dstana

Well-Known Member
Jul 6, 2016
109
19
68
Phoenix, AZ
cPanel Access Level
Root Administrator
We're having an issue with PCI Compliance on our server.

We've got 3 packages that need to be updated:

-EXIM
-BIND
-OPENSSH

I've got specific versions for minimum requirements that I've verified we don't meet. Our WHM version is current and I don't have any packages marked for update. So I guess the latest versions of these aren't available from cPanel?

Is there a way around this to install the updated versions so I can put this PCI stuff to bed?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463

dstana

Hey Michael,

That might help, I'll have to dig through those a bit more closely. However, this is another issue that was mentioned that was configuration related instead of by package version.

SSH: Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
 

dstana

Ok, so I went through all of them. Everything is backported except CVE-2017-15906 because CentOS hasn't released the patch yet. But this was mentioned elsewhere that it only affects read-only SFTP configurations.

I removed the 1024-bit moduli from /etc/ssh/moduli and restarted SSHD. Looks like everything should be good.
 

cPanelMichael

Hello,

I'm glad to see it's now sorted. Thank you for sharing the outcome.
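
The moduli cleanup described in this thread, as an added example that is not part of the original posts: a POSIX shell sketch that filters a moduli(5) file down to primes of a minimum size and refuses to emit an empty result. The function names and the sample entries are constructed for illustration; it assumes the usual convention that the size field holds bits minus one (1023, 2047, ...).

```shell
#!/bin/sh
# Added example. moduli(5) fields: time type tests tries size generator modulus
# The shipped file stores size as bits-1 (1023, 2047, ...), so compare to min-1.

# count_moduli FILE: number of prime entries (comments and blanks skipped)
count_moduli() {
    awk '$1 !~ /^#/ && NF == 7 { n++ } END { print n + 0 }' "$1"
}

# smallest_modulus FILE: nominal bit size of the smallest entry, 0 if none
smallest_modulus() {
    awk '$1 !~ /^#/ && NF == 7 { if (!s || $5 + 0 < m) { m = $5 + 0; s = 1 } }
         END { print (s ? m + 1 : 0) }' "$1"
}

# filter_moduli MIN_BITS INFILE OUTFILE
# Copies comments plus entries >= MIN_BITS; returns 1 (and writes nothing)
# if no entry survives, so an empty file never replaces a working one.
filter_moduli() {
    min_bits=$1; infile=$2; outfile=$3
    awk -v min="$((min_bits - 1))" '
        $1 ~ /^#/ || NF == 0 { print; next }
        NF == 7 && $5 ~ /^[0-9]+$/ && $5 + 0 >= min { print }
    ' "$infile" > "$outfile" || return 2
    if [ "$(count_moduli "$outfile")" -eq 0 ]; then
        rm -f "$outfile"
        return 1
    fi
}

# Constructed sample: real layout, moduli shortened to placeholder hex.
write_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20160301052556 2 6 100 1023 2 F1A2B3C4D5E6F701
20160301052601 2 6 100 1535 5 F1A2B3C4D5E6F702
20160301052640 2 6 100 2047 2 F1A2B3C4D5E6F703
20160301052812 2 6 100 3071 2 F1A2B3C4D5E6F704
20160301053350 2 6 100 4095 5 F1A2B3C4D5E6F705
EOF
}

# Demo on a temporary copy; nothing under /etc/ssh is touched.
tmp=$(mktemp -d)
write_sample "$tmp/moduli"
if filter_moduli 2048 "$tmp/moduli" "$tmp/moduli.new"; then
    echo "kept $(count_moduli "$tmp/moduli.new") of $(count_moduli "$tmp/moduli") entries"
fi
rm -rf "$tmp"
```

The size filter addresses the "2048 bits or greater" part of the scanner finding; `smallest_modulus` gives a quick check of the result before the filtered file is moved into place and sshd is restarted.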