  • 8/13/2019 PCI-DSS Auditing Linux, Apache, PHP,

    1/12


    PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4

    by Paul Asadoorian

    April 16, 2009

    PCI-DSS Scanning

    The effectiveness of the Payment Card Industry (PCI) standards to secure systems responsible for credit card transaction processing is a question of debate among information security professionals. Regardless of the hype or negativity surrounding PCI, it remains a requirement for many organizations to follow. Nessus has built-in PCI-DSS compliance checks that compare scan results with the PCI standards and produce a report on your compliance posture. It is very important to note that a successful compliance scan does not guarantee compliance or a secure infrastructure. Compliance scanning is just one tool to be used as part of a comprehensive program that includes the appropriate policies and procedures to ensure that assets are appropriately protected.

    I recently tested the Nessus PCI-DSS auditing functionality to determine how some of my scans compared to PCI-DSS standards. I started by acquiring a system that would most likely be governed by the PCI standard. I located a free virtual appliance configured with osCommerce (http://www.vmware.com/appliances/directory/570), an open source online merchant site and shopping cart system. After I got the system running, I noticed the pre-installed software was already out-of-date. For example, the version of osCommerce included in the virtual appliance I used was two versions behind according to the osCommerce web site (http://www.oscommerce.com/about/news,130). This is a perfect testing ground for Nessus and PCI because there will most likely be areas where the PCI compliance fails, and other areas that pass.

    Configuring a PCI-DSS Nessus Scan

    The PCI standards council publishes a guide titled "Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures (https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf)" which outlines how to conduct a scan when performing a PCI-DSS audit and states:

    "The ASV scanning solution must include an exhaustive fingerprinting scan on all transmission control protocol (TCP) and user datagram protocol (UDP) ports."

    The above requirement leads us to the following steps to configure our scan policy:

    Step 1 - Configure your scan policy to scan all of the UDP and TCP ports on the remote host. This can be done in one of two ways. If you are not scanning with credentials (this is the case for most QSVs, or Qualified Scanning Vendors), then configure the network-based portscanners:

    If you have credentials on the target host(s), then only select the local portscanners:


    The netstat portscanners will invoke the netstat program on the target host and collect open port information rather than testing via the network. The local scanners are more efficient; issuing a local command is much faster than probing all ports and waiting for a response.

    In both cases the "Port scanner range" is set to "1-65535", which is applied to any of the selected portscanners. The UDP scanner is not new to Nessus, but versions prior to Nessus 4.0 were only available for ProfessionalFeed customers and required that you download a separate plugin from the Tenable web site. It is now included in Nessus 4.0 and has been updated with various improvements.
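    The work a netstat-based local portscanner does, once it has run netstat on the target over SSH, is to turn the command's text output into a list of open ports. The script below is an added example and not Nessus or Tenable code; it parses constructed `netstat -an` output (made to resemble net-tools netstat on a Fedora Core 5-era host) and also flags the one caveat that makes a local scan and a network scan disagree: a socket bound only to loopback is reported locally but can never be found by the network-based portscanners.

```python
"""Turn the output of `netstat -an` into the list of bound ports a local scan would report.

Added example, not Nessus or Tenable code: it reproduces the job a netstat-based local
portscanner does once it has run netstat on the target over SSH. SAMPLE_NETSTAT is
constructed to resemble net-tools netstat output on a Linux host of the Fedora Core 5 era.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 10.0.0.5:22                 10.0.0.9:51122              ESTABLISHED
tcp        0      0 :::80                       :::*                        LISTEN
udp        0      0 0.0.0.0:68                  0.0.0.0:*
udp        0      0 0.0.0.0:111                 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     12345  /var/run/dbus/system_bus_socket
"""


@dataclass(frozen=True)
class BoundPort:
    proto: str     # "tcp" or "udp"; tcp6/udp6 rows are folded into the same two names
    port: int
    address: str   # local bind address exactly as netstat printed it

    def is_network_reachable(self) -> bool:
        """A loopback-only socket is reported by a local (netstat) scan but can never be
        seen by the network portscanners; this is one reason the two scan types differ."""
        return self.address not in LOOPBACK


def parse_netstat(text: str) -> List[BoundPort]:
    """Return the distinct TCP listening sockets and bound UDP sockets in netstat output."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip banners, column headers and the UNIX-domain socket section.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]
        address, _, port = fields[3].rpartition(":")  # ":::80" -> ("::", "80")
        if not port.isdigit():
            continue
        if proto == "tcp":
            # Only LISTEN sockets are open ports; ESTABLISHED rows are live connections.
            if len(fields) < 6 or fields[5] != "LISTEN":
                continue
        elif fields[4].rpartition(":")[2] != "*":
            # UDP has no state column; a bound socket shows a wildcard foreign address.
            continue
        found.add(BoundPort(proto, int(port), address))
    return sorted(found, key=lambda b: (b.proto, b.port, b.address))


def network_visible_ports(ports: List[BoundPort]) -> List[Tuple[str, int]]:
    """The subset a network-based scanner could discover from the Nessus host."""
    return sorted({(b.proto, b.port) for b in ports if b.is_network_reachable()})


def run_netstat() -> List[BoundPort]:
    """Run netstat on the local machine (what the scanner does on the target over SSH)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return parse_netstat(out)


if __name__ == "__main__":
    for b in parse_netstat(SAMPLE_NETSTAT):
        flag = "" if b.is_network_reachable() else "  (loopback only: invisible to a network scan)"
        print(f"{b.proto}/{b.port} bound to {b.address}{flag}")
```

    On the constructed sample the parser reports six bound ports, of which the CUPS socket on 127.0.0.1:631 is the one a network scan of the same host would never show; comparing the two lists is a quick way to spot services that only appear because the scan ran with credentials.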

    Step 2 (Optional) - If you have credentials on the target host(s), enter them for your target system on the Credentials tab. Our target system is Linux, so we will use SSH to authenticate. For production use, generate a public/private keypair for your Nessus server, and then copy the public key to your production systems. See the Tenable blog post "Configuring Nessus To Scan Through Firewalls" (http://blog.tenablesecurity.com/2009/04/configuring-nessus-to-scan-through-firewalls.html) for an example of this. The Tenable portscanners and plugins that perform local scanning activity require that you scan with credentials. In our test case, the osCommerce virtual appliance was built using Fedora Core release 5, so we will use local security checks from Nessus.

    Step 3 - Enable all plugins:


    To perform a successful PCI-DSS compliant scan, all plugins must be enabled including the policy compliance checks shown above. For more information about the specifics of these plugins, refer to the Tenable blog post, "PCI-DSS Plugins For Nessus" (http://blog.tenablesecurity.com/2008/10/pci-dss-plugins.html).

    Step 4 - Modify your global variable settings:


    In the configuration screen above, enable thorough testing and experimental scripts, both of which are required for a successful PCI compliant scan.

    Step 5 - Enable PCI DSS compliance checking:

    Finally, we will need to enable the compliance checking in the Advanced tab. At this point we are done configuring our scan policy and can click "Save".


    Step 6 - Disable the firewall on the target:

    On the target host the local firewall must allow full access to the IP address of the scanner. PCI requires that no firewall exist between the scanner and the server being tested. To do this within Fedora Core release 5, I've issued the following command:

    # service iptables stop

    Disabling the firewall also helps the scan run faster, as scanning all UDP ports over the network through a firewall is a very time consuming task. You could just allow the IP address of the Nessus scanner through your firewall, however it may still keep track of sessions and their state, which could slow the scan down.


    While removing the firewall from the equation can help speed up the scan and allow the scanner to enumerate all of the vulnerabilities available from the network, leaving it enabled can also have value. If the firewall is enabled and a vulnerability scan launched against it fails, this shows that your defenses are working properly (provided there was no DoS condition on the target host). The primary reason to disable it here is to allow the scan to complete in a reasonable amount of time. However, it is good to test your firewalls with the vulnerability scanner to ensure they are blocking the correct ports and functioning per your policy and procedures.

    Scanning & Reporting

    Now we are ready to initiate the scan, which will take a bit longer than many Nessus scans you may have performed, as we have enabled all plugins, thorough tests, and UDP scanning. When the scan is complete, we can see that our system is not compliant with PCI-DSS specifications. Plugin 33929, "PCI DSS compliance" (http://www.nessus.org/plugins/index.php?view=single&id=33929), has analyzed the results and determined that we are not compliant due to several vulnerabilities identified during the scan.

    The PCI compliance scan results are mixed into the report; some are in the "general/tcp" section and others are appended to the entries associated with a particular open port and service. The best way to gather all of the scan results is to use the filtering feature in conjunction with the report template feature introduced in Nessus 4. The first step is to create a filter that will only display results from the PCI compliance plugin:


    Clicking "Apply Filter" will bring you back to the NessusClient where the filtered results will be displayed. You can then choose a report template, such as "Sort By Vulnerability Detail" and click "View template...". Your web browser will open and display your custom report:

    The new report displays all of the alerts that caused the scan results to be not in compliance with PCI-DSS. This report can now be used to go back to the web server and remediate the problems until the scan passes the PCI compliance checking.
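    The same "filter on the PCI compliance plugin" step can be done outside the NessusClient when the report is exported, which is useful when the remediation list has to be handed to whoever owns the web server. The script below is an added example and not Tenable code: it walks a report, collects every entry from plugin 33929 (the plugin ID named above) whether it sits under "general/tcp" or under a particular port, and groups the findings by host. The XML is constructed to mimic the layout of a Nessus 4 ".nessus" export (NessusClientData/Report/ReportHost/ReportItem); the element names and all finding text are assumptions of this example, so check them against a real export before relying on the script.

```python
"""Gather every finding from one Nessus plugin, wherever it was attached in the report.

Added example, not Tenable code. It does in a script what the post does with the
NessusClient filter and report template: pull the PCI DSS compliance plugin's entries
(plugin ID 33929, from the post) out of both the "general/tcp" section and the per-port
entries, and group them by host. SAMPLE_REPORT is constructed to mimic a Nessus 4
".nessus" export (NessusClientData/Report/ReportHost/ReportItem); treat those element
names and the finding text as assumptions and check them against a real export.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

PCI_PLUGIN_ID = "33929"          # "PCI DSS compliance", as named in the post

SAMPLE_REPORT = """<?xml version="1.0"?>
<NessusClientData>
  <Report>
    <ReportHost>
      <HostName>192.0.2.10</HostName>
      <ReportItem>
        <port>general/tcp</port>
        <pluginID>33929</pluginID>
        <pluginName>PCI DSS compliance</pluginName>
        <data>Constructed finding: host fails the PCI DSS compliance check.</data>
      </ReportItem>
      <ReportItem>
        <port>http (80/tcp)</port>
        <pluginID>99999</pluginID>
        <pluginName>Example non-PCI plugin (constructed placeholder ID)</pluginName>
        <data>Constructed informational output, not part of the PCI result.</data>
      </ReportItem>
      <ReportItem>
        <port>http (80/tcp)</port>
        <pluginID>33929</pluginID>
        <pluginName>PCI DSS compliance</pluginName>
        <data>Constructed finding: outdated web application on this port.</data>
      </ReportItem>
      <ReportItem>
        <port>mysql (3306/tcp)</port>
        <pluginID>33929</pluginID>
        <pluginName>PCI DSS compliance</pluginName>
        <data>Constructed finding: database service reachable from the scanner.</data>
      </ReportItem>
    </ReportHost>
    <ReportHost>
      <HostName>192.0.2.11</HostName>
      <ReportItem>
        <port>ssh (22/tcp)</port>
        <pluginID>99999</pluginID>
        <pluginName>Example non-PCI plugin (constructed placeholder ID)</pluginName>
        <data>Constructed informational output.</data>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData>
"""

Finding = Tuple[str, str]   # (port label as printed in the report, finding text)


def findings_for_plugin(report_xml: str, plugin_id: str = PCI_PLUGIN_ID) -> Dict[str, List[Finding]]:
    """Map host -> findings produced by plugin_id, in report order, across all port entries."""
    root = ET.fromstring(report_xml)
    per_host: Dict[str, List[Finding]] = defaultdict(list)
    for host in root.iter("ReportHost"):
        name = host.findtext("HostName", default="(unnamed host)")
        for item in host.iter("ReportItem"):
            if item.findtext("pluginID") != plugin_id:
                continue   # the filter: everything from other plugins is dropped
            per_host[name].append((
                item.findtext("port", default=""),
                (item.findtext("data") or "").strip(),
            ))
    return dict(per_host)   # hosts without a finding from this plugin are absent


def noncompliant_hosts(report_xml: str, plugin_id: str = PCI_PLUGIN_ID) -> List[str]:
    """Hosts with at least one finding from the plugin, sorted for a stable worklist."""
    return sorted(findings_for_plugin(report_xml, plugin_id))


def render(report_xml: str, plugin_id: str = PCI_PLUGIN_ID) -> str:
    """Plain-text stand-in for the 'Sort By Vulnerability Detail' template, one host at a time."""
    lines = []
    for host, items in sorted(findings_for_plugin(report_xml, plugin_id).items()):
        lines.append(f"{host}: {len(items)} finding(s) from plugin {plugin_id}")
        for port, text in items:
            lines.append(f"  [{port}] {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_REPORT))
```

    Because the filter keys on the plugin ID rather than on the port, the three PCI entries for the first host come out together even though only one of them lives under "general/tcp"; the second host, which has no entry from plugin 33929, does not appear in the worklist at all. Re-running the script on a fresh export after each remediation round gives a simple pass/fail signal until the host list is empty.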

    Conclusion

    The PCI-DSS standard is focused primarily on finding vulnerable web servers. If your organization is a level 3 or 4 merchant you also have PCI requirements to demonstrate usage of access control, anti-virus protection, system logging, and many other types of security monitoring. Nessus ProfessionalFeed users have access to a variety of configuration auditing policies to help test for these PCI requirements. Tenable Security Center and Log Correlation Engine users can also monitor system logs and network activity in real time to monitor and report on many different types of PCI audit requirements. For more information about Tenable's enterprise PCI monitoring, please contact our sales staff to request our Real Time PCI Monitoring white paper.

    References

    PCI-DSS Plugins For Nessus (http://blog.tenablesecurity.com/2008/10/pci-dss-plugins.html)

    Enterprise PCI Auditing Video (http://cgi.tenablesecurity.com/demos/pci2/pci2.htm) - This twelve minute video discusses how unifying system and event analysis into one platform can address all 12 requirements of PCI.

    Maximizing ROI on Vulnerability Management (http://tenablesecurity.com/whitepapers/Maximizing_ROI_Vulnerability_Management.pdf) - This paper describes the methodology for developing a comprehensive vulnerability management program.
