
PCI Compliance & Centmin Mod

Discussion in 'Centmin Mod Insights' started by Vinayak, Jun 1, 2017.

  1. Vinayak

    Vinayak New Member

    3
    2
    3
    May 27, 2014
    Ratings:
    +2
    Local Time:
    7:59 PM
    Was wondering whether Centmin Mod is PCI DSS compliant or will need extra patching and steps to pass the PCI DSS compliance scan.

     
  2. eva2000

    eva2000 Administrator Staff Member

    53,149
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    12:29 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Pretty sure Centmin Mod isn't PCI DSS compliant as I don't know the *exact* specifics for their requirements off the top of my head.

    Payment Card Industry Data Security Standard - Wikipedia
     
  3. eva2000

    https://www.pcicomplianceguide.org/pci-faqs-2/

     
  4. eva2000

    and https://www.pcicomplianceguide.org/pci-myths/

    hmm eye opener
     
  5. eva2000

    PCI DSS: Make PCI Compliance a Priority- PayPal Australia

     
  6. eva2000

    12 Step PCI DSS Requirements Checklist

     
  7. eva2000

    For Centmin Mod
    Though installing isn't really enough, you need to understand CSF Firewall, fail2ban and maldet and auditd usage and logs etc.

    12 Step PCI DSS Requirements Checklist
     
  8. eva2000

    no idea of validity of the PCI DSS scan at http://checkpcidss.com/centminmod.com/


    PCI Scanning FAQs | 1 Stop PCI Scan

    there's both internal and external scanning If I Get A Passing PCI Scan, Does That Mean I Am Compliant? | 1 Stop PCI Scan + penetration/intrusion testing

     
    Last edited: Jun 1, 2017
  9. Vinayak

    Love your passion & dedication towards your work.
     
  10. ljseals

    ljseals Member

    101
    24
    18
    Dec 20, 2016
    Ratings:
    +46
    Local Time:
    9:29 AM
    While I have not totally implemented it, another provider has used https://github.com/wazuh/wazuh which is the (OSSEC) + ELK 5.3.0 STACK for PCI DSS compliance. It is an open source host and endpoint security....

    As I said, I have not researched it yet as I am not at the point in my implementation, but taking the script: Magento-Automated-Server-Configuration-from-MagenX/MASC-M-7-v2.sh at master · magenx/Magento-Automated-Server-Configuration-from-MagenX · GitHub. This is their setup; I have just taken the scripted part for their setup.

    Code:
    ###################################################################################
    #                          INSTALLING OSSEC ELK STACK                             #
    ###################################################################################
    "ossec")
    WHITETXT "============================================================================="
    echo
    GREENTXT "INSTALLATION OF WAZUH 2.0 (OSSEC) + ELK 5.3.0 STACK:"
    echo
    GREENTXT "INSTALLATION OF WAZUH MANAGER"
    cat > /etc/yum.repos.d/wazuh.repo <<END
    [wazuh_repo]
    name=CentOS-\$releasever - Wazuh
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    gpgcheck=1
    baseurl=https://packages.wazuh.com/yum/el/7/x86_64
    protect=1
    END
    yum -y -q install wazuh-manager
    echo
    GREENTXT "INSTALLATION OF WAZUH API + NODEJS"
    curl --silent --location https://rpm.nodesource.com/setup_6.x | bash >/dev/null 2>&1
    yum -y -q install nodejs
    yum -y -q install wazuh-api
    echo
    GREENTXT "INSTALLATION OF JAVA 8 JDK RPM:"
    cd /usr/local/src
    wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.rpm"
    yum -y -q localinstall jdk-8u121-linux-x64.rpm
    export JAVA_HOME=/usr/java/jdk1.8.0_121/jre
    # Append rather than overwrite, so the rest of /etc/profile is kept
    echo "export JAVA_HOME=/usr/java/jdk1.8.0_121/jre" >> /etc/profile
    echo
    echo
    GREENTXT "INSTALLATION OF ELASTICSEARCH:"
    echo
    cat > /etc/yum.repos.d/elasticsearch.repo <<END
    [elastic-5.x]
    name=Elastic repository for 5.x packages
    baseurl=https://artifacts.elastic.co/packages/5.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    END
    echo
    yum -y -q install elasticsearch-5.3.0 >/dev/null 2>&1
    echo
    sed -i "s/.*cluster.name.*/cluster.name: wazuh/" /etc/elasticsearch/elasticsearch.yml
    sed -i "s/.*node.name.*/node.name: wazuh-node1/" /etc/elasticsearch/elasticsearch.yml
    sed -i "s/.*network.host.*/network.host: 127.0.0.1/" /etc/elasticsearch/elasticsearch.yml
    sed -i "s/.*http.port.*/http.port: 9200/" /etc/elasticsearch/elasticsearch.yml
    sed -i "s/-Xms2g/-Xms512m/" /etc/elasticsearch/jvm.options
    sed -i "s/-Xmx2g/-Xmx512m/" /etc/elasticsearch/jvm.options
    chown -R :elasticsearch /etc/elasticsearch/*
    systemctl daemon-reload
    systemctl enable elasticsearch.service
    systemctl restart elasticsearch.service
    echo
    echo
    sleep 15
    GREENTXT "INSTALLATION OF PACKETBEAT:"
    yum -y -q install packetbeat-5.3.0
    chkconfig --add packetbeat
    /etc/init.d/packetbeat restart
    /usr/share/packetbeat/scripts/import_dashboards
    echo
    echo
    GREENTXT "INSTALLATION OF LOGSTASH:"
    yum -y -q install logstash-5.3.0
    curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/logstash/01-wazuh.conf
    curl -so /etc/logstash/wazuh-elastic5-template.json https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/wazuh-elastic5-template.json
    usermod -a -G ossec logstash
    sed -i "1,11d" /etc/logstash/conf.d/01-wazuh.conf
    sed -i "/elastic2/d" /etc/logstash/conf.d/01-wazuh.conf
    sed -i "s/^#//g" /etc/logstash/conf.d/01-wazuh.conf
    systemctl daemon-reload
    systemctl enable logstash.service
    systemctl start logstash.service
    echo
    echo
    GREENTXT "INSTALLATION OF KIBANA:"
    yum -y -q install kibana-5.3.0
    /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip
    echo
    systemctl daemon-reload
    systemctl enable kibana.service
    systemctl restart kibana.service
    echo
    echo
    yum versionlock elasticsearch logstash kibana packetbeat wazuh-manager wazuh-api
    GREENTXT "OSSEC WAZUH API SETTINGS"
    sed -i 's/.*config.host.*/config.host = "127.0.0.1";/' /var/ossec/api/configuration/config.js
    echo
    MAGE_DOMAIN=$(awk '/webshop/ { print $2 }' /root/mascm/.mascm_index)
    KIBANA_PORT=$(shuf -i 10322-10539 -n 1)
    USER_IP=${SSH_CLIENT%% *}
    KIBANA_PASSWD=$(head -c 500 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 6 | head -n 1)
    WAZUH_API_PASSWD=$(head -c 500 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 6 | head -n 1)
    htpasswd -b -c /etc/nginx/.wazuh wazuh-web ${KIBANA_PASSWD}  >/dev/null 2>&1
    cd /var/ossec/api/configuration/auth
    htpasswd -b -c user wazuh-api ${WAZUH_API_PASSWD}  >/dev/null 2>&1
    systemctl restart wazuh-api
    cat > /etc/nginx/sites-available/kibana.conf <<END
    server {
      listen ${KIBANA_PORT} ssl http2;
      server_name           ${MAGE_DOMAIN};
      access_log            /var/log/nginx/access.log;
     
      ## SSL CONFIGURATION
        #ssl_certificate     /etc/letsencrypt/live/${MAGE_DOMAIN}/fullchain.pem;
        #ssl_certificate_key /etc/letsencrypt/live/${MAGE_DOMAIN}/privkey.pem;
       
        satisfy all;
        allow ${USER_IP}/32;
        deny  all;
        auth_basic  "blackhole";
        auth_basic_user_file .wazuh;
         
           location / {
                   proxy_pass http://127.0.0.1:5601;
           }
    }
    END
    echo
    cd /etc/nginx/sites-enabled/
    ln -s /etc/nginx/sites-available/kibana.conf kibana.conf
    service nginx reload
    echo
    YELLOWTXT "KIBANA WEB INTERFACE PORT: ${KIBANA_PORT}"
    YELLOWTXT "KIBANA HTTP AUTH: wazuh-web ${KIBANA_PASSWD}"
    echo
    YELLOWTXT "WAZUH API AUTH: wazuh-api ${WAZUH_API_PASSWD}"
    echo
    pause '---> Press [Enter] key to show menu'
    ;;
    "exit")
    REDTXT "------> EXIT"
    exit
    ;;
    However, I do not know if there is an easier way and exactly what this accomplishes and why it is needed. Prayerfully, I will implement something soon. God bless you!
     
    Last edited: Jun 2, 2017
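Added example, not part of the thread or of the MagenX script: a lint for the nginx vhost that the script above generates for Kibana, meant to be run before `service nginx reload`. It flags an `ssl` listener with no active certificate, a basic-auth file that does not exist, and an `allow` line left without an address when `${USER_IP}` is empty. The function names, finding labels, sample host, port and IP are constructed for illustration, and the nginx prefix is assumed to be /etc/nginx.

```shell
# Added example, not part of the posted script.
# lint_vhost FILE PREFIX: print one finding per line; no output means clean.
# PREFIX is the directory nginx resolves relative paths against (assumed /etc/nginx).
lint_vhost() (
  conf=$1 prefix=$2
  # 1. "listen ... ssl" while every ssl_certificate line is commented out.
  if grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl[[:space:];]' "$conf" &&
     ! grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$conf"; then
    echo "ssl-listen-without-certificate"
  fi
  # 2. auth_basic_user_file must name an existing, non-empty file.
  sed -n 's/^[[:space:]]*auth_basic_user_file[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" |
  while read -r f; do
    case $f in /*) path=$f ;; *) path=$prefix/$f ;; esac
    [ -s "$path" ] || echo "missing-htpasswd:$f"
  done
  # 3. An empty ${USER_IP} renders as "allow /32;", which is not an address.
  sed -n 's/^[[:space:]]*allow[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" |
  while read -r a; do
    echo "$a" | grep -Eq '^(all|([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?)$' ||
      echo "bad-allow:$a"
  done
)

# Constructed samples: a rendering with all three faults (broken.conf)
# and a corrected rendering (fixed.conf), plus a placeholder htpasswd file.
make_samples() {
  echo 'wazuh-web:constructed-placeholder' > "$1/.wazuh"
  cat > "$1/broken.conf" <<'EOF'
server {
  listen 10400 ssl http2;
  #ssl_certificate     /etc/letsencrypt/live/shop.example/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/shop.example/privkey.pem;
  satisfy all;
  allow /32;
  deny  all;
  auth_basic  "blackhole";
  auth_basic_user_file .ossec;
  location / { proxy_pass http://127.0.0.1:5601; }
}
EOF
  sed -e 's/#ssl_/ssl_/' -e 's#allow /32#allow 203.0.113.7/32#' \
      -e 's/\.ossec/.wazuh/' "$1/broken.conf" > "$1/fixed.conf"
}

d=$(mktemp -d); make_samples "$d"
for c in broken fixed; do echo "== $c.conf"; lint_vhost "$d/$c.conf" "$d"; done
rm -rf "$d"
```

`nginx -t` remains the authoritative syntax check; this lint only covers the three template-rendering faults named above.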
  11. ljseals

    Last edited: Jun 2, 2017
  12. eva2000

    Thanks @ljseals that info is useful to read up on :) I have played with OSSEC briefly, though installing the software and fully understanding how to use it and what its messages/logs and alerts mean are two entirely different matters :)

    https://wazuh.com/elastic-stack/ looks very interesting and has a docker container for it (CentOS 7+ needed) !

    https://documentation.wazuh.com/current/pci-dss/index.html





     
    Last edited: Jun 2, 2017