
PCI Compliance Automation

Discussion in 'Security' started by WebJIVE, Jun 22, 2018.

  1. WebJIVE (Well-Known Member; joined Sep 30, 2007)
    I started this feature request (it's still being reviewed) for automating PCI compliance settings. PCI compliance is starting to become a real issue with cPanel servers, especially those which have been upgraded over several releases. I had to get support involved (paid ticket, still open) because this is a seriously complex issue to take up.

    https://features.cpanel.net/topic/add-pci-compliant-settings-in-tweak-settings-for-pci-compliance

    My suggestion:
    Every few months we have to maintain our PCI compliance to be able to process credit cards, just like cPanel itself. After the upgrade to v70, Trustwave ran a PCI scan and found we were out of compliance with Ciphers and SSH.

    The ciphers, it seems, don't get automatically updated between releases and have to be updated manually, which for the crypto-unaware is a big challenge.
    cPanel needs to add an easy way to touch areas of the system with updated ciphers, which helps bring a server up to PCI compliance.

    Another area where we desperately need help is somewhere in WHM with information on SSH backports that's in an acceptable format for Trustwave and others. We were given backport info to pass along to Trustwave and they didn't accept it. This doc (downloadable or copy/pasteable) needs to be readily available from WHM.

    This is a pretty serious issue, and it seems that PCI compliance is getting harder; cPanel has a responsibility to help its customers maintain PCI compliant servers, or we'd have to find other solutions.

    Another option would be to work with all the PCI compliance companies that do scans and automatically send them backport and compliance info so that all we would have to do is put a check in a checkbox so that vendors like Trustwave know what system we're using.
     
  2. sparek-3 (Well-Known Member; joined Aug 10, 2002; cPanel Access Level: Root Administrator)
    I don't know if I necessarily agree that cPanel has a responsibility here with this. But it definitely would be nice to have access to a PCI security vulnerability scanner that can be run on demand to find vulnerable ports or ciphers that don't meet PCI standards. This would allow administrators to routinely check their servers and make sure that the servers are following the ever changing PCI standards.

    I don't know if this necessarily has to be a cPanel provided tool.

    The scope of complete PCI compliance probably extends out of cPanel's reach. They can't answer the questionnaire for you or determine if all of the scripts/applications/plugins/components/extensions/themes are up-to-date and not vulnerable.
     
  3. WebJIVE (Well-Known Member; joined Sep 30, 2007)
    PCI compliance is required by merchant account holders with websites that accept credit cards, so PCI compliance is often dictated and paid for by the merchant's account supplier. The reason cPanel needs involvement here is that PCI compliance includes complex topics like ciphers and SSH versions with backport information. Without that, it would be very difficult to have a PCI compliant server, so yes, they need to be involved in this process since their system is used by 10,000s of servers running various ecommerce software.
     
  4. sparek-3 (Well-Known Member; joined Aug 10, 2002; cPanel Access Level: Root Administrator)
    The issue with PCI compliance is that each individual business/company has to get their own PCI compliance certificate.

    So if you have 1 server with 50 ecommerce sites, that's 50 separate PCI scans that would have to be done.

    Allowing server administrators to easily run a PCI service vulnerability scan would allow those administrators to routinely run those scans and know ahead of time what needs to be fixed on their servers to make that portion of the PCI check compliant.

    There would still have to be 50 separate PCI scans, but those 50 scans would come up clean as it relates to port and cipher usage. RPM changelogs of backported fixes would still be required to be noted for each of those 50 ecommerce sites.
     
  5. cPanelLauren (Forums Analyst II, Staff Member; joined Nov 14, 2017; Location: Houston; cPanel Access Level: DataCenter Provider)
    Hi @WebJIVE

    First of all, I want to thank you for opening the feature request and sharing it with us. We do like hearing about what our clients want to see in cPanel, and we definitely do try and work towards those goals, provided they are able to be accomplished.

    On the subject of PCI compliance, as was touched on by @sparek-3, some of the PCI scanning compliance items do go beyond what we are able to provide as a provider of the control panel software. For example, the PCI scan itself must be done by a PCI Approved Scanning Vendor, which is why in most cases you'll need to go to a vendor that specializes in this, as well as potentially why we haven't offered scanning. Though you may be able to find free trial-ish sort of items that might work for you.

    We have worked to make PCI compliance easier to achieve for cPanel users and we've created some great documentation explaining it. Please see the following:

    PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation
    How to Troubleshoot PCI Compliance Scans - cPanel Knowledge Base - cPanel Documentation

    We've also begun listing the PCI compliant cipher lists used with services for releases. For example:

    cPanel Web Disk Configuration - Version 70 Documentation - cPanel Documentation
    Global Configuration - Version 70 Documentation - cPanel Documentation

    But because PCI compliance is not for everyone, changing someone's cipher list throughout updates is not something that we're keen on implementing, though I do see some value in the ability to set globally PCI-safe standards to make the product easier to use for those that need it. I'm interested to see where the conversation goes in the feature request you opened.

    Thanks!
     
  6. sparek-3 (Well-Known Member; joined Aug 10, 2002; cPanel Access Level: Root Administrator)
    Just to clarify. I suppose what I'm looking for is an unofficial scanner. Something that would ideally be free to use and would ideally be on-demand capable.

    I mean, what those official scanners look for is open for everyone to know, correct?

    But I do understand that it wouldn't necessarily be official. To make it official, it would have to be scanned with - as you say - an Approved Scanning Vendor.

    Basically what I'd like, is some way for us (root owners of a server) to scan all our servers so we can know if they meet PCI standards (unofficially).

    Then when would-be clients ask us "Are your servers PCI compliant?" We can say yes, but they will have to get their own PCI Approved Scanning Vendor to perform a scan.

    But we won't be taken by surprise in regards to anything those ASVs find, aside from disclosing SSH and other package fixes in backport changelogs.

    This isn't necessarily something cPanel would need to provide. I just think there would be a use for a service like this, if one existed some where. For the time being, I've been using Qualys SSL Labs and Comodo's SSL Analyzer, but this doesn't necessarily tell the whole PCI story.
     
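    As an added example for the "unofficial, on-demand" check sparek-3 describes above (this is not code from the thread, from cPanel, or from any ASV), here is a small Python pre-check that does the two things an ASV scan trips over in this thread: it expands a service's configured cipher string with the real `openssl ciphers -v` command and flags suites a PCI DSS scan rejects (RC4, 3DES, export, NULL, anonymous, MD5-MAC, SSLv2-only), and it probes a host for "SSL/early TLS" (TLS 1.0/1.1) support, which PCI DSS 3.2 Appendix A2 retired. The `openssl ciphers -v` sample text embedded in the script is constructed for the example, and the host, port and cipher string in `main` are assumptions; replace them with your own service's values from WHM. Note the caveat in `parse_openssl_ciphers_v`: the protocol column in `openssl ciphers -v` is the version a suite was defined for, not a limit on where it can be negotiated, so protocol support has to be tested on the wire, which is what `probe_protocol` does.

```python
"""Unofficial pre-ASV check: which cipher suites and TLS versions would a PCI
scan flag?  Added example for this thread, not cPanel's or an ASV's code.
The sample text below is constructed; host/port/cipher string in main()
are assumptions to be replaced with a real service's values."""
import shutil
import socket
import ssl
import subprocess

# Constructed sample of `openssl ciphers -v` output mixing modern and legacy suites.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH     Au=RSA  Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
AECDH-AES128-SHA            TLSv1   Kx=ECDH     Au=None Enc=AES(128)    Mac=SHA1
"""

def parse_openssl_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts with name, proto, Kx, Au, Enc, Mac.
    'proto' is the version the suite was *defined* for, not where it may be used:
    an SSLv3 suite is still offered under TLS 1.2, so versions are probed separately."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        suite = {"name": fields[0], "proto": fields[1]}
        for field in fields[2:]:
            key, _, value = field.partition("=")
            suite[key] = value
        suites.append(suite)
    return suites

def weak_reasons(suite):
    """Reasons a PCI DSS ASV scan would reject this suite; empty list means fine."""
    reasons = []
    enc = suite.get("Enc", "")
    if suite["proto"] == "SSLv2":
        reasons.append("SSLv2-only suite")
    if suite["name"].startswith("EXP-"):
        reasons.append("export-grade key length")
    if enc == "None":
        reasons.append("NULL encryption")
    if enc.startswith("RC4"):
        reasons.append("RC4 (broken stream cipher)")
    if enc.startswith("3DES"):
        reasons.append("3DES (64-bit block, SWEET32)")
    elif enc.startswith("DES("):
        reasons.append("single DES")
    if suite.get("Au") == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    if suite.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def audit_cipher_list(text):
    """Split parsed suites into {"weak": {name: [reasons]}, "ok": [names]}."""
    report = {"weak": {}, "ok": []}
    for suite in parse_openssl_ciphers_v(text):
        reasons = weak_reasons(suite)
        if reasons:
            report["weak"][suite["name"]] = reasons
        else:
            report["ok"].append(suite["name"])
    return report

def expand_cipher_string(cipher_string):
    """Expand a service's configured cipher string with the local openssl binary."""
    openssl = shutil.which("openssl")
    if openssl is None:
        raise RuntimeError("openssl binary not found")
    return subprocess.run([openssl, "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=True).stdout

# "SSL/early TLS" versions that PCI DSS 3.2 Appendix A2 retired.
EARLY_TLS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

def probe_protocol(host, port, version, timeout=5.0):
    """True if host:port completes a handshake at exactly `version`, False if the
    server refuses, None if the local OpenSSL cannot even offer that version.
    Needs network access; not exercised by the offline test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing version support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy suites
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None  # local OpenSSL refused to offer it; not a server result
        return False

if __name__ == "__main__":
    import json
    configured = "ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:RC4-SHA"  # assumed
    try:
        listing = expand_cipher_string(configured)
    except (RuntimeError, subprocess.CalledProcessError):
        listing = SAMPLE_OPENSSL_OUTPUT  # modern OpenSSL may lack RC4 entirely
    print(json.dumps(audit_cipher_list(listing), indent=2))
    for label, ver in EARLY_TLS.items():  # example.com:443 is an assumed target
        print(label, "offered:", probe_protocol("example.com", 443, ver))
```

    This only covers the port/cipher part of the scan that sparek-3 mentions; it says nothing about the SAQ, the web applications on each account, or the RPM changelog evidence for backported fixes, which still has to be supplied to the ASV per merchant.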
  7. rpvw (Well-Known Member; joined Jul 18, 2013; Location: Spain; cPanel Access Level: Root Administrator)
    This is a personal opinion, and is not intended to be a criticism of any individual.

    I don't think cPanel should get involved with this type of compliance testing or implementation. Apart from the obvious potential liability, where should one stop?

    Perhaps cPanel should be held accountable for Defence grade and Bank grade security, and HIPAA and EMV compliance as well, and maybe police the clients deployed website software so the web site will stop functioning if the software is out-of-date or contains a known security vulnerability. Perhaps some sort of monitoring algorithm should be built in to ensure that no offensive, illegal or immoral content was stored, served or passed through the server. You could conjecture these scenarios to ridiculous conclusions.

    I am all for cPanel documenting and publishing how-to guides, and even arranging courses and events to train server administrators how to make their servers compliant with whatever regulative scheme they are trying to comply with BUT, I believe that server administrators should accept the responsibility for their servers, and make the effort to learn how to manage their servers and software if they want to offer specialist commercial solutions like PCI or HIPAA compliance etc - not rely on cPanel nor any other third party to do the work for them. (If you can't be bothered to learn how to do it, pay someone that can !!)

    Perhaps all this needs is better documentation, and maybe an option to get user-selected notifications displayed in WHM (you know, in the same area as that annoying notification about operating systems expiring over 2 years ahead) for PCI or HIPAA changes or whatever you select to see. That way those that don't need it won't see anything, nor will compliance configuration changes be forced down the throats of servers that don't need/want it.

    Seems to me that everyone thinks they deserve and have the right to have everything handed to them on a silver plate these days, and all without making any more effort than just asking. o_O Ah well, I guess I'm just getting old... [/end rant]
     