Difference between revisions of "System-pci"

__NOTOC__

= PCI Compliance =

== Vulnerability Scan Tool ==

==== [[TrustKeeper]] ====

The original tool used : [[https://verifone.trustkeeper.net]]

# Click on "Questionnaires" along left side.

# Click on "Network Questionnaire".

# Enter in IP addresse(s).

# Click on "Vulnerability Scan" along left side.

# Click "Directed Scan Request" (This will scan the IP addresses set in #3)

==== SAINT ====

Using the SAINT scanner is the way to go serious on internal audits.

[[http://www.saintcorporation.com/]]

== Fix Vulnerabilities with a script ==

# Download the compressed file from [http://mason.uwink.com/src/fix-vulnerability.tgz]

# Decompress the file

# Run the fix-vulnerability.sh script

# Done

<pre><nowiki>

wget http://mason.uwink.com/src/fix-vulnerability.tgz

tar zxvf fix-vulnerability.tgz

cd fix-vulnerability/

./fix-vulnerability.sh

</nowiki></pre>

== Vulnerabilities ==

# ++++ High OpenSSH <4.4 Multiple Vulnerabilities

# +++ Med OpenSSH X11 Session Hijacking Vulnerability

# +++ Med SSH Protocol Version

# +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability

# ++ Low SSL Weak Encryption Algorithms

# ++ Low Indexable Web Directories

# + info TCP/IP Technical Information

# + info Discovered HTTP Methods

# + info Discovered Web Directories

# + info Discovered Web Files

== Services ==

The following services have been modified in order to fix the vulnerabilities on each of them.

==== OpenSSH ====

* Version 4.3p2-24

* -Updated version: 4.3p2-26-

* Edited `/etc/ssh/sshd_config` to check the following values:

** added ''[[AddressFamily]] inet''

** checked ''Protocol 2''

* Updated version: 4.5p1-6 ''''From Fedora Core 7''''

<pre><nowiki>

# mkdir openssh-fc7

# cd openssh-fc7/

# scp mason.uwink.com:/var/www/html/distro/fc7/Fedora/openssh*.rpm .

# rpm -Uvh openssh*

</nowiki></pre>

* ''Updated version 4.5 > Required version 4.4''

==== OpenSSL ====

* Get keys from macmini, IP 10.0.0.120

* Generate self-signed key to avoid prompt for password when reboot apache

<pre><nowiki>

# scp -r 10.0.0.120:/etc/pki/local /etc/pki/

# cd /etc/pki/local

# openssl rsa -in local.uwink.com.key -out local.uwink.com.pem

</nowiki></pre>

* Add certificate and key to {{/etc/httpd/conf.d/ssl.conf}} file

<pre><nowiki>

...

SSLCertificateFile /etc/pki/local/local.uwink.com.crt

...

SSLCertificateKeyFile /etc/pki/local/local.uwink.com.pem

...

</nowiki></pre>

* Restart http server

** ''key length 1024 > required key length 128''

==== HTTP ====

* Disabled _LoadModule autoindex_module modules/mod_autoindex.so_ on {{/etc/httpd/conf/httpd.conf}} file

** Enclose _mod_autoindex_ variables

** Open in line 588 with _<[[IfModule]] mod_autoindex.c>_ directive

** Closed on line 659 with _</IfModule>_ directive

== Links ==

* Saint Documentaion and Vulnerability info

[[http://www.saintcorporation.com/demo/saint/documentation.html]]