New OOOOGA-BOOGA...
An Apache DSO Module that has to be installed in the Apache Software directly.

http://www.net-secur..._news.php?id=2364

Ummm, yeah, already we've been tagged to "ensure" no unknown "modules" are loaded... and proof with PNG/Configs/in-memory references... etc.

These people can't even get it through their heads we haven't had a single unlogged intrusion attempt nor a single successful (and proven with our IDS that logs ALL traffic) intrusion.

There is the pervasive: "But what if they did"... since it's Windows based "what if"

GAH, get over it.

Well, if they did, our APIs wouldn't work properly, when dealing with Credit Cards... and I'd be able to see the module being loaded and the compiled module in a location that is wrong or the location it's loading from is wrong.

They "PCI auditors" just don't friggin get it. External Scanners are now dinging for it.

Must!!!! get!!!! out!!!! of!!!! doing/dealing!!!! with!!!! PCI!!!!

!1!!!!!1!!!!1!!!!!!!!!!!!!111!!!!!!!!1!!!!!!!!1!!!1!!1!1!11!!!!1!!1
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
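
Added example, not part of the thread: one way to produce the kind of evidence the post above describes, by comparing the `LoadModule` lines in the config with the in-memory module list and flagging anything off the allowlist or loaded from the wrong location. The paths, module names and allowlist are constructed assumptions; the runtime text follows the layout printed by `apachectl -M`.

```python
import posixpath
import re

LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
RUNTIME = re.compile(r"^\s*(\S+)\s+\(shared\)\s*$")

# Constructed sample config (not taken from the thread).
SAMPLE_CONFIG = """\
ServerRoot "/etc/httpd"
LoadModule ssl_module modules/mod_ssl.so
LoadModule perl_module modules/mod_perl.so
# LoadModule status_module modules/mod_status.so
LoadModule example_module /tmp/mod_example.so
"""
# Constructed sample in the layout printed by `apachectl -M`.
SAMPLE_RUNTIME = """\
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 perl_module (shared)
 example_module (shared)
 extra_module (shared)
"""

def audit_modules(config_text, runtime_text, server_root, module_dir, allowlist):
    """Return sorted (module, reason) findings for DSO modules."""
    findings = set()
    configured = {}
    for line in config_text.splitlines():
        m = LOADMODULE.match(line)  # commented-out directives do not match
        if not m:
            continue
        name, path = m.group(1), m.group(2).strip('"')
        # Relative module paths are resolved against ServerRoot.
        full = posixpath.normpath(posixpath.join(server_root, path))
        configured[name] = full
        if name not in allowlist:
            findings.add((name, "not in allowlist"))
        if posixpath.dirname(full) != posixpath.normpath(module_dir):
            findings.add((name, "loaded from unexpected path " + full))
    for line in runtime_text.splitlines():
        m = RUNTIME.match(line)  # static modules are compiled in, so skipped
        if m and m.group(1) not in configured:
            findings.add((m.group(1), "loaded at runtime but absent from config"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_CONFIG, SAMPLE_RUNTIME, "/etc/httpd",
                                 "/etc/httpd/modules", {"ssl_module", "perl_module"}):
        print(*finding, sep=": ")
```
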
New dumasses ever hear of tripwire?
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 57 years. meep
New Uhh...
That is the last piece. We use SAMHAIN as a FIM, of course Tripwire is there also as a secondary FIM.

My Webservers are behind a Firewall, load balancers, a caching (squid) reverse proxy, a Web Application Firewall, another Apache Proxy server for Static content and then a modperl webserver. Then on anything that deals with CHD, our APIs won't even work with anything intercepting the info... as the data has to be "blessed properly and pure" and only over SSL.

The APIs are behind three firewalls, behind two layers of NAT, three layers of ACL and have to prove they are who they say they are every time.

Auditors' and external scanners' jobs are to help us get through the scan remediation and to get things taken care of satisfactorily.

Our current auditor is an idiot to the extreme, with no ability to communicate. He can help if he pays attention, but seriously... we are 6 months out of compliance with our AoC, but we have had a "pending" one for 6 months. Which while it's good enough for temporary use, one bank in Canada is about ready to start fining us.

I got the last, last, last, last, last, task of the ever moving task list done Friday.

I only added about 400 IPTables rules and 17 chains related to them. GRAH! Our IPTables was only 300 rules to begin with and caused no problems. "Spirit of the regulations" are what is expected... not "Letter of the Regulations".

Anyway, this is a serious OOOGA-BOOOOGA, since we don't even have install-able compilers available to the machines the web-servers live on.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
New Mwahahahahaha
It took the last go around (thanks, you pulled the save) for me to realize I never want to deal with PCI again unless it is as an overpriced hired gun who is willing to follow directions and not care about the outcome, i.e.: run up billable hours one failed scan after another.

Since you have too much ethics, and I simply don't have the skills, I don't think it's an option for either of us.

I'm no longer actively involved in any of it, and my on-demand rate just went up high enough to discourage use. Let's see what happens.
New FYI...
I'm not chatting with him either.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C