Difference between revisions of "System-pci"
From Bashlinux
Line 3: | Line 3: | ||
The following procedure is to setup CentOS/RHEL 5. |
The following procedure is to setup CentOS/RHEL 5. |
||
+ | == How to find vulnerabilities with [[TrustKeeper]] == |
||
− | == Vulnerability Scan Tool == |
||
− | ==== [[TrustKeeper]] ==== |
||
The original tool used : [[https://verifone.trustkeeper.net]] |
The original tool used : [[https://verifone.trustkeeper.net]] |
||
# Click on "Questionnaires" along left side. |
# Click on "Questionnaires" along left side. |
||
Line 12: | Line 11: | ||
# Click "Directed Scan Request" (This will scan the IP addresses set in #3) |
# Click "Directed Scan Request" (This will scan the IP addresses set in #3) |
||
− | + | == How to find vulterabilities with SAINT == |
|
− | Using |
+ | Using SAINT scanner is the way to go serious on internal audits. |
[[http://www.saintcorporation.com/]] |
[[http://www.saintcorporation.com/]] |
||
+ | == How to fix vulnerabilities in one step == |
||
− | == Fix Vulnerabilities with a script == |
||
+ | The fast easy way is to download the following script and let it do the work |
||
# Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz] |
# Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz] |
||
# Decompress the file |
# Decompress the file |
||
Line 30: | Line 30: | ||
+ | == How to deal with vulnerabilities == |
||
− | == Vulnerabilities == |
||
− | A default installation |
+ | A default installation should yields the following results before adjust the system. |
# ++++ High OpenSSH <4.4 Multiple Vulnerabilities |
# ++++ High OpenSSH <4.4 Multiple Vulnerabilities |
||
# +++ Med OpenSSH X11 Session Hijacking Vulnerability |
# +++ Med OpenSSH X11 Session Hijacking Vulnerability |
||
Line 43: | Line 43: | ||
# + info Discovered Web Files |
# + info Discovered Web Files |
||
+ | == How to modify system services in order to pass the PCI compliance == |
||
− | == Services == |
||
The following services have been modified in order to fix the vulnerabilities on each of them. |
The following services have been modified in order to fix the vulnerabilities on each of them. |
||
Revision as of 08:18, 9 November 2012
PCI Compliance
The following procedure is to setup CentOS/RHEL 5.
How to find vulnerabilities with TrustKeeper
The original tool used : [[1]]
- Click on "Questionnaires" along left side.
- Click on "Network Questionnaire".
- Enter in IP addresse(s).
- Click on "Vulnerability Scan" along left side.
- Click "Directed Scan Request" (This will scan the IP addresses set in #3)
How to find vulterabilities with SAINT
Using SAINT scanner is the way to go serious on internal audits. [[2]]
How to fix vulnerabilities in one step
The fast easy way is to download the following script and let it do the work
- Download the compressed file from [3]
- Decompress the file
- Run the fix-vulnerability.sh script
- Done
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz tar zxvf fix-vulnerability.tgz cd fix-vulnerability/ ./fix-vulnerability.sh
How to deal with vulnerabilities
A default installation should yields the following results before adjust the system.
- ++++ High OpenSSH <4.4 Multiple Vulnerabilities
- +++ Med OpenSSH X11 Session Hijacking Vulnerability
- +++ Med SSH Protocol Version
- +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
- ++ Low SSL Weak Encryption Algorithms
- ++ Low Indexable Web Directories
- + info TCP/IP Technical Information
- + info Discovered HTTP Methods
- + info Discovered Web Directories
- + info Discovered Web Files
How to modify system services in order to pass the PCI compliance
The following services have been modified in order to fix the vulnerabilities on each of them.
OpenSSH
- Version 4.3p2-24
- Updated version: 4.3p2-26
- Edited `/etc/ssh/sshd_config` to check the following values:
- added AddressFamily inet
- checked Protocol 2
- Build openssh rpm from fedora srpm
- Updated version 4.5 > Required version 4.4
OpenSSL
- Create certificats as specified in OpenSSL section.
- Generate self-signed key to avoid prompt for password when reboot apache
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/ # cd /etc/pki/local # openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
- Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file
... SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt ... SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem ...
- Restart http server
- key length 1024 > required key length 128
HTTP
- Disabled LoadModule autoindex_module modules/mod_autoindex.so on `/etc/httpd/conf/httpd.conf` file
- Enclose mod_autoindex variables
- Open in line 588 with <IfModule mod_autoindex.c> directive
- Closed on line 659 with </IfModule> directive
Links
- Saint Documentaion and Vulnerability info
[[4]]