
pci compliance help

Discussion in 'General Discussion' started by EWD, Mar 28, 2008.

  1. EWD

    EWD Member

    Hi Guys.

    For PCI compliance I need to disable TRACK and TRACE.
    I used to be able to do this by adding the following to httpd.conf
    Code:
    # Refuse TRACE and TRACK requests with 403 Forbidden ([F]).
    # Each RewriteCond applies only to the RewriteRule directly after it.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes, with no luck.
    Has anyone been able to get these disabled lately?

    Thanks in advance for any help.
     
  2. rpmws

    rpmws Active Member

    How about in a .htaccess file in the root of one of the sites? Just for the hell of it?
     
  3. EWD

    EWD Member

    Hi,

    Yes, that would help for one site. We need it to be server-wide.

    I have found that the code above does not work for TRACE anymore, for whatever reason.
    Instead you need to add TraceEnable Off to httpd.conf.

    So what I did was edit /usr/local/apache/conf/includes/pre_main_global.conf and added:
    Code:
    # Applies to every site on the box: refuse TRACK with 403 Forbidden.
    # TRACE itself is switched off with TraceEnable Off in httpd.conf.
    <Directory "/">
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    </Directory>
    Also added TraceEnable Off to httpd.conf and that seems to have done the trick.

    Thanks for the help and I hope this info helps someone else looking for the same. ;)
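A quick way to confirm the change actually took, as an added example that is not from this thread and not cPanel's or Apache's own tooling: this script sends TRACE and TRACK to a host and reports whether each was refused (405 from TraceEnable Off, 403 from the RewriteRule [F] or from a mod_security rule set to deny) or echoed back as message/http, which is what the PCI scanner flags. The _FakeApache handler, its hardened flag and start_fake_server are constructed stand-ins so the check runs offline; point check_host at a real host and port to use it for real.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHECKED_METHODS = ("TRACE", "TRACK")  # the methods the PCI scanner probes

def probe_method(host, port, method, timeout=5):
    """'enabled' if the server echoes the request (200, message/http), 'disabled'
    on 403 (RewriteRule [F], mod_security), 405 (TraceEnable Off) or 501."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"Host": host})
        resp = conn.getresponse()
        ctype = resp.getheader("Content-Type", "")
        if resp.status == 200 and ctype.startswith("message/http"):
            return "enabled"
        if resp.status in (403, 405, 501):
            return "disabled"
        return "unknown"
    finally:
        conn.close()

def check_host(host, port):
    """Return {method: verdict} for every method that must be switched off."""
    return {m: probe_method(host, port, m) for m in CHECKED_METHODS}

class _FakeApache(BaseHTTPRequestHandler):
    """Constructed stand-in (not real Apache): hardened=True answers TRACE 405
    (TraceEnable Off) and TRACK 403 (RewriteRule [F]); else it echoes TRACE."""
    hardened = True

    def do_TRACE(self):
        if self.hardened:
            return self.send_error(405)
        body = self.raw_requestline + b"\r\n"  # echo the request line back
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACK(self):
        self.send_error(403)

def start_fake_server(hardened=True):
    """Start a stand-in on a free localhost port; returns (host, port)."""
    handler = type("Handler", (_FakeApache,), {"hardened": hardened})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address
```

Running `check_host(*start_fake_server())` should report both methods as 'disabled'; against the unhardened stand-in TRACE comes back 'enabled'.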
     
  4. robb3369

    robb3369 Member

    mod_security

    This can also be addressed via mod_security (installed via Easy Apache) with the default configuration:

    Code:
    # allowed request methods
    SecRule REQUEST_METHOD "!^(?:GET|POST|OPTIONS|HEAD)$" \
        "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
     
  5. MaraBlue

    MaraBlue Member

    They (the PCI Compliance scanners) will ding you for having an .htaccess.
     
