PCI-DSS Compliance

marotori

Member
Jun 17, 2009
Right... I have hit a rather frustrating problem that I am pretty certain is going to affect a lot of people.

My latest PCI compliance scans on one of my servers threw up a problem.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1146

It seems the kernel 2.6 series of Linux (all flavours) has a flaw in it. As a result, PCI compliance is being denied.

What's the problem with this?

If you run anything in a container, you get kernel 2.6.32.XX from the guest machine.

Result.

If you run OpenVZ containers, you have no way of getting PCI-DSS compliance!

Don't know if anyone has any magic fixes for this issue?

Rob
 
As best I can tell, this vulnerability requires that the kernel is compiled with CONFIG_CGROUPS=y.
Not all distributions have this enabled, so using KVM virtualization with a distro that has this option disabled should be enough to get around this problem.

The Proxmox kernel does have this option enabled.
So it is indeed an issue for Proxmox and OpenVZ containers.

I see no bugs on the OpenVZ bugzilla related to this.
OpenVZ pulls its kernel from Red Hat; their bug basically states that CGROUPS are disabled, therefore it is not an issue:
https://bugzilla.redhat.com/show_bug.cgi?id=800813

Can we disable CGROUPS in Proxmox to address this? I assume that maybe OpenVZ needs them, but I really have no idea.
If CGROUPS are needed, then Proxmox or OpenVZ will need to backport a patch to fix this.
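The two posts above turn on two facts about the box the scanner sees: the kernel release string (2.6.32.x, reported by `uname -r` even inside a container) and whether that kernel was built with CONFIG_CGROUPS=y. The script below is an added example, not code from the thread or from Proxmox/OpenVZ, that checks both on the machine it runs on. It assumes the usual places a kernel config can be read, /proc/config.gz (present only if the kernel was built with CONFIG_IKCONFIG_PROC) and /boot/config-<release> (the Debian/Red Hat convention), and uses /proc/cgroups, which the kernel only registers when cgroups are compiled in, as the live fallback. The function names are mine. It is a check, not a remediation: a scanner keying on the version string will still flag the host until the kernel is patched.

```sh
#!/bin/sh
# Added example, not code from the thread: report whether the running kernel is
# the 2.6.32 series the PCI scan flagged and whether it was built with
# CONFIG_CGROUPS=y, the precondition discussed above. Inside an OpenVZ container
# `uname -r` reports the host kernel, so run it both in the container the scanner
# targets and on the Proxmox host itself.

CONFIG_KEY='CONFIG_CGROUPS'

# cgroups_in_config FILE
#   Returns 0 when FILE contains CONFIG_CGROUPS=y, 1 otherwise. FILE may be a
#   plain /boot/config-* file or the gzipped /proc/config.gz (needs gzip).
cgroups_in_config() {
    file=$1
    [ -r "$file" ] || return 1
    if [ "${file%.gz}" != "$file" ]; then
        gzip -dc "$file" 2>/dev/null | grep -q "^${CONFIG_KEY}=y$"
    else
        grep -q "^${CONFIG_KEY}=y$" "$file"
    fi
}

# is_2_6_32 RELEASE
#   Returns 0 when RELEASE (as printed by uname -r) is in the 2.6.32 series,
#   e.g. 2.6.32-11-pve or 2.6.32.59, and 1 otherwise.
is_2_6_32() {
    case $1 in
        2.6.32|2.6.32.*|2.6.32-*) return 0 ;;
        *) return 1 ;;
    esac
}

# cgroup_subsystems
#   Prints the cgroup subsystems the running kernel registered. /proc/cgroups
#   exists only when the kernel was built with CONFIG_CGROUPS=y, so its mere
#   presence answers the question even when no config file is readable.
cgroup_subsystems() {
    [ -r /proc/cgroups ] || return 1
    awk 'NR > 1 { printf "%s ", $1 } END { print "" }' /proc/cgroups
}

# report_running_kernel
#   Prints a summary for the kernel this shell runs on. Always returns 0.
report_running_kernel() {
    release=$(uname -r)
    echo "kernel release: $release"
    if is_2_6_32 "$release"; then
        echo "  2.6.32 series: yes (the series flagged by the scan)"
    else
        echo "  2.6.32 series: no"
    fi
    for cfg in /proc/config.gz "/boot/config-$release"; do
        [ -r "$cfg" ] || continue
        if cgroups_in_config "$cfg"; then
            echo "  $CONFIG_KEY=y in $cfg"
        else
            echo "  $CONFIG_KEY not set in $cfg"
        fi
    done
    if subsystems=$(cgroup_subsystems); then
        echo "  /proc/cgroups present, subsystems: $subsystems"
    else
        echo "  /proc/cgroups absent: cgroups not compiled in, or /proc is restricted"
    fi
    return 0
}

report_running_kernel
```

Run it once inside a container and once on the host: if the container prints the host's 2.6.32 release and a populated /proc/cgroups, that is exactly the combination the posts above describe, and switching the guest to KVM with its own kernel is what changes the answer.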
 
Hi,
I think CGROUPS are an important tool, so I hope they don't need to be disabled in PVE.

Udo
 
What are they used for?

I just hope an easy solution exists :)


Rob
 
Please can you report a bug at bugzilla.openvz.org?
 