How to achieve PCI DSS compliance with FreeBSD

I - Introduction

This HOWTO provides solutions and ideas for achieving PCI DSS compliance on a FreeBSD system, measured against PCI DSS Standard 3.0.

Please note that this HOWTO is NOT COMPLETE and probably never will be. Nevertheless it might be helpful for you anyway, as we update this HOWTO on a regular basis.

II - PCI DSS Requirements

The section numbers correspond to the requirement numbers of the PCI DSS standard mentioned above.

2.2.1) One function per server

Run only one function per server. For example, if your host is a web server, install only web server software, not databases or FTP servers.

4.4) Centralized Logging

To have centralized logging, activate remote syslogging by adding the following line to /etc/syslog.conf (it forwards every facility and level to the host named remoteloghost):

*.*    @remoteloghost

5.1) Anti-Malware / Anti-Virus

Install one or more malware detection tools from the FreeBSD Ports:

Port name        Directory
Clam Antivirus   /usr/ports/security/clamav
Rootkit Hunter   /usr/ports/security/rkhunter
Spybye           /usr/ports/security/spybye

6.1) Time window for security updates

You must install critical vendor security patches within 30 days.

  • Subscribe to the FreeBSD advisories and security mailing lists listed on the FreeBSD Security Information website.
  • Install /usr/ports/ports-mgmt/portaudit and act on the reports it produces whenever one of your installed ports needs an update.

8.5.15) Automatic logouts

You must log out idle users after 15 minutes. Do so by adding the following line to /etc/csh.cshrc (this covers csh/tcsh sessions; users of other shells need an equivalent idle timeout in that shell's configuration):

set -r autologout=15
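
As an added example that is not part of the original HOWTO, the following POSIX shell script checks a host for the two settings from sections 4.4 and 8.5.15 (remote syslog forwarding and the csh autologout). The file paths it reads and the sample file contents in the demo are constructed for illustration; on a real host, point the checks at /etc/syslog.conf and /etc/csh.cshrc.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: a small self-check for
# the two settings described above (remote syslog, csh autologout).
# The functions take file paths so they can be run against constructed
# copies; on a real host point them at /etc/syslog.conf and /etc/csh.cshrc.

# check_remote_syslog FILE
# Succeeds if FILE contains a "*.*  @host" line, i.e. every facility and
# level is forwarded to a remote loghost (requirement 4.4).
check_remote_syslog() {
    grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@' "$1"
}

# check_autologout FILE MAX
# Succeeds if the last "set [-r] autologout=N" line in FILE sets N to at
# most MAX minutes (requirement 8.5.15 asks for 15).
check_autologout() {
    val=$(sed -nE 's/^[[:space:]]*set[[:space:]]+(-r[[:space:]]+)?autologout[[:space:]]*=[[:space:]]*([0-9]+).*/\2/p' "$1" | tail -n 1)
    [ -n "$val" ] && [ "$val" -le "$2" ]
}

# run_checks SYSLOG_CONF CSH_CSHRC
# Prints one PASS/FAIL line per check and returns the number of failures.
run_checks() {
    failed=0
    if check_remote_syslog "$1"; then
        echo "PASS 4.4    remote syslog forwarding found in $1"
    else
        echo "FAIL 4.4    no '*.* @host' line in $1"; failed=$((failed + 1))
    fi
    if check_autologout "$2" 15; then
        echo "PASS 8.5.15 autologout is 15 minutes or less in $2"
    else
        echo "FAIL 8.5.15 autologout missing or above 15 minutes in $2"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Demo on constructed sample files (not a real host's configuration).
demo_dir=$(mktemp -d)
printf '*.err;kern.warning;auth.notice\t/dev/console\n*.*\t@remoteloghost\n' > "$demo_dir/syslog.conf"
printf 'set -r autologout=15\n' > "$demo_dir/csh.cshrc"
run_checks "$demo_dir/syslog.conf" "$demo_dir/csh.cshrc"
rm -rf "$demo_dir"
```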

11.4) Intrusion detection

Install an intrusion detection/prevention system from the FreeBSD Ports:

Port name   Directory
bsmtrace    /usr/ports/security/bsmtrace
Snort       /usr/ports/security/snort

III - Feedback

Your feedback on this HOWTO is highly encouraged. What did you like, and what did you not like? Are there any additions we could put in our list? Thank you for helping.