pci compliance help
Hi Guys.
For PCI compliance I need to disable TRACK and TRACE.
I used to be able to to do this by adding the following to httpd.conf
Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.Code:RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] RewriteCond %{REQUEST_METHOD} ^TRACK RewriteRule .* - [F]
Anyone have been able to get these disabled lately?
Thanks in advance for any help.
Emerson
how about in a .htaccess file in the root of one of the sites? just for the hell of it??Originally Posted by EWD
Just keeping my "eye" on things....
R. Paul Mathews
RPMWS - diehard cPanel Nutcase
Hi,
Yes, that would help for one site. We need it to be server-wide.
I have found that the code above does not work for trace anymore for whatever reason.
Instead you need to add TraceEnable Off to httpd.conf
So what I did was edit /usr/local/apache/conf/includes/pre_main_global.conf and added:
Also added TraceEnable Off to httpd.conf and that seems to have done the trick.Code:<Directory "/"> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACK RewriteRule .* - [F] </Directory>
Thanks for the help and I hope this info helps someone else looking for the same.
Emerson
mod_security
This can also be addressed via mod_security (installed via Easy Apache) with the default configuration:
Code:# allowed request methods SecRule REQUEST_METHOD "!^(?:GET|POST|OPTIONS|HEAD)$" \ "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
Rob
They (the PCI Compliance scanners) will ding you for having an .htaccess.
cPanel: Latest Release Version [11.36.1.6]
PHP 5.3.23, Apache 2.2.24, MySQL 5.1.68, Perl 5.10.1, CentOS 6.4 64-bit
LinkBack URL
About LinkBacks
Reply With Quote