Companies that conduct credit card transactions through their servers must comply with the Payment Card Industry's Data Security Standard (PCI DSS). This standard has many implications for system administrators; however, one of the most critical standards is the requirement to secure individual systems. More specifically systems must be hardened by turning off default configuration parameters and unneeded services, credit card data must be protected, and vulnerabilities must be removed from systems.
The PCI DSS is mandated by the major credit card companies including Visa and MasterCard. The PCI Security Standards Council was established to help unify a common approach to securing payment card information to ease implementation by companies by allowing them to meet one standard versus each card's own standards.
This article will provide some high level steps to carry out on Ubuntu systems. The specific examples are for Ubuntu 9.10.
Meeting the PCI DSS minimum services requirement on Ubuntu 9.10
Requirement 2.2.2 of the PCI DSS requires: "Disable all unnecessary and insecure services and protocols…"
This requirement covers part of the basic concept of hardening systems. By removing unneeded and insecure protocols, many vulnerable points that could go unnoticed if the system were hacked are removed.
With Ubuntu, meeting the minimum services requirement starts at installation time by ensuring only software necessary for the install is installed. (An "install it all" to make administration easy, will ensure never ending issues with PCI DSS and system patching.)
During the first install screen ensure that the Install Ubuntu Server option is chosen unless the particular system is part of a cloud computing cluster.
Later during the install you should also chose the bare minimum necessary for the system.
For example, if the server is going to function as DNS then only DNS should be chosen. This minimum approach meets the aforementioned 2.2.2 requirement and also helps ensure requirement 2.2.1 "Implement only one primary function per server."
This not only helps meet the PCI DSS requirements, it also means there are fewer subsystems on the system to patch. Using this minimal approach makes Ubuntu one of the easier distributions to make PCI compliant from a services approach.
For systems that were not deployed using a minimum approach or for systems that were multifunction but are being made single purpose to support PCI, you may need to disable service and keep them from starting at boot time.
To stop a service identify it's startup script in the appropriate rc runlevel directory. For this example, we will assume it's apache and it is located in rc3.d
To stop Apache execute:
Then to remove it from the system V startup process:
update-rc.d -f apache2 remove
Note: the -f will force the removal of the link to /etc/init.d/apache2. This ensures it can quickly be start up in an emergency -- ultimately the apache2 and the actual packages for Apache should be removed.
Identifying services on Ubuntu 9.10
On existing systems, a review can be carried out to determine what services are listening and on what port. This review can be carried out on the local system with:
And remotely on another system using nmap:
Encrypt the data
Encryption of cardholder information is critical for payment card systems, and most of the requirements of PCI DSS supper this theme. A common allowed method of protecting the data is to encrypt the data. Disk encryption is a viable option with some limitation specified in 3.4.1: "If disk encryption is used…logical access must be managed independently of native operating system access control (for example, by not using local user account databases.)"
Ubuntu supports disk encryption at the volume layer and avoids the use of using a local user account by requiring an independent pass phrase. Note: this pass phrase must be stored and safeguarded, because it is needed during boot up of the system.
To encrypt the volumes, chose the "Guided - use entire disk and set up encrypted LVM" during installation.
The installer will then prompt you to enter the pass phrase to be used during encryption.
Use at least eight characters, a special character, and a number to decrease the likelihood the pass phrase could be guessed. Store the pass phrase securely with other disaster recovery information.
By removing unneeded services, software packages, and using logical volume encryption, Ubuntu can be relatively easily provisioned to pass PCI DSS. Although a complete hardening of Ubuntu is normally carried out as part of a standard PCI DSS build, this article has provided the building blocks necessary to start down that path.
For additional information on the PCI DSS specification, check out the complete specification (free download).
ABOUT THE AUTHOR: Ronald McCarty is a freelance writer and consultant specializing in systems, network, and information security. He received his bachelor's degree in Computer and Information Systems at the University of Maryland's international campus at Schwaebisch Gmuend, Germany and his master's degree in Management with a specialization in information technology at Capella University. Ron's company, Your Net Guard offers IT consulting and integration services in the Dallas/Forth Worth area. He can be reached at firstname.lastname@example.org.