We are going through a PCI compliance audit. The auditors are saying that solaris zones are not pci compliant and that we cannot use them. Period. I was wondering if Sun had any insight into this, and possibly how to go around it. I am not happy with the company doing the audit and am not taking their word as the final say. Any help would be greatly appreciated.
thanks
These forums are, generally speaking, a simple user-to-user conversation site.
Theyr're not Sun's techsupport.
(There may be some exceptions on the more esoteric programming topic forums.)
I'd like to suggest you contact your Sun account representative directly.
If there isn't such a person, contact your closest Sun Support Center.
http://www.sun.com/contact/
My understanding of the definition of PCI has always been that it described
an architecture of a particular hardware data bus.
http://en.wikipedia.org/wiki/Peripheral_Component_Interconnect
... the bus and not the data that passes through it.
My rudimentary understanding of the concept of zones
is that they are a 100% software construct.
Since it's possible such a construct could be created
on a number of different hardware architectures,
that audit company is "talking through their @$$" and doesn't have a clue.
Call Sun and get some direct guidance from the company that gave you zones.
I think he's referring to Payment Card Industry compliance. Basically a set of standards to meet so that you're allowed to keep credit-card data on your machine.
https://www.pcisecuritystandards.org/
http://www.pcicomplianceguide.org/aboutpcicompliance.html
I don't even know if compliance is based on meeting certain criteria (which zones might be able to demonstrate), or if particular configurations are specifically mandated (and if zones are out, they're out).
Hopefully there is someone at Sun that's aware of these issues and could give some general guidance.
--
Darren
