Article ID: 6228, created on Apr 8, 2009, last review on Jan 13, 2016

  • Applies to:
  • Odin Business Automation Standard 4.5

Resolution

The following changes should be performed in order to pass the PCI scan test.

1. Apache update

If you are running OBAS on an old OS (such as Fedora 6 or CentOS 4), you have to migrate OBAS to one of the newer OSs (CentOS 5, for example). That OS ships Apache 2.2.3.

You can find the instruction on the OBAS migration here: https://kb.odin.com/en/2126

2. SSL2 protocol should be disabled.

Disable all protocols except TLSv1 by adding the following line to the file /etc/hspcd/conf/hspc_ssl.conf:

SSLProtocol -ALL +TLSv1

Restart the frontend Apache server.

3. SSL Weak Encryption Algorithms

Change the SSLCipherSuite directive in the file /etc/hspcd/conf/hspc_ssl.conf to the following:

SSLCipherSuite ALL:-ADH:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Restart the frontend Apache server.

4. DNS issues

  • Close port 53 on the firewall and leave it open only for the hosts that need it (slave DNS servers, for example).
  • The 'allow-recursion' option should list only the hosts that are allowed to make recursive DNS queries.

5. PHP Info File

We do not create such a file by default, so you need to find the file reported by the scan and delete it.

6. SSH access

Close the SSH port on the firewall and allow SSH connections only from trusted hosts.
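Items 4 and 6 both come down to the same firewall pattern (accept a named port from a short list of trusted hosts, drop it for everyone else) plus, for DNS, the BIND 'allow-recursion' option. The script below is an added example, not part of this article or of OBAS: it prints the iptables rules and a named.conf fragment for review rather than applying them, and every address in it is a constructed placeholder from the RFC 5737 test ranges. The host lists and the port_is_closed_by_default helper are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the KB article: print the iptables rules and the
# BIND options that implement items 4 and 6 (ports 53 and 22 reachable only
# from named trusted hosts, recursion only for trusted clients). The script
# only prints; review the output, then feed it to sh on the OBAS host.
# All addresses are constructed placeholders from the RFC 5737 test ranges.

ADMIN_HOSTS="203.0.113.10 203.0.113.11"   # hosts allowed to open SSH
SLAVE_DNS="198.51.100.53"                 # secondary name servers
RECURSION_CLIENTS="192.0.2.0/24"          # clients allowed recursive lookups

# Print rules that accept $2/$1 only from the sources in $3 and drop the rest.
# The ACCEPT lines must come before the DROP, so keep the order when applying.
restrict_port_rules() {
    port=$1; proto=$2; sources=$3
    for src in $sources; do
        echo "iptables -A INPUT -p $proto --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p $proto --dport $port -j DROP"
}

# Item 6 (SSH) and item 4 (DNS over both transports).
pci_firewall_rules() {
    restrict_port_rules 22 tcp "$ADMIN_HOSTS"
    restrict_port_rules 53 tcp "$SLAVE_DNS"   # zone transfers
    restrict_port_rules 53 udp "$SLAVE_DNS"   # queries and NOTIFY
}

# Turn a space-separated list into a BIND address-list body ("a; b").
to_list() { echo "$1" | sed 's/ /; /g'; }

# Item 4, BIND side: limit recursion (and zone transfers) to named networks.
named_options() {
    cat <<EOF
acl "trusted" { $(to_list "$RECURSION_CLIENTS"); };
acl "slaves"  { $(to_list "$SLAVE_DNS"); };
options {
    allow-recursion { trusted; };
    allow-transfer  { slaves; };
};
EOF
}

# Audit helper for an existing ruleset: given rules in the form printed above
# or by "iptables -S INPUT" on stdin, return 0 if port $1/$2 has a DROP or
# REJECT rule, i.e. is closed to hosts that are not explicitly accepted.
port_is_closed_by_default() {
    grep -- "-p $2 .*--dport $1 " | grep -qE -- '-j (DROP|REJECT)'
}

echo "# firewall rules"; pci_firewall_rules
echo "# named.conf fragment"; named_options
```

Run it once to inspect the output, then `./pci_ports.sh | grep '^iptables' | sh` on the server; the named.conf fragment is merged into the existing options block by hand. The audit helper can also be pointed at the live ruleset (`iptables -S INPUT | port_is_closed_by_default 53 udp`) after the rules are loaded.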

7. Web Application Cross Site Scripting

Download the attached files (see Attachments below) and use them to replace the following files in your default Online Store:

  • /var/opt/hspc-frontend/templates/domains.inc
  • /var/opt/hspc-frontend/sign_in.php
  • /var/opt/hspc-frontend/templates/customer_sign_in.inc

If you have a customized Online Store, do not forget to re-apply your customizations after the files are replaced.

8. Disable Trace/Track methods

Add the following lines at the bottom of the file /etc/hspcd/conf/hspc_rewrite.conf, before the line 'Include "conf/hspc_proxy.conf"':

#PCI Compliance rule
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
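Items 2, 3 and 8 are all edits to Apache configuration files, and a rescan is the only confirmation the article gives. The script below is an added example, not part of this article or of OBAS: it audits an hspc_ssl.conf and an hspc_rewrite.conf for the three settings (SSLv2/SSLv3 disabled, the weak cipher families removed, TRACE/TRACK refused before the hspc_proxy.conf include). The file paths in the comments are the ones the article names; the sample configuration files it writes are constructed so that it runs offline, and the check functions are this example's own. The cipher check is static: it confirms the exclusions are present but does not evaluate the remaining cipher list, which `openssl ciphers -v` on the host does.

```shell
#!/bin/sh
# Added example, not part of the KB article: a read-only audit of the three
# Apache settings changed in items 2, 3 and 8 (SSLProtocol, SSLCipherSuite,
# TRACE/TRACK blocking). On a real host pass /etc/hspcd/conf/hspc_ssl.conf and
# /etc/hspcd/conf/hspc_rewrite.conf; the files written below are constructed
# samples so the script runs offline.

# Item 2: evaluate the last SSLProtocol line in $1 roughly the way Apache does
# (ALL enables everything, +/- add or remove, a bare name adds) and require
# that SSLv2 and SSLv3 end up disabled and TLSv1 enabled.
check_ssl_protocol() {
    line=$(grep -i '^[[:space:]]*SSLProtocol' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    set -- $line; shift                 # tokens after the directive name
    v2=0; v3=0; tls=0
    for tok in "$@"; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) v2=1; v3=1; tls=1 ;;
            -[Aa][Ll][Ll])              v2=0; v3=0; tls=0 ;;
            SSLv2|+SSLv2) v2=1 ;;    -SSLv2) v2=0 ;;
            SSLv3|+SSLv3) v3=1 ;;    -SSLv3) v3=0 ;;
            TLSv1*|+TLSv1*) tls=1 ;; -TLSv1*) tls=0 ;;
        esac
    done
    [ "$v2" -eq 0 ] && [ "$v3" -eq 0 ] && [ "$tls" -eq 1 ]
}

# Item 3: the SSLCipherSuite string must explicitly remove (-X or !X) each
# family the scan flags. Static check only; "openssl ciphers -v '<suite>'"
# on the host shows what the string actually enables.
check_cipher_suite() {
    suite=$(grep -i '^[[:space:]]*SSLCipherSuite' "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$suite" ] || return 1
    for weak in ADH LOW EXP SSLv2; do
        case ":$suite:" in
            *":-$weak:"*|*":!$weak:"*) ;;   # removed, good
            *) echo "  cipher family $weak not removed"; return 1 ;;
        esac
    done
    return 0
}

# Item 8: TRACE/TRACK must be refused. Accept the article's rewrite rule
# (it has to precede the Include of hspc_proxy.conf) or Apache 2.2's
# TraceEnable off.
check_trace_blocked() {
    grep -qi '^[[:space:]]*TraceEnable[[:space:]]*off' "$1" && return 0
    cond=$(grep -n 'RewriteCond.*REQUEST_METHOD.*TRACE' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$cond" ] || return 1
    grep -q 'RewriteRule.*\[F' "$1" || return 1
    inc=$(grep -n 'Include.*hspc_proxy.conf' "$1" | head -n 1 | cut -d: -f1)
    [ -z "$inc" ] || [ "$cond" -lt "$inc" ]
}

# Run all three checks; the exit status is the number of failed items.
audit_obas_pci() {
    ssl_conf=$1; rewrite_conf=$2; fails=0
    check_ssl_protocol "$ssl_conf" && echo "ok   SSLProtocol" \
        || { echo "FAIL SSLProtocol: SSLv2/SSLv3 still enabled"; fails=$((fails + 1)); }
    check_cipher_suite "$ssl_conf" && echo "ok   SSLCipherSuite" \
        || { echo "FAIL SSLCipherSuite: weak ciphers allowed"; fails=$((fails + 1)); }
    check_trace_blocked "$rewrite_conf" && echo "ok   TRACE/TRACK blocked" \
        || { echo "FAIL TRACE/TRACK: no rule before the hspc_proxy.conf include"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: one weak pair, one pair with the article's values.
TMPD=$(mktemp -d)
WEAK_SSL="$TMPD/weak_ssl.conf"; GOOD_SSL="$TMPD/good_ssl.conf"
WEAK_RW="$TMPD/weak_rewrite.conf"; GOOD_RW="$TMPD/good_rewrite.conf"
printf '%s\n' 'SSLProtocol ALL' \
    'SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP' > "$WEAK_SSL"
printf '%s\n' 'SSLProtocol -ALL +TLSv1' \
    'SSLCipherSuite ALL:-ADH:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' > "$GOOD_SSL"
printf '%s\n' 'RewriteEngine on' 'Include "conf/hspc_proxy.conf"' > "$WEAK_RW"
printf '%s\n' 'RewriteEngine on' '#PCI Compliance rule' \
    'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' 'RewriteRule .* - [F]' \
    'Include "conf/hspc_proxy.conf"' > "$GOOD_RW"

echo "== hardened sample =="; audit_obas_pci "$GOOD_SSL" "$GOOD_RW"
echo "== weak sample ==";     audit_obas_pci "$WEAK_SSL" "$WEAK_RW" || echo "$? item(s) need attention"
# Live check after the Apache restart (not run here): a TRACE request such as
#   curl -sk -o /dev/null -w '%{http_code}\n' -X TRACE https://your-obas-host/
# should print 403 once the rewrite rule is active.
```

Point the functions at the real files with `audit_obas_pci /etc/hspcd/conf/hspc_ssl.conf /etc/hspcd/conf/hspc_rewrite.conf` after editing and before restarting Apache; a non-zero exit status tells a maintenance script how many of the three items still need work.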

See also

Is there a way to use PHP 5.6 with the OBAS store?

Search Words

PCI

PCI compliance

Attachments

400e18f6ede9f8be5575a475d2d6b0a6 caea8340e2d186a540518d08602aa065 624ca542e40215e6f1d39170d8e7ec75 70a5401e8b9354cd1d64d0346f2c4a3e
