System-pci
From Bashlinux
PCI Compliance
Vulnerability Scan Tool
TrustKeeper
The original tool used : [[1]]
- Click on "Questionnaires" along left side.
- Click on "Network Questionnaire".
- Enter in IP addresse(s).
- Click on "Vulnerability Scan" along left side.
- Click "Directed Scan Request" (This will scan the IP addresses set in #3)
SAINT
Using the SAINT scanner is the way to go serious on internal audits. [[2]]
Fix Vulnerabilities with a script
- Download the compressed file from [3]
- Decompress the file
- Run the fix-vulnerability.sh script
- Done
wget http://mason.uwink.com/src/fix-vulnerability.tgz tar zxvf fix-vulnerability.tgz cd fix-vulnerability/ ./fix-vulnerability.sh
Vulnerabilities
- ++++ High OpenSSH <4.4 Multiple Vulnerabilities
- +++ Med OpenSSH X11 Session Hijacking Vulnerability
- +++ Med SSH Protocol Version
- +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
- ++ Low SSL Weak Encryption Algorithms
- ++ Low Indexable Web Directories
- + info TCP/IP Technical Information
- + info Discovered HTTP Methods
- + info Discovered Web Directories
- + info Discovered Web Files
Services
The following services have been modified in order to fix the vulnerabilities on each of them.
OpenSSH
- Version 4.3p2-24
- -Updated version: 4.3p2-26-
- Edited `/etc/ssh/sshd_config` to check the following values:
- added AddressFamily inet
- checked Protocol 2
- Updated version: 4.5p1-6 'From Fedora Core 7'
# mkdir openssh-fc7 # cd openssh-fc7/ # scp mason.uwink.com:/var/www/html/distro/fc7/Fedora/openssh*.rpm . # rpm -Uvh openssh*
- Updated version 4.5 > Required version 4.4
OpenSSL
- Get keys from macmini, IP 10.0.0.120
- Generate self-signed key to avoid prompt for password when reboot apache
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/ # cd /etc/pki/local # openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
- Add certificate and key to Template:/etc/httpd/conf.d/ssl.conf file
... SSLCertificateFile /etc/pki/local/local.uwink.com.crt ... SSLCertificateKeyFile /etc/pki/local/local.uwink.com.pem ...
- Restart http server
- key length 1024 > required key length 128
HTTP
- Disabled _LoadModule autoindex_module modules/mod_autoindex.so_ on Template:/etc/httpd/conf/httpd.conf file
- Enclose _mod_autoindex_ variables
- Open in line 588 with _<IfModule mod_autoindex.c>_ directive
- Closed on line 659 with _</IfModule>_ directive
Links
- Saint Documentaion and Vulnerability info
[[4]]