Achieving PCI Compliance (SecurityMetrics.com)


Does anyone in the group have any experience achieving PCI Compliance with, e.g., SecurityMetrics.com? In my case, I could save the client a ton of money by solving this.

The SecurityMetrics.com test is complaining about the Apache ETag. Can we somehow use .htaccess to change the ETag values?

Is there a best practice for this kind of thing?

Comments

As always, best is flexible


Sort of depends on your situation. All I can surmise (since "complaining about the Apache ETag" isn't a lot to go on) is that you're running an older version of Apache, which constructs ETag headers from (among other things) the inode of a file. This allows some slightly hairy exploits, though I don't think they're really very likely in most environments. If you don't want ETag headers, which may well be the case if you're on a single server, just put

  FileETag none

in your Apache config, and it will stop putting in ETag headers altogether.

Steve Hanson
Cruiskeen Consulting LLC - http://www.cruiskeenconsulting.com
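A defender-side check of what Steve describes, added here as example code that is not from the thread: it classifies the ETag in a captured set of response headers (constructed samples, no real host) and lists the Apache settings involved; the directives quoted are the real `FileETag` and mod_headers `Header unset ETag`.

```shell
#!/bin/sh
# Added example, not from the thread: spot the ETag form that PCI scanners flag,
# and document the Apache settings that change it.
#
#   FileETag INode MTime Size   # pre-2.4 default: ETag = "inode-size-mtime" (hex)
#   FileETag MTime Size         # keeps HTTP caching, drops the inode
#   FileETag none               # drops the header entirely (Steve's suggestion)
#
# FileETag is honoured in .htaccess only if AllowOverride includes FileInfo;
# with mod_headers loaded, "Header unset ETag" is the other common .htaccess route.

# classify_etag RAW_HEADERS -> prints: none | inode | other
#   none  : no ETag header at all
#   inode : three hex fields, the form Apache emits when INode is part of FileETag
#   other : ETag present in another form (e.g. two fields from "FileETag MTime Size")
classify_etag() {
  etag=$(printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="etag:" {print $2; exit}')
  [ -n "$etag" ] || { echo none; return 0; }
  v=${etag#W/}          # strip weak-validator prefix, if any
  v=${v#\"}; v=${v%\"}  # strip surrounding quotes
  n=$(printf '%s\n' "$v" | awk -F- '{ok=0; for (i=1;i<=NF;i++) if ($i ~ /^[0-9a-fA-F]+$/) ok++; print (ok==NF ? NF : 0)}')
  [ "$n" -eq 3 ] && echo inode || echo other
}

# Constructed sample responses (no real server involved).
HDR_OLD=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\nETag: "1a2b3c-4d5e-4f8a2b1c3d2e0"\r\n')
HDR_NOINODE=$(printf 'HTTP/1.1 200 OK\r\nETag: "4d5e-4f8a2b1c3d2e0"\r\n')
HDR_NONE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 42\r\n')

# Against your own host you would feed it the output of: curl -sI https://<your-site>/
for h in "$HDR_OLD" "$HDR_NOINODE" "$HDR_NONE"; do
  classify_etag "$h"   # prints: inode, other, none
done
```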

Remove ETag headers with .htaccess


For sites on shared servers (which won't allow access to httpd.conf), is it sufficient to place

  FileETag none

in the .htaccess file?

Mike Steigerwald

Probably


Depends on how your server is set up -- though frankly I don't see HOW you can be PCI compliant on a shared server.

Steve Hanson
Cruiskeen Consulting LLC - http://www.cruiskeenconsulting.com

I was just about to type what


I was just about to type what Steve said, but he beat me to the punch. You might technically meet a checklist on a shared server, but unless it's your own shared box, I think you're pushing it. I'm not sure what level of PCI compliance you are going for (txn/yr), but I would be nervous about trying to meet the requirements on a shared box, although I'm sure people must do it.

Does your webhost advertise this shared hosting environment as a PCI compliant environment? If you aren't able to even modify the Apache config, I'm curious how you are able to do the system-level logging required for PCI audits. Caveat: I am no PCI expert. If any other Drupal folks have experience with this I'd love to hear contradicting experiences.