PCI-DSS Compliance

Voyaller

Member
Nov 15, 2020
Hello,

We need to be compliant with PCI-DSS.

Systems hardening and vulnerability appeasements are a big part of the process.

In the past I've used my trusted CIS Benchmarks to harden various new deployments of different systems.

I have some considerations with Proxmox and the hardening process before I jump into the lab, one of them being the root account that we most likely have to disable.
Proxmox is a Debian OS with a lot more additional components on top of it. I'm afraid that if I start to harden the system it will stop functioning the way it should.

I'm opening this thread in order to gather information and experiences from other people in a similar situation.
Have no experience with PCI-DSS, but does "disabling root account" mean "no root account in the system" or "create another username with the same functionality as root"? The latter may allow you to just rename the "root" user. I just can't imagine how to maintain a rootless system.

Besides that, most Proxmox services run as root and SSH passwordless login is set up among nodes in a cluster for their root user, so simply disabling root will indeed break Proxmox.
"no root account in the system"

-> it's impossible ;)

PCI-DSS just says: you can't log in directly with the root account; you need a personal login for each person for traceability, plus sudo if needed.

Disabling SSH login with a password in sshd_config should be enough for Proxmox root actions.
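A check for the sshd_config point above, added here as an example and not code from the thread or from Proxmox: it reads the effective global PermitRootLogin and PasswordAuthentication values the way OpenSSH does (first occurrence wins, lines under a Match block are conditional) and reports whether root can still log in with a password while key-based root logins, which cluster nodes rely on, stay available. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "root only with keys" policy.
# Assumes OpenSSH semantics: keywords are case-insensitive, the FIRST
# non-comment occurrence of a keyword wins, "Keyword=value" is allowed,
# and everything after the first "Match" line is conditional, so the
# global policy is read only up to that point.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective global value
sshd_effective() {
    se_file=$1; se_key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); se_def=$3
    se_val=$(awk -v k="$se_key" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        { gsub(/=/, " ") }                  # accept Keyword=value form
        tolower($1) == "match" { exit }     # stop at conditional section
        tolower($1) == k { print $2; exit } # first occurrence wins
    ' "$se_file")
    printf '%s\n' "${se_val:-$se_def}"
}

# proxmox_root_ssh_policy_ok FILE -> exit 0 when root cannot log in with a
# password but can still log in with a key, 1 otherwise.
# OpenSSH defaults when the file is silent: PermitRootLogin prohibit-password,
# PasswordAuthentication yes.
proxmox_root_ssh_policy_ok() {
    pr_prl=$(sshd_effective "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    pr_pa=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    case "$pr_prl" in
        no) return 1 ;;                                  # would break cluster SSH
        prohibit-password|without-password) return 0 ;;  # keys only for root
        yes) [ "$pr_pa" = "no" ] ;;                      # ok only if passwords are off globally
        *) return 1 ;;
    esac
}

# Constructed sample configs (not copied from any real host).
weak_cfg=$(mktemp); ok_cfg=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\n' > "$weak_cfg"
printf 'PermitRootLogin prohibit-password\nPermitRootLogin yes\nMatch Address 10.0.0.0/8\n  PasswordAuthentication yes\n' > "$ok_cfg"

for f in "$weak_cfg" "$ok_cfg"; do
    if proxmox_root_ssh_policy_ok "$f"; then echo "$f: root password login blocked, key login kept"
    else echo "$f: root can still log in with a password"; fi
done
```

Run it against `/etc/ssh/sshd_config` on a node instead of the sample files; `sshd -T` on the host is the authoritative view if you also want Include files and Match results resolved.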