System-pci: Difference between revisions

From Bashlinux
Jump to navigationJump to search
Newer edit →
Content deleted Content added
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
 
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
Line 1: Line 1:
__NOTOC__
__NOTOC__
= PCI Compliance =
= PCI Compliance =
The following procedure is to setup CentOS/RHEL 5.

== Vulnerability Scan Tool ==
== Vulnerability Scan Tool ==
==== [[TrustKeeper]] ====
==== [[TrustKeeper]] ====
Line 15: Line 17:


== Fix Vulnerabilities with a script ==
== Fix Vulnerabilities with a script ==
# Download the compressed file from [http://mason.uwink.com/src/fix-vulnerability.tgz]
# Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz]
# Decompress the file
# Decompress the file
# Run the fix-vulnerability.sh script
# Run the fix-vulnerability.sh script
Line 21: Line 23:
<pre><nowiki>
<pre><nowiki>
wget http://mason.uwink.com/src/fix-vulnerability.tgz
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz
tar zxvf fix-vulnerability.tgz
tar zxvf fix-vulnerability.tgz
cd fix-vulnerability/
cd fix-vulnerability/
Line 29: Line 31:


== Vulnerabilities ==
== Vulnerabilities ==
A default installation shoul yields the following results before adjust the system.
# ++++ High OpenSSH <4.4 Multiple Vulnerabilities
# ++++ High OpenSSH <4.4 Multiple Vulnerabilities
# +++ Med OpenSSH X11 Session Hijacking Vulnerability
# +++ Med OpenSSH X11 Session Hijacking Vulnerability
Line 49: Line 52:
** added ''[[AddressFamily]] inet''
** added ''[[AddressFamily]] inet''
** checked ''Protocol 2''
** checked ''Protocol 2''
* Build openssh rpm from fedora srpm
* Updated version: 4.5p1-6 ''''From Fedora Core 7''''
** ''Updated version 4.5 > Required version 4.4''
<pre><nowiki>
# mkdir openssh-fc7
# cd openssh-fc7/
# scp mason.uwink.com:/var/www/html/distro/fc7/Fedora/openssh*.rpm .
# rpm -Uvh openssh*
</nowiki></pre>

* ''Updated version 4.5 > Required version 4.4''


==== OpenSSL ====
==== OpenSSL ====
* Create certificats as specified in [[openssl|OpenSSL]] section.
* Get keys from macmini, IP 10.0.0.120
* Generate self-signed key to avoid prompt for password when reboot apache
* Generate self-signed key to avoid prompt for password when reboot apache
Line 70: Line 65:
</nowiki></pre>
</nowiki></pre>


* Add certificate and key to {{/etc/httpd/conf.d/ssl.conf}} file
* Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file
<pre><nowiki>
<pre><nowiki>
...
...
SSLCertificateFile /etc/pki/local/local.uwink.com.crt
SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt
...
...
SSLCertificateKeyFile /etc/pki/local/local.uwink.com.pem
SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem
...
...
</nowiki></pre>
</nowiki></pre>
Line 84: Line 79:


==== HTTP ====
==== HTTP ====
* Disabled _LoadModule autoindex_module modules/mod_autoindex.so_ on {{/etc/httpd/conf/httpd.conf}} file
* Disabled ''[[LoadModule]] autoindex_module modules/mod_autoindex.so'' on `/etc/httpd/conf/httpd.conf` file
** Enclose _mod_autoindex_ variables
* Enclose ''mod_autoindex'' variables
** Open in line 588 with _<[[IfModule]] mod_autoindex.c>_ directive
* Open in line 588 with ''<[[IfModule]] mod_autoindex.c>'' directive
** Closed on line 659 with _</IfModule>_ directive
* Closed on line 659 with ''</IfModule>'' directive


== Links ==
== Links ==

Revision as of 07:28, 5 February 2010

PCI Compliance

The following procedure is to setup CentOS/RHEL 5.

Vulnerability Scan Tool

TrustKeeper

The original tool used : [[1]]

  1. Click on "Questionnaires" along left side.
  2. Click on "Network Questionnaire".
  3. Enter in IP addresse(s).
  4. Click on "Vulnerability Scan" along left side.
  5. Click "Directed Scan Request" (This will scan the IP addresses set in #3)

SAINT

Using the SAINT scanner is the way to go serious on internal audits. [[2]]

Fix Vulnerabilities with a script

  1. Download the compressed file from [3]
  2. Decompress the file
  3. Run the fix-vulnerability.sh script
  4. Done
 wget http://repo.bashlinux.com/src/fix-vulnerability.tgz
 tar zxvf fix-vulnerability.tgz
 cd fix-vulnerability/
 ./fix-vulnerability.sh


Vulnerabilities

A default installation shoul yields the following results before adjust the system.
  1. ++++ High OpenSSH <4.4 Multiple Vulnerabilities
  2. +++ Med OpenSSH X11 Session Hijacking Vulnerability
  3. +++ Med SSH Protocol Version
  4. +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability
  5. ++ Low SSL Weak Encryption Algorithms
  6. ++ Low Indexable Web Directories
  7. + info TCP/IP Technical Information
  8. + info Discovered HTTP Methods
  9. + info Discovered Web Directories
  10. + info Discovered Web Files

Services

The following services have been modified in order to fix the vulnerabilities on each of them.

OpenSSH

  • Version 4.3p2-24
  • -Updated version: 4.3p2-26-
  • Edited `/etc/ssh/sshd_config` to check the following values:
  • Build openssh rpm from fedora srpm
    • Updated version 4.5 > Required version 4.4

OpenSSL

  • Create certificats as specified in OpenSSL section.
  • Generate self-signed key to avoid prompt for password when reboot apache
 # scp -r 10.0.0.120:/etc/pki/local /etc/pki/
 # cd /etc/pki/local
 # openssl rsa -in local.uwink.com.key -out local.uwink.com.pem
  • Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file
 ...
 SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt
 ...
 SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem
 ...
  • Restart http server
    • key length 1024 > required key length 128

HTTP

  • Disabled LoadModule autoindex_module modules/mod_autoindex.so on `/etc/httpd/conf/httpd.conf` file
  • Enclose mod_autoindex variables
  • Open in line 588 with <IfModule mod_autoindex.c> directive
  • Closed on line 659 with </IfModule> directive

Links

  • Saint Documentaion and Vulnerability info
[[4]]
Retrieved from "https://wiki.bashlinux.com/index.php?title=System-pci&oldid=119"