PCI compliance

From Bashlinux
Revision as of 21:09, 11 June 2015 by Manpaz

The following procedure sets up a PCI-compliant CentOS/RHEL 5 server (or servers).

How to find vulnerabilities with TrustKeeper

The tool used can be found at: https://verifone.trustkeeper.net

  • Click on "Questionnaires" along the left side.
  • Click on "Network Questionnaire".
  • Enter the IP address(es).
  • Click on "Vulnerability Scan" along the left side.
  • Click "Directed Scan Request" (this scans the IP addresses entered in step 3).

How to find vulnerabilities with SAINT

Using the SAINT scanner is the way to go for serious internal audits. The tool can be found at: http://www.saintcorporation.com

How to deal with vulnerabilities

A default installation should yield the following scan results before the system is adjusted.

  1. ++++ High OpenSSH <4.4 Multiple Vulnerabilities
  2. +++ Med OpenSSH X11 Session Hijacking Vulnerability
  3. +++ Med SSH Protocol Version
  4. +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
  5. ++ Low SSL Weak Encryption Algorithms
  6. ++ Low Indexable Web Directories
  7. + info TCP/IP Technical Information
  8. + info Discovered HTTP Methods
  9. + info Discovered Web Directories
  10. + info Discovered Web Files

How to modify system services in order to pass the PCI compliance scan

The following services were modified in order to fix the vulnerabilities reported for each of them.

OpenSSH

  • Current Version: 4.3p2-24
  • Updated version: 4.3p2-26
  • /etc/ssh/sshd_config has been edited to set the following values:
    • AddressFamily inet - added
    • Protocol 2 - already present
  • Build the openssh RPM from the Fedora SRPM
    • Required version: 4.4
    • Updated to version 4.5

OpenSSL

  • Create certificates as specified in the OpenSSL entry.
  • Remove the passphrase from the private key so Apache does not prompt for a password on restart
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/
# cd /etc/pki/local
# openssl rsa -in pci.bashlinux.com.key -out pci.bashlinux.com.pem
  • Add the certificate and key to the /etc/httpd/conf.d/ssl.conf file
...
SSLCertificateFile /etc/pki/local/pci.bashlinux.com.crt
...
SSLCertificateKeyFile /etc/pki/local/pci.bashlinux.com.pem
...
  • Restart the HTTP server
    • Required key length: 128
    • Current key length: 1024

HTTP

  • Disabled (commented out) the LoadModule autoindex_module modules/mod_autoindex.so line in the /etc/httpd/conf/httpd.conf file
  • Enclosed the mod_autoindex directives in an IfModule block so httpd still starts with the module unloaded:
    • Open the block on line 588 with the <IfModule mod_autoindex.c> directive
    • Close the block on line 659 with the </IfModule> directive
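The following audit helpers are an added example, not part of the original Bashlinux page: they check that the sshd_config changes from the OpenSSH section (Protocol 2 only, AddressFamily inet) and the httpd.conf changes from the HTTP section (mod_autoindex not loaded, its directives enclosed in a closed IfModule block) are actually in place before the scan is re-run. The sample configuration fragments are constructed for a dry run; on a real host pass the live file paths instead.

```shell
#!/bin/sh
# Added audit helpers (not from the Bashlinux page): each function returns 0
# when the file passed as $1 already carries the setting this procedure
# requires, and 1 otherwise. Sample files below are constructed for a dry run.

# sshd_config: an uncommented "Protocol 2" (not "2,1") and "AddressFamily inet".
check_sshd_config() {
    f="$1"
    grep -Eq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*AddressFamily[[:space:]]+inet[[:space:]]*$' "$f" || return 1
}

# httpd.conf: the mod_autoindex LoadModule line must be absent or commented out.
check_autoindex_disabled() {
    if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+autoindex_module' "$1"; then
        return 1
    fi
    return 0
}

# httpd.conf: at least one "<IfModule mod_autoindex.c>" block must exist and
# every such opener needs a "</IfModule>", otherwise httpd refuses to start.
check_ifmodule_closed() {
    opens=$(grep -Ec '^[[:space:]]*<IfModule[[:space:]]+mod_autoindex\.c>' "$1" || true)
    closes=$(grep -Ec '^[[:space:]]*</IfModule>' "$1" || true)
    [ "$opens" -gt 0 ] && [ "$closes" -ge "$opens" ]
}

# Constructed before/after fragments (sample data, not a real host's files).
make_samples() {
    d=$(mktemp -d)
    printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$d/sshd_before"
    printf 'AddressFamily inet\nProtocol 2\nPermitRootLogin no\n' > "$d/sshd_after"
    printf 'LoadModule autoindex_module modules/mod_autoindex.so\n' > "$d/httpd_before"
    printf '#LoadModule autoindex_module modules/mod_autoindex.so\n' > "$d/httpd_after"
    printf '<IfModule mod_autoindex.c>\nIndexOptions FancyIndexing\n</IfModule>\n' >> "$d/httpd_after"
    echo "$d"
}

# Dry run: the "before" samples should FAIL and the "after" samples PASS.
samples=$(make_samples)
for f in sshd_before sshd_after; do
    check_sshd_config "$samples/$f" && echo "PASS $f" || echo "FAIL $f"
done
for f in httpd_before httpd_after; do
    check_autoindex_disabled "$samples/$f" && check_ifmodule_closed "$samples/$f" \
        && echo "PASS $f" || echo "FAIL $f"
done
```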
