PCI Compliance Automation

WebJIVE

I started this feature request (it's still being reviewed) for automating PCI compliance settings. PCI compliance is starting to become a real issue with cPanel servers, especially those which have been upgraded over several releases. I had to get (and still have open) support involved (paid ticket) because this is a seriously complex issue to take up.

https://features.cpanel.net/topic/add-pci-compliant-settings-in-tweak-settings-for-pci-compliance

My suggestion:
Every few months we have to maintain our PCI compliance to be able to process credit cards, just like cPanel itself. After the upgrade to v70, Trustwave ran a PCI scan and found we were out of compliance with Ciphers and SSH.

The ciphers, it seems, don't get automatically updated between releases and have to be updated manually, which for the crypto-unaware is a big challenge.
cPanel needs to add an easy way to touch areas of the system with updated Ciphers which helps bring a server up to PCI compliance.

Another area that we need desperately is somewhere in WHM with information on SSH backports that's in an acceptable format for Trustwave and others. We were given backport info to pass along to Trustwave and they didn't accept it. This doc (downloadable or copy/pasteable) from WHM needs to be readily available.

This is a pretty serious issue and it seems that PCI compliance is getting harder and cPanel has a responsibility to help its customers maintain PCI compliant servers or we'd have to find other solutions.

Another option would be to work with all the PCI compliance companies that do scans and automatically send them backport and compliance info so that all we would have to do is put a check in a checkbox so that vendors like Trustwave know what system we're using.

sparek-3

I don't know if I necessarily agree that cPanel has a responsibility here with this. But it definitely would be nice to have access to a PCI security vulnerability scanner that can be run on demand to find vulnerable ports or ciphers that don't meet PCI standards. This would allow administrators to routinely check their servers and make sure that the servers are following the ever changing PCI standards.

I don't know if this necessarily has to be a cPanel provided tool.

The scope of complete PCI compliance probably extends out of cPanel's reach. They can't answer the questionnaire for you or determine if all of the scripts/applications/plugins/components/extensions/themes are up-to-date and not vulnerable.

WebJIVE

PCI compliance is required by merchant account holders with websites that accept credit cards, so PCI compliance is often dictated and paid for by the merchant's account supplier. The reason cPanel needs involvement here is that PCI compliance includes complex topics like ciphers and SSH versions with backport information. Without that, it would be very difficult to have a PCI compliant server, so yes, they need to be involved in this process since their system is used by 10,000s of servers running various ecommerce software.

sparek-3

The issue with PCI compliance is that each individual business/company has to get their own PCI compliance certificate.

So if you have 1 server with 50 ecommerce sites, that's 50 separate PCI scans that would have to be done.

Allowing server administrators to easily run a PCI service vulnerability scan would allow those administrators to routinely run those scans and know ahead of time what needs to be fixed on their servers to make that portion of the PCI check compliant.

There would still have to be 50 separate PCI scans, but those 50 scans would come up clean as it relates to port and cipher usage. RPM changelogs of backported fixes would still be required to be noted for each of those 50 ecommerce sites.
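The backport evidence sparek-3 refers to (and that WebJIVE's scanning vendor would not accept in its original form) comes from `rpm -q --changelog <package>`, whose entries carry the distribution's version-release stamp and the CVE ids fixed in that build. The script below is an added example, not code from anyone in this thread and not a cPanel tool: it parses that changelog format and answers, per CVE, which package version first carried the fix, which is the list one hands to an ASV when a service banner shows an upstream version older than the fix. The changelog text embedded in it is constructed, with placeholder ids of the form CVE-0000-000N rather than real advisories, and the header layout it assumes is the common `* Day Mon DD YYYY Author <email> - version-release` form; `load_changelog()` only does anything useful on an RPM-based host.

```python
"""Extract backported-fix evidence from an RPM changelog.

Added example (not from the thread, not a cPanel tool).  Parses the output of
`rpm -q --changelog <package>` and answers "which package version first fixed
CVE-X?", which is what a scanning vendor needs when the advertised version
string of sshd/httpd looks older than the upstream fix.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Assumed header form: "* Tue Mar 12 2019 Jane Doe <jane@example.com> - 7.4p1-21"
# (the " - " before the version is optional in some distributions).
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} +\d{1,2} \d{4}) (?P<author>.+?)(?:\s+-)?\s+"
    r"(?P<version>[\w.+~:]+-[\w.+~]+)$"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class Entry:
    date: str
    author: str
    version: str            # version-release of the build this entry describes
    lines: list = field(default_factory=list)

    def cves(self):
        """CVE ids named anywhere in this entry, in order, without repeats."""
        seen = []
        for line in self.lines:
            for cve in CVE_RE.findall(line):
                if cve not in seen:
                    seen.append(cve)
        return seen


def parse_changelog(text):
    """Split rpm changelog text into Entry objects, newest first (rpm's order)."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["date"], m["author"].strip(), m["version"]))
        elif entries and raw.strip():
            entries[-1].lines.append(raw.strip())
    return entries


def cve_index(entries):
    """Map each CVE id to the versions whose changelog entry mentions it."""
    index = {}
    for entry in entries:
        for cve in entry.cves():
            index.setdefault(cve, []).append(entry.version)
    return index


def first_fixed_in(entries, cve):
    """Oldest version whose entry names the CVE, or None if it is not listed.

    rpm prints newest entries first, so the last mention is the first fix.
    """
    versions = cve_index(entries).get(cve)
    return versions[-1] if versions else None


def backport_report(package, text):
    """One line per CVE, suitable for pasting into a scan dispute."""
    entries = parse_changelog(text)
    return [f"{package}: {cve} fixed in {first_fixed_in(entries, cve)}"
            for cve in sorted(cve_index(entries))]


def load_changelog(package):
    """Read the live changelog from rpm (only meaningful on an RPM-based host)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Mar 12 2019 Jane Doe <jane@example.com> - 7.4p1-21
- Backport upstream fix for CVE-0000-0002 (placeholder id)
- Resolves: rhbz#0000002

* Mon Jan 07 2019 Jane Doe <jane@example.com> - 7.4p1-19
- Fix CVE-0000-0001 and CVE-0000-0002 (placeholder ids)

* Wed Oct 03 2018 Jane Doe <jane@example.com> - 7.4p1-16
- Rebase to upstream 7.4p1
"""

if __name__ == "__main__":
    for line in backport_report("openssh (sample)", SAMPLE_CHANGELOG):
        print(line)
```

On a live host, `backport_report("openssh", load_changelog("openssh"))` produces the same kind of list for the installed package; the design choice of reporting the oldest version that names a CVE matters because a CVE often reappears in later entries (regression fixes, rebuilds), and the vendor wants the version at which it was first addressed.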

cPanelLauren

Product Owner II
Staff member
Hi @WebJIVE

First of all, I want to thank you for opening the feature request and sharing it with us; we do like hearing about what our clients want to see in cPanel and we definitely do try and work towards those goals, pending they are able to be accomplished.

On the subject of PCI compliance, as was touched on by @sparek-3, some of the PCI scanning compliance items do go beyond what we are able to provide as a provider of the control panel software. For example, the PCI scan itself must be done by a PCI Approved Scanning Vendor, which is why in most cases you'll need to go to a vendor that specializes in this, as well as potentially why we haven't offered scanning. Though you may be able to find free trials/ish sort of items that might work for you.

We have worked to make PCI compliance easier to achieve for cPanel users and we've created some great documentation explaining it. Please see the following:

PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation
How to Troubleshoot PCI Compliance Scans - cPanel Knowledge Base - cPanel Documentation

We've also begun listing the PCI compliant cipher lists used with services for releases. For example:

cPanel Web Disk Configuration - Version 70 Documentation - cPanel Documentation
Global Configuration - Version 70 Documentation - cPanel Documentation

But because PCI compliance is not for everyone, changing someone's cipher list throughout updates is not something that we're keen on implementing, though I do see some value in the ability to set globally PCI-safe standards to make the product easier to use for those that need it. I'm interested to see where the conversation goes in the feature request you opened.

Thanks!

sparek-3

cPanelLauren said: "For example the PCI scan itself must be done by a PCI Approved Scanning Vendor which is why in most cases you'll need to go to a vendor that specializes in this as well as potentially why we haven't offered scanning."
Just to clarify. I suppose what I'm looking for is an unofficial scanner. Something that would ideally be free to use and would ideally be on-demand capable.

I mean, what those official scanners look for is open for everyone to know, correct?

But I do understand that it wouldn't necessarily be official. To make it official, it would have to be scanned with - as you say - an Approved Scanning Vendor.

Basically what I'd like, is some way for us (root owners of a server) to scan all our servers so we can know if they meet PCI standards (unofficially).

Then when would-be clients ask us "Are your servers PCI compliant?" We can say yes, but they will have to get their own PCI Approved Scanning Vendor to perform a scan.

But we won't be taken by surprise in regards to anything those ASVs find. Aside from disclosing SSH and other package fixes in backport changelogs.

This isn't necessarily something cPanel would need to provide. I just think there would be a use for a service like this, if one existed somewhere. For the time being, I've been using Qualys SSL Labs and Comodo's SSL Analyzer, but this doesn't necessarily tell the whole PCI story.
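The unofficial, on-demand pre-scan sparek-3 describes, as an added example that is not part of the thread and not a cPanel or ASV tool: a Python script that performs one TLS handshake per protocol version against a host the reader administers and flags the protocol versions and cipher algorithms that ASV scans commonly report, so the fix can be made before the official scan rather than after it. The policy lists are this example's assumptions, not any ASV's actual rule set: TLS 1.1 and older are treated as failing, and RC4, DES/3DES, MD5, NULL, export-grade and anonymous suites are treated as weak. `evaluate()` works on a plain list of (protocol, cipher) pairs, so it also runs over the constructed sample below without any network access; `probe()` records only the server's preferred cipher per version, so it is a smoke test, not a full enumeration.

```python
"""Unofficial TLS pre-scan: flag protocol versions and cipher suites that
PCI ASV scans commonly report.  Added example; not an ASV scan and not a
cPanel tool.  The policy values below are this example's assumptions."""
import socket
import ssl
from dataclasses import dataclass

# Protocol versions treated as failing (SSL and "early TLS"; TLS 1.1 is
# included because ASVs flag it in practice).  Names match SSLSocket.version().
DISALLOWED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of OpenSSL cipher-suite names that indicate weak algorithms.
# Checked in this order; the first match wins.
WEAK_PATTERNS = (
    ("NULL", "no encryption"),
    ("EXP", "export-grade key length"),
    ("RC4", "RC4 stream cipher"),
    ("DES", "DES or 3DES block cipher (64-bit blocks)"),
    ("MD5", "MD5-based MAC"),
    ("ADH", "anonymous DH, server not authenticated"),
    ("AECDH", "anonymous ECDH, server not authenticated"),
)


@dataclass(frozen=True)
class Finding:
    protocol: str
    cipher: str
    reason: str


def evaluate(observed):
    """Return one Finding per (protocol, cipher) pair that violates the policy.

    `observed` is an iterable of (protocol, cipher_name) pairs that a server
    accepted, e.g. the output of probe() below.
    """
    findings = []
    for proto, cipher in observed:
        if proto in DISALLOWED_PROTOCOLS:
            findings.append(Finding(proto, cipher, f"{proto} is SSL/early TLS"))
            continue
        for pattern, why in WEAK_PATTERNS:
            if pattern in cipher.upper():
                findings.append(Finding(proto, cipher, why))
                break
    return findings


def probe(host, port=443, timeout=5.0):
    """One handshake per TLS version against a host you administer.

    Returns the (version, cipher) pairs the server accepted.  Each version
    gets a single handshake, so this records the server's preferred cipher
    per version, not every cipher it offers; a real scanner enumerates them.
    """
    accepted = []
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    for version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # we are testing ciphers, not the cert
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")   # let the client offer legacy suites
        except (ValueError, ssl.SSLError):
            continue                        # local OpenSSL cannot speak this version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append((tls.version(), tls.cipher()[0]))
        except (OSError, ssl.SSLError):
            pass                            # server refused this version: good
    return accepted


# Constructed sample of what a probe of an out-of-date server might return.
SAMPLE_OBSERVED = [
    ("TLSv1", "AES128-SHA"),
    ("TLSv1.2", "DES-CBC3-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]


def report(observed):
    """Human-readable summary; "no findings" means the pre-scan passed."""
    findings = evaluate(observed)
    lines = [f"{f.protocol:8} {f.cipher:32} {f.reason}" for f in findings]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    import sys
    target = sys.argv[1:2]
    print(report(probe(target[0]) if target else SAMPLE_OBSERVED))
```

Run with no arguments to see the sample evaluated, or with a hostname to probe one of your own servers; anything it reports should be fixed in the service's cipher and protocol settings before paying for the ASV scan, and a clean result still has to be confirmed by the ASV, as sparek-3 notes.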

rpvw

This is a personal opinion, and is not intended to be a criticism of any individual.

I don't think cPanel should get involved with this type of compliance testing nor implementation. Apart from the obvious potential liability, where should one stop?

Perhaps cPanel should be held accountable for Defence grade and Bank grade security, and HIPAA and EMV compliance as well, and maybe police the clients' deployed website software so the web site will stop functioning if the software is out-of-date or contains a known security vulnerability. Perhaps some sort of monitoring algorithm should be built in to ensure that no offensive, illegal or immoral content is stored, served or passed through the server. You could conjecture these scenarios to ridiculous conclusions.

I am all for cPanel documenting and publishing how-to guides, and even arranging courses and events to train server administrators how to make their servers compliant with whatever regulatory scheme they are trying to comply with, BUT I believe that server administrators should accept the responsibility for their servers, and make the effort to learn how to manage their servers and software if they want to offer specialist commercial solutions like PCI or HIPAA compliance etc., not rely on cPanel nor any other third party to do the work for them. (If you can't be bothered to learn how to do it, pay someone that can!)

Perhaps all this needs is better documentation, and maybe an option to get user-selected notifications displayed in WHM (you know, in the same area as that annoying notification about operating systems expiring over 2 years ahead) for PCI or HIPAA changes or whatever you select to see. That way those that don't need it won't see anything, nor will compliance configuration changes be forced down the throats of servers that don't need/want them.

Seems to me that everyone thinks they deserve and have the right to have everything handed to them on a silver plate these days, and all without making any more effort than just asking. o_O Ah well, I guess I'm just getting old... [/end rant]

spaceman

I'm a supporter of your original post @WebJIVE - thank you. I'm running with this challenge (of gaining PCI Compliance) at the moment for a client with a dedicated server with my company.

Rather than suggest that cPanel has a responsibility to help, my suggestion is that it would be very nice and helpful of cPanel to offer up more assistance. In other words, there's an opportunity for cPanel to make their software better in this area.

I know that the opinion of some is "you should become (or employ) a proper systems administrator, don't expect everything done for you on a plate!". My answer is that the tech world is increasingly and always trending towards giving more power/functionality to people with fewer and fewer skills. The friendlier and easier we can make systems and software, the more likely they are to be chosen by the widest possible audience, and over their less friendly competitor products. It's why UI/UX is a burgeoning profession. I've been an IT professional - less hands on these days! - since 1989, and I've watched this happen across the board. I've been an active cPanel/WHM user since 2000/1.

I recognise 100% that there's no one-size-fits-all when it comes to PCI Compliance. Nevertheless, it would be great if cPanel could do/offer more hints, tips, functions, features, etc. that chip away at this challenge over time.

If I were cPanel, and wanted to approach this systematically, I'd review a standard list of PCI Compliant requirements for a server, and create a list of ideas, per requirement, that should help to satisfy, partially or completely, this requirement.

One example (doubtless there are 100s more):

"Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers."

Out of the box, cPanel comes complete with a wide range of the above. So any extra assistance cPanel can give to:

1. Help to identify/detect unnecessary (i.e. not in active use) scripts, drivers, features, etc.
2. Help to easily and permanently disable them

... would be most welcome.

And here's the thing: many PCI compliant requirements are a good thing from a server/security perspective, not just from a PCI compliant perspective.

So running with my example (above): less is more, right? Less software means fewer things to go wrong, less software to keep patched, fewer potential security vulnerabilities.

My 2c!

Thanks,

Ross

WebJIVE

@spaceman After opening a ticket, I did get great help and support from cPanel on how to change the ciphers to be PCI compliant. What you learn is that they do have the defaults listed in the settings that you can copy/paste, which I did. The good thing is that waiting a bit allowed others to find the issues with Outlook, which were fixed in a subsequent update, so waiting paid off on that.

Thanks for the feedback. Ciphers are the big pain when it comes to PCI compliance because that's where things get tricky. The settings, not so much. And like you, I've been admin'ing systems since the 80s as well, with past certs like good ol' CNE, etc. LOL.