just from the chaff spewed on the internet by C2 servers and
their botnets.

If you don't find it too onerous, encrypt the swap and the filesystem. Be
aware of the dangers of this before you start and plan for them. Have
safe-houses your client plans and pays for that store the relevant
information. Use M-Disks to store it? And encrypted drives. You'll know
what to do once you explore the dangers of encrypted filesystems, and your
client will produce locations.

As far as AV... hmmm... I would go with 3 engines of your choice, one of
which should be ClamAV. I would go with Frisk/F-Prot as the next (they're
not expensive). And then maybe Sophos if your clients have the cash to
spend. What you're largely looking at from the AV scanners is that they
protect the people visiting your site. Unless you're doing something with
the DoD and then you will have different requirements.

The next place to look (or the first even) will be an active daily scanner
for your external reporting. If you're dealing with a Merchant Bank /
Acquiring Bank, use theirs as that will be least expensive. Otherwise...
HackerSafe/McAfee is a reasonable choice as it is automated and you don't
have to deal with people very often; they're owned by Intel so they're not
going to dry up and blow away, which is a plus. You should be doing their
job beforehand using Nessus/something else. Your external scanner will give
you a badge to display. Basically, the scanning company will run a port and
vulnerability scan and then offer you remediation recommendations and
requirements. If you don't solve your problems, you lose their seal on your
site.

Every year you will need to forward PDF reports from the company you
contract to scan you to your merchant bank and any other parties that
require PCI compliance. It's not a big thing, but something that must be
done, and you will need to find the contact information for the people
involved and make your client aware that they need to pay attention to it
and keep track of any change in contacts after your contract expires.
Remember to charge for the time you spend on this. Contractors often forget
to charge for doing small things, and so they don't get done. Make a point
to charge your client and provide the information they need to keep doing
business.

This is likely more than you wanted.

On Tue, Jan 21, 2014 at 12:39 AM, ToddAndMargo <toddandma...@zoho.com> wrote:

> Hi All,
>
>    I am in the thinking phase of a new server for
> a customer.  The server needs to be PCI Compliant
> (credit card security).  PCI is really a huge
> paper chase and although it adds a lot of good
> practices, it doesn't really address the human
> factor like it should, which is where most of the
> breaches come these days.
>
>    I was going to suffer with SE Linux left on.
> Samba with SE Linux: I will say a few blue
> words before it is over.  :'(
>
>    I have the File Integrity Software picked out
> (CimTrak) as I have used it in the Windows Arena
> and like how it works.  And the sales and tech support
> is astounding.
>
>    What I have yet to pick out is an Antivirus (AV).
> It is part of the paper chase.  Looking over at
>
>    http://chart.av-comparatives.org/chart1.php
>
> I am not seeing ClamAV.  I know Kaspersky has one,
> but the last time I tried it, it was a mess.
> Any thoughts on an AV?
>
>   If you look at the chart, no one did worse than
> M$ Security Essentials in December.  Chuckle.
>
> Many thanks,
> -T
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
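The reply above suggests three AV engines with ClamAV among them; the aggregator below is an added example (not code from either poster) of how to combine their verdicts so that a disagreement or a failed engine never passes a file as clean. ClamAV's documented clamscan exit codes (0 clean, 1 infected, 2 error) are real; the other two engine entries, their paths and exit codes, and the `stub_engine` helper used to exercise it offline are assumptions.

```python
import subprocess
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Engine:
    name: str
    argv: tuple          # command template; the file path is appended
    infected: frozenset  # exit codes meaning "malware found"
    clean: frozenset     # exit codes meaning "nothing found"

# clamscan's documented exit codes are 0 clean, 1 infected, 2 error.
# The other two entries are placeholders: paths and codes are assumed.
ENGINES = (
    Engine("clamav", ("clamscan", "--no-summary"), frozenset({1}), frozenset({0})),
    Engine("engine-b", ("/opt/example/engine-b", "--scan"), frozenset({1}), frozenset({0})),
    Engine("engine-c", ("/opt/example/engine-c",), frozenset({1}), frozenset({0})),
)

def run_engine(engine, path):
    """Return 'infected', 'clean' or 'error' for one engine on one file."""
    try:
        rc = subprocess.run(list(engine.argv) + [path], capture_output=True,
                            timeout=120).returncode
    except (OSError, subprocess.TimeoutExpired):
        return "error"  # a missing binary or a hang is never reported as clean
    if rc in engine.infected:
        return "infected"
    if rc in engine.clean:
        return "clean"
    return "error"  # any other code (e.g. clamscan's 2) is "no result"

def combine(verdicts):
    """Any 'infected' wins; a missing result means review; unanimous 'clean' releases."""
    results = set(verdicts.values())
    if "infected" in results:
        return "quarantine"
    if results == {"clean"}:
        return "release"
    return "review"

def scan_file(path, engines=ENGINES):
    """Return (decision, per-engine verdicts) for one file."""
    verdicts = {e.name: run_engine(e, path) for e in engines}
    return combine(verdicts), verdicts

def stub_engine(name, exit_code):
    """Constructed stand-in that exits with a fixed code, for offline testing."""
    return Engine(name, (sys.executable, "-c", f"raise SystemExit({exit_code})"),
                  frozenset({1}), frozenset({0}))
```

Swap the placeholder entries for the real engines' commands and exit-code conventions before use; the `review` outcome is where a person looks at files the engines could not agree on or could not scan.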
