Difference between revisions of "System-pci"

From Bashlinux
(Redirected page to PCI compliance)
 
= PCI Compliance =
 
The following procedure sets up a CentOS/RHEL 5 host so that it passes a PCI compliance scan.
 
 
== How to find vulnerabilities with [[TrustKeeper]] ==
 
The original tool used: [https://verifone.trustkeeper.net]
 
# Click on "Questionnaires" along the left side.
# Click on "Network Questionnaire".
# Enter the IP address(es).
# Click on "Vulnerability Scan" along the left side.
# Click "Directed Scan Request" (this scans the IP addresses entered in step 3).
 
 
== How to find vulnerabilities with SAINT ==

Use the SAINT scanner when you want to go serious on internal audits.

[http://www.saintcorporation.com/]
 
 
== How to fix vulnerabilities in one step ==
 
The fast, easy way is to download the following script and let it do the work. The tarball is fetched over plain HTTP and the script edits system configuration, so read fix-vulnerability.sh before running it.

# Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz]
# Decompress the file
# Run the fix-vulnerability.sh script
# Done
 
 
<pre><nowiki>
# fetch the tarball (plain HTTP: inspect the script before running it)
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz
# unpack it into ./fix-vulnerability/
tar zxvf fix-vulnerability.tgz
cd fix-vulnerability/
# apply the fixes
./fix-vulnerability.sh
</nowiki></pre>
 
 
 
== How to deal with vulnerabilities ==
 
A default installation should yield the following scan results before the system is adjusted.

# ++++ High OpenSSH <4.4 Multiple Vulnerabilities
# +++ Med OpenSSH X11 Session Hijacking Vulnerability
# +++ Med SSH Protocol Version
# +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
# ++ Low SSL Weak Encryption Algorithms
# ++ Low Indexable Web Directories
# + info TCP/IP Technical Information
# + info Discovered HTTP Methods
# + info Discovered Web Directories
# + info Discovered Web Files
 
 
== How to modify system services in order to pass PCI compliance ==

The following services were modified in order to fix the vulnerabilities reported against each of them.
 
 
==== OpenSSH ====
 
* Version 4.3p2-24
 
* ''Updated version: 4.3p2-26''
 
* Edited `/etc/ssh/sshd_config` and verified the following values:

** added ''[[AddressFamily]] inet''

** checked ''Protocol 2''

* Built the openssh rpm from the Fedora srpm. The scanner rates the OpenSSH version from the banner, and the security fixes RHEL backports into 4.3p2 do not change that banner, so the package update alone does not clear the "OpenSSH <4.4" finding.

** ''Updated version 4.5 > Required version 4.4''
 
 
==== OpenSSL ====
 
* Create certificates as specified in the [[openssl|OpenSSL]] section.

* Strip the passphrase from the private key so Apache does not prompt for it when httpd is restarted:
 
 
<pre><nowiki>
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/
# cd /etc/pki/local
# openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
</nowiki></pre>
 
 
* Add the certificate and the passphrase-less key to the `/etc/httpd/conf.d/ssl.conf` file (the file names must match the ones produced in the previous step):
 
 
<pre><nowiki>
...
SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt
...
SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem
...
</nowiki></pre>
 
 
* Restart the http server

** ''key length 1024 > required key length 128''

The 128 bits the scanner requires is the cipher strength behind the "SSL Weak Encryption Algorithms" finding, not an RSA key size; a 1024-bit RSA key clears that figure, although 2048 bits or more is the current minimum for new certificates.
 
 
==== HTTP ====

* Commented out ''[[LoadModule]] autoindex_module modules/mod_autoindex.so'' in the `/etc/httpd/conf/httpd.conf` file

* Enclosed the ''mod_autoindex'' directives so that httpd still starts with the module unloaded:

* Opened at line 588 with the ''<[[IfModule]] mod_autoindex.c>'' directive

* Closed at line 659 with the ''</IfModule>'' directive
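The script below is an added example, not the Bashlinux fix-vulnerability script or any code from this page. It checks, and optionally applies, the three configuration fixes described in the OpenSSH, OpenSSL and HTTP sections above before a rescan is requested: ''Protocol 2'' and ''AddressFamily inet'' in sshd_config, the LoadModule line for mod_autoindex commented out in httpd.conf, and a private key without a passphrase. All file paths are arguments, and the sample sshd_config, httpd.conf and key file written by make_samples are constructed for the demonstration, so the functions can be run against copies before anything under /etc is touched.

```shell
#!/bin/sh
# pci-precheck.sh: verify (and optionally apply) the three fixes made above before
# requesting a TrustKeeper or SAINT rescan. Example written for this page, not part of
# the Bashlinux fix-vulnerability script; all paths are arguments and the sample files
# in make_samples are constructed, so it can be run against copies before touching /etc.

# Effective value of an sshd_config directive (sshd takes the first active match).
sshd_get() {  # sshd_get FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Force "DIRECTIVE VALUE": remove every active or commented copy, then append one active line.
sshd_set() {  # sshd_set FILE DIRECTIVE VALUE
    tmp=$(mktemp)
    awk -v d="$2" 'tolower($0) !~ ("^[ \t]*#?[ \t]*" tolower(d) "[ \t]")' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# The two settings the page checks. A missing Protocol line counts as a failure because
# OpenSSH 4.x falls back to "2,1", which is what the "SSH Protocol Version" finding flags.
sshd_compliant() {  # sshd_compliant FILE
    [ "$(sshd_get "$1" Protocol)" = "2" ] && [ "$(sshd_get "$1" AddressFamily)" = "inet" ]
}

# "Indexable Web Directories": is mod_autoindex still loaded by an active LoadModule line?
httpd_autoindex_loaded() {  # httpd_autoindex_loaded FILE
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+autoindex_module[[:space:]]' "$1"
}

# Comment the line out rather than delete it, as the page does, so it is easy to restore.
httpd_disable_autoindex() {  # httpd_disable_autoindex FILE
    tmp=$(mktemp)
    sed -E 's/^([[:space:]]*)(LoadModule[[:space:]]+autoindex_module[[:space:]])/\1#\2/' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# A key that still carries a passphrase makes httpd prompt at every restart; the page
# strips it with "openssl rsa -in KEY -out PEM". Legacy and PKCS#8 encrypted PEM both count.
key_is_encrypted() {  # key_is_encrypted FILE
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Run every check, print one line per finding, return the number of failures (0 = rescan-ready).
precheck() {  # precheck SSHD_CONFIG HTTPD_CONF KEY_FILE
    fails=0
    sshd_compliant "$1" || { echo "FAIL $1: need 'Protocol 2' and 'AddressFamily inet'"; fails=$((fails + 1)); }
    httpd_autoindex_loaded "$2" && { echo "FAIL $2: autoindex_module still loaded"; fails=$((fails + 1)); }
    key_is_encrypted "$3" && { echo "FAIL $3: key still passphrase-protected"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: all three fixes in place"
    return "$fails"
}

# Constructed sample files that reproduce the failing defaults (not copied from a real host).
make_samples() {  # make_samples DIR
    printf '%s\n' '#Protocol 2,1' '#AddressFamily any' 'SyslogFacility AUTHPRIV' > "$1/sshd_config"
    printf '%s\n' 'LoadModule dir_module modules/mod_dir.so' \
        'LoadModule autoindex_module modules/mod_autoindex.so' > "$1/httpd.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'MIIBOgIB...' \
        '-----END RSA PRIVATE KEY-----' > "$1/local.key"
}

# Walk-through: fail on the defaults, apply the fixes, pass.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    precheck "$d/sshd_config" "$d/httpd.conf" "$d/local.key" || echo "$? finding(s) before fixing"
    sshd_set "$d/sshd_config" Protocol 2
    sshd_set "$d/sshd_config" AddressFamily inet
    httpd_disable_autoindex "$d/httpd.conf"
    # Stand-in for the real "openssl rsa -in local.key -out local.pem": an unencrypted PEM body.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBOgIB...' '-----END RSA PRIVATE KEY-----' > "$d/local.key"
    precheck "$d/sshd_config" "$d/httpd.conf" "$d/local.key" || echo "$? finding(s) remain"
    rm -rf "$d"
}

demo
```

On a real host, run `precheck /etc/ssh/sshd_config /etc/httpd/conf/httpd.conf /etc/pki/local/<key>.pem` after the fixes and before asking for the directed rescan; the key check only inspects the PEM header, so the `openssl rsa` step itself still has to be done by hand as shown in the OpenSSL section.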
 
 
== Links ==
 
* SAINT documentation and vulnerability info

[http://www.saintcorporation.com/demo/saint/documentation.html]
 

Latest revision as of 21:09, 11 June 2015
