Difference between revisions of "System-pci"
From Bashlinux
Revision as of 07:30, 5 February 2010
PCI Compliance
The following procedure is to setup CentOS/RHEL 5.
Vulnerability Scan Tool
TrustKeeper
The original tool used: [[1]]
- Click on "Questionnaires" along left side.
- Click on "Network Questionnaire".
- Enter the IP address(es).
- Click on "Vulnerability Scan" along left side.
- Click "Directed Scan Request" (this scans the IP addresses entered in step 3).
SAINT
Using the SAINT scanner is the way to go for serious internal audits. [[2]]
Fix Vulnerabilities with a script
- Download the compressed file from [3]
- Decompress the file
- Run the fix-vulnerability.sh script
- Done
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz
tar zxvf fix-vulnerability.tgz
cd fix-vulnerability/
./fix-vulnerability.sh
Vulnerabilities
A default installation should yield the following results before the system is adjusted.
- ++++ High OpenSSH <4.4 Multiple Vulnerabilities
- +++ Med OpenSSH X11 Session Hijacking Vulnerability
- +++ Med SSH Protocol Version
- +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
- ++ Low SSL Weak Encryption Algorithms
- ++ Low Indexable Web Directories
- + info TCP/IP Technical Information
- + info Discovered HTTP Methods
- + info Discovered Web Directories
- + info Discovered Web Files
Services
The following services have been modified in order to fix the vulnerabilities found on each of them.
OpenSSH
- Version 4.3p2-24
- Updated version: 4.3p2-26
- Edited `/etc/ssh/sshd_config` to check the following values:
  - added AddressFamily inet
  - checked Protocol 2
- Build openssh rpm from fedora srpm
- Updated version 4.5 > Required version 4.4
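The two sshd_config values above are easy to get wrong because sshd honours only the first uncommented occurrence of a keyword, so a "Protocol 2" added at the bottom of the file is ignored if an active "Protocol 2,1" sits above it. The following POSIX sh audit is an added example, not part of the Bashlinux page or its fix-vulnerability.sh script; it reads the effective value the way sshd does (first active match, keyword case-insensitive) and reports both settings the procedure checks. The demo config at the bottom is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): audit an sshd_config for the
# two values the PCI procedure checks, AddressFamily inet and Protocol 2.
# sshd uses the FIRST uncommented occurrence of a keyword, so the audit
# stops at the first active match instead of taking the last one.

# sshd_get FILE KEYWORD -> prints the effective value, empty if the keyword is unset
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }   # first active match wins
    ' "$1"
}

# sshd_audit FILE -> prints one line per finding; returns 0 when compliant, 1 otherwise
sshd_audit() {
    file=$1
    rc=0

    proto=$(sshd_get "$file" Protocol)
    if [ "$proto" != "2" ]; then
        # "2,1" or an unset value (sshd's built-in default applies) both fail
        echo "Protocol is '${proto:-unset}', expected 2 (SSH Protocol Version finding)"
        rc=1
    fi

    af=$(sshd_get "$file" AddressFamily)
    if [ "$af" != "inet" ]; then
        echo "AddressFamily is '${af:-unset}', expected inet"
        rc=1
    fi

    return $rc
}

# Demo on a constructed sshd_config (sample data, not a real host's file):
# the commented default is ignored, the active "Protocol 2,1" is what sshd uses.
demo=$(mktemp)
printf '#Protocol 2,1\nProtocol 2,1\nListenAddress 0.0.0.0\n' > "$demo"
sshd_audit "$demo" || echo "sshd_config on this host needs the edits above"
rm -f "$demo"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script; a non-zero exit is the signal to go back and edit, and after editing, `sshd -t` confirms the file still parses before the service is restarted.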
OpenSSL
- Create certificates as specified in the OpenSSL section.
- Strip the passphrase from the key so Apache does not prompt for a password on restart
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/
# cd /etc/pki/local
# openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
- Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file
...
SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt
...
SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem
...
- Restart http server
- key length 1024 > required key length 128
HTTP
- Disabled LoadModule autoindex_module modules/mod_autoindex.so in the `/etc/httpd/conf/httpd.conf` file
- Enclosed the mod_autoindex directives:
  - opened on line 588 with the <IfModule mod_autoindex.c> directive
  - closed on line 659 with the </IfModule> directive
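The OpenSSL and HTTP steps above leave two things worth verifying before the next scan: that no active LoadModule line still pulls in mod_autoindex (the Indexable Web Directories finding), and that the key named by SSLCertificateKeyFile is the passphrase-free .pem, so httpd restarts unattended. The POSIX sh audit below is an added example, not part of the Bashlinux page or its script; it relies on the fact that a passphrase-protected PEM key announces itself in its header (a "Proc-Type: 4,ENCRYPTED" line in the traditional format, or a "BEGIN ENCRYPTED PRIVATE KEY" block in PKCS#8), so no openssl invocation is needed. It does not check the <IfModule mod_autoindex.c> wrapping, and it reads the first active SSLCertificateKeyFile without unquoting a quoted path. All files in the demo are constructed samples; the key body is a placeholder, not key material.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): verify two of the Apache changes
# described above on a given httpd.conf and ssl.conf.
#   1. mod_autoindex is not loaded (no active "LoadModule autoindex_module" line)
#   2. the key named by SSLCertificateKeyFile carries no passphrase

# autoindex_loaded HTTPD_CONF -> returns 0 if an active LoadModule autoindex_module line exists
autoindex_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+autoindex_module[[:space:]]' "$1"
}

# key_has_passphrase KEYFILE -> returns 0 if the PEM file is passphrase protected
key_has_passphrase() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# ssl_key_path SSL_CONF -> prints the path from the first active SSLCertificateKeyFile directive
ssl_key_path() {
    awk '/^[[:space:]]*#/ { next } $1 == "SSLCertificateKeyFile" { print $2; exit }' "$1"
}

# httpd_audit HTTPD_CONF SSL_CONF -> prints findings; returns 0 when clean, 1 otherwise
httpd_audit() {
    rc=0
    if autoindex_loaded "$1"; then
        echo "mod_autoindex is still loaded in $1 (Indexable Web Directories finding)"
        rc=1
    fi
    key=$(ssl_key_path "$2")
    if [ -z "$key" ]; then
        echo "no active SSLCertificateKeyFile in $2"
        rc=1
    elif [ ! -r "$key" ]; then
        echo "key $key is missing or not readable"
        rc=1
    elif key_has_passphrase "$key"; then
        echo "key $key is passphrase protected; httpd will prompt on every restart"
        rc=1
    fi
    return $rc
}

# Demo on constructed files (sample data only; the key body is a placeholder).
t=$(mktemp -d)
printf '%s\n' 'LoadModule autoindex_module modules/mod_autoindex.so' > "$t/httpd.conf"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$t/local.key"
printf 'SSLCertificateKeyFile %s\n' "$t/local.key" > "$t/ssl.conf"
httpd_audit "$t/httpd.conf" "$t/ssl.conf" || echo "httpd config on this host needs the edits above"
rm -rf "$t"
```

On a real host the call is `httpd_audit /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf`; once it returns 0, `apachectl configtest` is the remaining check before the restart step above.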
Links
- SAINT Documentation and Vulnerability info
[[4]]