GDPR Compliance: Technical Requirements for Linux Systems

GDPR for Linux systems What is GDPR? GDPR or General Data Protection Regulation is a regulation to protect personal data from citizens of the European Union (EU). When speaking about stored data, it includes the handling of data at any given time, from the initial creation of the data, until the final deletion of it. One of the important parts is the right to ‘know’. That means that individuals can ask what data is stored about them. Another request they may make is […]

Read more

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

If you work for a company which accepts, processes, or stores credit card details, you might be familiar with the PCI Data Security Standard (DSS). The standard itself is very detailed. Still, it sometimes unclear on what specifically to implement and when. This guide will help with translating the PCI standard to technical security controls on Linux systems. This document has the goal to help you further secure your network and pass the PCI DSS audit. It is important to […]

Read more

SOx compliance and Enron: The Smartest Guys in the Room

Enron: The Smartest Guys in the Room If you are involved with Linux security, you might already have come across SOx compliance. Usually from a sysadmins point of view, work doesn’t get easier due to these compliance requirements. Still there are some lessons we can learn, followed by a great documentary to watch about Enron. The Sabanes-Oxley Act, SOx for short, now applies to all companies who like to have their stock exchanged at the New York stock exchange (NYSE). The […]

Read more

PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7)

PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7) Some areas are within the PCI standard are definitely not directly clear when reading the description. Section 10.2.7 is one of them. It talks about the creation and deletion of system-level objects and specifically the ability to log them. System-level objects? The guidance in 10.2.7 speaks about malware and mentions database related items. That does not make auditing very obvious, as malware usually targets binaries. Therefore we have to […]

Read more

PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4) PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins. To monitor for invalid access attempts, we can use the Linux audit framework. This framework has been created and maintained by Red Hat […]

Read more

PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

PCI DSS: Logging of administrative actions with root privileges Companies who need to comply with the PCI DSS standard need to log all actions which are executed by the root user, or similar administrative privileges. 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged. The Linux kernel allows to monitor commands. By configuring the Linux audit framework, we can monitor the right system calls and create an audit trail. Configure logging To capture executed […]

Read more

PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

No write access to shared system binaries A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used there are several directories which […]

Read more

PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

PCI DSS (v3) Linux: Auditing application processes (A.1.2.a) A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin). For Unix and Linux based systems, processes should run as a non-privileged user where possible. However to be able to start, a process is usually started with root permissions (uid 0). This is required to open the required sockets (e.g. bind to port 80). After the initial start, the process drops its privileges by switching to another […]

Read more

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Restrict log file viewing A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which […]

Read more

Linux server security: Three steps to secure each system

Linux server security: Three steps to secure each system Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the […]

Read more