Do you have the requirement to be PCI DSS compliant at work? We do! We’ve just started to undertake the compliance programme and my goodness is it a headache! The bit I’m going to talk about here is the network scan.
I thought our systems were secure and protected from any script kiddies trying to brute-force their way in, but there are so many more vulnerabilities out there than I knew of. For example: buffer overflow errors in Apache, HTML insertion in MySQL, vulnerabilities in strrpad in PHP. The list is remarkably long!
After the initial scan we were notified of a staggering 50 potential and confirmed vulnerabilities in our system. My last week has revolved around fixing these and confirming that some were in fact false positives. This one caught me out: many Linux distributions backport fixes into the version of an application they ship rather than moving to a newer upstream release. For example, security fixes from newer upstream versions of the Apache httpd server are patched into the older version that CentOS ships, so users keep a fixed feature set while still getting the vulnerability fixes. I see the benefit of this, but an unauthenticated network scanner can only read the version number a service advertises (the httpd Server header, for instance); it cannot see which backported patches are in the installed package, so it reports every CVE known against that upstream version. Several of the vulnerabilities reported against our installation were false positives that had already been fixed in the package release we are running. For the PCI scan that means the finding does not go away on its own: you have to dispute it as a false positive and show evidence, such as the package changelog entry that names the CVE.
The way to verify this is to take the CVE number from the scan report and search for it, e.g. “centos <CVE NUMBER>”. This usually turns up a bug report from Red Hat (CentOS’s big brother lol; CentOS is rebuilt from Red Hat’s sources, so the same fix lands in both). The bug report links to the errata and the package version-release in which the bug was fixed. You then check that the version-release installed on your system is greater than or equal to the one listed. Note that with a backport the upstream version part (e.g. 2.2.15) usually stays the same and only the release part after the hyphen goes up, which is exactly why the scanner cannot tell the difference. I’ve had to do this for multiple packages.
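The check described above, as an added example that is not part of the original post: it compares the installed version-release against the one from the Red Hat bug report, and additionally greps the package’s RPM changelog for the CVE id, which is the evidence an assessor will want to see. On a real CentOS host the changelog comes from `rpm -q --changelog <package>`; here a changelog excerpt is constructed inline so the script runs offline, and the package name, CVE id, version numbers and maintainer details in it are illustrative assumptions, not real data.

```sh
#!/bin/sh
# Added example, not from the original post: confirm that a CentOS/RHEL
# package carries a backported fix before disputing a scanner finding.
# Two pieces of evidence are checked:
#   1. the installed version-release is at least the one named in the
#      Red Hat bug/errata for the CVE, and
#   2. the package's RPM changelog mentions the CVE id.
# On a real host feed it the real changelog:  rpm -q --changelog httpd | ...
# The changelog excerpt below is constructed for this example; the CVE id,
# version numbers and maintainer details are illustrative assumptions.

# Compare two RPM version-release strings such as "2.2.15-60.el6" field by
# field, splitting on "." and "-". Prints 1 if $1 >= $2, otherwise 0.
# Numeric fields compare numerically, everything else lexically. This is a
# simplified rpmvercmp (no epoch handling); for awkward cases use
# rpmdev-vercmp from the rpmdevtools package.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""
            y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 >= y + 0)
            else r = (x "" >= y "")
            print r + 0; exit
        }
        print 1
    }'
}

# Return 0 (true) when the changelog text on stdin mentions the CVE id as a
# whole word, so CVE-2011-3192 does not match CVE-2011-31920.
# Real usage:  rpm -q --changelog httpd | cve_in_changelog CVE-2011-3192
cve_in_changelog() {
    grep -q -i -w -- "$1"
}

# Verdict for one scanner finding. Arguments: installed version-release,
# fixed version-release from the Red Hat bug report, CVE id; the package
# changelog is read from stdin. Both checks must pass: a version that is
# "new enough" without a changelog entry usually means you compared against
# the wrong errata. Prints "fixed" or "still-vulnerable".
backport_verdict() {
    installed="$1"; fixed="$2"; cve="$3"
    if [ "$(ver_ge "$installed" "$fixed")" = 1 ] && cve_in_changelog "$cve"; then
        echo fixed
    else
        echo still-vulnerable
    fi
}

# Constructed changelog excerpt in `rpm -q --changelog` style (not a real
# httpd changelog; bug number and maintainer are placeholders).
SAMPLE_CHANGELOG='* Wed Aug 31 2011 Package Maintainer <maintainer@example.com> - 2.2.15-9.el6_1.2
- add security fix for CVE-2011-3192 (#123456)

* Mon Jun 20 2011 Package Maintainer <maintainer@example.com> - 2.2.15-9
- fix compatibility with mod_ssl'

# Demonstration: the installed release is newer than the fix and the changelog
# names the CVE, so this scanner finding is a false positive.
printf '%s\n' "$SAMPLE_CHANGELOG" |
    backport_verdict "2.2.15-15.el6.centos" "2.2.15-9.el6_1.2" "CVE-2011-3192"
```

When disputing the finding with the scanning vendor, the matching `rpm -q --changelog` line together with `rpm -q <package>` output is usually the evidence they ask for; keep a copy of both with the scan report.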
As a general rule of thumb… if you run “yum update” and install everything it lists, you will be covered for anything that came from the CentOS repositories. Two caveats: software installed from source or from a third-party repository is not touched by that, and a patched library or daemon only protects you once the running service has been restarted (or the host rebooted, for kernel updates).
Later I’ll cover in a little more detail some of the more specific changes I’ve had to make.