Difference between revisions of "System-pci"
From Bashlinux
(Redirected page to PCI compliance)
(3 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
+ | #REDIRECT [[PCI compliance]] |
− | __NOTOC__ |
− | = PCI Compliance = |
− | == Vulnerability Scan Tool == |
− | ==== [[TrustKeeper]] ==== |
− | The original tool used : [[https://verifone.trustkeeper.net]] |
− | # Click on "Questionnaires" along left side. |
− | # Click on "Network Questionnaire". |
− | # Enter in IP addresse(s). |
− | # Click on "Vulnerability Scan" along left side. |
− | # Click "Directed Scan Request" (This will scan the IP addresses set in #3) |
− | |||
− | ==== SAINT ==== |
− | Using the SAINT scanner is the way to go serious on internal audits. |
− | [[http://www.saintcorporation.com/]] |
− | |||
− | == Fix Vulnerabilities with a script == |
− | # Download the compressed file from [http://mason.uwink.com/src/fix-vulnerability.tgz] |
− | # Decompress the file |
− | # Run the fix-vulnerability.sh script |
− | # Done |
− | |||
− | <pre><nowiki> |
− | wget http://mason.uwink.com/src/fix-vulnerability.tgz |
− | tar zxvf fix-vulnerability.tgz |
− | cd fix-vulnerability/ |
− | ./fix-vulnerability.sh |
− | </nowiki></pre> |
− | |||
− | |||
− | == Vulnerabilities == |
− | # ++++ High OpenSSH <4.4 Multiple Vulnerabilities |
− | # +++ Med OpenSSH X11 Session Hijacking Vulnerability |
− | # +++ Med SSH Protocol Version |
− | # +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability |
− | # ++ Low SSL Weak Encryption Algorithms |
− | # ++ Low Indexable Web Directories |
− | # + info TCP/IP Technical Information |
− | # + info Discovered HTTP Methods |
− | # + info Discovered Web Directories |
− | # + info Discovered Web Files |
− | |||
− | == Services == |
− | The following services have been modified in order to fix the vulnerabilities on each of them. |
− | |||
− | ==== OpenSSH ==== |
− | * Version 4.3p2-24 |
− | * -Updated version: 4.3p2-26- |
− | * Edited `/etc/ssh/sshd_config` to check the following values: |
− | ** added ''[[AddressFamily]] inet'' |
− | ** checked ''Protocol 2'' |
− | * Updated version: 4.5p1-6 ''''From Fedora Core 7'''' |
− | |||
− | <pre><nowiki> |
− | # mkdir openssh-fc7 |
− | # cd openssh-fc7/ |
− | # scp mason.uwink.com:/var/www/html/distro/fc7/Fedora/openssh*.rpm . |
− | # rpm -Uvh openssh* |
− | </nowiki></pre> |
− | |||
− | * ''Updated version 4.5 > Required version 4.4'' |
− | |||
− | ==== OpenSSL ==== |
− | * Get keys from macmini, IP 10.0.0.120 |
− | * Generate self-signed key to avoid prompt for password when reboot apache |
− | |||
− | <pre><nowiki> |
− | # scp -r 10.0.0.120:/etc/pki/local /etc/pki/ |
− | # cd /etc/pki/local |
− | # openssl rsa -in local.uwink.com.key -out local.uwink.com.pem |
− | </nowiki></pre> |
− | |||
− | * Add certificate and key to {{/etc/httpd/conf.d/ssl.conf}} file |
− | |||
− | <pre><nowiki> |
− | ... |
− | SSLCertificateFile /etc/pki/local/local.uwink.com.crt |
− | ... |
− | SSLCertificateKeyFile /etc/pki/local/local.uwink.com.pem |
− | ... |
− | </nowiki></pre> |
− | |||
− | * Restart http server |
− | ** ''key length 1024 > required key length 128'' |
− | |||
− | ==== HTTP ==== |
− | * Disabled _LoadModule autoindex_module modules/mod_autoindex.so_ on {{/etc/httpd/conf/httpd.conf}} file |
− | ** Enclose _mod_autoindex_ variables |
− | ** Open in line 588 with _<[[IfModule]] mod_autoindex.c>_ directive |
− | ** Closed on line 659 with _</IfModule>_ directive |
− | |||
− | == Links == |
− | * Saint Documentaion and Vulnerability info |
− | [[http://www.saintcorporation.com/demo/saint/documentation.html]] |
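Review bot: before the removed procedure is carried over to the redirect target [[PCI compliance]], three of the deleted lines in this hunk should be corrected rather than copied. The "Fix Vulnerabilities with a script" steps fetch `fix-vulnerability.tgz` over plain HTTP from mason.uwink.com and run `./fix-vulnerability.sh` with no checksum or signature check, so the page should record the expected hash of the archive and a verification step before the run. In the OpenSSL section, `openssl rsa -in local.uwink.com.key -out local.uwink.com.pem` writes the private key to disk with its passphrase stripped and the step never sets ownership or mode on the result; a root-owned `chmod 600` belongs immediately after it. Finally, the "Low SSL Weak Encryption Algorithms" finding concerns cipher suites, but none of the OpenSSL steps touch `SSLCipherSuite` or `SSLProtocol` in ssl.conf, and the closing note ''key length 1024 > required key length 128'' compares an RSA modulus length with a symmetric cipher strength, so that finding is not actually addressed by what is shown.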
Latest revision as of 21:09, 11 June 2015