System-pci: Difference between revisions
From Bashlinux
#REDIRECT [[PCI compliance]]

__NOTOC__

= PCI Compliance =

== Vulnerability Scan Tool ==

==== [[TrustKeeper]] ====

The original tool used: [https://verifone.trustkeeper.net]

# Click on "Questionnaires" along the left side.
# Click on "Network Questionnaire".
# Enter the IP address(es).
# Click on "Vulnerability Scan" along the left side.
# Click "Directed Scan Request" (this scans the IP addresses entered in step 3).

==== SAINT ====

Using the SAINT scanner is the way to go for serious internal audits.

[http://www.saintcorporation.com/]

== Fix Vulnerabilities with a script ==

# Download the compressed file from [http://mason.uwink.com/src/fix-vulnerability.tgz]
# Decompress the file
# Run the fix-vulnerability.sh script
# Done

<pre><nowiki>
wget http://mason.uwink.com/src/fix-vulnerability.tgz
tar zxvf fix-vulnerability.tgz
cd fix-vulnerability/
./fix-vulnerability.sh
</nowiki></pre>

== Vulnerabilities ==

# ++++ High: OpenSSH <4.4 Multiple Vulnerabilities
# +++ Med: OpenSSH X11 Session Hijacking Vulnerability
# +++ Med: SSH Protocol Version
# +++ Med: OpenSSH Duplicate Block Denial of Service Vulnerability
# ++ Low: SSL Weak Encryption Algorithms
# ++ Low: Indexable Web Directories
# + Info: TCP/IP Technical Information
# + Info: Discovered HTTP Methods
# + Info: Discovered Web Directories
# + Info: Discovered Web Files

== Services ==

The following services were modified to fix the vulnerabilities found on each of them.

==== OpenSSH ====

* Version 4.3p2-24
* <s>Updated version: 4.3p2-26</s>
* Edited `/etc/ssh/sshd_config` to check the following values:
** added ''AddressFamily inet''
** checked ''Protocol 2''
* Updated version: 4.5p1-6 '''From Fedora Core 7'''

<pre><nowiki>
# mkdir openssh-fc7
# cd openssh-fc7/
# scp mason.uwink.com:/var/www/html/distro/fc7/Fedora/openssh*.rpm .
# rpm -Uvh openssh*
</nowiki></pre>

* ''Updated version 4.5 > Required version 4.4''

==== OpenSSL ====

* Get the keys from the macmini, IP 10.0.0.120
* Write the key out without a passphrase so Apache does not prompt for a password when it is restarted

<pre><nowiki>
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/
# cd /etc/pki/local
# openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
</nowiki></pre>

* Add the certificate and key to the {{/etc/httpd/conf.d/ssl.conf}} file

<pre><nowiki>
...
SSLCertificateFile /etc/pki/local/local.uwink.com.crt
...
SSLCertificateKeyFile /etc/pki/local/local.uwink.com.pem
...
</nowiki></pre>

* Restart the HTTP server
** ''key length 1024 > required key length 128''

==== HTTP ====

* Disabled ''LoadModule autoindex_module modules/mod_autoindex.so'' in the {{/etc/httpd/conf/httpd.conf}} file
** Enclosed the ''mod_autoindex'' variables:
** opened on line 588 with the ''<nowiki><IfModule mod_autoindex.c></nowiki>'' directive
** closed on line 659 with the ''<nowiki></IfModule></nowiki>'' directive

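The remediations in the OpenSSH, OpenSSL and HTTP subsections above can be re-checked after the fact. The audit script below is an added example, not the page's fix-vulnerability.sh or any Bashlinux script: it confirms that sshd_config pins ''Protocol 2'' and ''AddressFamily inet'', that the installed OpenSSH major.minor is at or above the required 4.4, that the key Apache loads carries no passphrase (so a restart will not prompt), and that ''mod_autoindex'' is not loaded. The config and key files it reads are constructed in a temporary directory so the script runs offline; the version comparison assumes a version string like ''4.3p2-24'' and ignores the portable suffix and release tag.

```shell
#!/bin/sh
# Added audit example (not the page's fix-vulnerability.sh). Each check is a
# function that returns 0 when the remediation is in place, so it can be
# pointed at the real files: audit /etc/ssh/sshd_config KEY httpd.conf VERSION

# --- OpenSSH: sshd_config must pin Protocol 2 and AddressFamily inet --------
sshd_protocol_ok() {
    # exact "Protocol 2"; "Protocol 2,1" still offers SSH-1 and must fail
    grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$1"
}
sshd_addressfamily_ok() {
    grep -Eiq '^[[:space:]]*AddressFamily[[:space:]]+inet[[:space:]]*$' "$1"
}
# Compare major.minor of an installed version such as 4.3p2-24 against a
# required version such as 4.4 (assumption: the suffix after the minor
# number never matters for the scanner's threshold).
ssh_version_ok() {
    inst_major=${1%%.*}; rest=${1#*.}; inst_minor=${rest%%[!0-9]*}
    req_major=${2%%.*};  rest=${2#*.}; req_minor=${rest%%[!0-9]*}
    [ "$inst_major" -gt "$req_major" ] && return 0
    [ "$inst_major" -eq "$req_major" ] && [ "$inst_minor" -ge "$req_minor" ]
}

# --- OpenSSL: the key Apache loads must not be passphrase-protected ---------
key_has_passphrase() {
    # an encrypted PEM key carries one of these headers; Apache would prompt
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# --- HTTP: mod_autoindex must not be loaded ---------------------------------
autoindex_disabled() {
    ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+autoindex_module[[:space:]]' "$1"
}

# --- constructed sample files, one set before and one after the fixes -------
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sshd_config.before" <<'EOF'
Protocol 2,1
Port 22
EOF
cat > "$SAMPLES/sshd_config.after" <<'EOF'
AddressFamily inet
Protocol 2
Port 22
EOF
cat > "$SAMPLES/key.before" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000
(constructed placeholder, not real key material)
-----END RSA PRIVATE KEY-----
EOF
cat > "$SAMPLES/key.after" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not real key material)
-----END RSA PRIVATE KEY-----
EOF
cat > "$SAMPLES/httpd.conf.before" <<'EOF'
LoadModule autoindex_module modules/mod_autoindex.so
EOF
cat > "$SAMPLES/httpd.conf.after" <<'EOF'
#LoadModule autoindex_module modules/mod_autoindex.so
EOF

# Run every check over one set of files; prints PASS/FAIL per check and
# returns the number of failed checks (0 means fully remediated).
audit() {
    sshd=$1 key=$2 httpd=$3 ver=$4 fails=0
    for check in "sshd_protocol_ok $sshd" "sshd_addressfamily_ok $sshd" \
                 "ssh_version_ok $ver 4.4" "autoindex_disabled $httpd"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails+1)); fi
    done
    if key_has_passphrase "$key"; then echo "FAIL key_has_passphrase $key"; fails=$((fails+1))
    else echo "PASS key_has_passphrase $key"; fi
    return $fails
}

echo "== before =="
audit "$SAMPLES/sshd_config.before" "$SAMPLES/key.before" "$SAMPLES/httpd.conf.before" 4.3p2-24 \
    || echo "$? checks failed"
echo "== after =="
audit "$SAMPLES/sshd_config.after" "$SAMPLES/key.after" "$SAMPLES/httpd.conf.after" 4.5p1-6 \
    || echo "$? checks failed"
```

The "before" set reproduces the state the scanner flagged (SSH-1 still offered, OpenSSH 4.3, an encrypted key, mod_autoindex loaded) and fails five checks; the "after" set passes all of them. Because every check is a plain exit status, the same functions drop into a cron job or a post-install hook without changes.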
== Links ==

* SAINT documentation and vulnerability info: [http://www.saintcorporation.com/demo/saint/documentation.html]

Latest revision as of 21:09, 11 June 2015