In the the article they suggest limiting the addresses from which the admin can be accessed. If you’re using Apache, here’s one way using the <Location> directive:

<Location /wp-admin>
   Order Deny,Allow
   Deny from all
   Allow from example.com 10.211.34.83
</Location>
<Location /wp-login.php>
   Order Deny,Allow
   Deny from all
   Allow from example.com 10.211.34.83
</Location>

That is, according to the PCI DSS. I read the PCI DSS Summary of Changes. It’s pretty much business as usual until you get to 5.1. That’s where you find this little gem:

Clarified requirement applies to all operating systems types commonly affected by malicious software, if applicable anti-virus technology exists.

Okay, sounds good.

Besides use of the term “anti-virus software,” changed the term “virus” to “malicious software.”

Good call, no doubt someone has tried to wriggle out of compliance using that excuse.

Deleted note stating “Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.”

WTF?!?!?!? Is this some kind of twisted April Fool’s prank.
::Channelling Brian Regan::

“Hey, come here; look what I put for Section Five. Did you see? I just did it as a joke but it’s going out like that. It’s already on the website. I don’t know what to do.”
“Just let it go I guess. There’s nothing you can do now.”

Raise your hand if you’ve ever seen a Unix box infected with a virus. Yeah, me neither.

It doesn’t take much imagination to figure out where this comes from. There’s a lot of big money that doesn’t like Unix boxes getting a free pass for pretty much all of Section 5 of the DSS.

To unravel this “mystery” let’s start by figuring out who *loses* money by Unix not needing anti-malware… Yeah it’s Microsoft. You have to think they’ve been shoving money in the pocket’s of PCI over this. After all, if businesses realize that they can save money by switching to Linux, especially in the current economic climate, they’re gonna do it. And what business wouldn’t, switching to Linux saves you the outrageous anti-malware fees and the exorbitant Windows license fees.

Now, besides Microsoft, who stands to benefit from this? Of course the answer is the anti-malware venders: Symantec, McAfee, TrendMicro, Sophos, AVG (formerly Grisoft), Kaspersky (I’m not going to dignify them with links). If you want some good laughs go read what these guys have to say about Unix viruses.

McAfee, circa 2006:

Macintosh platform vulnerability discovery rates have increased by 228 percent in the past three years alone…

Translation: Your baby is dead!
To their credit, they did follow that up with:

…from 45 found in 2003 to 143 in 2005

Holy hell! Please McAfee, take my money, just protect me!

Sophos, February 13th, 2008, says of the Linux/Rst-B virus:

Analysis of malware in Sophos’s Linux honeypots have shown almost 70 percent of the infections are due to this six-year-old malicious program.

Translation: Your baby is dead!
Holy hell! Nooooo! Not the honeypots! Those things highly secure! It takes mad 733t skillz to pwn a honeypot! Lots of critical thinking going on there.
In that same press release, I liked this:

“…we hope that Linux users who aren’t running security will at least run this tool to find out if they are infected with this granny virus.”

Ha ha, “granny virus,” awesome. And are you “running security” on your Linux box? What exactly does that mean? No matter, I wrote my own Linux/Rst-B scanner, check it:

#!/usr/local/bin/bash
echo "Scanning for Linux/Rst-B virus..."
sleep(5)
echo "No virus detected!"

To Sophos’ credit the did put this in:

Hackers typically gain control via weak SSH password or some other vulnerability.

But that’s it. The rest of the time it’s “Linux viruses are taking over! Give us lots of money, and we’ll protect you!”

Here’s the only place where you can argue Unix anti-malware makes sense: email and file servers. Let those servers be good Samaritans and catch the Windows viruses before they are spread around. It’s a waste anywhere else.

That being said, one could argue running anti-malware on a Unix box does more harm than good. It’s more than the obvious sucking up resources. My biggest problem is running anti-malware on a box adds one more attack vector an attacker has. Historically, there have been many instances where anti-malware software has made people more vulnerable, my favorite being this one.

