Achieve PCI DSS compliance with FreeBSD

I - Introduction

This HOWTO provides solutions and ideas for achieving compliance with PCI DSS Standard 3.0 on a FreeBSD system.

Please note that this HOWTO is NOT COMPLETE and probably never will be. Nevertheless, it may still be helpful to you, as we update this HOWTO on a regular basis.

II - PCI DSS Requirements

Numbers correspond to the PCI DSS standard mentioned above.

2.2.1) One function per server

Have only one function per server. For example, if your server is a webserver, install only webserver software, not databases or FTP servers.

4.4) Centralized Logging

To have centralized logging, activate remote syslogging in /etc/syslog.conf:
*.*    @remoteloghost

5.1) Anti-Malware / Anti-Virus

Install one or more malware detection tools from the FreeBSD Ports:
Port name        Directory
Clam Antivirus   /usr/ports/security/clamav
Rootkit Hunter   /usr/ports/security/rkhunter
Spybye           /usr/ports/security/spybye

6.1) Time window for security updates

You must install vendor critical security patches within 30 days.
  • Subscribe to the FreeBSD advisories and security mailing lists listed at the FreeBSD Security Information website.
  • Install /usr/ports/ports-mgmt/portaudit and review the logs it produces to see whether your ports need an update.

8.5.15) Automatic logouts

You must log out idle users after 15 minutes. To do so, add the following line to your /etc/csh.cshrc:
set -r autologout=15
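
The two settings above (remote syslog forwarding from 4.4 and the read-only autologout from 8.5.15) can be verified with a small script. This is an added example, not part of the original HOWTO; the function names are hypothetical and the sample files are constructed. Pass copies of your own syslog configuration and csh.cshrc to the functions to check a real host.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check the remote-logging and autologout
# settings. Function names are hypothetical; sample files are constructed.

# Print the remote host that receives all messages ("*.*  @host") in a
# syslog configuration FILE; return 1 if no such line exists.
remote_syslog_host() {
    awk '
        $1 ~ /^#/ { next }                      # comment line
        $1 == "*.*" && $2 ~ /^@./ { print substr($2, 2); found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the state of autologout in a csh.cshrc-style FILE:
#   ok            read-only (set -r) and between 1 and 15 minutes
#   writable      set without -r, so a user can change or unset it
#   out-of-range  value outside 1..15
#   missing       no autologout assignment found
autologout_status() {
    awk -v max=15 '
        $1 ~ /^#/ { next }
        $1 == "set" {
            ro = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-r") ro = 1
                if ($i ~ /^autologout=[0-9]+$/) {
                    n = substr($i, 12) + 0      # text after "autologout="
                    state = (n < 1 || n > max) ? "out-of-range" : (ro ? "ok" : "writable")
                }
            }
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Demo on constructed sample files.
demo=$(mktemp -d)
printf '# constructed sample\n*.err\t/var/log/err.log\n*.*\t@remoteloghost\n' > "$demo/syslog.conf"
printf '# constructed sample\nset -r autologout=15\n' > "$demo/csh.cshrc"
echo "remote log host: $(remote_syslog_host "$demo/syslog.conf" || echo none)"
echo "autologout:      $(autologout_status "$demo/csh.cshrc")"
rm -rf "$demo"
```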

11.4) Intrusion detection

Install an intrusion detection/prevention system from the FreeBSD Ports:

Port name   Directory
bsmtrace    /usr/ports/security/bsmtrace
Snort       /usr/ports/security/snort

III - Feedback

Your feedback on this HOWTO is highly encouraged. What did you like, and what did you not like? Are there any additions we can put on our list? Thank you for helping.

About the author

Felix Ehlers has worked in IT security for over 10 years. He began as a software and SQL developer, then quickly moved to Linux/FreeBSD host administration and finally to IT security. He loves to work with FreeBSD systems and open source software where feasible.