PCI DSS* - where Open Source should have an advantage.

PCI DSS = Payment Card Industry Data Security System.

Over the past few weeks and months I've been helping to develop a PCI DSS System for a client. It's been quite a feat as there are quite a few integrity checks, tripwire monitors to set up and automate - as well as having the services that are running audited for secure protocols - and policies in place to make sure that any holes are patched and recorded properly. It's been quite a big learning experience for me - not only in the technological challenges, but the managerial "nuances" of passing an audit.

Standards

The first thing is that the PCI requirements are the same across all companies that handle/store credit card data. There are 12 main requirements, each of them having sub-requirements which go into more specific detail. Things like password policies and log retention periods are stated. It's hardly environmentally friendly either - as at least two (if not three) different physical servers are needed to fulfil the requirements - and for backup purposes that doubles if you're going to have failover redundancy.

Security by Obscurity

One of the biggest pains I had with the PCI DSS implementation was that there wasn't much guidance or howtos on how other people had secured their PCI systems. Well it's not too surprising really - if your securing a system you're hardly going to want to publish details about how you've done it. However, security by obscurity is as good as none when someone finally breaks the obscurity.

Together we prevail, divided we fall.

I would argue that this should be a motto of every open source group functioning. It would save so much time and money if, for example, Red Hat were to provide a "PCI compliant" authentication server and webserver cluster. Imagine setting up two servers and running:

rpm -ivh dbserver

rpm -ivh wwwserver

It'd save a whole lot of time and effort on the part of an individual systems administrator.

However, it doesn't need a behemoth like Red Hat or someone to do this - it needs a few people working together to set up their own repository - and have some incentive for doing it. It doesn't have to even be the packages - it could just be documentation for now. An anonymous library of PCI documentation could save administrators alot of time.

I've posted some of my howtos on the blog for the last couple of months related to OpenLDAP. This is an integral part of any GNU/Linux PCI system, in my opinion, as monitoring user activity/authentication is central to passing the audit. No shared passwords and well managed users must be stored in a single directory. OpenLDAP is made for this purpose.

I'll hopefully be releasing more documentation as time progresses. If you have been through a PCI audit recently - and would also like to help out your fellow Open Source Administrators - don't hesitate to post me some of your documentation. I'll set up a wiki if I start getting lots of it through.