Finally, I want to add that viruses are already becoming passe. Okay maybe not for Windows, but certainly Unix. Just look at the pwn2own contest. Yeah, the Mac fell in like two minutes, but it had *nothing* to do with a virus, or any kind of malware that’s going to be detected. And that’s the point. Linux, OS X, and other Unix OSes are not going to be taken by traditional malware. Any attacker worth his salt is gonna do it through the web browser. Email: lame. Open ports: too much work. SSH: maybe. Web browser: booyah!

The web browser is the ultimate vector, because you as a user, are giving some portion of control of your computer to a remote machine. Just look at the recent OS X viruses, they change your system network settings so your traffic goes to the bad guys site. Oh snap!

At any rate, PCI removing the statement that Unix systems are not commonly affected by malware has no basis in reality and exists *soley* to make big, slow, outdated, technology companies more money.

That’s bad enough in and of itself. But what makes it worse is the fact that PCI auditors are just an army of box ticking robots. Seriously. Trying to reason with one is an exercise in futility.

Now the worst part: There’s nothing we can do about it. PCI can come up with any bull shit, cockamamie rule they feel like, and you have comply or you’re out of business. Rant off.

P.S. – To any box ticking robots that read this, get off your Huffy and write to me. I’m not an auditor, what’s your side of the story.

login.c:79: error: 'struct utmpx' has no member named 'ut_name'

To fix this, open opie-2.4/libopie/login.c and change line 79 from:

  strncpy(u.ut_name, name, sizeof(u.ut_name));

to

  strncpy(u.ut_user, name, sizeof(u.ut_user));

I’m not anywhere near smart enough to figure that out on my own, but this Google search lead me to this page, which gave the clue to do this. After you make this change, opie will compile, but won’t install because it looks for chown in /bin, so after monkeying with the make files and what not, I gave up and just created symlink, like so: sudo ln -s /usr/sbin/chown /bin/chown.

To save time, I created a new archive with the change I made, it’s available here. The code was released under the Naval Research Laboratory (NRL) license which appears to be a derivative of the UC Berkley license. As far as I can tell, this is not the ‘BSD’ license, but is similar, so I don’t think I’m in violation of the license by redistributing this.

Since I don’t like to create accounts on every site I visit, and Rom’s blog requires you to be logged in to comment, I’ll write the comment on my site.

Rom wrote “I am curious as to how this is achieved specially when you are not running as administrator and all applications that you use are saved at the default /Applications, which require admin privileges for write access.”

So how does this happen? To find the answer, go to your Mac, bust out a terminal, and do a long listing on the /Applications directory (ls -l /Applications). You’ll see something like this:

