System-pci: Difference between revisions
From Bashlinux
Jump to navigationJump to search
Content deleted Content added
No edit summary |
Redirected page to PCI compliance |
||
| Line 1: | Line 1: | ||
#REDIRECT [[PCI compliance]] |
|||
__NOTOC__ |
|||
= PCI Compliance = |
|||
The following procedure is to setup CentOS/RHEL 5. |
|||
== How to find vulnerabilities with [[TrustKeeper]] == |
|||
The original tool used : [[https://verifone.trustkeeper.net]] |
|||
# Click on "Questionnaires" along left side. |
|||
# Click on "Network Questionnaire". |
|||
# Enter in IP addresse(s). |
|||
# Click on "Vulnerability Scan" along left side. |
|||
# Click "Directed Scan Request" (This will scan the IP addresses set in #3) |
|||
== How to find vulterabilities with SAINT == |
|||
Using SAINT scanner is the way to go serious on internal audits. |
|||
[[http://www.saintcorporation.com/]] |
|||
== How to fix vulnerabilities in one step == |
|||
The fast easy way is to download the following script and let it do the work |
|||
# Download the compressed file from [http://repo.bashlinux.com/src/fix-vulnerability.tgz] |
|||
# Decompress the file |
|||
# Run the fix-vulnerability.sh script |
|||
# Done |
|||
<pre><nowiki> |
|||
wget http://repo.bashlinux.com/src/fix-vulnerability.tgz |
|||
tar zxvf fix-vulnerability.tgz |
|||
cd fix-vulnerability/ |
|||
./fix-vulnerability.sh |
|||
</nowiki></pre> |
|||
== How to deal with vulnerabilities == |
|||
A default installation should yields the following results before adjust the system. |
|||
# ++++ High OpenSSH <4.4 Multiple Vulnerabilities |
|||
# +++ Med OpenSSH X11 Session Hijacking Vulnerability |
|||
# +++ Med SSH Protocol Version |
|||
# +++ Med OpenSSH Duplicate Block Denial of Service Vulnerability |
|||
# ++ Low SSL Weak Encryption Algorithms |
|||
# ++ Low Indexable Web Directories |
|||
# + info TCP/IP Technical Information |
|||
# + info Discovered HTTP Methods |
|||
# + info Discovered Web Directories |
|||
# + info Discovered Web Files |
|||
== How to modify system services in order to pass the PCI compliance == |
|||
The following services have been modified in order to fix the vulnerabilities on each of them. |
|||
==== OpenSSH ==== |
|||
* Version 4.3p2-24 |
|||
* ''Updated version: 4.3p2-26'' |
|||
* Edited `/etc/ssh/sshd_config` to check the following values: |
|||
** added ''[[AddressFamily]] inet'' |
|||
** checked ''Protocol 2'' |
|||
* Build openssh rpm from fedora srpm |
|||
** ''Updated version 4.5 > Required version 4.4'' |
|||
==== OpenSSL ==== |
|||
* Create certificats as specified in [[openssl|OpenSSL]] section. |
|||
* Generate self-signed key to avoid prompt for password when reboot apache |
|||
<pre><nowiki> |
|||
# scp -r 10.0.0.120:/etc/pki/local /etc/pki/ |
|||
# cd /etc/pki/local |
|||
# openssl rsa -in local.uwink.com.key -out local.uwink.com.pem |
|||
</nowiki></pre> |
|||
* Add certificate and key to `/etc/httpd/conf.d/ssl.conf` file |
|||
<pre><nowiki> |
|||
... |
|||
SSLCertificateFile /etc/pki/local/local.bashlinux.com.crt |
|||
... |
|||
SSLCertificateKeyFile /etc/pki/local/local.bashlinux.com.pem |
|||
... |
|||
</nowiki></pre> |
|||
* Restart http server |
|||
** ''key length 1024 > required key length 128'' |
|||
==== HTTP ==== |
|||
* Disabled ''[[LoadModule]] autoindex_module modules/mod_autoindex.so'' on `/etc/httpd/conf/httpd.conf` file |
|||
* Enclose ''mod_autoindex'' variables |
|||
* Open in line 588 with ''<[[IfModule]] mod_autoindex.c>'' directive |
|||
* Closed on line 659 with ''</IfModule>'' directive |
|||
== Links == |
|||
* Saint Documentaion and Vulnerability info |
|||
[[http://www.saintcorporation.com/demo/saint/documentation.html]] |
|||
Latest revision as of 21:09, 11 June 2015
Redirect to:
