PCI Compliance questions

Is there anything else to be done first (perhaps further up in the thread)? Or is this the full account of what needs to be done?

Any reason why these settings shouldn't be standard?

Jeff
 
That would be an excellent idea to have new deployments of DA be PCI compliant right out of the box IMHO.

One thing I noticed was that when I updated Apache like I did the other night, my server went out of PCI compliance once again. I edited /etc/httpd/conf/httpd.conf (in bold italics) and had to add this piece of code back in at the bottom of the file:
Code:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
[I][B]SSLOptions +StrictRequire
SSLProtocol ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM[/B][/I]
</IfModule>

This time around, after editing, I made a backup copy of /etc/httpd/conf/httpd.conf with this command:
Code:
[root@cp ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.pci

Anyhow is there a means to keep all of that LOCKED in after updates and ./build rewrite_confs so that way I don't have to keep going back to this????
 
Anyhow is there a means to keep all of that LOCKED in after updates and ./build rewrite_confs so that way I don't have to keep going back to this????

You could use chattr +i but on the other hand there may be some important updates in the config file. I would just get in the habit of editing the config file to make it PCI compliant until DA makes it standard.
 
Hello,

I'm not opposed at all to making these changes, but just want to confirm a few things:
1) We already have the SSLProtocol option in /etc/httpd/conf/extra/httpd-ssl.conf, except it looks like:
Code:
SSLProtocol -ALL +SSLv3 +TLSv1
with "-ALL" as compared to yours which just has "ALL"... If I'm reading that correctly, yours would be enabling SSLv2? Perhaps I'm not clear on the functionality of this option (else maybe it's just a typo on the forum?).. (We don't want to allow SSLv2)

The SSLCipherSuite we use, again in the httpd-ssl.conf is
Code:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
I'm not opposed to changing this either.

I guess my main point is that I'd like this stuff to live in the httpd-ssl.conf if possible vs the main httpd.conf, so if one is better than the other and where to put it.. whatever conclusion we come to, I can add it in.

John
 
For what reason is the httpd.conf automatically modified? My timestamp for it is May something on one server (Debian), when it was deployed.
 
I just checked over the build code, and could only find it for the cases where "./build rewrite_confs" is called.. or "doApache" for apache 1.3 is called.

The "doApache2" function uses the action=rewrite&value=httpd to the task.queue which does rewrite all User httpd.conf files, but won't touch the main httpd configs in /etc/httpd/conf. (except perhaps the directadmin-vhosts.conf)

Note that "./build all" will call either doApache or doApache2, depending on the options.conf apache_ver setting. Same with "./build apache"

John
 
You could use chattr +i but on the other hand there may be some important updates in the config file. I would just get in the habit of editing the config file to make it PCI compliant until DA makes it standard.

Hey Floyd, if I was to run that command you mentioned, what file would I run it on?
 
Hello,

We don't make changes to the httpd.conf files too often, so the chattr method is probably going to be your best bet.

There is another way of doing it with custombuild, but it requires that you manage all conf files:
http://help.directadmin.com/item.php?id=351

The chattr is good because it allows you to lock just one file, but still have the others be updated if required.

John
 
Today I went into /usr/local/directadmin/templates/httpd.conf and added;

Code:
SSLEngine on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:!MEDIUM

Then I executed
Code:
chattr +i /usr/local/directadmin/data/templates/httpd.conf

And hopefully this time it locks everything in so I don't have to keep monkeying with things for one client in particular.
 
Don't chattr anything in the templates directory. Instead make a copy in the templates/custom directory and make changes there. Updates won't overwrite the custom directory.

Does this change need to be made for everyone for PCI compliance? If so, then we should ask DirectAdmin staff to make the change permanently.

Jeff
 
Thanks for the heads up on that one Jeff! Anyhow I hope I finally got that stuff nailed down cold because there are times when DA (I think) does a rewrite of certain files, one client ends up having PCI compliance issues afterwards and I end up with a dramatic email from the guy.
 
Revision on this item:

cp /usr/local/directadmin/data/templates/httpd.conf custom/
cd custom
edit httpd.conf and insert

Code:
SSLEngine on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:!MEDIUM

a little ways below the :443> entry you will find this:
Code:
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL

Code:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

This second line is what needs to be put in and the other commented out or removed.

 
Hello,

To clarify, the file:
/usr/local/directadmin/data/templates/httpd.conf

is only ever used at install time when you're using customapache and apache 1.3. If you've got custombuild, it won't ever be touched.

Also, if you're using customapache and 1.3, it's only ever used at install time. It's never touched past that.


If you've got custombuild and apache 2.2, the main config is rewritten sometimes, and it's stored in:
/usr/local/directadmin/custombuild/configure/ap2/conf/httpd.conf

and the copy/custom method would be to copy:
/usr/local/directadmin/custombuild/configure/ap2/conf

to:
/usr/local/directadmin/custombuild/custom/ap2/conf

But the ciphers in 2.2 are actually in extra/httpd-ssl.conf, and not the httpd.conf.
The default cipher is:
Code:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
John
 
I will grab a look at that John and see if I have what you recommended.

For the record I am running custombuild with Apache 2.2

 
Hi John,

In regards to what you suggested, upon further examination I already have that stuff done, but I have still run into that problem periodically; hopefully inserting the SSLCipherSuite code into the individual user's httpd.conf file and running chattr afterwards will leave it locked in.

Inserting the SSLCipherSuite code into the individual user's httpd.conf file is what was recommended to me by McAfee for the client a few months back and as a safeguard I made a backup copy of it in the event the file gets rewritten. Someone else had suggested the chattr command to lock it down and I presumed it would be practical to use it in the template as well.....
 
hopefully inserting the SSLCipherSuite code into the individual user's httpd.conf file and running chattr afterwards will leave it locked in.
I assume you mean in DA's templates? If not, DA will overwrite users' httpd.conf files, or if you chattr them, it will break creation/removal of subdomains, etc.

Am I wrong?
 
In just building out a site on a new machine, I continued to have the problem with SSLv2 being accepted, until I fixed an error in Neal's post #22 to this thread, where he adds code to /etc/httpd/conf/httpd.conf.

Note the boldface I added, which appears to make it work for the main site. I won't know if it works for the site I'm building on the server until I've set that up and added the Certificate. I'll post back then if additional changes are needed.
Code:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLOptions +StrictRequire
SSLProtocol ALL +SSLv3 [b]-SSLv2[/b] +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>
Jeff
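As an added example (this is not code from the thread, from DirectAdmin, or from Apache), the following Python script evaluates SSLProtocol values the way Apache 2.2's mod_ssl processes them, which is the point Jeff and John were working through above: an unprefixed "ALL" selects every protocol, so "ALL +SSLv3 +TLSv1" still leaves SSLv2 enabled unless a later "-SSLv2" removes it, whereas "-ALL +SSLv3 +TLSv1" starts from nothing. It also scans a constructed httpd-ssl.conf fragment for the SSLProtocol and SSLCipherSuite directives and flags cipher-string tokens that use the soft "-" removal rather than the permanent "!" removal, a distinction taken from OpenSSL's ciphers(1) documentation. Assumptions of mine: the protocol set {SSLv2, SSLv3, TLSv1} is the Apache 2.2-era expansion of "ALL", and the sample configuration text and all function names are constructed for this example.

```python
"""Audit Apache 2.2 mod_ssl SSLProtocol / SSLCipherSuite directives.

Added example, not part of the forum thread or of DirectAdmin.
Assumption: Apache 2.2-era mod_ssl, where "ALL" means SSLv2+SSLv3+TLSv1.
"""
import re

# Protocols that the keyword ALL expands to in Apache 2.2 (assumption).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(directive_value):
    """Return the set of protocols an SSLProtocol value enables.

    mod_ssl walks the tokens left to right: "+name" adds, "-name" removes,
    and an unprefixed name replaces the whole set. ALL stands for every
    protocol, so "ALL +SSLv3 +TLSv1" keeps SSLv2 while "-ALL ..." does not.
    Unknown protocol names are rejected, as mod_ssl itself would do.
    """
    enabled = set()
    for token in directive_value.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif token.lower() in _CANONICAL:
            names = {_CANONICAL[token.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: " + token)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names  # unprefixed name: set exactly this
    return enabled


# Matches the two directives of interest; commented-out lines (leading '#')
# do not match and are therefore ignored, like Apache ignores them.
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$",
                          re.IGNORECASE)


def audit_ssl_config(text):
    """Return (line_number, message) findings for a config file's text.

    - SSLProtocol: flagged when SSLv2 ends up enabled.
    - SSLCipherSuite: flagged when tokens use '-' (deleted, but re-addable by
      a later token) instead of '!' (permanently deleted), per ciphers(1).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "sslprotocol":
            if "SSLv2" in enabled_protocols(value):
                findings.append((lineno, "SSLv2 enabled by: " + value))
        else:
            soft = [t for t in value.split(":") if t.startswith("-")]
            if soft:
                findings.append((lineno, "soft removals, consider '!' instead: "
                                 + ",".join(soft)))
    return findings


# Constructed sample modelled on the directives quoted in the thread; the
# commented-out cipher line is there to show that comments are skipped.
SAMPLE_HTTPD_SSL_CONF = """\
# constructed sample, not a real DirectAdmin configuration file
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLOptions +StrictRequire
SSLProtocol ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL
</IfModule>
"""

if __name__ == "__main__":
    for lineno, msg in audit_ssl_config(SAMPLE_HTTPD_SSL_CONF):
        print("line %d: %s" % (lineno, msg))
```

Run it against a real file with `audit_ssl_config(open(path).read())`; an empty result means no SSLProtocol line enables SSLv2 and every cipher exclusion is a permanent one. Running it after each rebuild is a quick way to confirm that the directives survived a rewrite of the config, which is the recurring problem in this thread.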
 