Difference between revisions of "System-pci"
From Bashlinux
Revision as of 07:28, 5 February 2010
PCI Compliance
The following procedure prepares a CentOS/RHEL 5 host to pass a PCI vulnerability scan.
Vulnerability Scan Tool
TrustKeeper
The original tool used: [[1]]
- Click on "Questionnaires" along the left side.
- Click on "Network Questionnaire".
- Enter the IP address(es).
- Click on "Vulnerability Scan" along the left side.
- Click "Directed Scan Request" (this scans the IP addresses entered in step 3).
SAINT
Using the SAINT scanner is the way to go for serious internal audits. [[2]]
Fix Vulnerabilities with a script
- Download the compressed file from [3]
- Decompress the file
- Run the fix-vulnerability.sh script
- Done
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz
tar zxvf fix-vulnerability.tgz
cd fix-vulnerability/
./fix-vulnerability.sh

The archive is fetched over plain HTTP and the script makes root-level changes, so list the archive contents (tar tzvf fix-vulnerability.tgz) and read fix-vulnerability.sh before running it.
Vulnerabilities
A default installation should yield the following scan results before the system is adjusted.
- ++++ High OpenSSH <4.4 Multiple Vulnerabilities
- +++ Med OpenSSH X11 Session Hijacking Vulnerability
- +++ Med SSH Protocol Version
- +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
- ++ Low SSL Weak Encryption Algorithms
- ++ Low Indexable Web Directories
- + info TCP/IP Technical Information
- + info Discovered HTTP Methods
- + info Discovered Web Directories
- + info Discovered Web Files
Services
The following services were modified to fix the vulnerabilities reported against each of them.
OpenSSH
- Version 4.3p2-24
- Updated to 4.3p2-26 (superseded by the rebuild below)
- Edited `/etc/ssh/sshd_config` to set the following values:
  - added AddressFamily inet
  - checked Protocol 2
- Built the openssh RPM from the Fedora SRPM
  - Updated version 4.5 > required version 4.4

Note that the "OpenSSH <4.4" finding is based on the version string sshd sends in its banner (SSH-2.0-OpenSSH_4.3). RHEL 5 backports security fixes into 4.3p2 without changing that string, so a fully patched vendor package is still flagged. Replacing it with a package rebuilt from Fedora satisfies the scanner, but it also takes the host out of the vendor errata stream, so OpenSSH updates then have to be tracked by hand.
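As an added example (not code from the Bashlinux page), the following shell script checks an sshd_config for the two settings changed above the way sshd itself reads the file, and compares the version string from the SSH banner against the scanner's 4.4 minimum. The sample configuration files it writes are constructed for the demo, not copied from a real host.

```sh
#!/bin/sh
# Added example, not part of the Bashlinux page: audit an sshd_config for the
# settings the page changes (Protocol, AddressFamily) and compare the version
# that sshd advertises in its banner against the scanner's minimum.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: comments and blank lines are
# skipped, keywords are case-insensitive, and the FIRST occurrence wins
# (sshd ignores later duplicates). Prints nothing when the keyword is unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            print val
            exit
        }' "$1"
}

# audit_sshd_config FILE -> 0 when compliant, 1 otherwise; one line per check
audit_sshd_config() {
    rc=0
    proto=$(effective_value "$1" Protocol)
    # A commented-out "#Protocol 2,1" is NOT a setting: OpenSSH 4.x then falls
    # back to its compiled-in default of 2,1 and still accepts SSH-1.
    case "$proto" in
        2)  echo "ok   Protocol 2" ;;
        "") echo "FAIL Protocol unset (default 2,1 keeps SSH-1 enabled)"; rc=1 ;;
        *)  echo "FAIL Protocol $proto (SSH-1 enabled)"; rc=1 ;;
    esac
    af=$(effective_value "$1" AddressFamily)
    case "$af" in
        inet) echo "ok   AddressFamily inet" ;;
        *)    echo "FAIL AddressFamily ${af:-unset} (expected inet)"; rc=1 ;;
    esac
    return $rc
}

# banner_version_ok BANNER MIN
# The scanner reads the version from the banner sshd sends on connect, e.g.
# "SSH-2.0-OpenSSH_4.3"; returns 0 when that version is >= MIN ("major.minor").
banner_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 2
    vmaj=${v%%.*}; vmin=${v#*.}; mmaj=${2%%.*}; mmin=${2#*.}
    [ "$vmaj" -gt "$mmaj" ] || { [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -ge "$mmin" ]; }
}

# Constructed sample configs (assumptions, not copied from a real host):
# write_stock_config mirrors a fresh RHEL 5 sshd_config, write_hardened_config
# what the page ends up with (plus a duplicate line to show first-match-wins).
write_stock_config() {
    cat > "$1" <<'EOF'
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
X11Forwarding yes
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
AddressFamily inet
Protocol 2
Protocol 2,1
X11Forwarding yes
EOF
}

# Demo: the stock file fails both checks, the hardened one passes; the second
# "Protocol 2,1" line in the hardened file is ignored because the first wins.
f=$(mktemp)
write_stock_config "$f";    audit_sshd_config "$f" || echo "stock config: non-compliant"
write_hardened_config "$f"; audit_sshd_config "$f" && echo "hardened config: compliant"
banner_version_ok "SSH-2.0-OpenSSH_4.3" 4.4 || echo "banner 4.3 is below the required 4.4"
rm -f "$f"
```

The banner check is what the scanner does, which is why the vendor's backported 4.3p2 build keeps failing it no matter how current it is.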
OpenSSL
- Create certificates as specified in the OpenSSL section.
- Write the key out without its passphrase so Apache does not prompt for it when it is restarted (the resulting file is a plaintext private key and must be readable by root only):
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/
# cd /etc/pki/local
# openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
- Add the certificate and key to the `/etc/httpd/conf.d/ssl.conf` file:
...
SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt
...
SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem
...
- Restart the http server
- RSA key length 1024 bits > required key length 128 bits. The "SSL Weak Encryption Algorithms" finding, however, concerns the cipher suites Apache offers, which are governed by SSLCipherSuite in ssl.conf, not by the certificate's key size; and 1024-bit RSA is no longer considered adequate, 2048 bits being the current floor.
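The key handling above, done defensively, as an added example that is not the page's own code: the passphrase is removed so httpd can restart unattended, but the plaintext key is created with mode 0600, and key and certificate are checked against each other before they are referenced from ssl.conf. The key, certificate and passphrase it generates are constructed for the demo; only the CN local.bashlinux.com is borrowed from the page. Requires the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not part of the Bashlinux page: the key-handling steps of the
# OpenSSL section with the checks a plaintext server key deserves.

# strip_passphrase ENCRYPTED_KEY PASSPHRASE OUT_PEM
# Same operation as the page's "openssl rsa -in ... -out ...", but without the
# interactive prompt and with umask 077 so the plaintext key is never
# world-readable, not even for an instant.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

# key_is_unencrypted KEY -> 0 if the key loads with an empty passphrase,
# i.e. httpd can start without asking for one
key_is_unencrypted() {
    openssl rsa -in "$1" -passin pass: -noout 2>/dev/null
}

# key_matches_cert KEY CERT -> 0 if both carry the same RSA modulus
# (-passin pass: keeps openssl from blocking on a prompt for an encrypted key)
key_matches_cert() {
    k=$(openssl rsa  -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_bits KEY -> prints the RSA modulus size in bits
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# key_private_enough FILE -> 0 if the mode is exactly 0600
key_private_enough() {
    [ -n "$(find "$1" -perm 600)" ]
}

# Constructed demo material (an assumption, not the page's real certificate):
# a passphrase-protected 2048-bit key and a self-signed certificate made from it.
make_demo_pki() {
    openssl genrsa -aes128 -passout pass:demo-pass -out "$1/local.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/local.key" -passin pass:demo-pass \
        -subj "/CN=local.bashlinux.com" -days 365 -out "$1/local.crt" 2>/dev/null
}

# Usage walk-through
dir=$(mktemp -d)
make_demo_pki "$dir"
key_is_unencrypted "$dir/local.key" || echo "local.key is passphrase-protected: httpd would prompt on restart"
strip_passphrase "$dir/local.key" demo-pass "$dir/local.pem"
key_is_unencrypted "$dir/local.pem" && key_private_enough "$dir/local.pem" \
    && echo "local.pem: plaintext, mode 0600, $(key_bits "$dir/local.pem")-bit RSA"
key_matches_cert "$dir/local.pem" "$dir/local.crt" && echo "local.pem matches local.crt"
rm -rf "$dir"
```

Run the modulus comparison whenever a certificate is renewed: a mismatched pair is only noticed when httpd fails to start, which on a production host is the wrong moment.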
HTTP
- Disabled (commented out) LoadModule autoindex_module modules/mod_autoindex.so in the `/etc/httpd/conf/httpd.conf` file
- Enclosed the mod_autoindex directives in an IfModule block, because httpd refuses to start ("Invalid command") when it meets IndexOptions, AddIcon and the other mod_autoindex directives while the module is not loaded:
  - Opened at line 588 with the <IfModule mod_autoindex.c> directive
  - Closed at line 659 with the </IfModule> directive

If directory listings are wanted somewhere, the per-directory alternative is Options -Indexes in the Directory blocks that must not be listable, with the module left loaded.
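Added example, not from the page: a shell check for the two ways this HTTP fix can go wrong, the module still loaded (listings possible) or the module unloaded but its directives left outside <IfModule mod_autoindex.c> (httpd refuses to start). The httpd.conf fragments it writes are constructed, not copied from the RHEL 5 file, so their line numbers differ from the 588/659 quoted above.

```sh
#!/bin/sh
# Added example, not part of the Bashlinux page: verify the mod_autoindex fix.

# autoindex_loaded CONF -> 0 if an uncommented LoadModule autoindex_module line exists
autoindex_loaded() {
    grep -Eq '^[ \t]*LoadModule[ \t]+autoindex_module[ \t]' "$1"
}

# unguarded_autoindex_directives CONF
# Prints "LINE: directive" for every mod_autoindex directive that is not inside
# an <IfModule mod_autoindex.c> (or <IfModule autoindex_module>) block, at any
# nesting depth; exits 1 if there is at least one, 0 otherwise.
unguarded_autoindex_directives() {
    awk '
        BEGIN {
            list = "IndexOptions IndexIgnore IndexOrderDefault IndexStyleSheet"
            list = list " AddIcon AddIconByEncoding AddIconByType AddAlt AddAltByEncoding"
            list = list " AddAltByType DefaultIcon ReadmeName HeaderName AddDescription"
            n = split(list, d, " ")
            for (i = 1; i <= n; i++) directive[tolower(d[i])] = 1
            depth = 0; guards = 0; bad = 0
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = tolower($0)
            if (line ~ /^[ \t]*<ifmodule[ \t]/) {
                depth++
                g = (line ~ /<ifmodule[ \t]+(mod_autoindex\.c|autoindex_module)[ \t]*>/) ? 1 : 0
                stack[depth] = g; guards += g          # remember whether this level guards
                next
            }
            if (line ~ /^[ \t]*<\/ifmodule>/) {
                if (depth > 0) { guards -= stack[depth]; depth-- }
                next
            }
            if ((tolower($1) in directive) && guards == 0) {
                printf "%d: %s\n", NR, $1
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# autoindex_safe CONF -> 0 only if the module is unloaded AND every directive is guarded
autoindex_safe() {
    if autoindex_loaded "$1"; then
        echo "FAIL: mod_autoindex is loaded, directory listings are possible"; return 1
    fi
    if ! unguarded_autoindex_directives "$1" >/dev/null; then
        echo "FAIL: autoindex directives outside <IfModule mod_autoindex.c>, httpd will not start"; return 1
    fi
    echo "ok: mod_autoindex unloaded and its directives guarded"
}

# Constructed httpd.conf fragments (assumptions, not the real RHEL 5 file).
write_stock_httpd_conf() {          # default state: module loaded, bare directives
    cat > "$1" <<'EOF'
LoadModule dir_module modules/mod_dir.so
LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
IndexOptions FancyIndexing VersionSort NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
ReadmeName README.html
<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>
EOF
}
write_halfway_httpd_conf() {        # module commented out but directives not guarded
    cat > "$1" <<'EOF'
#LoadModule autoindex_module modules/mod_autoindex.so
IndexOptions FancyIndexing VersionSort NameWidth=*
ReadmeName README.html
EOF
}
write_fixed_httpd_conf() {          # what the page ends up with
    cat > "$1" <<'EOF'
LoadModule dir_module modules/mod_dir.so
#LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
<IfModule mod_autoindex.c>
    IndexOptions FancyIndexing VersionSort NameWidth=*
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
    ReadmeName README.html
</IfModule>
<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>
EOF
}

# Demo over the three fragments
for w in write_stock_httpd_conf write_halfway_httpd_conf write_fixed_httpd_conf; do
    f=$(mktemp); "$w" "$f"; printf '%s: ' "$w"; autoindex_safe "$f"; rm -f "$f"
done
```

On a real host, httpd -t is the authoritative check for the second failure mode; the awk pass just finds the offending lines before the restart does.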
Links
- SAINT documentation and vulnerability info [[4]]