From owner-freebsd-questions@FreeBSD.ORG Mon Jul 28 18:27:01 2008
From: "Bob McConnell"
Date: Mon, 28 Jul 2008 14:22:46 -0400
Subject: RE: pci compliance
In-Reply-To: <35f70db10807281102q5a0b73c3h554338292e3b751a@mail.gmail.com>
References: <488E0708.2060207@godfur.com> <35f70db10807281102q5a0b73c3h554338292e3b751a@mail.gmail.com>
List-Id: User questions

On Behalf Of Ross Cameron
> On Mon, Jul 28, 2008 at 7:51 PM, kalin m wrote:
>>
>> i'm about to submit a freebsd system to be scanned for pci compliance...
>>
>> are there any particular gotchas with bsd systems that can be detected at
>> the time of pci compliance scanning?
>> i know they use something like nmap, if not nmap itself, and i did myself on
>> that machine and didn't find anything interesting.
>> but one of the consultants that was 'advising' the company i work for said
>> "we use a similar (as in nmap) approach but it's (much) more intrusive".
>> does anybody know what that means?
>
> The PCI auditing process is a full penetration test.
> It's very thorough and not at all easy to pass.
>
> Get hold of a copy of "The penetration tester's handbook" and make sure you
> pass all the tests in the book and you should be ok.

How intense depends on which PCI level you are aiming for and which
services you will have running on that server. We have completed level 3
for our hosted web servers and firewalls, and are shooting for level 1 by
the end of the calendar year. However, I am not yet involved in any of
those projects.

Bob McConnell
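The original poster ran nmap against the host before submitting it and "didn't find anything interesting"; the useful follow-up is to turn that self-scan into a repeatable check: compare what the scan reports as open against the services the server is actually supposed to expose, so anything extra is caught before the compliance scanner sees it. The script below is an added example, not code from this thread or from nmap. It parses nmap's grepable output format (`-oG`), which is real, but the sample scan text, the host address and the expected-service allow-list are constructed for the example.

```python
"""Pre-audit exposure check: parse nmap grepable output and report open
ports that are not on the host's allow-list (and expected ones missing).

Added example for the freebsd-questions thread; the scan output below is
constructed, not a real capture.
"""
import re

# Constructed sample of `nmap -sS -p- -oG -` output for a single host.
# Grepable lines are tab-separated "Field: value" pairs; the Ports field
# lists entries as port/state/proto//service///.
SAMPLE_GNMAP = """\
# Nmap 4.68 scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Assumed allow-list: what this web server is meant to expose.
# In practice this comes from the system's documented service inventory.
EXPECTED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# One grepable port entry: port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        host = line.split()[1]
        entries = results.setdefault(host, [])
        if "Ports:" not in line:
            continue  # the "Status: Up" line has no Ports field
        # Take only the Ports field; drop the trailing "Ignored State" field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            entries.append((int(port), state, proto, service))
    return results


def unexpected_exposure(results, expected):
    """For each host, list open (proto, port) pairs outside the allow-list
    and allow-listed services the scan did not see as open."""
    findings = {}
    for host, entries in results.items():
        open_ports = {(proto, port) for port, state, proto, _ in entries
                      if state == "open"}
        findings[host] = {
            "unexpected": sorted(open_ports - expected),
            "missing": sorted(expected - open_ports),
        }
    return findings


def main():
    results = parse_gnmap(SAMPLE_GNMAP)
    for host, report in unexpected_exposure(results, EXPECTED).items():
        print(f"{host}: unexpected open {report['unexpected']}, "
              f"missing expected {report['missing']}")
    # Shell-style exit status: non-zero if anything unexpected is open.
    return any(r["unexpected"] for r in unexpected_exposure(results, EXPECTED).values())


if __name__ == "__main__":
    raise SystemExit(1 if main() else 0)
```

Against the constructed sample the check flags 3306/tcp (a database listener reachable from the scanning host) as unexpected exposure while ignoring the filtered 8080 entry, which is the kind of finding a compliance scan reports and a quick `nmap` glance can miss. Feeding it real output means running `nmap -sS -p- -oG - <host>` from outside the firewall, as the scanner will.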