drwxrwxr-x    3 root      admin       102 Sep 28 23:41 Address Book.app
drwxrwxr-x    5 jtanium  admin       170 Nov 11 22:00 Adobe Reader 7.0.8
drwxrwxr-x    6 root      admin       204 Nov  9 19:57 AppleScript
drwxrwxr-x    3 root      admin       102 Sep 28 23:45 Automator.app
drwxrwxr-x    3 root      admin       102 Aug 20 04:56 Calculator.app
drwxr-xr-x    3 jtanium  admin       102 Sep 11 05:30 Camino.app
drwxrwxr-x    3 root      admin       102 Aug 20 03:52 Chess.app
drwxr-xr-x    3 jtanium jtanium    102 Nov  1 21:30 CocoaMySQL_0.7b5.app
drwxr-xr-x    3 jtanium  admin       102 Sep 28 15:16 CrossOver.app
drwxrwxr-x    3 root      admin       102 Sep 28 23:37 DVD Player.app
drwxrwxr-x    3 root      admin       102 Sep 11 20:37 Dashboard.app
drwxr-xr-x    3 jtanium  admin       102 Nov 10 07:18 DbVisualizer.app
drwxr-xr-x    3 jtanium  admin       102 Nov  9 16:24 Delicious Library.app
drwxrwxr-x    3 root      admin       102 Apr 21  2005 Dictionary.app
drwxr-xr-x    4 jtanium  admin       136 Nov 10 07:09 Firefox.app
drwxrwxr-x    7 root      admin       238 Nov 12 11:48 Flip4Mac
drwxrwxr-x    3 root      admin       102 May 27  2005 Font Book.app
drwxrwxr-x    3 root      admin       102 Nov  9 20:37 GarageBand.app
drwxr-xr-x    3 jtanium  admin       102 Jul 27 01:11 Google Notifier.app
drwxrwxrwx   15 root      admin       510 Nov 12 15:42 Hewlett-Packard
drwxrwxr-x    3 root      admin       102 Aug 20 00:36 Image Capture.app
drwxr-xr-x   13 jtanium  admin       442 Jun 15 04:45 IntelliJ IDEA 5.1.2.app
drwxrwxr-x    3 root      admin       102 Sep 28 22:11 Internet Connect.app
drwxrwxr-x    3 root      admin       102 Mar  3  2005 Mail.app
drwxrwxr-x    3 jtanium  admin       102 Nov 10 07:30 Microsoft AutoUpdate.app
drwxrwxr-x   16 jtanium  admin       544 Nov 10 07:41 Microsoft Office 2004
drwxr-xr-x    3 jtanium  admin       102 Aug  2 13:41 OmniGraffle Professional.app
drwxrwxr-x    3 root      admin       102 Mar 14  2006 OmniOutliner.app
drwxrwxr-x    3 jtanium  admin       102 Sep 19 02:49 Opera.app
drwxrwxr-x    3 root      admin       102 Aug  4 12:31 Photo Booth.app
drwxrwxr-x    3 root      admin       102 Sep 11 20:44 Preview.app
drwxrwxr-x    3 root      admin       102 Nov 10 06:48 QuickTime Player.app
drwxrwxr-x    3 root      admin       102 Feb 10  2005 Safari.app
drwxrwxr-x    3 root      admin       102 Sep 28 23:42 Sherlock.app
drwxr-xr-x    3 jtanium  admin       102 Aug  5 15:34 Shiira.app
drwxrwxr-x    3 root      admin       102 Aug 20 06:36 Stickies.app
drwxr-xr-x    4 jtanium  admin       136 Sep 21 06:37 StuffIt 11
drwxrwxr-x    3 root      wheel       102 Aug 20 05:06 System Preferences.app
drwxrwxr-x    3 root      admin       102 Aug 20 06:31 TextEdit.app
drwxr-xr-x    3 jtanium  admin       102 Nov  1 21:22 TextMate.app
drwxrwxr-x   30 root      admin      1020 Nov 12 15:41 Utilities
drwxr-xr-x    3 jtanium  admin       102 May  6  2006 VLC.app
drwxr-xr-x    3 root      wheel       102 Nov 10 07:20 VPNClient.app
drwxrwxr-x    3 root      admin       102 Aug 22 18:48 iCal.app
drwxrwxr-x    3 root      admin       102 Aug 20 14:20 iChat.app
drwxrwxr-x    3 root      admin       102 Nov  9 20:37 iDVD.app
drwxrwxr-x    3 root      admin       102 Nov  9 20:37 iMovie HD.app
drwxrwxr-x    3 root      admin       102 Nov  9 20:37 iPhoto.app
drwxrwxr-x    3 root      admin       102 Aug 20 06:57 iSync.app
drwxr-xr-x    3 jtanium  wheel       102 Nov  9 13:56 iTerm.app
drwxrwxr-x    3 root      admin       102 Nov 10 06:56 iTunes.app

See what’s happening? When you install applications by copying the .app folder to /Applications, OS X, as I understand it, uses sudo to do the copy, hence it prompts you for your password. However you only need sudo to *create* the directory in /Applications, which is owned by root:admin. sudo will maintain the ownership of the files it’s copying. And I’m sure the vast majority of Mac users are in this situation.

Now here’s the fun part: what do you do to fix the situation? Well, everytime you install an app you just need to open a terminal, and execute sudo chown -Rf root:admin /Application/AppYouJustInstalled.app. Unfortunately I can’t recommend this practice wholeheartedly. If you’ve ever tried to run OS X on a case sensitive file system, you’ve probably found third party apps (notably, MS Office and Photoshop), have a lot of issues — I’m worried changing ownership to root:admin would cause similar problems.