Compliance Verification
Implement compliance checking against common standards; the example below covers a subset of PCI DSS requirements for an Apache web server:
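#!/bin/bash
# /usr/local/bin/compliance-check.sh
# PCI DSS Compliance Checks for Web Servers
#
# Runs a small set of configuration checks mapped to PCI DSS requirements
# against the local Apache installation, prints PASS/FAIL for each, and
# writes a dated summary report into the current working directory.
#
# Usage: compliance-check.sh   (no arguments)
# Run as a user that can read /etc/apache2 and query apache2ctl; checks
# whose command produces no output are reported as FAIL (fail closed).
#
# Deliberately NOT 'set -e': several checks end in 'grep -c' / 'grep -v',
# which exit non-zero when nothing matches, and that is a legitimate result.
set -u
echo "=== PCI DSS Web Server Compliance Check ==="
echo "Date: $(date)"
echo
# Running tally: number of checks that passed / number of checks executed.
COMPLIANCE_SCORE=0
TOTAL_CHECKS=0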
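#######################################
# Run one compliance check and report PASS/FAIL on stdout.
# Globals:   TOTAL_CHECKS (incremented), COMPLIANCE_SCORE (incremented on PASS)
# Arguments: $1 - requirement id, e.g. "2.2.2.a"
#            $2 - one-line description shown next to the id
#            $3 - shell command string to run (evaluated with eval)
#            $4 - exact output the command must produce to pass, after
#                 trimming surrounding whitespace
# Outputs:   "[id] description... PASS" or "... FAIL" plus expected/found
# Returns:   0 on PASS, 1 on FAIL
#######################################
check_requirement() {
  local req_id="$1"
  local description="$2"
  local check_command="$3"
  local expected="$4"
  local result

  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '[%s] %s... ' "$req_id" "$description"

  # NOTE: eval executes the check string as shell code. Every caller in this
  # script passes a literal written here; never build the string from data
  # read from the host, the environment or a user.
  result=$(eval "$check_command" 2>/dev/null)

  # 'wc -l' pads its count with spaces on some platforms; trim leading and
  # trailing whitespace so numeric results compare cleanly.
  result="${result#"${result%%[![:space:]]*}"}"
  result="${result%"${result##*[![:space:]]}"}"

  # Compare exactly: the previous substring match (*"$expected"*) let a
  # count such as "10" satisfy an expected "1" or "0", producing false passes.
  if [[ "$result" == "$expected" ]]; then
    echo "PASS"
    COMPLIANCE_SCORE=$((COMPLIANCE_SCORE + 1))
    return 0
  fi

  echo "FAIL"
  echo " Expected: $expected"
  echo " Found: $result"
  if [[ -z "$result" ]]; then
    # stderr of the check is discarded, so an empty result is the only hint
    # that the command itself failed or the tool is not installed.
    echo " (no output: the check command failed or the tool is missing)"
  fi
  return 1
}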
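# Runs one check through check_requirement and keeps its printed lines for the
# written report. check_requirement executes inside the command substitution's
# subshell, so the counters it bumps there are lost; the tally is kept here,
# driven by its exit status (0 = PASS, non-zero = FAIL).
run_check() {
  local output
  if output=$(check_requirement "$@"); then
    COMPLIANCE_SCORE=$((COMPLIANCE_SCORE + 1))
  fi
  TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
  printf '%s\n' "$output"
  FINDINGS="${FINDINGS}${output}"$'\n'
}

# Prints a section heading and records it in the findings transcript.
section() {
  printf '\n%s\n' "$1"
  FINDINGS="${FINDINGS}"$'\n'"$1"$'\n'
}

# Transcript of every heading and check result, written into the report.
FINDINGS=""

# URL probed for security headers. Override with TARGET_URL=https://host when
# the server certificate is not valid for "localhost" (curl verifies the
# certificate; a name mismatch makes the check fail closed - do not disable
# verification to work around that).
TARGET_URL="${TARGET_URL:-https://localhost}"
# The check string is eval'd, so the value is shell-quoted before insertion.
TARGET_URL_Q=$(printf '%q' "$TARGET_URL")

# PCI DSS 2.2.2 - Enable only necessary services
section "[PCI DSS 2.2.2] Enable only necessary services"
run_check "2.2.2.a" "Check for unnecessary Apache modules" \
  "apache2ctl -M 2>/dev/null | grep -E '(status_module|info_module|userdir_module)' | wc -l" \
  "0"

# PCI DSS 2.2.3 - Implement additional security features
section "[PCI DSS 2.2.3] Implement additional security features"
run_check "2.2.3.a" "Check if mod_security is enabled" \
  "apache2ctl -M 2>/dev/null | grep -c security2_module" \
  "1"

# PCI DSS 2.3 - Encrypt non-console administrative access
# Expects exactly one 'SSLEngine on' line under sites-enabled; a host with
# several TLS vhosts reports FAIL here even though TLS is enforced.
section "[PCI DSS 2.3] Encrypt non-console administrative access"
run_check "2.3.a" "Check SSL/TLS is enforced" \
  "grep -r 'SSLEngine.*on' /etc/apache2/sites-enabled/ 2>/dev/null | wc -l" \
  "1"

# PCI DSS 4.1 - Use strong cryptography
# NOTE(review): Apache's SSLProtocol keyword for TLS 1.0 is "TLSv1" (no ".0"),
# and "." is a regex wildcard, so 'grep -v TLSv1.0' rarely removes anything;
# this mostly counts SSLProtocol lines and does not prove that SSLv3/TLS 1.0
# are disabled. Treat a PASS as a weak signal.
section "[PCI DSS 4.1] Use strong cryptography"
run_check "4.1.a" "Check TLS protocols" \
  "grep -r 'SSLProtocol' /etc/apache2/ 2>/dev/null | grep -v TLSv1.0 | wc -l" \
  "1"

# PCI DSS 6.5 - Address common vulnerabilities
section "[PCI DSS 6.5] Address common vulnerabilities"
run_check "6.5.a" "Check security headers" \
  "curl -s -I ${TARGET_URL_Q} | grep -c 'X-Frame-Options'" \
  "1"

# PCI DSS 8.2.3 - Strong password requirements
# Counts .htpasswd files whose mode is exactly 640; a stricter mode such as
# 600, or no .htpasswd at all, also yields FAIL as written.
section "[PCI DSS 8.2.3] Password requirements"
run_check "8.2.3.a" "Check htpasswd file permissions" \
  "find /etc -name '.htpasswd' -exec stat -c %a {} \; 2>/dev/null | grep -c '640'" \
  "1"

# PCI DSS 10.2 - Implement automated audit trails
section "[PCI DSS 10.2] Implement automated audit trails"
run_check "10.2.a" "Check if logging is enabled" \
  "grep -r 'CustomLog' /etc/apache2/sites-enabled/ 2>/dev/null | wc -l" \
  "1"

# Generate compliance report
printf '\n=== Compliance Summary ===\n'
if (( TOTAL_CHECKS > 0 )); then
  COMPLIANCE_PERCENTAGE=$((COMPLIANCE_SCORE * 100 / TOTAL_CHECKS))
else
  # Nothing ran; avoid a division by zero and report 0%.
  COMPLIANCE_PERCENTAGE=0
fi
echo "Total Checks: $TOTAL_CHECKS"
echo "Passed: $COMPLIANCE_SCORE"
echo "Failed: $((TOTAL_CHECKS - COMPLIANCE_SCORE))"
echo "Compliance Score: $COMPLIANCE_PERCENTAGE%"
if (( COMPLIANCE_PERCENTAGE < 100 )); then
  printf '\nWARNING: Not fully compliant with PCI DSS requirements\n'
  echo "Review failed checks and implement necessary controls"
fi

# Save detailed report. The findings describe configuration weaknesses of
# this host, so create the file readable by its owner only instead of
# relying on the default umask.
umask 077
REPORT_FILE="pci-compliance-report-$(date +%Y%m%d).txt"
cat > "$REPORT_FILE" << EOF
PCI DSS Web Server Compliance Report
Generated: $(date)
Server: $(hostname)
Compliance Score: $COMPLIANCE_PERCENTAGE%
Detailed Findings:
$FINDINGS
Recommendations:
1. Address all failed requirements
2. Implement compensating controls where necessary
3. Schedule regular compliance reviews
4. Document all remediation efforts
EOF
echo "Report written to: $REPORT_FILE"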